xref: /linux/tools/testing/selftests/bpf/test_verifier.c (revision c682ccc4962a8fab949e1f2d7325b3e825dbf6d1) 
1 /*
2  * Testsuite for eBPF verifier
3  *
4  * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5  *
6  * This program is free software; you can redistribute it and/or
7  * modify it under the terms of version 2 of the GNU General Public
8  * License as published by the Free Software Foundation.
9  */
10 
11 #include <endian.h>
12 #include <asm/types.h>
13 #include <linux/types.h>
14 #include <stdint.h>
15 #include <stdio.h>
16 #include <stdlib.h>
17 #include <unistd.h>
18 #include <errno.h>
19 #include <string.h>
20 #include <stddef.h>
21 #include <stdbool.h>
22 #include <sched.h>
23 
24 #include <sys/capability.h>
25 #include <sys/resource.h>
26 
27 #include <linux/unistd.h>
28 #include <linux/filter.h>
29 #include <linux/bpf_perf_event.h>
30 #include <linux/bpf.h>
31 
32 #include <bpf/bpf.h>
33 
34 #ifdef HAVE_GENHDR
35 # include "autoconf.h"
36 #else
37 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
38 #  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
39 # endif
40 #endif
41 
42 #include "../../../include/linux/filter.h"
43 
44 #ifndef ARRAY_SIZE
45 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
46 #endif
47 
48 #define MAX_INSNS	512
49 #define MAX_FIXUPS	8
50 #define MAX_NR_MAPS	4
51 
52 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS	(1 << 0)
53 #define F_LOAD_WITH_STRICT_ALIGNMENT		(1 << 1)
54 
55 struct bpf_test {
56 	const char *descr;
57 	struct bpf_insn	insns[MAX_INSNS];
58 	int fixup_map1[MAX_FIXUPS];
59 	int fixup_map2[MAX_FIXUPS];
60 	int fixup_prog[MAX_FIXUPS];
61 	int fixup_map_in_map[MAX_FIXUPS];
62 	const char *errstr;
63 	const char *errstr_unpriv;
64 	enum {
65 		UNDEF,
66 		ACCEPT,
67 		REJECT
68 	} result, result_unpriv;
69 	enum bpf_prog_type prog_type;
70 	uint8_t flags;
71 };
72 
73 /* Note we want this to be 64 bit aligned so that the end of our array is
74  * actually the end of the structure.
75  */
76 #define MAX_ENTRIES 11
77 
78 struct test_val {
79 	unsigned int index;
80 	int foo[MAX_ENTRIES];
81 };
82 
83 static struct bpf_test tests[] = {
84 	{
85 		"add+sub+mul",
86 		.insns = {
87 			BPF_MOV64_IMM(BPF_REG_1, 1),
88 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
89 			BPF_MOV64_IMM(BPF_REG_2, 3),
90 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
91 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
92 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
93 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
94 			BPF_EXIT_INSN(),
95 		},
96 		.result = ACCEPT,
97 	},
98 	{
99 		"unreachable",
100 		.insns = {
101 			BPF_EXIT_INSN(),
102 			BPF_EXIT_INSN(),
103 		},
104 		.errstr = "unreachable",
105 		.result = REJECT,
106 	},
107 	{
108 		"unreachable2",
109 		.insns = {
110 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
111 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
112 			BPF_EXIT_INSN(),
113 		},
114 		.errstr = "unreachable",
115 		.result = REJECT,
116 	},
117 	{
118 		"out of range jump",
119 		.insns = {
120 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
121 			BPF_EXIT_INSN(),
122 		},
123 		.errstr = "jump out of range",
124 		.result = REJECT,
125 	},
126 	{
127 		"out of range jump2",
128 		.insns = {
129 			BPF_JMP_IMM(BPF_JA, 0, 0, -2),
130 			BPF_EXIT_INSN(),
131 		},
132 		.errstr = "jump out of range",
133 		.result = REJECT,
134 	},
135 	{
136 		"test1 ld_imm64",
137 		.insns = {
138 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
139 			BPF_LD_IMM64(BPF_REG_0, 0),
140 			BPF_LD_IMM64(BPF_REG_0, 0),
141 			BPF_LD_IMM64(BPF_REG_0, 1),
142 			BPF_LD_IMM64(BPF_REG_0, 1),
143 			BPF_MOV64_IMM(BPF_REG_0, 2),
144 			BPF_EXIT_INSN(),
145 		},
146 		.errstr = "invalid BPF_LD_IMM insn",
147 		.errstr_unpriv = "R1 pointer comparison",
148 		.result = REJECT,
149 	},
150 	{
151 		"test2 ld_imm64",
152 		.insns = {
153 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
154 			BPF_LD_IMM64(BPF_REG_0, 0),
155 			BPF_LD_IMM64(BPF_REG_0, 0),
156 			BPF_LD_IMM64(BPF_REG_0, 1),
157 			BPF_LD_IMM64(BPF_REG_0, 1),
158 			BPF_EXIT_INSN(),
159 		},
160 		.errstr = "invalid BPF_LD_IMM insn",
161 		.errstr_unpriv = "R1 pointer comparison",
162 		.result = REJECT,
163 	},
164 	{
165 		"test3 ld_imm64",
166 		.insns = {
167 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
168 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
169 			BPF_LD_IMM64(BPF_REG_0, 0),
170 			BPF_LD_IMM64(BPF_REG_0, 0),
171 			BPF_LD_IMM64(BPF_REG_0, 1),
172 			BPF_LD_IMM64(BPF_REG_0, 1),
173 			BPF_EXIT_INSN(),
174 		},
175 		.errstr = "invalid bpf_ld_imm64 insn",
176 		.result = REJECT,
177 	},
178 	{
179 		"test4 ld_imm64",
180 		.insns = {
181 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
182 			BPF_EXIT_INSN(),
183 		},
184 		.errstr = "invalid bpf_ld_imm64 insn",
185 		.result = REJECT,
186 	},
187 	{
188 		"test5 ld_imm64",
189 		.insns = {
190 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
191 		},
192 		.errstr = "invalid bpf_ld_imm64 insn",
193 		.result = REJECT,
194 	},
195 	{
196 		"test6 ld_imm64",
197 		.insns = {
198 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
199 			BPF_RAW_INSN(0, 0, 0, 0, 0),
200 			BPF_EXIT_INSN(),
201 		},
202 		.result = ACCEPT,
203 	},
204 	{
205 		"test7 ld_imm64",
206 		.insns = {
207 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
208 			BPF_RAW_INSN(0, 0, 0, 0, 1),
209 			BPF_EXIT_INSN(),
210 		},
211 		.result = ACCEPT,
212 	},
213 	{
214 		"test8 ld_imm64",
215 		.insns = {
216 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
217 			BPF_RAW_INSN(0, 0, 0, 0, 1),
218 			BPF_EXIT_INSN(),
219 		},
220 		.errstr = "uses reserved fields",
221 		.result = REJECT,
222 	},
223 	{
224 		"test9 ld_imm64",
225 		.insns = {
226 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
227 			BPF_RAW_INSN(0, 0, 0, 1, 1),
228 			BPF_EXIT_INSN(),
229 		},
230 		.errstr = "invalid bpf_ld_imm64 insn",
231 		.result = REJECT,
232 	},
233 	{
234 		"test10 ld_imm64",
235 		.insns = {
236 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
237 			BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
238 			BPF_EXIT_INSN(),
239 		},
240 		.errstr = "invalid bpf_ld_imm64 insn",
241 		.result = REJECT,
242 	},
243 	{
244 		"test11 ld_imm64",
245 		.insns = {
246 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
247 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
248 			BPF_EXIT_INSN(),
249 		},
250 		.errstr = "invalid bpf_ld_imm64 insn",
251 		.result = REJECT,
252 	},
253 	{
254 		"test12 ld_imm64",
255 		.insns = {
256 			BPF_MOV64_IMM(BPF_REG_1, 0),
257 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
258 			BPF_RAW_INSN(0, 0, 0, 0, 1),
259 			BPF_EXIT_INSN(),
260 		},
261 		.errstr = "not pointing to valid bpf_map",
262 		.result = REJECT,
263 	},
264 	{
265 		"test13 ld_imm64",
266 		.insns = {
267 			BPF_MOV64_IMM(BPF_REG_1, 0),
268 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
269 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
270 			BPF_EXIT_INSN(),
271 		},
272 		.errstr = "invalid bpf_ld_imm64 insn",
273 		.result = REJECT,
274 	},
275 	{
276 		"no bpf_exit",
277 		.insns = {
278 			BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
279 		},
280 		.errstr = "jump out of range",
281 		.result = REJECT,
282 	},
283 	{
284 		"loop (back-edge)",
285 		.insns = {
286 			BPF_JMP_IMM(BPF_JA, 0, 0, -1),
287 			BPF_EXIT_INSN(),
288 		},
289 		.errstr = "back-edge",
290 		.result = REJECT,
291 	},
292 	{
293 		"loop2 (back-edge)",
294 		.insns = {
295 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
296 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
297 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
298 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
299 			BPF_EXIT_INSN(),
300 		},
301 		.errstr = "back-edge",
302 		.result = REJECT,
303 	},
304 	{
305 		"conditional loop",
306 		.insns = {
307 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
308 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
309 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
310 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
311 			BPF_EXIT_INSN(),
312 		},
313 		.errstr = "back-edge",
314 		.result = REJECT,
315 	},
316 	{
317 		"read uninitialized register",
318 		.insns = {
319 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
320 			BPF_EXIT_INSN(),
321 		},
322 		.errstr = "R2 !read_ok",
323 		.result = REJECT,
324 	},
325 	{
326 		"read invalid register",
327 		.insns = {
328 			BPF_MOV64_REG(BPF_REG_0, -1),
329 			BPF_EXIT_INSN(),
330 		},
331 		.errstr = "R15 is invalid",
332 		.result = REJECT,
333 	},
334 	{
335 		"program doesn't init R0 before exit",
336 		.insns = {
337 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
338 			BPF_EXIT_INSN(),
339 		},
340 		.errstr = "R0 !read_ok",
341 		.result = REJECT,
342 	},
343 	{
344 		"program doesn't init R0 before exit in all branches",
345 		.insns = {
346 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
347 			BPF_MOV64_IMM(BPF_REG_0, 1),
348 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
349 			BPF_EXIT_INSN(),
350 		},
351 		.errstr = "R0 !read_ok",
352 		.errstr_unpriv = "R1 pointer comparison",
353 		.result = REJECT,
354 	},
355 	{
356 		"stack out of bounds",
357 		.insns = {
358 			BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
359 			BPF_EXIT_INSN(),
360 		},
361 		.errstr = "invalid stack",
362 		.result = REJECT,
363 	},
364 	{
365 		"invalid call insn1",
366 		.insns = {
367 			BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
368 			BPF_EXIT_INSN(),
369 		},
370 		.errstr = "BPF_CALL uses reserved",
371 		.result = REJECT,
372 	},
373 	{
374 		"invalid call insn2",
375 		.insns = {
376 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
377 			BPF_EXIT_INSN(),
378 		},
379 		.errstr = "BPF_CALL uses reserved",
380 		.result = REJECT,
381 	},
382 	{
383 		"invalid function call",
384 		.insns = {
385 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
386 			BPF_EXIT_INSN(),
387 		},
388 		.errstr = "invalid func unknown#1234567",
389 		.result = REJECT,
390 	},
391 	{
392 		"uninitialized stack1",
393 		.insns = {
394 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
395 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
396 			BPF_LD_MAP_FD(BPF_REG_1, 0),
397 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
398 				     BPF_FUNC_map_lookup_elem),
399 			BPF_EXIT_INSN(),
400 		},
401 		.fixup_map1 = { 2 },
402 		.errstr = "invalid indirect read from stack",
403 		.result = REJECT,
404 	},
405 	{
406 		"uninitialized stack2",
407 		.insns = {
408 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
409 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
410 			BPF_EXIT_INSN(),
411 		},
412 		.errstr = "invalid read from stack",
413 		.result = REJECT,
414 	},
415 	{
416 		"invalid fp arithmetic",
417 		/* If this gets ever changed, make sure JITs can deal with it. */
418 		.insns = {
419 			BPF_MOV64_IMM(BPF_REG_0, 0),
420 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
421 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
422 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
423 			BPF_EXIT_INSN(),
424 		},
425 		.errstr_unpriv = "R1 subtraction from stack pointer",
426 		.result_unpriv = REJECT,
427 		.errstr = "R1 invalid mem access",
428 		.result = REJECT,
429 	},
430 	{
431 		"non-invalid fp arithmetic",
432 		.insns = {
433 			BPF_MOV64_IMM(BPF_REG_0, 0),
434 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
435 			BPF_EXIT_INSN(),
436 		},
437 		.result = ACCEPT,
438 	},
439 	{
440 		"invalid argument register",
441 		.insns = {
442 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
443 				     BPF_FUNC_get_cgroup_classid),
444 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
445 				     BPF_FUNC_get_cgroup_classid),
446 			BPF_EXIT_INSN(),
447 		},
448 		.errstr = "R1 !read_ok",
449 		.result = REJECT,
450 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
451 	},
452 	{
453 		"non-invalid argument register",
454 		.insns = {
455 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
456 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
457 				     BPF_FUNC_get_cgroup_classid),
458 			BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
459 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
460 				     BPF_FUNC_get_cgroup_classid),
461 			BPF_EXIT_INSN(),
462 		},
463 		.result = ACCEPT,
464 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
465 	},
466 	{
467 		"check valid spill/fill",
468 		.insns = {
469 			/* spill R1(ctx) into stack */
470 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
471 			/* fill it back into R2 */
472 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
473 			/* should be able to access R0 = *(R2 + 8) */
474 			/* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
475 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
476 			BPF_EXIT_INSN(),
477 		},
478 		.errstr_unpriv = "R0 leaks addr",
479 		.result = ACCEPT,
480 		.result_unpriv = REJECT,
481 	},
482 	{
483 		"check valid spill/fill, skb mark",
484 		.insns = {
485 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
486 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
487 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
488 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
489 				    offsetof(struct __sk_buff, mark)),
490 			BPF_EXIT_INSN(),
491 		},
492 		.result = ACCEPT,
493 		.result_unpriv = ACCEPT,
494 	},
495 	{
496 		"check corrupted spill/fill",
497 		.insns = {
498 			/* spill R1(ctx) into stack */
499 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
500 			/* mess up with R1 pointer on stack */
501 			BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
502 			/* fill back into R0 should fail */
503 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
504 			BPF_EXIT_INSN(),
505 		},
506 		.errstr_unpriv = "attempt to corrupt spilled",
507 		.errstr = "corrupted spill",
508 		.result = REJECT,
509 	},
510 	{
511 		"invalid src register in STX",
512 		.insns = {
513 			BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
514 			BPF_EXIT_INSN(),
515 		},
516 		.errstr = "R15 is invalid",
517 		.result = REJECT,
518 	},
519 	{
520 		"invalid dst register in STX",
521 		.insns = {
522 			BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
523 			BPF_EXIT_INSN(),
524 		},
525 		.errstr = "R14 is invalid",
526 		.result = REJECT,
527 	},
528 	{
529 		"invalid dst register in ST",
530 		.insns = {
531 			BPF_ST_MEM(BPF_B, 14, -1, -1),
532 			BPF_EXIT_INSN(),
533 		},
534 		.errstr = "R14 is invalid",
535 		.result = REJECT,
536 	},
537 	{
538 		"invalid src register in LDX",
539 		.insns = {
540 			BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
541 			BPF_EXIT_INSN(),
542 		},
543 		.errstr = "R12 is invalid",
544 		.result = REJECT,
545 	},
546 	{
547 		"invalid dst register in LDX",
548 		.insns = {
549 			BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
550 			BPF_EXIT_INSN(),
551 		},
552 		.errstr = "R11 is invalid",
553 		.result = REJECT,
554 	},
555 	{
556 		"junk insn",
557 		.insns = {
558 			BPF_RAW_INSN(0, 0, 0, 0, 0),
559 			BPF_EXIT_INSN(),
560 		},
561 		.errstr = "invalid BPF_LD_IMM",
562 		.result = REJECT,
563 	},
564 	{
565 		"junk insn2",
566 		.insns = {
567 			BPF_RAW_INSN(1, 0, 0, 0, 0),
568 			BPF_EXIT_INSN(),
569 		},
570 		.errstr = "BPF_LDX uses reserved fields",
571 		.result = REJECT,
572 	},
573 	{
574 		"junk insn3",
575 		.insns = {
576 			BPF_RAW_INSN(-1, 0, 0, 0, 0),
577 			BPF_EXIT_INSN(),
578 		},
579 		.errstr = "invalid BPF_ALU opcode f0",
580 		.result = REJECT,
581 	},
582 	{
583 		"junk insn4",
584 		.insns = {
585 			BPF_RAW_INSN(-1, -1, -1, -1, -1),
586 			BPF_EXIT_INSN(),
587 		},
588 		.errstr = "invalid BPF_ALU opcode f0",
589 		.result = REJECT,
590 	},
591 	{
592 		"junk insn5",
593 		.insns = {
594 			BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
595 			BPF_EXIT_INSN(),
596 		},
597 		.errstr = "BPF_ALU uses reserved fields",
598 		.result = REJECT,
599 	},
600 	{
601 		"misaligned read from stack",
602 		.insns = {
603 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
604 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
605 			BPF_EXIT_INSN(),
606 		},
607 		.errstr = "misaligned stack access",
608 		.result = REJECT,
609 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
610 	},
611 	{
612 		"invalid map_fd for function call",
613 		.insns = {
614 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
615 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
616 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
617 			BPF_LD_MAP_FD(BPF_REG_1, 0),
618 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
619 				     BPF_FUNC_map_delete_elem),
620 			BPF_EXIT_INSN(),
621 		},
622 		.errstr = "fd 0 is not pointing to valid bpf_map",
623 		.result = REJECT,
624 	},
625 	{
626 		"don't check return value before access",
627 		.insns = {
628 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
629 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
630 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
631 			BPF_LD_MAP_FD(BPF_REG_1, 0),
632 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
633 				     BPF_FUNC_map_lookup_elem),
634 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
635 			BPF_EXIT_INSN(),
636 		},
637 		.fixup_map1 = { 3 },
638 		.errstr = "R0 invalid mem access 'map_value_or_null'",
639 		.result = REJECT,
640 	},
641 	{
642 		"access memory with incorrect alignment",
643 		.insns = {
644 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
645 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
646 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
647 			BPF_LD_MAP_FD(BPF_REG_1, 0),
648 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
649 				     BPF_FUNC_map_lookup_elem),
650 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
651 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
652 			BPF_EXIT_INSN(),
653 		},
654 		.fixup_map1 = { 3 },
655 		.errstr = "misaligned value access",
656 		.result = REJECT,
657 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
658 	},
659 	{
660 		"sometimes access memory with incorrect alignment",
661 		.insns = {
662 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
663 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
664 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
665 			BPF_LD_MAP_FD(BPF_REG_1, 0),
666 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
667 				     BPF_FUNC_map_lookup_elem),
668 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
669 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
670 			BPF_EXIT_INSN(),
671 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
672 			BPF_EXIT_INSN(),
673 		},
674 		.fixup_map1 = { 3 },
675 		.errstr = "R0 invalid mem access",
676 		.errstr_unpriv = "R0 leaks addr",
677 		.result = REJECT,
678 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
679 	},
680 	{
681 		"jump test 1",
682 		.insns = {
683 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
684 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
685 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
686 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
687 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
688 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
689 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
690 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
691 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
692 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
693 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
694 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
695 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
696 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
697 			BPF_MOV64_IMM(BPF_REG_0, 0),
698 			BPF_EXIT_INSN(),
699 		},
700 		.errstr_unpriv = "R1 pointer comparison",
701 		.result_unpriv = REJECT,
702 		.result = ACCEPT,
703 	},
704 	{
705 		"jump test 2",
706 		.insns = {
707 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
708 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
709 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
710 			BPF_JMP_IMM(BPF_JA, 0, 0, 14),
711 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
712 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
713 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
714 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
715 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
716 			BPF_JMP_IMM(BPF_JA, 0, 0, 8),
717 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
718 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
719 			BPF_JMP_IMM(BPF_JA, 0, 0, 5),
720 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
721 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
722 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
723 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
724 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
725 			BPF_MOV64_IMM(BPF_REG_0, 0),
726 			BPF_EXIT_INSN(),
727 		},
728 		.errstr_unpriv = "R1 pointer comparison",
729 		.result_unpriv = REJECT,
730 		.result = ACCEPT,
731 	},
732 	{
733 		"jump test 3",
734 		.insns = {
735 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
736 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
737 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
738 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
739 			BPF_JMP_IMM(BPF_JA, 0, 0, 19),
740 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
741 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
742 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
743 			BPF_JMP_IMM(BPF_JA, 0, 0, 15),
744 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
745 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
746 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
747 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
748 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
749 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
750 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
751 			BPF_JMP_IMM(BPF_JA, 0, 0, 7),
752 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
753 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
754 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
755 			BPF_JMP_IMM(BPF_JA, 0, 0, 3),
756 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
757 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
758 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
759 			BPF_LD_MAP_FD(BPF_REG_1, 0),
760 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
761 				     BPF_FUNC_map_delete_elem),
762 			BPF_EXIT_INSN(),
763 		},
764 		.fixup_map1 = { 24 },
765 		.errstr_unpriv = "R1 pointer comparison",
766 		.result_unpriv = REJECT,
767 		.result = ACCEPT,
768 	},
769 	{
770 		"jump test 4",
771 		.insns = {
772 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
773 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
774 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
775 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
776 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
777 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
778 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
779 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
780 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
781 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
782 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
783 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
784 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
785 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
786 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
787 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
788 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
789 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
790 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
791 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
792 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
793 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
794 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
795 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
796 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
797 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
798 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
799 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
800 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
801 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
802 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
803 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
804 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
805 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
806 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
807 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
808 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
809 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
810 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
811 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
812 			BPF_MOV64_IMM(BPF_REG_0, 0),
813 			BPF_EXIT_INSN(),
814 		},
815 		.errstr_unpriv = "R1 pointer comparison",
816 		.result_unpriv = REJECT,
817 		.result = ACCEPT,
818 	},
819 	{
820 		"jump test 5",
821 		.insns = {
822 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
823 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
824 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
825 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
826 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
827 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
828 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
829 			BPF_MOV64_IMM(BPF_REG_0, 0),
830 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
831 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
832 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
833 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
834 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
835 			BPF_MOV64_IMM(BPF_REG_0, 0),
836 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
837 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
838 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
839 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
840 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
841 			BPF_MOV64_IMM(BPF_REG_0, 0),
842 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
843 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
844 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
845 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
846 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
847 			BPF_MOV64_IMM(BPF_REG_0, 0),
848 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
849 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
850 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
851 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
852 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
853 			BPF_MOV64_IMM(BPF_REG_0, 0),
854 			BPF_EXIT_INSN(),
855 		},
856 		.errstr_unpriv = "R1 pointer comparison",
857 		.result_unpriv = REJECT,
858 		.result = ACCEPT,
859 	},
860 	{
861 		"access skb fields ok",
862 		.insns = {
863 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
864 				    offsetof(struct __sk_buff, len)),
865 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
866 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
867 				    offsetof(struct __sk_buff, mark)),
868 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
869 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
870 				    offsetof(struct __sk_buff, pkt_type)),
871 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
872 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
873 				    offsetof(struct __sk_buff, queue_mapping)),
874 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
875 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
876 				    offsetof(struct __sk_buff, protocol)),
877 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
878 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
879 				    offsetof(struct __sk_buff, vlan_present)),
880 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
881 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
882 				    offsetof(struct __sk_buff, vlan_tci)),
883 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
884 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
885 				    offsetof(struct __sk_buff, napi_id)),
886 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
887 			BPF_EXIT_INSN(),
888 		},
889 		.result = ACCEPT,
890 	},
891 	{
892 		"access skb fields bad1",
893 		.insns = {
894 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
895 			BPF_EXIT_INSN(),
896 		},
897 		.errstr = "invalid bpf_context access",
898 		.result = REJECT,
899 	},
900 	{
901 		"access skb fields bad2",
902 		.insns = {
903 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
904 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
905 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
906 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
907 			BPF_LD_MAP_FD(BPF_REG_1, 0),
908 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
909 				     BPF_FUNC_map_lookup_elem),
910 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
911 			BPF_EXIT_INSN(),
912 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
913 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
914 				    offsetof(struct __sk_buff, pkt_type)),
915 			BPF_EXIT_INSN(),
916 		},
917 		.fixup_map1 = { 4 },
918 		.errstr = "different pointers",
919 		.errstr_unpriv = "R1 pointer comparison",
920 		.result = REJECT,
921 	},
922 	{
923 		"access skb fields bad3",
924 		.insns = {
925 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
926 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
927 				    offsetof(struct __sk_buff, pkt_type)),
928 			BPF_EXIT_INSN(),
929 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
930 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
931 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
932 			BPF_LD_MAP_FD(BPF_REG_1, 0),
933 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
934 				     BPF_FUNC_map_lookup_elem),
935 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
936 			BPF_EXIT_INSN(),
937 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
938 			BPF_JMP_IMM(BPF_JA, 0, 0, -12),
939 		},
940 		.fixup_map1 = { 6 },
941 		.errstr = "different pointers",
942 		.errstr_unpriv = "R1 pointer comparison",
943 		.result = REJECT,
944 	},
945 	{
946 		"access skb fields bad4",
947 		.insns = {
948 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
949 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
950 				    offsetof(struct __sk_buff, len)),
951 			BPF_MOV64_IMM(BPF_REG_0, 0),
952 			BPF_EXIT_INSN(),
953 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
954 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
955 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
956 			BPF_LD_MAP_FD(BPF_REG_1, 0),
957 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
958 				     BPF_FUNC_map_lookup_elem),
959 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
960 			BPF_EXIT_INSN(),
961 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
962 			BPF_JMP_IMM(BPF_JA, 0, 0, -13),
963 		},
964 		.fixup_map1 = { 7 },
965 		.errstr = "different pointers",
966 		.errstr_unpriv = "R1 pointer comparison",
967 		.result = REJECT,
968 	},
969 	{
970 		"invalid access __sk_buff family",
971 		.insns = {
972 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
973 				    offsetof(struct __sk_buff, family)),
974 			BPF_EXIT_INSN(),
975 		},
976 		.errstr = "invalid bpf_context access",
977 		.result = REJECT,
978 	},
979 	{
980 		"invalid access __sk_buff remote_ip4",
981 		.insns = {
982 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
983 				    offsetof(struct __sk_buff, remote_ip4)),
984 			BPF_EXIT_INSN(),
985 		},
986 		.errstr = "invalid bpf_context access",
987 		.result = REJECT,
988 	},
989 	{
990 		"invalid access __sk_buff local_ip4",
991 		.insns = {
992 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
993 				    offsetof(struct __sk_buff, local_ip4)),
994 			BPF_EXIT_INSN(),
995 		},
996 		.errstr = "invalid bpf_context access",
997 		.result = REJECT,
998 	},
999 	{
1000 		"invalid access __sk_buff remote_ip6",
1001 		.insns = {
1002 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1003 				    offsetof(struct __sk_buff, remote_ip6)),
1004 			BPF_EXIT_INSN(),
1005 		},
1006 		.errstr = "invalid bpf_context access",
1007 		.result = REJECT,
1008 	},
1009 	{
1010 		"invalid access __sk_buff local_ip6",
1011 		.insns = {
1012 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1013 				    offsetof(struct __sk_buff, local_ip6)),
1014 			BPF_EXIT_INSN(),
1015 		},
1016 		.errstr = "invalid bpf_context access",
1017 		.result = REJECT,
1018 	},
1019 	{
1020 		"invalid access __sk_buff remote_port",
1021 		.insns = {
1022 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1023 				    offsetof(struct __sk_buff, remote_port)),
1024 			BPF_EXIT_INSN(),
1025 		},
1026 		.errstr = "invalid bpf_context access",
1027 		.result = REJECT,
1028 	},
1029 	{
1030 		"invalid access __sk_buff remote_port",
1031 		.insns = {
1032 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1033 				    offsetof(struct __sk_buff, local_port)),
1034 			BPF_EXIT_INSN(),
1035 		},
1036 		.errstr = "invalid bpf_context access",
1037 		.result = REJECT,
1038 	},
1039 	{
1040 		"valid access __sk_buff family",
1041 		.insns = {
1042 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1043 				    offsetof(struct __sk_buff, family)),
1044 			BPF_EXIT_INSN(),
1045 		},
1046 		.result = ACCEPT,
1047 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1048 	},
1049 	{
1050 		"valid access __sk_buff remote_ip4",
1051 		.insns = {
1052 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1053 				    offsetof(struct __sk_buff, remote_ip4)),
1054 			BPF_EXIT_INSN(),
1055 		},
1056 		.result = ACCEPT,
1057 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1058 	},
1059 	{
1060 		"valid access __sk_buff local_ip4",
1061 		.insns = {
1062 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1063 				    offsetof(struct __sk_buff, local_ip4)),
1064 			BPF_EXIT_INSN(),
1065 		},
1066 		.result = ACCEPT,
1067 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1068 	},
1069 	{
1070 		"valid access __sk_buff remote_ip6",
1071 		.insns = {
1072 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1073 				    offsetof(struct __sk_buff, remote_ip6[0])),
1074 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1075 				    offsetof(struct __sk_buff, remote_ip6[1])),
1076 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1077 				    offsetof(struct __sk_buff, remote_ip6[2])),
1078 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1079 				    offsetof(struct __sk_buff, remote_ip6[3])),
1080 			BPF_EXIT_INSN(),
1081 		},
1082 		.result = ACCEPT,
1083 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1084 	},
1085 	{
1086 		"valid access __sk_buff local_ip6",
1087 		.insns = {
1088 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1089 				    offsetof(struct __sk_buff, local_ip6[0])),
1090 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1091 				    offsetof(struct __sk_buff, local_ip6[1])),
1092 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1093 				    offsetof(struct __sk_buff, local_ip6[2])),
1094 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1095 				    offsetof(struct __sk_buff, local_ip6[3])),
1096 			BPF_EXIT_INSN(),
1097 		},
1098 		.result = ACCEPT,
1099 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1100 	},
1101 	{
1102 		"valid access __sk_buff remote_port",
1103 		.insns = {
1104 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1105 				    offsetof(struct __sk_buff, remote_port)),
1106 			BPF_EXIT_INSN(),
1107 		},
1108 		.result = ACCEPT,
1109 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1110 	},
1111 	{
1112 		"valid access __sk_buff remote_port",
1113 		.insns = {
1114 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1115 				    offsetof(struct __sk_buff, local_port)),
1116 			BPF_EXIT_INSN(),
1117 		},
1118 		.result = ACCEPT,
1119 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1120 	},
1121 	{
1122 		"invalid access of tc_classid for SK_SKB",
1123 		.insns = {
1124 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1125 				    offsetof(struct __sk_buff, tc_classid)),
1126 			BPF_EXIT_INSN(),
1127 		},
1128 		.result = REJECT,
1129 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1130 		.errstr = "invalid bpf_context access",
1131 	},
1132 	{
1133 		"invalid access of skb->mark for SK_SKB",
1134 		.insns = {
1135 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1136 				    offsetof(struct __sk_buff, mark)),
1137 			BPF_EXIT_INSN(),
1138 		},
1139 		.result =  REJECT,
1140 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1141 		.errstr = "invalid bpf_context access",
1142 	},
1143 	{
1144 		"check skb->mark is not writeable by SK_SKB",
1145 		.insns = {
1146 			BPF_MOV64_IMM(BPF_REG_0, 0),
1147 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1148 				    offsetof(struct __sk_buff, mark)),
1149 			BPF_EXIT_INSN(),
1150 		},
1151 		.result =  REJECT,
1152 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1153 		.errstr = "invalid bpf_context access",
1154 	},
1155 	{
1156 		"check skb->tc_index is writeable by SK_SKB",
1157 		.insns = {
1158 			BPF_MOV64_IMM(BPF_REG_0, 0),
1159 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1160 				    offsetof(struct __sk_buff, tc_index)),
1161 			BPF_EXIT_INSN(),
1162 		},
1163 		.result = ACCEPT,
1164 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1165 	},
1166 	{
1167 		"check skb->priority is writeable by SK_SKB",
1168 		.insns = {
1169 			BPF_MOV64_IMM(BPF_REG_0, 0),
1170 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1171 				    offsetof(struct __sk_buff, priority)),
1172 			BPF_EXIT_INSN(),
1173 		},
1174 		.result = ACCEPT,
1175 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1176 	},
1177 	{
1178 		"direct packet read for SK_SKB",
1179 		.insns = {
1180 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1181 				    offsetof(struct __sk_buff, data)),
1182 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1183 				    offsetof(struct __sk_buff, data_end)),
1184 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1185 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1186 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1187 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1188 			BPF_MOV64_IMM(BPF_REG_0, 0),
1189 			BPF_EXIT_INSN(),
1190 		},
1191 		.result = ACCEPT,
1192 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1193 	},
1194 	{
1195 		"direct packet write for SK_SKB",
1196 		.insns = {
1197 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1198 				    offsetof(struct __sk_buff, data)),
1199 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1200 				    offsetof(struct __sk_buff, data_end)),
1201 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1202 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1203 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1204 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1205 			BPF_MOV64_IMM(BPF_REG_0, 0),
1206 			BPF_EXIT_INSN(),
1207 		},
1208 		.result = ACCEPT,
1209 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1210 	},
1211 	{
1212 		"overlapping checks for direct packet access SK_SKB",
1213 		.insns = {
1214 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1215 				    offsetof(struct __sk_buff, data)),
1216 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1217 				    offsetof(struct __sk_buff, data_end)),
1218 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1219 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1220 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1221 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1222 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1223 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1224 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1225 			BPF_MOV64_IMM(BPF_REG_0, 0),
1226 			BPF_EXIT_INSN(),
1227 		},
1228 		.result = ACCEPT,
1229 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1230 	},
1231 	{
1232 		"check skb->mark is not writeable by sockets",
1233 		.insns = {
1234 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1235 				    offsetof(struct __sk_buff, mark)),
1236 			BPF_EXIT_INSN(),
1237 		},
1238 		.errstr = "invalid bpf_context access",
1239 		.errstr_unpriv = "R1 leaks addr",
1240 		.result = REJECT,
1241 	},
1242 	{
1243 		"check skb->tc_index is not writeable by sockets",
1244 		.insns = {
1245 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1246 				    offsetof(struct __sk_buff, tc_index)),
1247 			BPF_EXIT_INSN(),
1248 		},
1249 		.errstr = "invalid bpf_context access",
1250 		.errstr_unpriv = "R1 leaks addr",
1251 		.result = REJECT,
1252 	},
1253 	{
1254 		"check cb access: byte",
1255 		.insns = {
1256 			BPF_MOV64_IMM(BPF_REG_0, 0),
1257 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1258 				    offsetof(struct __sk_buff, cb[0])),
1259 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1260 				    offsetof(struct __sk_buff, cb[0]) + 1),
1261 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1262 				    offsetof(struct __sk_buff, cb[0]) + 2),
1263 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1264 				    offsetof(struct __sk_buff, cb[0]) + 3),
1265 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1266 				    offsetof(struct __sk_buff, cb[1])),
1267 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1268 				    offsetof(struct __sk_buff, cb[1]) + 1),
1269 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1270 				    offsetof(struct __sk_buff, cb[1]) + 2),
1271 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1272 				    offsetof(struct __sk_buff, cb[1]) + 3),
1273 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1274 				    offsetof(struct __sk_buff, cb[2])),
1275 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1276 				    offsetof(struct __sk_buff, cb[2]) + 1),
1277 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1278 				    offsetof(struct __sk_buff, cb[2]) + 2),
1279 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1280 				    offsetof(struct __sk_buff, cb[2]) + 3),
1281 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1282 				    offsetof(struct __sk_buff, cb[3])),
1283 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1284 				    offsetof(struct __sk_buff, cb[3]) + 1),
1285 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1286 				    offsetof(struct __sk_buff, cb[3]) + 2),
1287 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1288 				    offsetof(struct __sk_buff, cb[3]) + 3),
1289 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1290 				    offsetof(struct __sk_buff, cb[4])),
1291 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1292 				    offsetof(struct __sk_buff, cb[4]) + 1),
1293 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1294 				    offsetof(struct __sk_buff, cb[4]) + 2),
1295 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1296 				    offsetof(struct __sk_buff, cb[4]) + 3),
1297 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1298 				    offsetof(struct __sk_buff, cb[0])),
1299 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1300 				    offsetof(struct __sk_buff, cb[0]) + 1),
1301 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1302 				    offsetof(struct __sk_buff, cb[0]) + 2),
1303 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1304 				    offsetof(struct __sk_buff, cb[0]) + 3),
1305 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1306 				    offsetof(struct __sk_buff, cb[1])),
1307 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1308 				    offsetof(struct __sk_buff, cb[1]) + 1),
1309 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1310 				    offsetof(struct __sk_buff, cb[1]) + 2),
1311 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1312 				    offsetof(struct __sk_buff, cb[1]) + 3),
1313 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1314 				    offsetof(struct __sk_buff, cb[2])),
1315 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1316 				    offsetof(struct __sk_buff, cb[2]) + 1),
1317 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1318 				    offsetof(struct __sk_buff, cb[2]) + 2),
1319 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1320 				    offsetof(struct __sk_buff, cb[2]) + 3),
1321 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1322 				    offsetof(struct __sk_buff, cb[3])),
1323 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1324 				    offsetof(struct __sk_buff, cb[3]) + 1),
1325 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1326 				    offsetof(struct __sk_buff, cb[3]) + 2),
1327 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1328 				    offsetof(struct __sk_buff, cb[3]) + 3),
1329 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1330 				    offsetof(struct __sk_buff, cb[4])),
1331 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1332 				    offsetof(struct __sk_buff, cb[4]) + 1),
1333 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1334 				    offsetof(struct __sk_buff, cb[4]) + 2),
1335 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1336 				    offsetof(struct __sk_buff, cb[4]) + 3),
1337 			BPF_EXIT_INSN(),
1338 		},
1339 		.result = ACCEPT,
1340 	},
1341 	{
1342 		"__sk_buff->hash, offset 0, byte store not permitted",
1343 		.insns = {
1344 			BPF_MOV64_IMM(BPF_REG_0, 0),
1345 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1346 				    offsetof(struct __sk_buff, hash)),
1347 			BPF_EXIT_INSN(),
1348 		},
1349 		.errstr = "invalid bpf_context access",
1350 		.result = REJECT,
1351 	},
1352 	{
1353 		"__sk_buff->tc_index, offset 3, byte store not permitted",
1354 		.insns = {
1355 			BPF_MOV64_IMM(BPF_REG_0, 0),
1356 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1357 				    offsetof(struct __sk_buff, tc_index) + 3),
1358 			BPF_EXIT_INSN(),
1359 		},
1360 		.errstr = "invalid bpf_context access",
1361 		.result = REJECT,
1362 	},
1363 	{
1364 		"check skb->hash byte load permitted",
1365 		.insns = {
1366 			BPF_MOV64_IMM(BPF_REG_0, 0),
1367 #if __BYTE_ORDER == __LITTLE_ENDIAN
1368 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1369 				    offsetof(struct __sk_buff, hash)),
1370 #else
1371 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1372 				    offsetof(struct __sk_buff, hash) + 3),
1373 #endif
1374 			BPF_EXIT_INSN(),
1375 		},
1376 		.result = ACCEPT,
1377 	},
1378 	{
1379 		"check skb->hash byte load not permitted 1",
1380 		.insns = {
1381 			BPF_MOV64_IMM(BPF_REG_0, 0),
1382 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1383 				    offsetof(struct __sk_buff, hash) + 1),
1384 			BPF_EXIT_INSN(),
1385 		},
1386 		.errstr = "invalid bpf_context access",
1387 		.result = REJECT,
1388 	},
1389 	{
1390 		"check skb->hash byte load not permitted 2",
1391 		.insns = {
1392 			BPF_MOV64_IMM(BPF_REG_0, 0),
1393 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1394 				    offsetof(struct __sk_buff, hash) + 2),
1395 			BPF_EXIT_INSN(),
1396 		},
1397 		.errstr = "invalid bpf_context access",
1398 		.result = REJECT,
1399 	},
1400 	{
1401 		"check skb->hash byte load not permitted 3",
1402 		.insns = {
1403 			BPF_MOV64_IMM(BPF_REG_0, 0),
1404 #if __BYTE_ORDER == __LITTLE_ENDIAN
1405 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1406 				    offsetof(struct __sk_buff, hash) + 3),
1407 #else
1408 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1409 				    offsetof(struct __sk_buff, hash)),
1410 #endif
1411 			BPF_EXIT_INSN(),
1412 		},
1413 		.errstr = "invalid bpf_context access",
1414 		.result = REJECT,
1415 	},
1416 	{
1417 		"check cb access: byte, wrong type",
1418 		.insns = {
1419 			BPF_MOV64_IMM(BPF_REG_0, 0),
1420 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1421 				    offsetof(struct __sk_buff, cb[0])),
1422 			BPF_EXIT_INSN(),
1423 		},
1424 		.errstr = "invalid bpf_context access",
1425 		.result = REJECT,
1426 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1427 	},
1428 	{
1429 		"check cb access: half",
1430 		.insns = {
1431 			BPF_MOV64_IMM(BPF_REG_0, 0),
1432 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1433 				    offsetof(struct __sk_buff, cb[0])),
1434 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1435 				    offsetof(struct __sk_buff, cb[0]) + 2),
1436 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1437 				    offsetof(struct __sk_buff, cb[1])),
1438 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1439 				    offsetof(struct __sk_buff, cb[1]) + 2),
1440 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1441 				    offsetof(struct __sk_buff, cb[2])),
1442 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1443 				    offsetof(struct __sk_buff, cb[2]) + 2),
1444 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1445 				    offsetof(struct __sk_buff, cb[3])),
1446 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1447 				    offsetof(struct __sk_buff, cb[3]) + 2),
1448 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1449 				    offsetof(struct __sk_buff, cb[4])),
1450 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1451 				    offsetof(struct __sk_buff, cb[4]) + 2),
1452 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1453 				    offsetof(struct __sk_buff, cb[0])),
1454 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1455 				    offsetof(struct __sk_buff, cb[0]) + 2),
1456 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1457 				    offsetof(struct __sk_buff, cb[1])),
1458 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1459 				    offsetof(struct __sk_buff, cb[1]) + 2),
1460 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1461 				    offsetof(struct __sk_buff, cb[2])),
1462 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1463 				    offsetof(struct __sk_buff, cb[2]) + 2),
1464 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1465 				    offsetof(struct __sk_buff, cb[3])),
1466 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1467 				    offsetof(struct __sk_buff, cb[3]) + 2),
1468 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1469 				    offsetof(struct __sk_buff, cb[4])),
1470 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1471 				    offsetof(struct __sk_buff, cb[4]) + 2),
1472 			BPF_EXIT_INSN(),
1473 		},
1474 		.result = ACCEPT,
1475 	},
1476 	{
1477 		"check cb access: half, unaligned",
1478 		.insns = {
1479 			BPF_MOV64_IMM(BPF_REG_0, 0),
1480 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1481 				    offsetof(struct __sk_buff, cb[0]) + 1),
1482 			BPF_EXIT_INSN(),
1483 		},
1484 		.errstr = "misaligned context access",
1485 		.result = REJECT,
1486 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1487 	},
1488 	{
1489 		"check __sk_buff->hash, offset 0, half store not permitted",
1490 		.insns = {
1491 			BPF_MOV64_IMM(BPF_REG_0, 0),
1492 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1493 				    offsetof(struct __sk_buff, hash)),
1494 			BPF_EXIT_INSN(),
1495 		},
1496 		.errstr = "invalid bpf_context access",
1497 		.result = REJECT,
1498 	},
1499 	{
1500 		"check __sk_buff->tc_index, offset 2, half store not permitted",
1501 		.insns = {
1502 			BPF_MOV64_IMM(BPF_REG_0, 0),
1503 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1504 				    offsetof(struct __sk_buff, tc_index) + 2),
1505 			BPF_EXIT_INSN(),
1506 		},
1507 		.errstr = "invalid bpf_context access",
1508 		.result = REJECT,
1509 	},
1510 	{
1511 		"check skb->hash half load permitted",
1512 		.insns = {
1513 			BPF_MOV64_IMM(BPF_REG_0, 0),
1514 #if __BYTE_ORDER == __LITTLE_ENDIAN
1515 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1516 				    offsetof(struct __sk_buff, hash)),
1517 #else
1518 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1519 				    offsetof(struct __sk_buff, hash) + 2),
1520 #endif
1521 			BPF_EXIT_INSN(),
1522 		},
1523 		.result = ACCEPT,
1524 	},
1525 	{
1526 		"check skb->hash half load not permitted",
1527 		.insns = {
1528 			BPF_MOV64_IMM(BPF_REG_0, 0),
1529 #if __BYTE_ORDER == __LITTLE_ENDIAN
1530 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1531 				    offsetof(struct __sk_buff, hash) + 2),
1532 #else
1533 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1534 				    offsetof(struct __sk_buff, hash)),
1535 #endif
1536 			BPF_EXIT_INSN(),
1537 		},
1538 		.errstr = "invalid bpf_context access",
1539 		.result = REJECT,
1540 	},
1541 	{
1542 		"check cb access: half, wrong type",
1543 		.insns = {
1544 			BPF_MOV64_IMM(BPF_REG_0, 0),
1545 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1546 				    offsetof(struct __sk_buff, cb[0])),
1547 			BPF_EXIT_INSN(),
1548 		},
1549 		.errstr = "invalid bpf_context access",
1550 		.result = REJECT,
1551 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1552 	},
1553 	{
1554 		"check cb access: word",
1555 		.insns = {
1556 			BPF_MOV64_IMM(BPF_REG_0, 0),
1557 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1558 				    offsetof(struct __sk_buff, cb[0])),
1559 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1560 				    offsetof(struct __sk_buff, cb[1])),
1561 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1562 				    offsetof(struct __sk_buff, cb[2])),
1563 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1564 				    offsetof(struct __sk_buff, cb[3])),
1565 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1566 				    offsetof(struct __sk_buff, cb[4])),
1567 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1568 				    offsetof(struct __sk_buff, cb[0])),
1569 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1570 				    offsetof(struct __sk_buff, cb[1])),
1571 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572 				    offsetof(struct __sk_buff, cb[2])),
1573 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1574 				    offsetof(struct __sk_buff, cb[3])),
1575 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1576 				    offsetof(struct __sk_buff, cb[4])),
1577 			BPF_EXIT_INSN(),
1578 		},
1579 		.result = ACCEPT,
1580 	},
1581 	{
1582 		"check cb access: word, unaligned 1",
1583 		.insns = {
1584 			BPF_MOV64_IMM(BPF_REG_0, 0),
1585 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1586 				    offsetof(struct __sk_buff, cb[0]) + 2),
1587 			BPF_EXIT_INSN(),
1588 		},
1589 		.errstr = "misaligned context access",
1590 		.result = REJECT,
1591 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1592 	},
1593 	{
1594 		"check cb access: word, unaligned 2",
1595 		.insns = {
1596 			BPF_MOV64_IMM(BPF_REG_0, 0),
1597 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1598 				    offsetof(struct __sk_buff, cb[4]) + 1),
1599 			BPF_EXIT_INSN(),
1600 		},
1601 		.errstr = "misaligned context access",
1602 		.result = REJECT,
1603 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1604 	},
1605 	{
1606 		"check cb access: word, unaligned 3",
1607 		.insns = {
1608 			BPF_MOV64_IMM(BPF_REG_0, 0),
1609 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1610 				    offsetof(struct __sk_buff, cb[4]) + 2),
1611 			BPF_EXIT_INSN(),
1612 		},
1613 		.errstr = "misaligned context access",
1614 		.result = REJECT,
1615 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1616 	},
1617 	{
1618 		"check cb access: word, unaligned 4",
1619 		.insns = {
1620 			BPF_MOV64_IMM(BPF_REG_0, 0),
1621 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1622 				    offsetof(struct __sk_buff, cb[4]) + 3),
1623 			BPF_EXIT_INSN(),
1624 		},
1625 		.errstr = "misaligned context access",
1626 		.result = REJECT,
1627 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1628 	},
1629 	{
1630 		"check cb access: double",
1631 		.insns = {
1632 			BPF_MOV64_IMM(BPF_REG_0, 0),
1633 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1634 				    offsetof(struct __sk_buff, cb[0])),
1635 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1636 				    offsetof(struct __sk_buff, cb[2])),
1637 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1638 				    offsetof(struct __sk_buff, cb[0])),
1639 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1640 				    offsetof(struct __sk_buff, cb[2])),
1641 			BPF_EXIT_INSN(),
1642 		},
1643 		.result = ACCEPT,
1644 	},
1645 	{
1646 		"check cb access: double, unaligned 1",
1647 		.insns = {
1648 			BPF_MOV64_IMM(BPF_REG_0, 0),
1649 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1650 				    offsetof(struct __sk_buff, cb[1])),
1651 			BPF_EXIT_INSN(),
1652 		},
1653 		.errstr = "misaligned context access",
1654 		.result = REJECT,
1655 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1656 	},
1657 	{
1658 		"check cb access: double, unaligned 2",
1659 		.insns = {
1660 			BPF_MOV64_IMM(BPF_REG_0, 0),
1661 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1662 				    offsetof(struct __sk_buff, cb[3])),
1663 			BPF_EXIT_INSN(),
1664 		},
1665 		.errstr = "misaligned context access",
1666 		.result = REJECT,
1667 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1668 	},
1669 	{
1670 		"check cb access: double, oob 1",
1671 		.insns = {
1672 			BPF_MOV64_IMM(BPF_REG_0, 0),
1673 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1674 				    offsetof(struct __sk_buff, cb[4])),
1675 			BPF_EXIT_INSN(),
1676 		},
1677 		.errstr = "invalid bpf_context access",
1678 		.result = REJECT,
1679 	},
1680 	{
1681 		"check cb access: double, oob 2",
1682 		.insns = {
1683 			BPF_MOV64_IMM(BPF_REG_0, 0),
1684 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1685 				    offsetof(struct __sk_buff, cb[4])),
1686 			BPF_EXIT_INSN(),
1687 		},
1688 		.errstr = "invalid bpf_context access",
1689 		.result = REJECT,
1690 	},
1691 	{
1692 		"check __sk_buff->ifindex dw store not permitted",
1693 		.insns = {
1694 			BPF_MOV64_IMM(BPF_REG_0, 0),
1695 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1696 				    offsetof(struct __sk_buff, ifindex)),
1697 			BPF_EXIT_INSN(),
1698 		},
1699 		.errstr = "invalid bpf_context access",
1700 		.result = REJECT,
1701 	},
1702 	{
1703 		"check __sk_buff->ifindex dw load not permitted",
1704 		.insns = {
1705 			BPF_MOV64_IMM(BPF_REG_0, 0),
1706 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1707 				    offsetof(struct __sk_buff, ifindex)),
1708 			BPF_EXIT_INSN(),
1709 		},
1710 		.errstr = "invalid bpf_context access",
1711 		.result = REJECT,
1712 	},
1713 	{
1714 		"check cb access: double, wrong type",
1715 		.insns = {
1716 			BPF_MOV64_IMM(BPF_REG_0, 0),
1717 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1718 				    offsetof(struct __sk_buff, cb[0])),
1719 			BPF_EXIT_INSN(),
1720 		},
1721 		.errstr = "invalid bpf_context access",
1722 		.result = REJECT,
1723 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1724 	},
1725 	{
1726 		"check out of range skb->cb access",
1727 		.insns = {
1728 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1729 				    offsetof(struct __sk_buff, cb[0]) + 256),
1730 			BPF_EXIT_INSN(),
1731 		},
1732 		.errstr = "invalid bpf_context access",
1733 		.errstr_unpriv = "",
1734 		.result = REJECT,
1735 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
1736 	},
1737 	{
1738 		"write skb fields from socket prog",
1739 		.insns = {
1740 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1741 				    offsetof(struct __sk_buff, cb[4])),
1742 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1743 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1744 				    offsetof(struct __sk_buff, mark)),
1745 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746 				    offsetof(struct __sk_buff, tc_index)),
1747 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1748 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1749 				    offsetof(struct __sk_buff, cb[0])),
1750 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1751 				    offsetof(struct __sk_buff, cb[2])),
1752 			BPF_EXIT_INSN(),
1753 		},
1754 		.result = ACCEPT,
1755 		.errstr_unpriv = "R1 leaks addr",
1756 		.result_unpriv = REJECT,
1757 	},
1758 	{
1759 		"write skb fields from tc_cls_act prog",
1760 		.insns = {
1761 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1762 				    offsetof(struct __sk_buff, cb[0])),
1763 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1764 				    offsetof(struct __sk_buff, mark)),
1765 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1766 				    offsetof(struct __sk_buff, tc_index)),
1767 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1768 				    offsetof(struct __sk_buff, tc_index)),
1769 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1770 				    offsetof(struct __sk_buff, cb[3])),
1771 			BPF_EXIT_INSN(),
1772 		},
1773 		.errstr_unpriv = "",
1774 		.result_unpriv = REJECT,
1775 		.result = ACCEPT,
1776 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1777 	},
1778 	{
1779 		"PTR_TO_STACK store/load",
1780 		.insns = {
1781 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1782 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1783 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1784 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1785 			BPF_EXIT_INSN(),
1786 		},
1787 		.result = ACCEPT,
1788 	},
1789 	{
1790 		"PTR_TO_STACK store/load - bad alignment on off",
1791 		.insns = {
1792 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1793 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1794 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1795 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1796 			BPF_EXIT_INSN(),
1797 		},
1798 		.result = REJECT,
1799 		.errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
1800 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1801 	},
1802 	{
1803 		"PTR_TO_STACK store/load - bad alignment on reg",
1804 		.insns = {
1805 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1806 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1807 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1808 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1809 			BPF_EXIT_INSN(),
1810 		},
1811 		.result = REJECT,
1812 		.errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
1813 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1814 	},
1815 	{
1816 		"PTR_TO_STACK store/load - out of bounds low",
1817 		.insns = {
1818 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1819 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
1820 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1821 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1822 			BPF_EXIT_INSN(),
1823 		},
1824 		.result = REJECT,
1825 		.errstr = "invalid stack off=-79992 size=8",
1826 	},
1827 	{
1828 		"PTR_TO_STACK store/load - out of bounds high",
1829 		.insns = {
1830 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1831 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1832 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1833 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1834 			BPF_EXIT_INSN(),
1835 		},
1836 		.result = REJECT,
1837 		.errstr = "invalid stack off=0 size=8",
1838 	},
1839 	{
1840 		"unpriv: return pointer",
1841 		.insns = {
1842 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
1843 			BPF_EXIT_INSN(),
1844 		},
1845 		.result = ACCEPT,
1846 		.result_unpriv = REJECT,
1847 		.errstr_unpriv = "R0 leaks addr",
1848 	},
1849 	{
1850 		"unpriv: add const to pointer",
1851 		.insns = {
1852 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
1853 			BPF_MOV64_IMM(BPF_REG_0, 0),
1854 			BPF_EXIT_INSN(),
1855 		},
1856 		.result = ACCEPT,
1857 	},
1858 	{
1859 		"unpriv: add pointer to pointer",
1860 		.insns = {
1861 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
1862 			BPF_MOV64_IMM(BPF_REG_0, 0),
1863 			BPF_EXIT_INSN(),
1864 		},
1865 		.result = ACCEPT,
1866 		.result_unpriv = REJECT,
1867 		.errstr_unpriv = "R1 pointer += pointer",
1868 	},
1869 	{
1870 		"unpriv: neg pointer",
1871 		.insns = {
1872 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
1873 			BPF_MOV64_IMM(BPF_REG_0, 0),
1874 			BPF_EXIT_INSN(),
1875 		},
1876 		.result = ACCEPT,
1877 		.result_unpriv = REJECT,
1878 		.errstr_unpriv = "R1 pointer arithmetic",
1879 	},
1880 	{
1881 		"unpriv: cmp pointer with const",
1882 		.insns = {
1883 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1884 			BPF_MOV64_IMM(BPF_REG_0, 0),
1885 			BPF_EXIT_INSN(),
1886 		},
1887 		.result = ACCEPT,
1888 		.result_unpriv = REJECT,
1889 		.errstr_unpriv = "R1 pointer comparison",
1890 	},
1891 	{
1892 		"unpriv: cmp pointer with pointer",
1893 		.insns = {
1894 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1895 			BPF_MOV64_IMM(BPF_REG_0, 0),
1896 			BPF_EXIT_INSN(),
1897 		},
1898 		.result = ACCEPT,
1899 		.result_unpriv = REJECT,
1900 		.errstr_unpriv = "R10 pointer comparison",
1901 	},
1902 	{
1903 		"unpriv: check that printk is disallowed",
1904 		.insns = {
1905 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1906 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1907 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1908 			BPF_MOV64_IMM(BPF_REG_2, 8),
1909 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
1910 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1911 				     BPF_FUNC_trace_printk),
1912 			BPF_MOV64_IMM(BPF_REG_0, 0),
1913 			BPF_EXIT_INSN(),
1914 		},
1915 		.errstr_unpriv = "unknown func bpf_trace_printk#6",
1916 		.result_unpriv = REJECT,
1917 		.result = ACCEPT,
1918 	},
1919 	{
1920 		"unpriv: pass pointer to helper function",
1921 		.insns = {
1922 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1923 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1924 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1925 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1926 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1927 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
1928 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1929 				     BPF_FUNC_map_update_elem),
1930 			BPF_MOV64_IMM(BPF_REG_0, 0),
1931 			BPF_EXIT_INSN(),
1932 		},
1933 		.fixup_map1 = { 3 },
1934 		.errstr_unpriv = "R4 leaks addr",
1935 		.result_unpriv = REJECT,
1936 		.result = ACCEPT,
1937 	},
1938 	{
1939 		"unpriv: indirectly pass pointer on stack to helper function",
1940 		.insns = {
1941 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1942 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1943 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1944 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1945 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1946 				     BPF_FUNC_map_lookup_elem),
1947 			BPF_MOV64_IMM(BPF_REG_0, 0),
1948 			BPF_EXIT_INSN(),
1949 		},
1950 		.fixup_map1 = { 3 },
1951 		.errstr = "invalid indirect read from stack off -8+0 size 8",
1952 		.result = REJECT,
1953 	},
1954 	{
1955 		"unpriv: mangle pointer on stack 1",
1956 		.insns = {
1957 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1958 			BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
1959 			BPF_MOV64_IMM(BPF_REG_0, 0),
1960 			BPF_EXIT_INSN(),
1961 		},
1962 		.errstr_unpriv = "attempt to corrupt spilled",
1963 		.result_unpriv = REJECT,
1964 		.result = ACCEPT,
1965 	},
1966 	{
1967 		"unpriv: mangle pointer on stack 2",
1968 		.insns = {
1969 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1970 			BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
1971 			BPF_MOV64_IMM(BPF_REG_0, 0),
1972 			BPF_EXIT_INSN(),
1973 		},
1974 		.errstr_unpriv = "attempt to corrupt spilled",
1975 		.result_unpriv = REJECT,
1976 		.result = ACCEPT,
1977 	},
1978 	{
1979 		"unpriv: read pointer from stack in small chunks",
1980 		.insns = {
1981 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1982 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
1983 			BPF_MOV64_IMM(BPF_REG_0, 0),
1984 			BPF_EXIT_INSN(),
1985 		},
1986 		.errstr = "invalid size",
1987 		.result = REJECT,
1988 	},
1989 	{
1990 		"unpriv: write pointer into ctx",
1991 		.insns = {
1992 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
1993 			BPF_MOV64_IMM(BPF_REG_0, 0),
1994 			BPF_EXIT_INSN(),
1995 		},
1996 		.errstr_unpriv = "R1 leaks addr",
1997 		.result_unpriv = REJECT,
1998 		.errstr = "invalid bpf_context access",
1999 		.result = REJECT,
2000 	},
2001 	{
2002 		"unpriv: spill/fill of ctx",
2003 		.insns = {
2004 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2005 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2006 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2007 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2008 			BPF_MOV64_IMM(BPF_REG_0, 0),
2009 			BPF_EXIT_INSN(),
2010 		},
2011 		.result = ACCEPT,
2012 	},
2013 	{
2014 		"unpriv: spill/fill of ctx 2",
2015 		.insns = {
2016 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2017 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2018 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2019 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2020 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2021 				     BPF_FUNC_get_hash_recalc),
2022 			BPF_EXIT_INSN(),
2023 		},
2024 		.result = ACCEPT,
2025 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2026 	},
2027 	{
2028 		"unpriv: spill/fill of ctx 3",
2029 		.insns = {
2030 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2031 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2032 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2033 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2034 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2035 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2036 				     BPF_FUNC_get_hash_recalc),
2037 			BPF_EXIT_INSN(),
2038 		},
2039 		.result = REJECT,
2040 		.errstr = "R1 type=fp expected=ctx",
2041 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2042 	},
2043 	{
2044 		"unpriv: spill/fill of ctx 4",
2045 		.insns = {
2046 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2047 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2048 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2049 			BPF_MOV64_IMM(BPF_REG_0, 1),
2050 			BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2051 				     BPF_REG_0, -8, 0),
2052 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2053 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2054 				     BPF_FUNC_get_hash_recalc),
2055 			BPF_EXIT_INSN(),
2056 		},
2057 		.result = REJECT,
2058 		.errstr = "R1 type=inv expected=ctx",
2059 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2060 	},
2061 	{
2062 		"unpriv: spill/fill of different pointers stx",
2063 		.insns = {
2064 			BPF_MOV64_IMM(BPF_REG_3, 42),
2065 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2066 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2067 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2068 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2069 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2070 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2071 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2072 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2073 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2074 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2075 				    offsetof(struct __sk_buff, mark)),
2076 			BPF_MOV64_IMM(BPF_REG_0, 0),
2077 			BPF_EXIT_INSN(),
2078 		},
2079 		.result = REJECT,
2080 		.errstr = "same insn cannot be used with different pointers",
2081 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2082 	},
2083 	{
2084 		"unpriv: spill/fill of different pointers ldx",
2085 		.insns = {
2086 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2087 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2088 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2089 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2090 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2091 				      -(__s32)offsetof(struct bpf_perf_event_data,
2092 						       sample_period) - 8),
2093 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2094 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2095 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2096 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2097 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2098 				    offsetof(struct bpf_perf_event_data,
2099 					     sample_period)),
2100 			BPF_MOV64_IMM(BPF_REG_0, 0),
2101 			BPF_EXIT_INSN(),
2102 		},
2103 		.result = REJECT,
2104 		.errstr = "same insn cannot be used with different pointers",
2105 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
2106 	},
2107 	{
2108 		"unpriv: write pointer into map elem value",
2109 		.insns = {
2110 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2111 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2112 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2113 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2114 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2115 				     BPF_FUNC_map_lookup_elem),
2116 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2117 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2118 			BPF_EXIT_INSN(),
2119 		},
2120 		.fixup_map1 = { 3 },
2121 		.errstr_unpriv = "R0 leaks addr",
2122 		.result_unpriv = REJECT,
2123 		.result = ACCEPT,
2124 	},
2125 	{
2126 		"unpriv: partial copy of pointer",
2127 		.insns = {
2128 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2129 			BPF_MOV64_IMM(BPF_REG_0, 0),
2130 			BPF_EXIT_INSN(),
2131 		},
2132 		.errstr_unpriv = "R10 partial copy",
2133 		.result_unpriv = REJECT,
2134 		.result = ACCEPT,
2135 	},
2136 	{
2137 		"unpriv: pass pointer to tail_call",
2138 		.insns = {
2139 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2140 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2141 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2142 				     BPF_FUNC_tail_call),
2143 			BPF_MOV64_IMM(BPF_REG_0, 0),
2144 			BPF_EXIT_INSN(),
2145 		},
2146 		.fixup_prog = { 1 },
2147 		.errstr_unpriv = "R3 leaks addr into helper",
2148 		.result_unpriv = REJECT,
2149 		.result = ACCEPT,
2150 	},
2151 	{
2152 		"unpriv: cmp map pointer with zero",
2153 		.insns = {
2154 			BPF_MOV64_IMM(BPF_REG_1, 0),
2155 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2156 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2157 			BPF_MOV64_IMM(BPF_REG_0, 0),
2158 			BPF_EXIT_INSN(),
2159 		},
2160 		.fixup_map1 = { 1 },
2161 		.errstr_unpriv = "R1 pointer comparison",
2162 		.result_unpriv = REJECT,
2163 		.result = ACCEPT,
2164 	},
2165 	{
2166 		"unpriv: write into frame pointer",
2167 		.insns = {
2168 			BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2169 			BPF_MOV64_IMM(BPF_REG_0, 0),
2170 			BPF_EXIT_INSN(),
2171 		},
2172 		.errstr = "frame pointer is read only",
2173 		.result = REJECT,
2174 	},
2175 	{
2176 		"unpriv: spill/fill frame pointer",
2177 		.insns = {
2178 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2179 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2180 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2181 			BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2182 			BPF_MOV64_IMM(BPF_REG_0, 0),
2183 			BPF_EXIT_INSN(),
2184 		},
2185 		.errstr = "frame pointer is read only",
2186 		.result = REJECT,
2187 	},
2188 	{
2189 		"unpriv: cmp of frame pointer",
2190 		.insns = {
2191 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2192 			BPF_MOV64_IMM(BPF_REG_0, 0),
2193 			BPF_EXIT_INSN(),
2194 		},
2195 		.errstr_unpriv = "R10 pointer comparison",
2196 		.result_unpriv = REJECT,
2197 		.result = ACCEPT,
2198 	},
2199 	{
2200 		"unpriv: adding of fp",
2201 		.insns = {
2202 			BPF_MOV64_IMM(BPF_REG_0, 0),
2203 			BPF_MOV64_IMM(BPF_REG_1, 0),
2204 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2205 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2206 			BPF_EXIT_INSN(),
2207 		},
2208 		.result = ACCEPT,
2209 	},
2210 	{
2211 		"unpriv: cmp of stack pointer",
2212 		.insns = {
2213 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2214 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2215 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2216 			BPF_MOV64_IMM(BPF_REG_0, 0),
2217 			BPF_EXIT_INSN(),
2218 		},
2219 		.errstr_unpriv = "R2 pointer comparison",
2220 		.result_unpriv = REJECT,
2221 		.result = ACCEPT,
2222 	},
2223 	{
2224 		"stack pointer arithmetic",
2225 		.insns = {
2226 			BPF_MOV64_IMM(BPF_REG_1, 4),
2227 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2228 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2229 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2230 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2231 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2232 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2233 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2234 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2235 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2236 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2237 			BPF_MOV64_IMM(BPF_REG_0, 0),
2238 			BPF_EXIT_INSN(),
2239 		},
2240 		.result = ACCEPT,
2241 	},
2242 	{
2243 		"raw_stack: no skb_load_bytes",
2244 		.insns = {
2245 			BPF_MOV64_IMM(BPF_REG_2, 4),
2246 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2247 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2248 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2249 			BPF_MOV64_IMM(BPF_REG_4, 8),
2250 			/* Call to skb_load_bytes() omitted. */
2251 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2252 			BPF_EXIT_INSN(),
2253 		},
2254 		.result = REJECT,
2255 		.errstr = "invalid read from stack off -8+0 size 8",
2256 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2257 	},
2258 	{
2259 		"raw_stack: skb_load_bytes, negative len",
2260 		.insns = {
2261 			BPF_MOV64_IMM(BPF_REG_2, 4),
2262 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2263 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2264 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2265 			BPF_MOV64_IMM(BPF_REG_4, -8),
2266 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2267 				     BPF_FUNC_skb_load_bytes),
2268 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2269 			BPF_EXIT_INSN(),
2270 		},
2271 		.result = REJECT,
2272 		.errstr = "R4 min value is negative",
2273 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2274 	},
2275 	{
2276 		"raw_stack: skb_load_bytes, negative len 2",
2277 		.insns = {
2278 			BPF_MOV64_IMM(BPF_REG_2, 4),
2279 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2280 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2281 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2282 			BPF_MOV64_IMM(BPF_REG_4, ~0),
2283 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2284 				     BPF_FUNC_skb_load_bytes),
2285 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2286 			BPF_EXIT_INSN(),
2287 		},
2288 		.result = REJECT,
2289 		.errstr = "R4 min value is negative",
2290 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2291 	},
2292 	{
2293 		"raw_stack: skb_load_bytes, zero len",
2294 		.insns = {
2295 			BPF_MOV64_IMM(BPF_REG_2, 4),
2296 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2297 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2298 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2299 			BPF_MOV64_IMM(BPF_REG_4, 0),
2300 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2301 				     BPF_FUNC_skb_load_bytes),
2302 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2303 			BPF_EXIT_INSN(),
2304 		},
2305 		.result = REJECT,
2306 		.errstr = "invalid stack type R3",
2307 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2308 	},
2309 	{
2310 		"raw_stack: skb_load_bytes, no init",
2311 		.insns = {
2312 			BPF_MOV64_IMM(BPF_REG_2, 4),
2313 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2314 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2315 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2316 			BPF_MOV64_IMM(BPF_REG_4, 8),
2317 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2318 				     BPF_FUNC_skb_load_bytes),
2319 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2320 			BPF_EXIT_INSN(),
2321 		},
2322 		.result = ACCEPT,
2323 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2324 	},
2325 	{
2326 		"raw_stack: skb_load_bytes, init",
2327 		.insns = {
2328 			BPF_MOV64_IMM(BPF_REG_2, 4),
2329 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2330 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2331 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2332 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2333 			BPF_MOV64_IMM(BPF_REG_4, 8),
2334 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2335 				     BPF_FUNC_skb_load_bytes),
2336 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2337 			BPF_EXIT_INSN(),
2338 		},
2339 		.result = ACCEPT,
2340 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2341 	},
2342 	{
2343 		"raw_stack: skb_load_bytes, spilled regs around bounds",
2344 		.insns = {
2345 			BPF_MOV64_IMM(BPF_REG_2, 4),
2346 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2347 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2348 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2349 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2350 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2351 			BPF_MOV64_IMM(BPF_REG_4, 8),
2352 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2353 				     BPF_FUNC_skb_load_bytes),
2354 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2355 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2356 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2357 				    offsetof(struct __sk_buff, mark)),
2358 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2359 				    offsetof(struct __sk_buff, priority)),
2360 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2361 			BPF_EXIT_INSN(),
2362 		},
2363 		.result = ACCEPT,
2364 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2365 	},
2366 	{
2367 		"raw_stack: skb_load_bytes, spilled regs corruption",
2368 		.insns = {
2369 			BPF_MOV64_IMM(BPF_REG_2, 4),
2370 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2371 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2372 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2373 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2374 			BPF_MOV64_IMM(BPF_REG_4, 8),
2375 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2376 				     BPF_FUNC_skb_load_bytes),
2377 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2378 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2379 				    offsetof(struct __sk_buff, mark)),
2380 			BPF_EXIT_INSN(),
2381 		},
2382 		.result = REJECT,
2383 		.errstr = "R0 invalid mem access 'inv'",
2384 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2385 	},
2386 	{
2387 		"raw_stack: skb_load_bytes, spilled regs corruption 2",
2388 		.insns = {
2389 			BPF_MOV64_IMM(BPF_REG_2, 4),
2390 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2391 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2392 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2393 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
2394 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2395 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2396 			BPF_MOV64_IMM(BPF_REG_4, 8),
2397 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2398 				     BPF_FUNC_skb_load_bytes),
2399 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2400 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2401 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
2402 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2403 				    offsetof(struct __sk_buff, mark)),
2404 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2405 				    offsetof(struct __sk_buff, priority)),
2406 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2407 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
2408 				    offsetof(struct __sk_buff, pkt_type)),
2409 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2410 			BPF_EXIT_INSN(),
2411 		},
2412 		.result = REJECT,
2413 		.errstr = "R3 invalid mem access 'inv'",
2414 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2415 	},
2416 	{
2417 		"raw_stack: skb_load_bytes, spilled regs + data",
2418 		.insns = {
2419 			BPF_MOV64_IMM(BPF_REG_2, 4),
2420 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2421 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2422 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2423 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
2424 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2425 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2426 			BPF_MOV64_IMM(BPF_REG_4, 8),
2427 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2428 				     BPF_FUNC_skb_load_bytes),
2429 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2430 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2431 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
2432 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2433 				    offsetof(struct __sk_buff, mark)),
2434 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2435 				    offsetof(struct __sk_buff, priority)),
2436 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2437 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2438 			BPF_EXIT_INSN(),
2439 		},
2440 		.result = ACCEPT,
2441 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2442 	},
2443 	{
2444 		"raw_stack: skb_load_bytes, invalid access 1",
2445 		.insns = {
2446 			BPF_MOV64_IMM(BPF_REG_2, 4),
2447 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2448 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2449 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2450 			BPF_MOV64_IMM(BPF_REG_4, 8),
2451 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2452 				     BPF_FUNC_skb_load_bytes),
2453 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2454 			BPF_EXIT_INSN(),
2455 		},
2456 		.result = REJECT,
2457 		.errstr = "invalid stack type R3 off=-513 access_size=8",
2458 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2459 	},
2460 	{
2461 		"raw_stack: skb_load_bytes, invalid access 2",
2462 		.insns = {
2463 			BPF_MOV64_IMM(BPF_REG_2, 4),
2464 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2465 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2466 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2467 			BPF_MOV64_IMM(BPF_REG_4, 8),
2468 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2469 				     BPF_FUNC_skb_load_bytes),
2470 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2471 			BPF_EXIT_INSN(),
2472 		},
2473 		.result = REJECT,
2474 		.errstr = "invalid stack type R3 off=-1 access_size=8",
2475 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2476 	},
2477 	{
2478 		"raw_stack: skb_load_bytes, invalid access 3",
2479 		.insns = {
2480 			BPF_MOV64_IMM(BPF_REG_2, 4),
2481 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2482 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2483 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2484 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2485 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2486 				     BPF_FUNC_skb_load_bytes),
2487 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2488 			BPF_EXIT_INSN(),
2489 		},
2490 		.result = REJECT,
2491 		.errstr = "R4 min value is negative",
2492 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2493 	},
2494 	{
2495 		"raw_stack: skb_load_bytes, invalid access 4",
2496 		.insns = {
2497 			BPF_MOV64_IMM(BPF_REG_2, 4),
2498 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2499 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2500 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2501 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2502 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2503 				     BPF_FUNC_skb_load_bytes),
2504 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2505 			BPF_EXIT_INSN(),
2506 		},
2507 		.result = REJECT,
2508 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
2509 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2510 	},
2511 	{
2512 		"raw_stack: skb_load_bytes, invalid access 5",
2513 		.insns = {
2514 			BPF_MOV64_IMM(BPF_REG_2, 4),
2515 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2516 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2517 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2518 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2519 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2520 				     BPF_FUNC_skb_load_bytes),
2521 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2522 			BPF_EXIT_INSN(),
2523 		},
2524 		.result = REJECT,
2525 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
2526 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2527 	},
2528 	{
2529 		"raw_stack: skb_load_bytes, invalid access 6",
2530 		.insns = {
2531 			BPF_MOV64_IMM(BPF_REG_2, 4),
2532 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2533 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2534 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2535 			BPF_MOV64_IMM(BPF_REG_4, 0),
2536 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2537 				     BPF_FUNC_skb_load_bytes),
2538 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2539 			BPF_EXIT_INSN(),
2540 		},
2541 		.result = REJECT,
2542 		.errstr = "invalid stack type R3 off=-512 access_size=0",
2543 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2544 	},
2545 	{
2546 		"raw_stack: skb_load_bytes, large access",
2547 		.insns = {
2548 			BPF_MOV64_IMM(BPF_REG_2, 4),
2549 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2550 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2551 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2552 			BPF_MOV64_IMM(BPF_REG_4, 512),
2553 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2554 				     BPF_FUNC_skb_load_bytes),
2555 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2556 			BPF_EXIT_INSN(),
2557 		},
2558 		.result = ACCEPT,
2559 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2560 	},
2561 	{
2562 		"direct packet access: test1",
2563 		.insns = {
2564 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2565 				    offsetof(struct __sk_buff, data)),
2566 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2567 				    offsetof(struct __sk_buff, data_end)),
2568 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2569 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2570 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2571 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2572 			BPF_MOV64_IMM(BPF_REG_0, 0),
2573 			BPF_EXIT_INSN(),
2574 		},
2575 		.result = ACCEPT,
2576 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2577 	},
2578 	{
2579 		"direct packet access: test2",
2580 		.insns = {
2581 			BPF_MOV64_IMM(BPF_REG_0, 1),
2582 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
2583 				    offsetof(struct __sk_buff, data_end)),
2584 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2585 				    offsetof(struct __sk_buff, data)),
2586 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2587 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
2588 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
2589 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
2590 			BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
2591 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
2592 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2593 				    offsetof(struct __sk_buff, data)),
2594 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
2595 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
2596 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
2597 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
2598 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
2599 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
2600 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2601 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2602 				    offsetof(struct __sk_buff, data_end)),
2603 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
2604 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
2605 			BPF_MOV64_IMM(BPF_REG_0, 0),
2606 			BPF_EXIT_INSN(),
2607 		},
2608 		.result = ACCEPT,
2609 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2610 	},
2611 	{
2612 		"direct packet access: test3",
2613 		.insns = {
2614 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2615 				    offsetof(struct __sk_buff, data)),
2616 			BPF_MOV64_IMM(BPF_REG_0, 0),
2617 			BPF_EXIT_INSN(),
2618 		},
2619 		.errstr = "invalid bpf_context access off=76",
2620 		.result = REJECT,
2621 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2622 	},
2623 	{
2624 		"direct packet access: test4 (write)",
2625 		.insns = {
2626 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2627 				    offsetof(struct __sk_buff, data)),
2628 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2629 				    offsetof(struct __sk_buff, data_end)),
2630 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2631 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2632 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2633 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2634 			BPF_MOV64_IMM(BPF_REG_0, 0),
2635 			BPF_EXIT_INSN(),
2636 		},
2637 		.result = ACCEPT,
2638 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2639 	},
2640 	{
2641 		"direct packet access: test5 (pkt_end >= reg, good access)",
2642 		.insns = {
2643 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2644 				    offsetof(struct __sk_buff, data)),
2645 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2646 				    offsetof(struct __sk_buff, data_end)),
2647 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2648 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2649 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2650 			BPF_MOV64_IMM(BPF_REG_0, 1),
2651 			BPF_EXIT_INSN(),
2652 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2653 			BPF_MOV64_IMM(BPF_REG_0, 0),
2654 			BPF_EXIT_INSN(),
2655 		},
2656 		.result = ACCEPT,
2657 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2658 	},
2659 	{
2660 		"direct packet access: test6 (pkt_end >= reg, bad access)",
2661 		.insns = {
2662 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2663 				    offsetof(struct __sk_buff, data)),
2664 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2665 				    offsetof(struct __sk_buff, data_end)),
2666 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2667 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2668 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2669 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2670 			BPF_MOV64_IMM(BPF_REG_0, 1),
2671 			BPF_EXIT_INSN(),
2672 			BPF_MOV64_IMM(BPF_REG_0, 0),
2673 			BPF_EXIT_INSN(),
2674 		},
2675 		.errstr = "invalid access to packet",
2676 		.result = REJECT,
2677 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2678 	},
2679 	{
2680 		"direct packet access: test7 (pkt_end >= reg, both accesses)",
2681 		.insns = {
2682 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2683 				    offsetof(struct __sk_buff, data)),
2684 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2685 				    offsetof(struct __sk_buff, data_end)),
2686 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2687 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2688 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2689 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2690 			BPF_MOV64_IMM(BPF_REG_0, 1),
2691 			BPF_EXIT_INSN(),
2692 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2693 			BPF_MOV64_IMM(BPF_REG_0, 0),
2694 			BPF_EXIT_INSN(),
2695 		},
2696 		.errstr = "invalid access to packet",
2697 		.result = REJECT,
2698 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2699 	},
2700 	{
2701 		"direct packet access: test8 (double test, variant 1)",
2702 		.insns = {
2703 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2704 				    offsetof(struct __sk_buff, data)),
2705 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2706 				    offsetof(struct __sk_buff, data_end)),
2707 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2708 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2709 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
2710 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2711 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2712 			BPF_MOV64_IMM(BPF_REG_0, 1),
2713 			BPF_EXIT_INSN(),
2714 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2715 			BPF_MOV64_IMM(BPF_REG_0, 0),
2716 			BPF_EXIT_INSN(),
2717 		},
2718 		.result = ACCEPT,
2719 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2720 	},
2721 	{
2722 		"direct packet access: test9 (double test, variant 2)",
2723 		.insns = {
2724 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2725 				    offsetof(struct __sk_buff, data)),
2726 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2727 				    offsetof(struct __sk_buff, data_end)),
2728 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2729 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2730 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2731 			BPF_MOV64_IMM(BPF_REG_0, 1),
2732 			BPF_EXIT_INSN(),
2733 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2734 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2735 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2736 			BPF_MOV64_IMM(BPF_REG_0, 0),
2737 			BPF_EXIT_INSN(),
2738 		},
2739 		.result = ACCEPT,
2740 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2741 	},
2742 	{
2743 		"direct packet access: test10 (write invalid)",
2744 		.insns = {
2745 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2746 				    offsetof(struct __sk_buff, data)),
2747 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2748 				    offsetof(struct __sk_buff, data_end)),
2749 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2750 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2751 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
2752 			BPF_MOV64_IMM(BPF_REG_0, 0),
2753 			BPF_EXIT_INSN(),
2754 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2755 			BPF_MOV64_IMM(BPF_REG_0, 0),
2756 			BPF_EXIT_INSN(),
2757 		},
2758 		.errstr = "invalid access to packet",
2759 		.result = REJECT,
2760 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2761 	},
2762 	{
2763 		"direct packet access: test11 (shift, good access)",
2764 		.insns = {
2765 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2766 				    offsetof(struct __sk_buff, data)),
2767 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2768 				    offsetof(struct __sk_buff, data_end)),
2769 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2770 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2771 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2772 			BPF_MOV64_IMM(BPF_REG_3, 144),
2773 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2774 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2775 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
2776 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2777 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2778 			BPF_MOV64_IMM(BPF_REG_0, 1),
2779 			BPF_EXIT_INSN(),
2780 			BPF_MOV64_IMM(BPF_REG_0, 0),
2781 			BPF_EXIT_INSN(),
2782 		},
2783 		.result = ACCEPT,
2784 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2785 	},
2786 	{
2787 		"direct packet access: test12 (and, good access)",
2788 		.insns = {
2789 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2790 				    offsetof(struct __sk_buff, data)),
2791 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2792 				    offsetof(struct __sk_buff, data_end)),
2793 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2794 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2795 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2796 			BPF_MOV64_IMM(BPF_REG_3, 144),
2797 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2798 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2799 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2800 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2801 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2802 			BPF_MOV64_IMM(BPF_REG_0, 1),
2803 			BPF_EXIT_INSN(),
2804 			BPF_MOV64_IMM(BPF_REG_0, 0),
2805 			BPF_EXIT_INSN(),
2806 		},
2807 		.result = ACCEPT,
2808 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2809 	},
2810 	{
2811 		"direct packet access: test13 (branches, good access)",
2812 		.insns = {
2813 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2814 				    offsetof(struct __sk_buff, data)),
2815 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2816 				    offsetof(struct __sk_buff, data_end)),
2817 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2818 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2819 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
2820 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2821 				    offsetof(struct __sk_buff, mark)),
2822 			BPF_MOV64_IMM(BPF_REG_4, 1),
2823 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
2824 			BPF_MOV64_IMM(BPF_REG_3, 14),
2825 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
2826 			BPF_MOV64_IMM(BPF_REG_3, 24),
2827 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2828 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2829 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2830 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2831 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2832 			BPF_MOV64_IMM(BPF_REG_0, 1),
2833 			BPF_EXIT_INSN(),
2834 			BPF_MOV64_IMM(BPF_REG_0, 0),
2835 			BPF_EXIT_INSN(),
2836 		},
2837 		.result = ACCEPT,
2838 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2839 	},
2840 	{
2841 		"direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
2842 		.insns = {
2843 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2844 				    offsetof(struct __sk_buff, data)),
2845 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2846 				    offsetof(struct __sk_buff, data_end)),
2847 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2848 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2849 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
2850 			BPF_MOV64_IMM(BPF_REG_5, 12),
2851 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
2852 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2853 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2854 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
2855 			BPF_MOV64_IMM(BPF_REG_0, 1),
2856 			BPF_EXIT_INSN(),
2857 			BPF_MOV64_IMM(BPF_REG_0, 0),
2858 			BPF_EXIT_INSN(),
2859 		},
2860 		.result = ACCEPT,
2861 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2862 	},
2863 	{
2864 		"direct packet access: test15 (spill with xadd)",
2865 		.insns = {
2866 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2867 				    offsetof(struct __sk_buff, data)),
2868 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2869 				    offsetof(struct __sk_buff, data_end)),
2870 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2871 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2872 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2873 			BPF_MOV64_IMM(BPF_REG_5, 4096),
2874 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2875 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2876 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2877 			BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
2878 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
2879 			BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
2880 			BPF_MOV64_IMM(BPF_REG_0, 0),
2881 			BPF_EXIT_INSN(),
2882 		},
2883 		.errstr = "R2 invalid mem access 'inv'",
2884 		.result = REJECT,
2885 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2886 	},
2887 	{
2888 		"direct packet access: test16 (arith on data_end)",
2889 		.insns = {
2890 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2891 				    offsetof(struct __sk_buff, data)),
2892 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2893 				    offsetof(struct __sk_buff, data_end)),
2894 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2895 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2896 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
2897 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2898 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2899 			BPF_MOV64_IMM(BPF_REG_0, 0),
2900 			BPF_EXIT_INSN(),
2901 		},
2902 		.errstr = "invalid access to packet",
2903 		.result = REJECT,
2904 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2905 	},
2906 	{
2907 		"direct packet access: test17 (pruning, alignment)",
2908 		.insns = {
2909 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2910 				    offsetof(struct __sk_buff, data)),
2911 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2912 				    offsetof(struct __sk_buff, data_end)),
2913 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2914 				    offsetof(struct __sk_buff, mark)),
2915 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2916 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
2917 			BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
2918 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2919 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
2920 			BPF_MOV64_IMM(BPF_REG_0, 0),
2921 			BPF_EXIT_INSN(),
2922 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
2923 			BPF_JMP_A(-6),
2924 		},
2925 		.errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
2926 		.result = REJECT,
2927 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2928 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2929 	},
2930 	{
2931 		"direct packet access: test18 (imm += pkt_ptr, 1)",
2932 		.insns = {
2933 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2934 				    offsetof(struct __sk_buff, data)),
2935 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2936 				    offsetof(struct __sk_buff, data_end)),
2937 			BPF_MOV64_IMM(BPF_REG_0, 8),
2938 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2939 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2940 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2941 			BPF_MOV64_IMM(BPF_REG_0, 0),
2942 			BPF_EXIT_INSN(),
2943 		},
2944 		.result = ACCEPT,
2945 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2946 	},
2947 	{
2948 		"direct packet access: test19 (imm += pkt_ptr, 2)",
2949 		.insns = {
2950 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2951 				    offsetof(struct __sk_buff, data)),
2952 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2953 				    offsetof(struct __sk_buff, data_end)),
2954 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2955 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2956 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
2957 			BPF_MOV64_IMM(BPF_REG_4, 4),
2958 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2959 			BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
2960 			BPF_MOV64_IMM(BPF_REG_0, 0),
2961 			BPF_EXIT_INSN(),
2962 		},
2963 		.result = ACCEPT,
2964 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2965 	},
2966 	{
2967 		"direct packet access: test20 (x += pkt_ptr, 1)",
2968 		.insns = {
2969 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2970 				    offsetof(struct __sk_buff, data)),
2971 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2972 				    offsetof(struct __sk_buff, data_end)),
2973 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
2974 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
2975 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
2976 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
2977 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
2978 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2979 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2980 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
2981 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
2982 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
2983 			BPF_MOV64_IMM(BPF_REG_0, 0),
2984 			BPF_EXIT_INSN(),
2985 		},
2986 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2987 		.result = ACCEPT,
2988 	},
2989 	{
2990 		"direct packet access: test21 (x += pkt_ptr, 2)",
2991 		.insns = {
2992 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2993 				    offsetof(struct __sk_buff, data)),
2994 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2995 				    offsetof(struct __sk_buff, data_end)),
2996 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2997 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2998 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
2999 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3000 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3001 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3002 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3003 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3004 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3005 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3006 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3007 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3008 			BPF_MOV64_IMM(BPF_REG_0, 0),
3009 			BPF_EXIT_INSN(),
3010 		},
3011 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3012 		.result = ACCEPT,
3013 	},
3014 	{
3015 		"direct packet access: test22 (x += pkt_ptr, 3)",
3016 		.insns = {
3017 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3018 				    offsetof(struct __sk_buff, data)),
3019 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3020 				    offsetof(struct __sk_buff, data_end)),
3021 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3022 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3023 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3024 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3025 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3026 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3027 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3028 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3029 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3030 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3031 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3032 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3033 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3034 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3035 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3036 			BPF_MOV64_IMM(BPF_REG_2, 1),
3037 			BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3038 			BPF_MOV64_IMM(BPF_REG_0, 0),
3039 			BPF_EXIT_INSN(),
3040 		},
3041 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3042 		.result = ACCEPT,
3043 	},
3044 	{
3045 		"direct packet access: test23 (x += pkt_ptr, 4)",
3046 		.insns = {
3047 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3048 				    offsetof(struct __sk_buff, data)),
3049 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3050 				    offsetof(struct __sk_buff, data_end)),
3051 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3052 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3053 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3054 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3055 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3056 			BPF_MOV64_IMM(BPF_REG_0, 31),
3057 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3058 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3059 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3060 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3061 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3062 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3063 			BPF_MOV64_IMM(BPF_REG_0, 0),
3064 			BPF_EXIT_INSN(),
3065 		},
3066 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3067 		.result = REJECT,
3068 		.errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3069 	},
3070 	{
3071 		"direct packet access: test24 (x += pkt_ptr, 5)",
3072 		.insns = {
3073 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3074 				    offsetof(struct __sk_buff, data)),
3075 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3076 				    offsetof(struct __sk_buff, data_end)),
3077 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3078 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3079 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3080 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3081 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3082 			BPF_MOV64_IMM(BPF_REG_0, 64),
3083 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3084 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3085 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3086 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3087 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3088 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3089 			BPF_MOV64_IMM(BPF_REG_0, 0),
3090 			BPF_EXIT_INSN(),
3091 		},
3092 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3093 		.result = ACCEPT,
3094 	},
3095 	{
3096 		"direct packet access: test25 (marking on <, good access)",
3097 		.insns = {
3098 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3099 				    offsetof(struct __sk_buff, data)),
3100 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3101 				    offsetof(struct __sk_buff, data_end)),
3102 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3103 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3104 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3105 			BPF_MOV64_IMM(BPF_REG_0, 0),
3106 			BPF_EXIT_INSN(),
3107 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3108 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3109 		},
3110 		.result = ACCEPT,
3111 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3112 	},
3113 	{
3114 		"direct packet access: test26 (marking on <, bad access)",
3115 		.insns = {
3116 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3117 				    offsetof(struct __sk_buff, data)),
3118 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3119 				    offsetof(struct __sk_buff, data_end)),
3120 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3121 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3122 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3123 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3124 			BPF_MOV64_IMM(BPF_REG_0, 0),
3125 			BPF_EXIT_INSN(),
3126 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3127 		},
3128 		.result = REJECT,
3129 		.errstr = "invalid access to packet",
3130 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3131 	},
3132 	{
3133 		"direct packet access: test27 (marking on <=, good access)",
3134 		.insns = {
3135 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3136 				    offsetof(struct __sk_buff, data)),
3137 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3138 				    offsetof(struct __sk_buff, data_end)),
3139 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3140 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3141 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3142 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3143 			BPF_MOV64_IMM(BPF_REG_0, 1),
3144 			BPF_EXIT_INSN(),
3145 		},
3146 		.result = ACCEPT,
3147 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3148 	},
3149 	{
3150 		"direct packet access: test28 (marking on <=, bad access)",
3151 		.insns = {
3152 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3153 				    offsetof(struct __sk_buff, data)),
3154 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3155 				    offsetof(struct __sk_buff, data_end)),
3156 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3157 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3158 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3159 			BPF_MOV64_IMM(BPF_REG_0, 1),
3160 			BPF_EXIT_INSN(),
3161 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3162 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3163 		},
3164 		.result = REJECT,
3165 		.errstr = "invalid access to packet",
3166 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3167 	},
3168 	{
3169 		"helper access to packet: test1, valid packet_ptr range",
3170 		.insns = {
3171 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3172 				    offsetof(struct xdp_md, data)),
3173 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3174 				    offsetof(struct xdp_md, data_end)),
3175 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3176 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3177 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3178 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3179 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3180 			BPF_MOV64_IMM(BPF_REG_4, 0),
3181 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3182 				     BPF_FUNC_map_update_elem),
3183 			BPF_MOV64_IMM(BPF_REG_0, 0),
3184 			BPF_EXIT_INSN(),
3185 		},
3186 		.fixup_map1 = { 5 },
3187 		.result_unpriv = ACCEPT,
3188 		.result = ACCEPT,
3189 		.prog_type = BPF_PROG_TYPE_XDP,
3190 	},
3191 	{
3192 		"helper access to packet: test2, unchecked packet_ptr",
3193 		.insns = {
3194 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3195 				    offsetof(struct xdp_md, data)),
3196 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3197 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3198 				     BPF_FUNC_map_lookup_elem),
3199 			BPF_MOV64_IMM(BPF_REG_0, 0),
3200 			BPF_EXIT_INSN(),
3201 		},
3202 		.fixup_map1 = { 1 },
3203 		.result = REJECT,
3204 		.errstr = "invalid access to packet",
3205 		.prog_type = BPF_PROG_TYPE_XDP,
3206 	},
3207 	{
3208 		"helper access to packet: test3, variable add",
3209 		.insns = {
3210 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3211 					offsetof(struct xdp_md, data)),
3212 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3213 					offsetof(struct xdp_md, data_end)),
3214 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3215 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3216 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3217 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3218 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3219 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3220 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3221 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3222 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3223 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3224 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3225 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3226 				     BPF_FUNC_map_lookup_elem),
3227 			BPF_MOV64_IMM(BPF_REG_0, 0),
3228 			BPF_EXIT_INSN(),
3229 		},
3230 		.fixup_map1 = { 11 },
3231 		.result = ACCEPT,
3232 		.prog_type = BPF_PROG_TYPE_XDP,
3233 	},
3234 	{
3235 		"helper access to packet: test4, packet_ptr with bad range",
3236 		.insns = {
3237 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3238 				    offsetof(struct xdp_md, data)),
3239 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3240 				    offsetof(struct xdp_md, data_end)),
3241 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3242 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3243 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3244 			BPF_MOV64_IMM(BPF_REG_0, 0),
3245 			BPF_EXIT_INSN(),
3246 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3247 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3248 				     BPF_FUNC_map_lookup_elem),
3249 			BPF_MOV64_IMM(BPF_REG_0, 0),
3250 			BPF_EXIT_INSN(),
3251 		},
3252 		.fixup_map1 = { 7 },
3253 		.result = REJECT,
3254 		.errstr = "invalid access to packet",
3255 		.prog_type = BPF_PROG_TYPE_XDP,
3256 	},
3257 	{
3258 		"helper access to packet: test5, packet_ptr with too short range",
3259 		.insns = {
3260 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3261 				    offsetof(struct xdp_md, data)),
3262 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3263 				    offsetof(struct xdp_md, data_end)),
3264 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3265 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3266 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3267 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3268 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3269 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3270 				     BPF_FUNC_map_lookup_elem),
3271 			BPF_MOV64_IMM(BPF_REG_0, 0),
3272 			BPF_EXIT_INSN(),
3273 		},
3274 		.fixup_map1 = { 6 },
3275 		.result = REJECT,
3276 		.errstr = "invalid access to packet",
3277 		.prog_type = BPF_PROG_TYPE_XDP,
3278 	},
3279 	{
3280 		"helper access to packet: test6, cls valid packet_ptr range",
3281 		.insns = {
3282 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3283 				    offsetof(struct __sk_buff, data)),
3284 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3285 				    offsetof(struct __sk_buff, data_end)),
3286 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3287 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3288 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3289 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3290 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3291 			BPF_MOV64_IMM(BPF_REG_4, 0),
3292 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3293 				     BPF_FUNC_map_update_elem),
3294 			BPF_MOV64_IMM(BPF_REG_0, 0),
3295 			BPF_EXIT_INSN(),
3296 		},
3297 		.fixup_map1 = { 5 },
3298 		.result = ACCEPT,
3299 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3300 	},
3301 	{
3302 		"helper access to packet: test7, cls unchecked packet_ptr",
3303 		.insns = {
3304 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3305 				    offsetof(struct __sk_buff, data)),
3306 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3307 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3308 				     BPF_FUNC_map_lookup_elem),
3309 			BPF_MOV64_IMM(BPF_REG_0, 0),
3310 			BPF_EXIT_INSN(),
3311 		},
3312 		.fixup_map1 = { 1 },
3313 		.result = REJECT,
3314 		.errstr = "invalid access to packet",
3315 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3316 	},
3317 	{
3318 		"helper access to packet: test8, cls variable add",
3319 		.insns = {
3320 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3321 					offsetof(struct __sk_buff, data)),
3322 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3323 					offsetof(struct __sk_buff, data_end)),
3324 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3325 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3326 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3327 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3328 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3329 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3330 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3331 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3332 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3333 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3334 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3335 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3336 				     BPF_FUNC_map_lookup_elem),
3337 			BPF_MOV64_IMM(BPF_REG_0, 0),
3338 			BPF_EXIT_INSN(),
3339 		},
3340 		.fixup_map1 = { 11 },
3341 		.result = ACCEPT,
3342 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3343 	},
3344 	{
3345 		"helper access to packet: test9, cls packet_ptr with bad range",
3346 		.insns = {
3347 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3348 				    offsetof(struct __sk_buff, data)),
3349 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3350 				    offsetof(struct __sk_buff, data_end)),
3351 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3352 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3353 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3354 			BPF_MOV64_IMM(BPF_REG_0, 0),
3355 			BPF_EXIT_INSN(),
3356 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3357 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3358 				     BPF_FUNC_map_lookup_elem),
3359 			BPF_MOV64_IMM(BPF_REG_0, 0),
3360 			BPF_EXIT_INSN(),
3361 		},
3362 		.fixup_map1 = { 7 },
3363 		.result = REJECT,
3364 		.errstr = "invalid access to packet",
3365 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3366 	},
3367 	{
3368 		"helper access to packet: test10, cls packet_ptr with too short range",
3369 		.insns = {
3370 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3371 				    offsetof(struct __sk_buff, data)),
3372 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3373 				    offsetof(struct __sk_buff, data_end)),
3374 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3375 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3376 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3377 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3378 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3379 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3380 				     BPF_FUNC_map_lookup_elem),
3381 			BPF_MOV64_IMM(BPF_REG_0, 0),
3382 			BPF_EXIT_INSN(),
3383 		},
3384 		.fixup_map1 = { 6 },
3385 		.result = REJECT,
3386 		.errstr = "invalid access to packet",
3387 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3388 	},
3389 	{
3390 		"helper access to packet: test11, cls unsuitable helper 1",
3391 		.insns = {
3392 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3393 				    offsetof(struct __sk_buff, data)),
3394 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3395 				    offsetof(struct __sk_buff, data_end)),
3396 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3397 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3398 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
3399 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
3400 			BPF_MOV64_IMM(BPF_REG_2, 0),
3401 			BPF_MOV64_IMM(BPF_REG_4, 42),
3402 			BPF_MOV64_IMM(BPF_REG_5, 0),
3403 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3404 				     BPF_FUNC_skb_store_bytes),
3405 			BPF_MOV64_IMM(BPF_REG_0, 0),
3406 			BPF_EXIT_INSN(),
3407 		},
3408 		.result = REJECT,
3409 		.errstr = "helper access to the packet",
3410 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3411 	},
3412 	{
3413 		"helper access to packet: test12, cls unsuitable helper 2",
3414 		.insns = {
3415 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3416 				    offsetof(struct __sk_buff, data)),
3417 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3418 				    offsetof(struct __sk_buff, data_end)),
3419 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3420 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
3421 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
3422 			BPF_MOV64_IMM(BPF_REG_2, 0),
3423 			BPF_MOV64_IMM(BPF_REG_4, 4),
3424 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3425 				     BPF_FUNC_skb_load_bytes),
3426 			BPF_MOV64_IMM(BPF_REG_0, 0),
3427 			BPF_EXIT_INSN(),
3428 		},
3429 		.result = REJECT,
3430 		.errstr = "helper access to the packet",
3431 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3432 	},
3433 	{
3434 		"helper access to packet: test13, cls helper ok",
3435 		.insns = {
3436 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3437 				    offsetof(struct __sk_buff, data)),
3438 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3439 				    offsetof(struct __sk_buff, data_end)),
3440 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3441 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3442 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3443 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3444 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3445 			BPF_MOV64_IMM(BPF_REG_2, 4),
3446 			BPF_MOV64_IMM(BPF_REG_3, 0),
3447 			BPF_MOV64_IMM(BPF_REG_4, 0),
3448 			BPF_MOV64_IMM(BPF_REG_5, 0),
3449 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3450 				     BPF_FUNC_csum_diff),
3451 			BPF_MOV64_IMM(BPF_REG_0, 0),
3452 			BPF_EXIT_INSN(),
3453 		},
3454 		.result = ACCEPT,
3455 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3456 	},
3457 	{
3458 		"helper access to packet: test14, cls helper ok sub",
3459 		.insns = {
3460 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3461 				    offsetof(struct __sk_buff, data)),
3462 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3463 				    offsetof(struct __sk_buff, data_end)),
3464 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3465 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3466 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3467 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3468 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
3469 			BPF_MOV64_IMM(BPF_REG_2, 4),
3470 			BPF_MOV64_IMM(BPF_REG_3, 0),
3471 			BPF_MOV64_IMM(BPF_REG_4, 0),
3472 			BPF_MOV64_IMM(BPF_REG_5, 0),
3473 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3474 				     BPF_FUNC_csum_diff),
3475 			BPF_MOV64_IMM(BPF_REG_0, 0),
3476 			BPF_EXIT_INSN(),
3477 		},
3478 		.result = ACCEPT,
3479 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3480 	},
3481 	{
3482 		"helper access to packet: test15, cls helper fail sub",
3483 		.insns = {
3484 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3485 				    offsetof(struct __sk_buff, data)),
3486 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3487 				    offsetof(struct __sk_buff, data_end)),
3488 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3489 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3490 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3491 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3492 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
3493 			BPF_MOV64_IMM(BPF_REG_2, 4),
3494 			BPF_MOV64_IMM(BPF_REG_3, 0),
3495 			BPF_MOV64_IMM(BPF_REG_4, 0),
3496 			BPF_MOV64_IMM(BPF_REG_5, 0),
3497 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3498 				     BPF_FUNC_csum_diff),
3499 			BPF_MOV64_IMM(BPF_REG_0, 0),
3500 			BPF_EXIT_INSN(),
3501 		},
3502 		.result = REJECT,
3503 		.errstr = "invalid access to packet",
3504 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3505 	},
3506 	{
3507 		"helper access to packet: test16, cls helper fail range 1",
3508 		.insns = {
3509 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3510 				    offsetof(struct __sk_buff, data)),
3511 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3512 				    offsetof(struct __sk_buff, data_end)),
3513 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3514 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3515 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3516 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3517 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3518 			BPF_MOV64_IMM(BPF_REG_2, 8),
3519 			BPF_MOV64_IMM(BPF_REG_3, 0),
3520 			BPF_MOV64_IMM(BPF_REG_4, 0),
3521 			BPF_MOV64_IMM(BPF_REG_5, 0),
3522 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3523 				     BPF_FUNC_csum_diff),
3524 			BPF_MOV64_IMM(BPF_REG_0, 0),
3525 			BPF_EXIT_INSN(),
3526 		},
3527 		.result = REJECT,
3528 		.errstr = "invalid access to packet",
3529 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3530 	},
3531 	{
3532 		"helper access to packet: test17, cls helper fail range 2",
3533 		.insns = {
3534 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3535 				    offsetof(struct __sk_buff, data)),
3536 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3537 				    offsetof(struct __sk_buff, data_end)),
3538 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3539 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3540 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3541 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3542 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3543 			BPF_MOV64_IMM(BPF_REG_2, -9),
3544 			BPF_MOV64_IMM(BPF_REG_3, 0),
3545 			BPF_MOV64_IMM(BPF_REG_4, 0),
3546 			BPF_MOV64_IMM(BPF_REG_5, 0),
3547 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3548 				     BPF_FUNC_csum_diff),
3549 			BPF_MOV64_IMM(BPF_REG_0, 0),
3550 			BPF_EXIT_INSN(),
3551 		},
3552 		.result = REJECT,
3553 		.errstr = "R2 min value is negative",
3554 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3555 	},
3556 	{
3557 		"helper access to packet: test18, cls helper fail range 3",
3558 		.insns = {
3559 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3560 				    offsetof(struct __sk_buff, data)),
3561 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3562 				    offsetof(struct __sk_buff, data_end)),
3563 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3564 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3565 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3566 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3567 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3568 			BPF_MOV64_IMM(BPF_REG_2, ~0),
3569 			BPF_MOV64_IMM(BPF_REG_3, 0),
3570 			BPF_MOV64_IMM(BPF_REG_4, 0),
3571 			BPF_MOV64_IMM(BPF_REG_5, 0),
3572 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3573 				     BPF_FUNC_csum_diff),
3574 			BPF_MOV64_IMM(BPF_REG_0, 0),
3575 			BPF_EXIT_INSN(),
3576 		},
3577 		.result = REJECT,
3578 		.errstr = "R2 min value is negative",
3579 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3580 	},
3581 	{
3582 		"helper access to packet: test19, cls helper range zero",
3583 		.insns = {
3584 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3585 				    offsetof(struct __sk_buff, data)),
3586 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3587 				    offsetof(struct __sk_buff, data_end)),
3588 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3589 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3590 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3591 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3592 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3593 			BPF_MOV64_IMM(BPF_REG_2, 0),
3594 			BPF_MOV64_IMM(BPF_REG_3, 0),
3595 			BPF_MOV64_IMM(BPF_REG_4, 0),
3596 			BPF_MOV64_IMM(BPF_REG_5, 0),
3597 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3598 				     BPF_FUNC_csum_diff),
3599 			BPF_MOV64_IMM(BPF_REG_0, 0),
3600 			BPF_EXIT_INSN(),
3601 		},
3602 		.result = ACCEPT,
3603 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3604 	},
3605 	{
3606 		"helper access to packet: test20, pkt end as input",
3607 		.insns = {
3608 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3609 				    offsetof(struct __sk_buff, data)),
3610 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3611 				    offsetof(struct __sk_buff, data_end)),
3612 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3613 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3614 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3615 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3616 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
3617 			BPF_MOV64_IMM(BPF_REG_2, 4),
3618 			BPF_MOV64_IMM(BPF_REG_3, 0),
3619 			BPF_MOV64_IMM(BPF_REG_4, 0),
3620 			BPF_MOV64_IMM(BPF_REG_5, 0),
3621 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3622 				     BPF_FUNC_csum_diff),
3623 			BPF_MOV64_IMM(BPF_REG_0, 0),
3624 			BPF_EXIT_INSN(),
3625 		},
3626 		.result = REJECT,
3627 		.errstr = "R1 type=pkt_end expected=fp",
3628 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3629 	},
3630 	{
3631 		"helper access to packet: test21, wrong reg",
3632 		.insns = {
3633 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3634 				    offsetof(struct __sk_buff, data)),
3635 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3636 				    offsetof(struct __sk_buff, data_end)),
3637 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3638 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3639 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3640 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3641 			BPF_MOV64_IMM(BPF_REG_2, 4),
3642 			BPF_MOV64_IMM(BPF_REG_3, 0),
3643 			BPF_MOV64_IMM(BPF_REG_4, 0),
3644 			BPF_MOV64_IMM(BPF_REG_5, 0),
3645 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3646 				     BPF_FUNC_csum_diff),
3647 			BPF_MOV64_IMM(BPF_REG_0, 0),
3648 			BPF_EXIT_INSN(),
3649 		},
3650 		.result = REJECT,
3651 		.errstr = "invalid access to packet",
3652 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3653 	},
3654 	{
3655 		"valid map access into an array with a constant",
3656 		.insns = {
3657 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3658 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3659 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3660 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3661 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3662 				     BPF_FUNC_map_lookup_elem),
3663 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3664 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3665 				   offsetof(struct test_val, foo)),
3666 			BPF_EXIT_INSN(),
3667 		},
3668 		.fixup_map2 = { 3 },
3669 		.errstr_unpriv = "R0 leaks addr",
3670 		.result_unpriv = REJECT,
3671 		.result = ACCEPT,
3672 	},
3673 	{
3674 		"valid map access into an array with a register",
3675 		.insns = {
3676 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3677 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3678 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3679 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3680 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3681 				     BPF_FUNC_map_lookup_elem),
3682 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3683 			BPF_MOV64_IMM(BPF_REG_1, 4),
3684 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3685 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3686 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3687 				   offsetof(struct test_val, foo)),
3688 			BPF_EXIT_INSN(),
3689 		},
3690 		.fixup_map2 = { 3 },
3691 		.errstr_unpriv = "R0 leaks addr",
3692 		.result_unpriv = REJECT,
3693 		.result = ACCEPT,
3694 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3695 	},
3696 	{
3697 		"valid map access into an array with a variable",
3698 		.insns = {
3699 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3700 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3701 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3702 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3703 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3704 				     BPF_FUNC_map_lookup_elem),
3705 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3706 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3707 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
3708 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3709 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3710 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3711 				   offsetof(struct test_val, foo)),
3712 			BPF_EXIT_INSN(),
3713 		},
3714 		.fixup_map2 = { 3 },
3715 		.errstr_unpriv = "R0 leaks addr",
3716 		.result_unpriv = REJECT,
3717 		.result = ACCEPT,
3718 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3719 	},
3720 	{
3721 		"valid map access into an array with a signed variable",
3722 		.insns = {
3723 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3724 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3725 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3726 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3727 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3728 				     BPF_FUNC_map_lookup_elem),
3729 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
3730 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3731 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
3732 			BPF_MOV32_IMM(BPF_REG_1, 0),
3733 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3734 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3735 			BPF_MOV32_IMM(BPF_REG_1, 0),
3736 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3737 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3738 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3739 				   offsetof(struct test_val, foo)),
3740 			BPF_EXIT_INSN(),
3741 		},
3742 		.fixup_map2 = { 3 },
3743 		.errstr_unpriv = "R0 leaks addr",
3744 		.result_unpriv = REJECT,
3745 		.result = ACCEPT,
3746 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3747 	},
3748 	{
3749 		"invalid map access into an array with a constant",
3750 		.insns = {
3751 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3752 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3753 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3754 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3755 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3756 				     BPF_FUNC_map_lookup_elem),
3757 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3758 			BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
3759 				   offsetof(struct test_val, foo)),
3760 			BPF_EXIT_INSN(),
3761 		},
3762 		.fixup_map2 = { 3 },
3763 		.errstr = "invalid access to map value, value_size=48 off=48 size=8",
3764 		.result = REJECT,
3765 	},
3766 	{
3767 		"invalid map access into an array with a register",
3768 		.insns = {
3769 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3770 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3771 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3772 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3773 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3774 				     BPF_FUNC_map_lookup_elem),
3775 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3776 			BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
3777 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3778 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3779 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3780 				   offsetof(struct test_val, foo)),
3781 			BPF_EXIT_INSN(),
3782 		},
3783 		.fixup_map2 = { 3 },
3784 		.errstr = "R0 min value is outside of the array range",
3785 		.result = REJECT,
3786 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3787 	},
3788 	{
3789 		"invalid map access into an array with a variable",
3790 		.insns = {
3791 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3792 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3793 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3794 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3795 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3796 				     BPF_FUNC_map_lookup_elem),
3797 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3798 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3799 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3800 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3801 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3802 				   offsetof(struct test_val, foo)),
3803 			BPF_EXIT_INSN(),
3804 		},
3805 		.fixup_map2 = { 3 },
3806 		.errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
3807 		.result = REJECT,
3808 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3809 	},
3810 	{
3811 		"invalid map access into an array with no floor check",
3812 		.insns = {
3813 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3814 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3815 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3816 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3817 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3818 				     BPF_FUNC_map_lookup_elem),
3819 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3820 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
3821 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3822 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3823 			BPF_MOV32_IMM(BPF_REG_1, 0),
3824 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3825 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3826 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3827 				   offsetof(struct test_val, foo)),
3828 			BPF_EXIT_INSN(),
3829 		},
3830 		.fixup_map2 = { 3 },
3831 		.errstr_unpriv = "R0 leaks addr",
3832 		.errstr = "R0 unbounded memory access",
3833 		.result_unpriv = REJECT,
3834 		.result = REJECT,
3835 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3836 	},
3837 	{
3838 		"invalid map access into an array with a invalid max check",
3839 		.insns = {
3840 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3841 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3842 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3843 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3844 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3845 				     BPF_FUNC_map_lookup_elem),
3846 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3847 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3848 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
3849 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3850 			BPF_MOV32_IMM(BPF_REG_1, 0),
3851 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3852 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3853 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3854 				   offsetof(struct test_val, foo)),
3855 			BPF_EXIT_INSN(),
3856 		},
3857 		.fixup_map2 = { 3 },
3858 		.errstr_unpriv = "R0 leaks addr",
3859 		.errstr = "invalid access to map value, value_size=48 off=44 size=8",
3860 		.result_unpriv = REJECT,
3861 		.result = REJECT,
3862 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3863 	},
3864 	{
3865 		"invalid map access into an array with a invalid max check",
3866 		.insns = {
3867 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3868 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3869 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3870 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3871 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3872 				     BPF_FUNC_map_lookup_elem),
3873 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
3874 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
3875 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3876 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3877 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3878 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3879 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3880 				     BPF_FUNC_map_lookup_elem),
3881 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
3882 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
3883 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3884 				    offsetof(struct test_val, foo)),
3885 			BPF_EXIT_INSN(),
3886 		},
3887 		.fixup_map2 = { 3, 11 },
3888 		.errstr_unpriv = "R0 pointer += pointer",
3889 		.errstr = "R0 invalid mem access 'inv'",
3890 		.result_unpriv = REJECT,
3891 		.result = REJECT,
3892 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3893 	},
3894 	{
3895 		"multiple registers share map_lookup_elem result",
3896 		.insns = {
3897 			BPF_MOV64_IMM(BPF_REG_1, 10),
3898 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3899 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3900 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3901 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3902 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3903 				     BPF_FUNC_map_lookup_elem),
3904 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3905 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3906 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3907 			BPF_EXIT_INSN(),
3908 		},
3909 		.fixup_map1 = { 4 },
3910 		.result = ACCEPT,
3911 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
3912 	},
3913 	{
3914 		"alu ops on ptr_to_map_value_or_null, 1",
3915 		.insns = {
3916 			BPF_MOV64_IMM(BPF_REG_1, 10),
3917 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3918 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3919 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3920 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3921 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3922 				     BPF_FUNC_map_lookup_elem),
3923 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3924 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
3925 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
3926 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3927 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3928 			BPF_EXIT_INSN(),
3929 		},
3930 		.fixup_map1 = { 4 },
3931 		.errstr = "R4 invalid mem access",
3932 		.result = REJECT,
3933 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
3934 	},
3935 	{
3936 		"alu ops on ptr_to_map_value_or_null, 2",
3937 		.insns = {
3938 			BPF_MOV64_IMM(BPF_REG_1, 10),
3939 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3940 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3941 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3942 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3943 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3944 				     BPF_FUNC_map_lookup_elem),
3945 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3946 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
3947 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3948 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3949 			BPF_EXIT_INSN(),
3950 		},
3951 		.fixup_map1 = { 4 },
3952 		.errstr = "R4 invalid mem access",
3953 		.result = REJECT,
3954 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
3955 	},
3956 	{
3957 		"alu ops on ptr_to_map_value_or_null, 3",
3958 		.insns = {
3959 			BPF_MOV64_IMM(BPF_REG_1, 10),
3960 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3961 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3962 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3963 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3964 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3965 				     BPF_FUNC_map_lookup_elem),
3966 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3967 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
3968 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3969 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3970 			BPF_EXIT_INSN(),
3971 		},
3972 		.fixup_map1 = { 4 },
3973 		.errstr = "R4 invalid mem access",
3974 		.result = REJECT,
3975 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
3976 	},
3977 	{
3978 		"invalid memory access with multiple map_lookup_elem calls",
3979 		.insns = {
3980 			BPF_MOV64_IMM(BPF_REG_1, 10),
3981 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3982 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3983 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3984 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3985 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
3986 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
3987 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3988 				     BPF_FUNC_map_lookup_elem),
3989 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3990 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
3991 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3992 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3993 				     BPF_FUNC_map_lookup_elem),
3994 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3995 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3996 			BPF_EXIT_INSN(),
3997 		},
3998 		.fixup_map1 = { 4 },
3999 		.result = REJECT,
4000 		.errstr = "R4 !read_ok",
4001 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4002 	},
4003 	{
4004 		"valid indirect map_lookup_elem access with 2nd lookup in branch",
4005 		.insns = {
4006 			BPF_MOV64_IMM(BPF_REG_1, 10),
4007 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4008 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4009 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4010 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4011 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4012 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4013 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4014 				     BPF_FUNC_map_lookup_elem),
4015 			BPF_MOV64_IMM(BPF_REG_2, 10),
4016 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4017 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4018 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4019 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4020 				     BPF_FUNC_map_lookup_elem),
4021 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4022 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4023 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4024 			BPF_EXIT_INSN(),
4025 		},
4026 		.fixup_map1 = { 4 },
4027 		.result = ACCEPT,
4028 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4029 	},
4030 	{
4031 		"invalid map access from else condition",
4032 		.insns = {
4033 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4034 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4035 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4036 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4037 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4038 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4039 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4040 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4041 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4042 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4043 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4044 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4045 			BPF_EXIT_INSN(),
4046 		},
4047 		.fixup_map2 = { 3 },
4048 		.errstr = "R0 unbounded memory access",
4049 		.result = REJECT,
4050 		.errstr_unpriv = "R0 leaks addr",
4051 		.result_unpriv = REJECT,
4052 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4053 	},
4054 	{
4055 		"constant register |= constant should keep constant type",
4056 		.insns = {
4057 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4058 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4059 			BPF_MOV64_IMM(BPF_REG_2, 34),
4060 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4061 			BPF_MOV64_IMM(BPF_REG_3, 0),
4062 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4063 			BPF_EXIT_INSN(),
4064 		},
4065 		.result = ACCEPT,
4066 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4067 	},
4068 	{
4069 		"constant register |= constant should not bypass stack boundary checks",
4070 		.insns = {
4071 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4072 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4073 			BPF_MOV64_IMM(BPF_REG_2, 34),
4074 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4075 			BPF_MOV64_IMM(BPF_REG_3, 0),
4076 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4077 			BPF_EXIT_INSN(),
4078 		},
4079 		.errstr = "invalid stack type R1 off=-48 access_size=58",
4080 		.result = REJECT,
4081 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4082 	},
4083 	{
4084 		"constant register |= constant register should keep constant type",
4085 		.insns = {
4086 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4087 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4088 			BPF_MOV64_IMM(BPF_REG_2, 34),
4089 			BPF_MOV64_IMM(BPF_REG_4, 13),
4090 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4091 			BPF_MOV64_IMM(BPF_REG_3, 0),
4092 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4093 			BPF_EXIT_INSN(),
4094 		},
4095 		.result = ACCEPT,
4096 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4097 	},
4098 	{
4099 		"constant register |= constant register should not bypass stack boundary checks",
4100 		.insns = {
4101 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4102 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4103 			BPF_MOV64_IMM(BPF_REG_2, 34),
4104 			BPF_MOV64_IMM(BPF_REG_4, 24),
4105 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4106 			BPF_MOV64_IMM(BPF_REG_3, 0),
4107 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4108 			BPF_EXIT_INSN(),
4109 		},
4110 		.errstr = "invalid stack type R1 off=-48 access_size=58",
4111 		.result = REJECT,
4112 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4113 	},
4114 	{
4115 		"invalid direct packet write for LWT_IN",
4116 		.insns = {
4117 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4118 				    offsetof(struct __sk_buff, data)),
4119 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4120 				    offsetof(struct __sk_buff, data_end)),
4121 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4122 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4123 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4124 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4125 			BPF_MOV64_IMM(BPF_REG_0, 0),
4126 			BPF_EXIT_INSN(),
4127 		},
4128 		.errstr = "cannot write into packet",
4129 		.result = REJECT,
4130 		.prog_type = BPF_PROG_TYPE_LWT_IN,
4131 	},
4132 	{
4133 		"invalid direct packet write for LWT_OUT",
4134 		.insns = {
4135 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4136 				    offsetof(struct __sk_buff, data)),
4137 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4138 				    offsetof(struct __sk_buff, data_end)),
4139 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4140 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4141 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4142 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4143 			BPF_MOV64_IMM(BPF_REG_0, 0),
4144 			BPF_EXIT_INSN(),
4145 		},
4146 		.errstr = "cannot write into packet",
4147 		.result = REJECT,
4148 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
4149 	},
4150 	{
4151 		"direct packet write for LWT_XMIT",
4152 		.insns = {
4153 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4154 				    offsetof(struct __sk_buff, data)),
4155 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4156 				    offsetof(struct __sk_buff, data_end)),
4157 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4158 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4159 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4160 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4161 			BPF_MOV64_IMM(BPF_REG_0, 0),
4162 			BPF_EXIT_INSN(),
4163 		},
4164 		.result = ACCEPT,
4165 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4166 	},
4167 	{
4168 		"direct packet read for LWT_IN",
4169 		.insns = {
4170 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4171 				    offsetof(struct __sk_buff, data)),
4172 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4173 				    offsetof(struct __sk_buff, data_end)),
4174 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4175 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4176 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4177 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4178 			BPF_MOV64_IMM(BPF_REG_0, 0),
4179 			BPF_EXIT_INSN(),
4180 		},
4181 		.result = ACCEPT,
4182 		.prog_type = BPF_PROG_TYPE_LWT_IN,
4183 	},
4184 	{
4185 		"direct packet read for LWT_OUT",
4186 		.insns = {
4187 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4188 				    offsetof(struct __sk_buff, data)),
4189 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4190 				    offsetof(struct __sk_buff, data_end)),
4191 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4192 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4193 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4194 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4195 			BPF_MOV64_IMM(BPF_REG_0, 0),
4196 			BPF_EXIT_INSN(),
4197 		},
4198 		.result = ACCEPT,
4199 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
4200 	},
4201 	{
4202 		"direct packet read for LWT_XMIT",
4203 		.insns = {
4204 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4205 				    offsetof(struct __sk_buff, data)),
4206 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4207 				    offsetof(struct __sk_buff, data_end)),
4208 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4209 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4210 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4211 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4212 			BPF_MOV64_IMM(BPF_REG_0, 0),
4213 			BPF_EXIT_INSN(),
4214 		},
4215 		.result = ACCEPT,
4216 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4217 	},
4218 	{
4219 		"overlapping checks for direct packet access",
4220 		.insns = {
4221 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4222 				    offsetof(struct __sk_buff, data)),
4223 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4224 				    offsetof(struct __sk_buff, data_end)),
4225 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4226 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4227 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4228 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4229 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4230 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4231 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4232 			BPF_MOV64_IMM(BPF_REG_0, 0),
4233 			BPF_EXIT_INSN(),
4234 		},
4235 		.result = ACCEPT,
4236 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4237 	},
4238 	{
4239 		"invalid access of tc_classid for LWT_IN",
4240 		.insns = {
4241 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4242 				    offsetof(struct __sk_buff, tc_classid)),
4243 			BPF_EXIT_INSN(),
4244 		},
4245 		.result = REJECT,
4246 		.errstr = "invalid bpf_context access",
4247 	},
4248 	{
4249 		"invalid access of tc_classid for LWT_OUT",
4250 		.insns = {
4251 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4252 				    offsetof(struct __sk_buff, tc_classid)),
4253 			BPF_EXIT_INSN(),
4254 		},
4255 		.result = REJECT,
4256 		.errstr = "invalid bpf_context access",
4257 	},
4258 	{
4259 		"invalid access of tc_classid for LWT_XMIT",
4260 		.insns = {
4261 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4262 				    offsetof(struct __sk_buff, tc_classid)),
4263 			BPF_EXIT_INSN(),
4264 		},
4265 		.result = REJECT,
4266 		.errstr = "invalid bpf_context access",
4267 	},
4268 	{
4269 		"leak pointer into ctx 1",
4270 		.insns = {
4271 			BPF_MOV64_IMM(BPF_REG_0, 0),
4272 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4273 				    offsetof(struct __sk_buff, cb[0])),
4274 			BPF_LD_MAP_FD(BPF_REG_2, 0),
4275 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
4276 				      offsetof(struct __sk_buff, cb[0])),
4277 			BPF_EXIT_INSN(),
4278 		},
4279 		.fixup_map1 = { 2 },
4280 		.errstr_unpriv = "R2 leaks addr into mem",
4281 		.result_unpriv = REJECT,
4282 		.result = ACCEPT,
4283 	},
4284 	{
4285 		"leak pointer into ctx 2",
4286 		.insns = {
4287 			BPF_MOV64_IMM(BPF_REG_0, 0),
4288 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4289 				    offsetof(struct __sk_buff, cb[0])),
4290 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
4291 				      offsetof(struct __sk_buff, cb[0])),
4292 			BPF_EXIT_INSN(),
4293 		},
4294 		.errstr_unpriv = "R10 leaks addr into mem",
4295 		.result_unpriv = REJECT,
4296 		.result = ACCEPT,
4297 	},
4298 	{
4299 		"leak pointer into ctx 3",
4300 		.insns = {
4301 			BPF_MOV64_IMM(BPF_REG_0, 0),
4302 			BPF_LD_MAP_FD(BPF_REG_2, 0),
4303 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
4304 				      offsetof(struct __sk_buff, cb[0])),
4305 			BPF_EXIT_INSN(),
4306 		},
4307 		.fixup_map1 = { 1 },
4308 		.errstr_unpriv = "R2 leaks addr into ctx",
4309 		.result_unpriv = REJECT,
4310 		.result = ACCEPT,
4311 	},
4312 	{
4313 		"leak pointer into map val",
4314 		.insns = {
4315 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
4316 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4317 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4318 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4319 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4320 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4321 				     BPF_FUNC_map_lookup_elem),
4322 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4323 			BPF_MOV64_IMM(BPF_REG_3, 0),
4324 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
4325 			BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
4326 			BPF_MOV64_IMM(BPF_REG_0, 0),
4327 			BPF_EXIT_INSN(),
4328 		},
4329 		.fixup_map1 = { 4 },
4330 		.errstr_unpriv = "R6 leaks addr into mem",
4331 		.result_unpriv = REJECT,
4332 		.result = ACCEPT,
4333 	},
4334 	{
4335 		"helper access to map: full range",
4336 		.insns = {
4337 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4338 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4339 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4340 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4341 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4342 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4343 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4344 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4345 			BPF_MOV64_IMM(BPF_REG_3, 0),
4346 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4347 			BPF_EXIT_INSN(),
4348 		},
4349 		.fixup_map2 = { 3 },
4350 		.result = ACCEPT,
4351 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4352 	},
4353 	{
4354 		"helper access to map: partial range",
4355 		.insns = {
4356 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4357 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4358 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4359 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4360 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4361 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4362 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4363 			BPF_MOV64_IMM(BPF_REG_2, 8),
4364 			BPF_MOV64_IMM(BPF_REG_3, 0),
4365 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4366 			BPF_EXIT_INSN(),
4367 		},
4368 		.fixup_map2 = { 3 },
4369 		.result = ACCEPT,
4370 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4371 	},
4372 	{
4373 		"helper access to map: empty range",
4374 		.insns = {
4375 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4376 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4377 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4378 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4379 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4380 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4381 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4382 			BPF_MOV64_IMM(BPF_REG_2, 0),
4383 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4384 			BPF_EXIT_INSN(),
4385 		},
4386 		.fixup_map2 = { 3 },
4387 		.errstr = "invalid access to map value, value_size=48 off=0 size=0",
4388 		.result = REJECT,
4389 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4390 	},
4391 	{
4392 		"helper access to map: out-of-bound range",
4393 		.insns = {
4394 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4395 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4396 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4397 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4398 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4399 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4400 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4401 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
4402 			BPF_MOV64_IMM(BPF_REG_3, 0),
4403 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4404 			BPF_EXIT_INSN(),
4405 		},
4406 		.fixup_map2 = { 3 },
4407 		.errstr = "invalid access to map value, value_size=48 off=0 size=56",
4408 		.result = REJECT,
4409 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4410 	},
4411 	{
4412 		"helper access to map: negative range",
4413 		.insns = {
4414 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4415 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4416 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4417 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4418 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4419 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4420 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4421 			BPF_MOV64_IMM(BPF_REG_2, -8),
4422 			BPF_MOV64_IMM(BPF_REG_3, 0),
4423 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4424 			BPF_EXIT_INSN(),
4425 		},
4426 		.fixup_map2 = { 3 },
4427 		.errstr = "R2 min value is negative",
4428 		.result = REJECT,
4429 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4430 	},
4431 	{
4432 		"helper access to adjusted map (via const imm): full range",
4433 		.insns = {
4434 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4435 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4436 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4437 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4438 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4439 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4440 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4441 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4442 				offsetof(struct test_val, foo)),
4443 			BPF_MOV64_IMM(BPF_REG_2,
4444 				sizeof(struct test_val) -
4445 				offsetof(struct test_val, foo)),
4446 			BPF_MOV64_IMM(BPF_REG_3, 0),
4447 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4448 			BPF_EXIT_INSN(),
4449 		},
4450 		.fixup_map2 = { 3 },
4451 		.result = ACCEPT,
4452 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4453 	},
4454 	{
4455 		"helper access to adjusted map (via const imm): partial range",
4456 		.insns = {
4457 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4458 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4459 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4460 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4461 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4462 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4463 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4464 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4465 				offsetof(struct test_val, foo)),
4466 			BPF_MOV64_IMM(BPF_REG_2, 8),
4467 			BPF_MOV64_IMM(BPF_REG_3, 0),
4468 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4469 			BPF_EXIT_INSN(),
4470 		},
4471 		.fixup_map2 = { 3 },
4472 		.result = ACCEPT,
4473 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4474 	},
4475 	{
4476 		"helper access to adjusted map (via const imm): empty range",
4477 		.insns = {
4478 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4479 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4480 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4481 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4482 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4483 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4484 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4485 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4486 				offsetof(struct test_val, foo)),
4487 			BPF_MOV64_IMM(BPF_REG_2, 0),
4488 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4489 			BPF_EXIT_INSN(),
4490 		},
4491 		.fixup_map2 = { 3 },
4492 		.errstr = "invalid access to map value, value_size=48 off=4 size=0",
4493 		.result = REJECT,
4494 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4495 	},
4496 	{
4497 		"helper access to adjusted map (via const imm): out-of-bound range",
4498 		.insns = {
4499 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4500 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4501 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4502 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4503 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4504 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4505 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4506 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4507 				offsetof(struct test_val, foo)),
4508 			BPF_MOV64_IMM(BPF_REG_2,
4509 				sizeof(struct test_val) -
4510 				offsetof(struct test_val, foo) + 8),
4511 			BPF_MOV64_IMM(BPF_REG_3, 0),
4512 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4513 			BPF_EXIT_INSN(),
4514 		},
4515 		.fixup_map2 = { 3 },
4516 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
4517 		.result = REJECT,
4518 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4519 	},
4520 	{
4521 		"helper access to adjusted map (via const imm): negative range (> adjustment)",
4522 		.insns = {
4523 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4524 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4525 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4526 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4527 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4528 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4529 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4530 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4531 				offsetof(struct test_val, foo)),
4532 			BPF_MOV64_IMM(BPF_REG_2, -8),
4533 			BPF_MOV64_IMM(BPF_REG_3, 0),
4534 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4535 			BPF_EXIT_INSN(),
4536 		},
4537 		.fixup_map2 = { 3 },
4538 		.errstr = "R2 min value is negative",
4539 		.result = REJECT,
4540 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4541 	},
4542 	{
4543 		"helper access to adjusted map (via const imm): negative range (< adjustment)",
4544 		.insns = {
4545 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4546 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4547 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4548 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4549 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4550 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4551 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4552 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4553 				offsetof(struct test_val, foo)),
4554 			BPF_MOV64_IMM(BPF_REG_2, -1),
4555 			BPF_MOV64_IMM(BPF_REG_3, 0),
4556 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4557 			BPF_EXIT_INSN(),
4558 		},
4559 		.fixup_map2 = { 3 },
4560 		.errstr = "R2 min value is negative",
4561 		.result = REJECT,
4562 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4563 	},
4564 	{
4565 		"helper access to adjusted map (via const reg): full range",
4566 		.insns = {
4567 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4568 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4569 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4570 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4571 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4572 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4573 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4574 			BPF_MOV64_IMM(BPF_REG_3,
4575 				offsetof(struct test_val, foo)),
4576 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4577 			BPF_MOV64_IMM(BPF_REG_2,
4578 				sizeof(struct test_val) -
4579 				offsetof(struct test_val, foo)),
4580 			BPF_MOV64_IMM(BPF_REG_3, 0),
4581 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4582 			BPF_EXIT_INSN(),
4583 		},
4584 		.fixup_map2 = { 3 },
4585 		.result = ACCEPT,
4586 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4587 	},
4588 	{
4589 		"helper access to adjusted map (via const reg): partial range",
4590 		.insns = {
4591 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4592 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4593 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4594 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4595 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4596 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4597 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4598 			BPF_MOV64_IMM(BPF_REG_3,
4599 				offsetof(struct test_val, foo)),
4600 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4601 			BPF_MOV64_IMM(BPF_REG_2, 8),
4602 			BPF_MOV64_IMM(BPF_REG_3, 0),
4603 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4604 			BPF_EXIT_INSN(),
4605 		},
4606 		.fixup_map2 = { 3 },
4607 		.result = ACCEPT,
4608 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4609 	},
4610 	{
4611 		"helper access to adjusted map (via const reg): empty range",
4612 		.insns = {
4613 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4614 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4615 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4616 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4617 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4618 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4619 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4620 			BPF_MOV64_IMM(BPF_REG_3, 0),
4621 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4622 			BPF_MOV64_IMM(BPF_REG_2, 0),
4623 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4624 			BPF_EXIT_INSN(),
4625 		},
4626 		.fixup_map2 = { 3 },
4627 		.errstr = "R1 min value is outside of the array range",
4628 		.result = REJECT,
4629 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4630 	},
4631 	{
4632 		"helper access to adjusted map (via const reg): out-of-bound range",
4633 		.insns = {
4634 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4635 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4636 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4637 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4638 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4639 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4640 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4641 			BPF_MOV64_IMM(BPF_REG_3,
4642 				offsetof(struct test_val, foo)),
4643 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4644 			BPF_MOV64_IMM(BPF_REG_2,
4645 				sizeof(struct test_val) -
4646 				offsetof(struct test_val, foo) + 8),
4647 			BPF_MOV64_IMM(BPF_REG_3, 0),
4648 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4649 			BPF_EXIT_INSN(),
4650 		},
4651 		.fixup_map2 = { 3 },
4652 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
4653 		.result = REJECT,
4654 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4655 	},
4656 	{
4657 		"helper access to adjusted map (via const reg): negative range (> adjustment)",
4658 		.insns = {
4659 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4660 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4661 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4662 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4663 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4664 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4665 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4666 			BPF_MOV64_IMM(BPF_REG_3,
4667 				offsetof(struct test_val, foo)),
4668 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4669 			BPF_MOV64_IMM(BPF_REG_2, -8),
4670 			BPF_MOV64_IMM(BPF_REG_3, 0),
4671 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4672 			BPF_EXIT_INSN(),
4673 		},
4674 		.fixup_map2 = { 3 },
4675 		.errstr = "R2 min value is negative",
4676 		.result = REJECT,
4677 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4678 	},
4679 	{
4680 		"helper access to adjusted map (via const reg): negative range (< adjustment)",
4681 		.insns = {
4682 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4683 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4684 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4685 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4686 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4687 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4688 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4689 			BPF_MOV64_IMM(BPF_REG_3,
4690 				offsetof(struct test_val, foo)),
4691 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4692 			BPF_MOV64_IMM(BPF_REG_2, -1),
4693 			BPF_MOV64_IMM(BPF_REG_3, 0),
4694 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4695 			BPF_EXIT_INSN(),
4696 		},
4697 		.fixup_map2 = { 3 },
4698 		.errstr = "R2 min value is negative",
4699 		.result = REJECT,
4700 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4701 	},
4702 	{
4703 		"helper access to adjusted map (via variable): full range",
4704 		.insns = {
4705 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4706 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4707 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4708 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4709 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4710 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4711 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4712 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4713 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4714 				offsetof(struct test_val, foo), 4),
4715 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4716 			BPF_MOV64_IMM(BPF_REG_2,
4717 				sizeof(struct test_val) -
4718 				offsetof(struct test_val, foo)),
4719 			BPF_MOV64_IMM(BPF_REG_3, 0),
4720 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4721 			BPF_EXIT_INSN(),
4722 		},
4723 		.fixup_map2 = { 3 },
4724 		.result = ACCEPT,
4725 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4726 	},
4727 	{
4728 		"helper access to adjusted map (via variable): partial range",
4729 		.insns = {
4730 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4731 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4732 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4733 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4734 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4735 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4736 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4737 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4738 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4739 				offsetof(struct test_val, foo), 4),
4740 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4741 			BPF_MOV64_IMM(BPF_REG_2, 8),
4742 			BPF_MOV64_IMM(BPF_REG_3, 0),
4743 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4744 			BPF_EXIT_INSN(),
4745 		},
4746 		.fixup_map2 = { 3 },
4747 		.result = ACCEPT,
4748 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4749 	},
4750 	{
4751 		"helper access to adjusted map (via variable): empty range",
4752 		.insns = {
4753 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4754 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4755 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4756 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4757 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4758 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4759 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4760 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4761 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4762 				offsetof(struct test_val, foo), 3),
4763 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4764 			BPF_MOV64_IMM(BPF_REG_2, 0),
4765 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4766 			BPF_EXIT_INSN(),
4767 		},
4768 		.fixup_map2 = { 3 },
4769 		.errstr = "R1 min value is outside of the array range",
4770 		.result = REJECT,
4771 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4772 	},
4773 	{
4774 		"helper access to adjusted map (via variable): no max check",
4775 		.insns = {
4776 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4777 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4778 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4779 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4780 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4781 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4782 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4783 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4784 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4785 			BPF_MOV64_IMM(BPF_REG_2, 1),
4786 			BPF_MOV64_IMM(BPF_REG_3, 0),
4787 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4788 			BPF_EXIT_INSN(),
4789 		},
4790 		.fixup_map2 = { 3 },
4791 		.errstr = "R1 unbounded memory access",
4792 		.result = REJECT,
4793 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4794 	},
4795 	{
4796 		"helper access to adjusted map (via variable): wrong max check",
4797 		.insns = {
4798 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4799 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4800 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4801 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4802 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4803 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4804 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4805 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4806 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4807 				offsetof(struct test_val, foo), 4),
4808 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4809 			BPF_MOV64_IMM(BPF_REG_2,
4810 				sizeof(struct test_val) -
4811 				offsetof(struct test_val, foo) + 1),
4812 			BPF_MOV64_IMM(BPF_REG_3, 0),
4813 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4814 			BPF_EXIT_INSN(),
4815 		},
4816 		.fixup_map2 = { 3 },
4817 		.errstr = "invalid access to map value, value_size=48 off=4 size=45",
4818 		.result = REJECT,
4819 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4820 	},
4821 	{
4822 		"helper access to map: bounds check using <, good access",
4823 		.insns = {
4824 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4825 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4826 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4827 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4828 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4829 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4830 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4831 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4832 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
4833 			BPF_MOV64_IMM(BPF_REG_0, 0),
4834 			BPF_EXIT_INSN(),
4835 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4836 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4837 			BPF_MOV64_IMM(BPF_REG_0, 0),
4838 			BPF_EXIT_INSN(),
4839 		},
4840 		.fixup_map2 = { 3 },
4841 		.result = ACCEPT,
4842 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4843 	},
4844 	{
4845 		"helper access to map: bounds check using <, bad access",
4846 		.insns = {
4847 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4848 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4849 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4850 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4851 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4852 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4853 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4854 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4855 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
4856 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4857 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4858 			BPF_MOV64_IMM(BPF_REG_0, 0),
4859 			BPF_EXIT_INSN(),
4860 			BPF_MOV64_IMM(BPF_REG_0, 0),
4861 			BPF_EXIT_INSN(),
4862 		},
4863 		.fixup_map2 = { 3 },
4864 		.result = REJECT,
4865 		.errstr = "R1 unbounded memory access",
4866 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4867 	},
4868 	{
4869 		"helper access to map: bounds check using <=, good access",
4870 		.insns = {
4871 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4872 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4873 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4874 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4875 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4876 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4877 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4878 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4879 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
4880 			BPF_MOV64_IMM(BPF_REG_0, 0),
4881 			BPF_EXIT_INSN(),
4882 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4883 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4884 			BPF_MOV64_IMM(BPF_REG_0, 0),
4885 			BPF_EXIT_INSN(),
4886 		},
4887 		.fixup_map2 = { 3 },
4888 		.result = ACCEPT,
4889 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4890 	},
4891 	{
4892 		"helper access to map: bounds check using <=, bad access",
4893 		.insns = {
4894 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4895 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4896 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4897 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4898 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4899 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4900 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4901 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4902 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
4903 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4904 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4905 			BPF_MOV64_IMM(BPF_REG_0, 0),
4906 			BPF_EXIT_INSN(),
4907 			BPF_MOV64_IMM(BPF_REG_0, 0),
4908 			BPF_EXIT_INSN(),
4909 		},
4910 		.fixup_map2 = { 3 },
4911 		.result = REJECT,
4912 		.errstr = "R1 unbounded memory access",
4913 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4914 	},
4915 	{
4916 		"helper access to map: bounds check using s<, good access",
4917 		.insns = {
4918 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4919 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4920 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4921 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4922 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4923 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4924 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4925 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4926 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4927 			BPF_MOV64_IMM(BPF_REG_0, 0),
4928 			BPF_EXIT_INSN(),
4929 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
4930 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4931 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4932 			BPF_MOV64_IMM(BPF_REG_0, 0),
4933 			BPF_EXIT_INSN(),
4934 		},
4935 		.fixup_map2 = { 3 },
4936 		.result = ACCEPT,
4937 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4938 	},
4939 	{
4940 		"helper access to map: bounds check using s<, good access 2",
4941 		.insns = {
4942 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4943 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4944 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4945 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4946 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4947 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4948 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4949 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4950 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4951 			BPF_MOV64_IMM(BPF_REG_0, 0),
4952 			BPF_EXIT_INSN(),
4953 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
4954 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4955 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4956 			BPF_MOV64_IMM(BPF_REG_0, 0),
4957 			BPF_EXIT_INSN(),
4958 		},
4959 		.fixup_map2 = { 3 },
4960 		.result = ACCEPT,
4961 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4962 	},
4963 	{
4964 		"helper access to map: bounds check using s<, bad access",
4965 		.insns = {
4966 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4967 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4968 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4969 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4970 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4971 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4972 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4973 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
4974 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4975 			BPF_MOV64_IMM(BPF_REG_0, 0),
4976 			BPF_EXIT_INSN(),
4977 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
4978 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4979 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4980 			BPF_MOV64_IMM(BPF_REG_0, 0),
4981 			BPF_EXIT_INSN(),
4982 		},
4983 		.fixup_map2 = { 3 },
4984 		.result = REJECT,
4985 		.errstr = "R1 min value is negative",
4986 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4987 	},
4988 	{
4989 		"helper access to map: bounds check using s<=, good access",
4990 		.insns = {
4991 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4992 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4993 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4994 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4995 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4996 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4997 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4998 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4999 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5000 			BPF_MOV64_IMM(BPF_REG_0, 0),
5001 			BPF_EXIT_INSN(),
5002 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5003 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5004 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5005 			BPF_MOV64_IMM(BPF_REG_0, 0),
5006 			BPF_EXIT_INSN(),
5007 		},
5008 		.fixup_map2 = { 3 },
5009 		.result = ACCEPT,
5010 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5011 	},
5012 	{
5013 		"helper access to map: bounds check using s<=, good access 2",
5014 		.insns = {
5015 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5016 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5017 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5018 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5019 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5020 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5021 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5022 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5023 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5024 			BPF_MOV64_IMM(BPF_REG_0, 0),
5025 			BPF_EXIT_INSN(),
5026 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5027 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5028 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5029 			BPF_MOV64_IMM(BPF_REG_0, 0),
5030 			BPF_EXIT_INSN(),
5031 		},
5032 		.fixup_map2 = { 3 },
5033 		.result = ACCEPT,
5034 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5035 	},
5036 	{
5037 		"helper access to map: bounds check using s<=, bad access",
5038 		.insns = {
5039 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5040 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5041 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5042 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5043 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5044 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5045 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5046 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5047 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5048 			BPF_MOV64_IMM(BPF_REG_0, 0),
5049 			BPF_EXIT_INSN(),
5050 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5051 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5052 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5053 			BPF_MOV64_IMM(BPF_REG_0, 0),
5054 			BPF_EXIT_INSN(),
5055 		},
5056 		.fixup_map2 = { 3 },
5057 		.result = REJECT,
5058 		.errstr = "R1 min value is negative",
5059 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5060 	},
5061 	{
5062 		"map element value is preserved across register spilling",
5063 		.insns = {
5064 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5065 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5066 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5067 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5068 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5069 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5070 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5071 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5072 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5073 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5074 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5075 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5076 			BPF_EXIT_INSN(),
5077 		},
5078 		.fixup_map2 = { 3 },
5079 		.errstr_unpriv = "R0 leaks addr",
5080 		.result = ACCEPT,
5081 		.result_unpriv = REJECT,
5082 	},
5083 	{
5084 		"map element value or null is marked on register spilling",
5085 		.insns = {
5086 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5087 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5088 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5089 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5090 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5091 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5092 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
5093 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5094 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5095 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5096 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5097 			BPF_EXIT_INSN(),
5098 		},
5099 		.fixup_map2 = { 3 },
5100 		.errstr_unpriv = "R0 leaks addr",
5101 		.result = ACCEPT,
5102 		.result_unpriv = REJECT,
5103 	},
5104 	{
5105 		"map element value store of cleared call register",
5106 		.insns = {
5107 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5108 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5109 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5110 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5111 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5112 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5113 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
5114 			BPF_EXIT_INSN(),
5115 		},
5116 		.fixup_map2 = { 3 },
5117 		.errstr_unpriv = "R1 !read_ok",
5118 		.errstr = "R1 !read_ok",
5119 		.result = REJECT,
5120 		.result_unpriv = REJECT,
5121 	},
5122 	{
5123 		"map element value with unaligned store",
5124 		.insns = {
5125 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5126 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5127 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5128 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5129 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5130 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
5131 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5132 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5133 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
5134 			BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
5135 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5136 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
5137 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
5138 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
5139 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
5140 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
5141 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
5142 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
5143 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
5144 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
5145 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
5146 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
5147 			BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
5148 			BPF_EXIT_INSN(),
5149 		},
5150 		.fixup_map2 = { 3 },
5151 		.errstr_unpriv = "R0 leaks addr",
5152 		.result = ACCEPT,
5153 		.result_unpriv = REJECT,
5154 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5155 	},
5156 	{
5157 		"map element value with unaligned load",
5158 		.insns = {
5159 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5160 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5161 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5162 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5163 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5164 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5165 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5166 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
5167 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5168 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5169 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
5170 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5171 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
5172 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
5173 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
5174 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5175 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
5176 			BPF_EXIT_INSN(),
5177 		},
5178 		.fixup_map2 = { 3 },
5179 		.errstr_unpriv = "R0 leaks addr",
5180 		.result = ACCEPT,
5181 		.result_unpriv = REJECT,
5182 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5183 	},
5184 	{
5185 		"map element value illegal alu op, 1",
5186 		.insns = {
5187 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5188 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5189 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5190 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5191 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5192 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5193 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
5194 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5195 			BPF_EXIT_INSN(),
5196 		},
5197 		.fixup_map2 = { 3 },
5198 		.errstr_unpriv = "R0 bitwise operator &= on pointer",
5199 		.errstr = "invalid mem access 'inv'",
5200 		.result = REJECT,
5201 		.result_unpriv = REJECT,
5202 	},
5203 	{
5204 		"map element value illegal alu op, 2",
5205 		.insns = {
5206 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5207 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5208 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5209 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5210 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5211 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5212 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
5213 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5214 			BPF_EXIT_INSN(),
5215 		},
5216 		.fixup_map2 = { 3 },
5217 		.errstr_unpriv = "R0 32-bit pointer arithmetic prohibited",
5218 		.errstr = "invalid mem access 'inv'",
5219 		.result = REJECT,
5220 		.result_unpriv = REJECT,
5221 	},
5222 	{
5223 		"map element value illegal alu op, 3",
5224 		.insns = {
5225 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5226 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5227 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5228 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5229 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5230 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5231 			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
5232 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5233 			BPF_EXIT_INSN(),
5234 		},
5235 		.fixup_map2 = { 3 },
5236 		.errstr_unpriv = "R0 pointer arithmetic with /= operator",
5237 		.errstr = "invalid mem access 'inv'",
5238 		.result = REJECT,
5239 		.result_unpriv = REJECT,
5240 	},
5241 	{
5242 		"map element value illegal alu op, 4",
5243 		.insns = {
5244 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5245 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5246 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5247 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5248 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5249 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5250 			BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
5251 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5252 			BPF_EXIT_INSN(),
5253 		},
5254 		.fixup_map2 = { 3 },
5255 		.errstr_unpriv = "R0 pointer arithmetic prohibited",
5256 		.errstr = "invalid mem access 'inv'",
5257 		.result = REJECT,
5258 		.result_unpriv = REJECT,
5259 	},
5260 	{
5261 		"map element value illegal alu op, 5",
5262 		.insns = {
5263 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5264 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5265 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5266 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5267 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5268 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5269 			BPF_MOV64_IMM(BPF_REG_3, 4096),
5270 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5271 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5272 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5273 			BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
5274 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
5275 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5276 			BPF_EXIT_INSN(),
5277 		},
5278 		.fixup_map2 = { 3 },
5279 		.errstr = "R0 invalid mem access 'inv'",
5280 		.result = REJECT,
5281 	},
5282 	{
5283 		"map element value is preserved across register spilling",
5284 		.insns = {
5285 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5286 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5287 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5288 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5289 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5290 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5291 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
5292 				offsetof(struct test_val, foo)),
5293 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5294 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5295 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5296 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5297 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5298 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5299 			BPF_EXIT_INSN(),
5300 		},
5301 		.fixup_map2 = { 3 },
5302 		.errstr_unpriv = "R0 leaks addr",
5303 		.result = ACCEPT,
5304 		.result_unpriv = REJECT,
5305 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5306 	},
5307 	{
5308 		"helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
5309 		.insns = {
5310 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5311 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5312 			BPF_MOV64_IMM(BPF_REG_0, 0),
5313 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5314 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5315 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5316 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5317 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5318 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5319 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5320 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5321 			BPF_MOV64_IMM(BPF_REG_2, 16),
5322 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5323 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5324 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5325 			BPF_MOV64_IMM(BPF_REG_4, 0),
5326 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5327 			BPF_MOV64_IMM(BPF_REG_3, 0),
5328 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5329 			BPF_MOV64_IMM(BPF_REG_0, 0),
5330 			BPF_EXIT_INSN(),
5331 		},
5332 		.result = ACCEPT,
5333 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5334 	},
5335 	{
5336 		"helper access to variable memory: stack, bitwise AND, zero included",
5337 		.insns = {
5338 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5339 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5340 			BPF_MOV64_IMM(BPF_REG_2, 16),
5341 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5342 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5343 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5344 			BPF_MOV64_IMM(BPF_REG_3, 0),
5345 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5346 			BPF_EXIT_INSN(),
5347 		},
5348 		.errstr = "invalid indirect read from stack off -64+0 size 64",
5349 		.result = REJECT,
5350 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5351 	},
5352 	{
5353 		"helper access to variable memory: stack, bitwise AND + JMP, wrong max",
5354 		.insns = {
5355 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5356 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5357 			BPF_MOV64_IMM(BPF_REG_2, 16),
5358 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5359 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5360 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
5361 			BPF_MOV64_IMM(BPF_REG_4, 0),
5362 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5363 			BPF_MOV64_IMM(BPF_REG_3, 0),
5364 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5365 			BPF_MOV64_IMM(BPF_REG_0, 0),
5366 			BPF_EXIT_INSN(),
5367 		},
5368 		.errstr = "invalid stack type R1 off=-64 access_size=65",
5369 		.result = REJECT,
5370 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5371 	},
5372 	{
5373 		"helper access to variable memory: stack, JMP, correct bounds",
5374 		.insns = {
5375 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5376 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5377 			BPF_MOV64_IMM(BPF_REG_0, 0),
5378 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5379 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5380 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5381 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5382 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5383 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5384 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5385 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5386 			BPF_MOV64_IMM(BPF_REG_2, 16),
5387 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5388 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5389 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
5390 			BPF_MOV64_IMM(BPF_REG_4, 0),
5391 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5392 			BPF_MOV64_IMM(BPF_REG_3, 0),
5393 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5394 			BPF_MOV64_IMM(BPF_REG_0, 0),
5395 			BPF_EXIT_INSN(),
5396 		},
5397 		.result = ACCEPT,
5398 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5399 	},
5400 	{
5401 		"helper access to variable memory: stack, JMP (signed), correct bounds",
5402 		.insns = {
5403 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5404 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5405 			BPF_MOV64_IMM(BPF_REG_0, 0),
5406 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5407 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5408 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5409 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5410 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5411 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5412 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5413 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5414 			BPF_MOV64_IMM(BPF_REG_2, 16),
5415 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5416 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5417 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
5418 			BPF_MOV64_IMM(BPF_REG_4, 0),
5419 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5420 			BPF_MOV64_IMM(BPF_REG_3, 0),
5421 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5422 			BPF_MOV64_IMM(BPF_REG_0, 0),
5423 			BPF_EXIT_INSN(),
5424 		},
5425 		.result = ACCEPT,
5426 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5427 	},
5428 	{
5429 		"helper access to variable memory: stack, JMP, bounds + offset",
5430 		.insns = {
5431 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5432 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5433 			BPF_MOV64_IMM(BPF_REG_2, 16),
5434 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5435 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5436 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
5437 			BPF_MOV64_IMM(BPF_REG_4, 0),
5438 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
5439 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5440 			BPF_MOV64_IMM(BPF_REG_3, 0),
5441 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5442 			BPF_MOV64_IMM(BPF_REG_0, 0),
5443 			BPF_EXIT_INSN(),
5444 		},
5445 		.errstr = "invalid stack type R1 off=-64 access_size=65",
5446 		.result = REJECT,
5447 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5448 	},
5449 	{
5450 		"helper access to variable memory: stack, JMP, wrong max",
5451 		.insns = {
5452 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5453 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5454 			BPF_MOV64_IMM(BPF_REG_2, 16),
5455 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5456 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5457 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
5458 			BPF_MOV64_IMM(BPF_REG_4, 0),
5459 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5460 			BPF_MOV64_IMM(BPF_REG_3, 0),
5461 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5462 			BPF_MOV64_IMM(BPF_REG_0, 0),
5463 			BPF_EXIT_INSN(),
5464 		},
5465 		.errstr = "invalid stack type R1 off=-64 access_size=65",
5466 		.result = REJECT,
5467 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5468 	},
5469 	{
5470 		"helper access to variable memory: stack, JMP, no max check",
5471 		.insns = {
5472 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5473 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5474 			BPF_MOV64_IMM(BPF_REG_2, 16),
5475 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5476 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5477 			BPF_MOV64_IMM(BPF_REG_4, 0),
5478 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5479 			BPF_MOV64_IMM(BPF_REG_3, 0),
5480 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5481 			BPF_MOV64_IMM(BPF_REG_0, 0),
5482 			BPF_EXIT_INSN(),
5483 		},
5484 		/* because max wasn't checked, signed min is negative */
5485 		.errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
5486 		.result = REJECT,
5487 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5488 	},
5489 	{
5490 		"helper access to variable memory: stack, JMP, no min check",
5491 		.insns = {
5492 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5493 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5494 			BPF_MOV64_IMM(BPF_REG_2, 16),
5495 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5496 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5497 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
5498 			BPF_MOV64_IMM(BPF_REG_3, 0),
5499 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5500 			BPF_MOV64_IMM(BPF_REG_0, 0),
5501 			BPF_EXIT_INSN(),
5502 		},
5503 		.errstr = "invalid indirect read from stack off -64+0 size 64",
5504 		.result = REJECT,
5505 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5506 	},
5507 	{
5508 		"helper access to variable memory: stack, JMP (signed), no min check",
5509 		.insns = {
5510 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5511 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5512 			BPF_MOV64_IMM(BPF_REG_2, 16),
5513 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5514 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5515 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
5516 			BPF_MOV64_IMM(BPF_REG_3, 0),
5517 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5518 			BPF_MOV64_IMM(BPF_REG_0, 0),
5519 			BPF_EXIT_INSN(),
5520 		},
5521 		.errstr = "R2 min value is negative",
5522 		.result = REJECT,
5523 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5524 	},
5525 	{
5526 		"helper access to variable memory: map, JMP, correct bounds",
5527 		.insns = {
5528 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5529 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5530 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5531 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5532 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5533 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5534 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5535 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5536 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5537 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5538 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5539 				sizeof(struct test_val), 4),
5540 			BPF_MOV64_IMM(BPF_REG_4, 0),
5541 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5542 			BPF_MOV64_IMM(BPF_REG_3, 0),
5543 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5544 			BPF_MOV64_IMM(BPF_REG_0, 0),
5545 			BPF_EXIT_INSN(),
5546 		},
5547 		.fixup_map2 = { 3 },
5548 		.result = ACCEPT,
5549 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5550 	},
5551 	{
5552 		"helper access to variable memory: map, JMP, wrong max",
5553 		.insns = {
5554 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5555 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5556 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5557 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5558 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5559 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5560 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5561 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5562 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5563 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5564 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5565 				sizeof(struct test_val) + 1, 4),
5566 			BPF_MOV64_IMM(BPF_REG_4, 0),
5567 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5568 			BPF_MOV64_IMM(BPF_REG_3, 0),
5569 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5570 			BPF_MOV64_IMM(BPF_REG_0, 0),
5571 			BPF_EXIT_INSN(),
5572 		},
5573 		.fixup_map2 = { 3 },
5574 		.errstr = "invalid access to map value, value_size=48 off=0 size=49",
5575 		.result = REJECT,
5576 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5577 	},
5578 	{
5579 		"helper access to variable memory: map adjusted, JMP, correct bounds",
5580 		.insns = {
5581 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5582 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5583 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5584 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5585 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5586 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5587 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5588 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5589 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5590 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5591 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5592 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5593 				sizeof(struct test_val) - 20, 4),
5594 			BPF_MOV64_IMM(BPF_REG_4, 0),
5595 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5596 			BPF_MOV64_IMM(BPF_REG_3, 0),
5597 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5598 			BPF_MOV64_IMM(BPF_REG_0, 0),
5599 			BPF_EXIT_INSN(),
5600 		},
5601 		.fixup_map2 = { 3 },
5602 		.result = ACCEPT,
5603 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5604 	},
5605 	{
5606 		"helper access to variable memory: map adjusted, JMP, wrong max",
5607 		.insns = {
5608 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5609 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5610 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5611 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5612 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5613 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5614 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5615 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5616 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5617 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5618 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5619 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5620 				sizeof(struct test_val) - 19, 4),
5621 			BPF_MOV64_IMM(BPF_REG_4, 0),
5622 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5623 			BPF_MOV64_IMM(BPF_REG_3, 0),
5624 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5625 			BPF_MOV64_IMM(BPF_REG_0, 0),
5626 			BPF_EXIT_INSN(),
5627 		},
5628 		.fixup_map2 = { 3 },
5629 		.errstr = "R1 min value is outside of the array range",
5630 		.result = REJECT,
5631 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5632 	},
5633 	{
5634 		"helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
5635 		.insns = {
5636 			BPF_MOV64_IMM(BPF_REG_1, 0),
5637 			BPF_MOV64_IMM(BPF_REG_2, 0),
5638 			BPF_MOV64_IMM(BPF_REG_3, 0),
5639 			BPF_MOV64_IMM(BPF_REG_4, 0),
5640 			BPF_MOV64_IMM(BPF_REG_5, 0),
5641 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5642 			BPF_EXIT_INSN(),
5643 		},
5644 		.result = ACCEPT,
5645 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5646 	},
5647 	{
5648 		"helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
5649 		.insns = {
5650 			BPF_MOV64_IMM(BPF_REG_1, 0),
5651 			BPF_MOV64_IMM(BPF_REG_2, 0),
5652 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5653 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5654 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5655 			BPF_MOV64_IMM(BPF_REG_3, 0),
5656 			BPF_MOV64_IMM(BPF_REG_4, 0),
5657 			BPF_MOV64_IMM(BPF_REG_5, 0),
5658 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5659 			BPF_EXIT_INSN(),
5660 		},
5661 		.errstr = "R1 type=inv expected=fp",
5662 		.result = REJECT,
5663 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5664 	},
5665 	{
5666 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
5667 		.insns = {
5668 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5669 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5670 			BPF_MOV64_IMM(BPF_REG_2, 0),
5671 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5672 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
5673 			BPF_MOV64_IMM(BPF_REG_3, 0),
5674 			BPF_MOV64_IMM(BPF_REG_4, 0),
5675 			BPF_MOV64_IMM(BPF_REG_5, 0),
5676 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5677 			BPF_EXIT_INSN(),
5678 		},
5679 		.result = ACCEPT,
5680 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5681 	},
5682 	{
5683 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
5684 		.insns = {
5685 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5686 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5687 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5688 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5689 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5690 				     BPF_FUNC_map_lookup_elem),
5691 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5692 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5693 			BPF_MOV64_IMM(BPF_REG_2, 0),
5694 			BPF_MOV64_IMM(BPF_REG_3, 0),
5695 			BPF_MOV64_IMM(BPF_REG_4, 0),
5696 			BPF_MOV64_IMM(BPF_REG_5, 0),
5697 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5698 			BPF_EXIT_INSN(),
5699 		},
5700 		.fixup_map1 = { 3 },
5701 		.result = ACCEPT,
5702 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5703 	},
5704 	{
5705 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
5706 		.insns = {
5707 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5708 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5709 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5710 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5711 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5712 				     BPF_FUNC_map_lookup_elem),
5713 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5714 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5715 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
5716 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5717 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5718 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5719 			BPF_MOV64_IMM(BPF_REG_3, 0),
5720 			BPF_MOV64_IMM(BPF_REG_4, 0),
5721 			BPF_MOV64_IMM(BPF_REG_5, 0),
5722 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5723 			BPF_EXIT_INSN(),
5724 		},
5725 		.fixup_map1 = { 3 },
5726 		.result = ACCEPT,
5727 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5728 	},
5729 	{
5730 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
5731 		.insns = {
5732 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5733 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5734 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5735 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5736 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5737 				     BPF_FUNC_map_lookup_elem),
5738 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5739 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5740 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5741 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5742 			BPF_MOV64_IMM(BPF_REG_3, 0),
5743 			BPF_MOV64_IMM(BPF_REG_4, 0),
5744 			BPF_MOV64_IMM(BPF_REG_5, 0),
5745 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5746 			BPF_EXIT_INSN(),
5747 		},
5748 		.fixup_map1 = { 3 },
5749 		.result = ACCEPT,
5750 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5751 	},
5752 	{
5753 		"helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
5754 		.insns = {
5755 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5756 				    offsetof(struct __sk_buff, data)),
5757 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5758 				    offsetof(struct __sk_buff, data_end)),
5759 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
5760 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5761 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
5762 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5763 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
5764 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5765 			BPF_MOV64_IMM(BPF_REG_3, 0),
5766 			BPF_MOV64_IMM(BPF_REG_4, 0),
5767 			BPF_MOV64_IMM(BPF_REG_5, 0),
5768 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5769 			BPF_EXIT_INSN(),
5770 		},
5771 		.result = ACCEPT,
5772 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5773 	},
5774 	{
5775 		"helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
5776 		.insns = {
5777 			BPF_MOV64_IMM(BPF_REG_1, 0),
5778 			BPF_MOV64_IMM(BPF_REG_2, 0),
5779 			BPF_MOV64_IMM(BPF_REG_3, 0),
5780 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5781 			BPF_EXIT_INSN(),
5782 		},
5783 		.errstr = "R1 type=inv expected=fp",
5784 		.result = REJECT,
5785 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5786 	},
5787 	{
5788 		"helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
5789 		.insns = {
5790 			BPF_MOV64_IMM(BPF_REG_1, 0),
5791 			BPF_MOV64_IMM(BPF_REG_2, 1),
5792 			BPF_MOV64_IMM(BPF_REG_3, 0),
5793 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5794 			BPF_EXIT_INSN(),
5795 		},
5796 		.errstr = "R1 type=inv expected=fp",
5797 		.result = REJECT,
5798 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5799 	},
5800 	{
5801 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5802 		.insns = {
5803 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5804 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5805 			BPF_MOV64_IMM(BPF_REG_2, 0),
5806 			BPF_MOV64_IMM(BPF_REG_3, 0),
5807 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5808 			BPF_EXIT_INSN(),
5809 		},
5810 		.result = ACCEPT,
5811 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5812 	},
5813 	{
5814 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5815 		.insns = {
5816 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5817 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5818 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5819 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5820 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5821 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5822 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5823 			BPF_MOV64_IMM(BPF_REG_2, 0),
5824 			BPF_MOV64_IMM(BPF_REG_3, 0),
5825 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5826 			BPF_EXIT_INSN(),
5827 		},
5828 		.fixup_map1 = { 3 },
5829 		.result = ACCEPT,
5830 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5831 	},
5832 	{
5833 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5834 		.insns = {
5835 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5836 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5837 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5838 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5839 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5840 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5841 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5842 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5843 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5844 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5845 			BPF_MOV64_IMM(BPF_REG_3, 0),
5846 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5847 			BPF_EXIT_INSN(),
5848 		},
5849 		.fixup_map1 = { 3 },
5850 		.result = ACCEPT,
5851 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5852 	},
5853 	{
5854 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5855 		.insns = {
5856 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5857 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5858 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5859 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5860 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5861 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5862 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5863 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5864 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
5865 			BPF_MOV64_IMM(BPF_REG_3, 0),
5866 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5867 			BPF_EXIT_INSN(),
5868 		},
5869 		.fixup_map1 = { 3 },
5870 		.result = ACCEPT,
5871 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5872 	},
5873 	{
5874 		"helper access to variable memory: 8 bytes leak",
5875 		.insns = {
5876 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5877 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5878 			BPF_MOV64_IMM(BPF_REG_0, 0),
5879 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5880 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5881 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5882 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5883 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5884 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5885 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5886 			BPF_MOV64_IMM(BPF_REG_2, 0),
5887 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5888 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5889 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
5890 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5891 			BPF_MOV64_IMM(BPF_REG_3, 0),
5892 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5893 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5894 			BPF_EXIT_INSN(),
5895 		},
5896 		.errstr = "invalid indirect read from stack off -64+32 size 64",
5897 		.result = REJECT,
5898 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5899 	},
5900 	{
5901 		"helper access to variable memory: 8 bytes no leak (init memory)",
5902 		.insns = {
5903 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5904 			BPF_MOV64_IMM(BPF_REG_0, 0),
5905 			BPF_MOV64_IMM(BPF_REG_0, 0),
5906 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5907 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5908 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5909 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5910 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5911 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5912 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5913 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5914 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5915 			BPF_MOV64_IMM(BPF_REG_2, 0),
5916 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
5917 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
5918 			BPF_MOV64_IMM(BPF_REG_3, 0),
5919 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5920 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5921 			BPF_EXIT_INSN(),
5922 		},
5923 		.result = ACCEPT,
5924 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5925 	},
5926 	{
5927 		"invalid and of negative number",
5928 		.insns = {
5929 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5930 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5931 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5932 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5933 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5934 				     BPF_FUNC_map_lookup_elem),
5935 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5936 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
5937 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
5938 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5939 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5940 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5941 				   offsetof(struct test_val, foo)),
5942 			BPF_EXIT_INSN(),
5943 		},
5944 		.fixup_map2 = { 3 },
5945 		.errstr = "R0 max value is outside of the array range",
5946 		.result = REJECT,
5947 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5948 	},
5949 	{
5950 		"invalid range check",
5951 		.insns = {
5952 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5953 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5954 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5955 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5956 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5957 				     BPF_FUNC_map_lookup_elem),
5958 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
5959 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5960 			BPF_MOV64_IMM(BPF_REG_9, 1),
5961 			BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
5962 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
5963 			BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
5964 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
5965 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
5966 			BPF_MOV32_IMM(BPF_REG_3, 1),
5967 			BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
5968 			BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
5969 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
5970 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
5971 			BPF_MOV64_REG(BPF_REG_0, 0),
5972 			BPF_EXIT_INSN(),
5973 		},
5974 		.fixup_map2 = { 3 },
5975 		.errstr = "R0 max value is outside of the array range",
5976 		.result = REJECT,
5977 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5978 	},
5979 	{
5980 		"map in map access",
5981 		.insns = {
5982 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5983 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5984 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5985 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5986 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5987 				     BPF_FUNC_map_lookup_elem),
5988 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5989 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5990 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5991 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5992 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5993 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5994 				     BPF_FUNC_map_lookup_elem),
5995 			BPF_MOV64_REG(BPF_REG_0, 0),
5996 			BPF_EXIT_INSN(),
5997 		},
5998 		.fixup_map_in_map = { 3 },
5999 		.result = ACCEPT,
6000 	},
6001 	{
6002 		"invalid inner map pointer",
6003 		.insns = {
6004 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6005 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6006 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6007 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6008 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6009 				     BPF_FUNC_map_lookup_elem),
6010 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6011 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6012 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6013 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6014 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6015 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
6016 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6017 				     BPF_FUNC_map_lookup_elem),
6018 			BPF_MOV64_REG(BPF_REG_0, 0),
6019 			BPF_EXIT_INSN(),
6020 		},
6021 		.fixup_map_in_map = { 3 },
6022 		.errstr = "R1 type=inv expected=map_ptr",
6023 		.errstr_unpriv = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
6024 		.result = REJECT,
6025 	},
6026 	{
6027 		"forgot null checking on the inner map pointer",
6028 		.insns = {
6029 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6030 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6031 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6032 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6033 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6034 				     BPF_FUNC_map_lookup_elem),
6035 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6036 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6037 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6038 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6039 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6040 				     BPF_FUNC_map_lookup_elem),
6041 			BPF_MOV64_REG(BPF_REG_0, 0),
6042 			BPF_EXIT_INSN(),
6043 		},
6044 		.fixup_map_in_map = { 3 },
6045 		.errstr = "R1 type=map_value_or_null expected=map_ptr",
6046 		.result = REJECT,
6047 	},
6048 	{
6049 		"ld_abs: check calling conv, r1",
6050 		.insns = {
6051 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6052 			BPF_MOV64_IMM(BPF_REG_1, 0),
6053 			BPF_LD_ABS(BPF_W, -0x200000),
6054 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6055 			BPF_EXIT_INSN(),
6056 		},
6057 		.errstr = "R1 !read_ok",
6058 		.result = REJECT,
6059 	},
6060 	{
6061 		"ld_abs: check calling conv, r2",
6062 		.insns = {
6063 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6064 			BPF_MOV64_IMM(BPF_REG_2, 0),
6065 			BPF_LD_ABS(BPF_W, -0x200000),
6066 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6067 			BPF_EXIT_INSN(),
6068 		},
6069 		.errstr = "R2 !read_ok",
6070 		.result = REJECT,
6071 	},
6072 	{
6073 		"ld_abs: check calling conv, r3",
6074 		.insns = {
6075 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6076 			BPF_MOV64_IMM(BPF_REG_3, 0),
6077 			BPF_LD_ABS(BPF_W, -0x200000),
6078 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6079 			BPF_EXIT_INSN(),
6080 		},
6081 		.errstr = "R3 !read_ok",
6082 		.result = REJECT,
6083 	},
6084 	{
6085 		"ld_abs: check calling conv, r4",
6086 		.insns = {
6087 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6088 			BPF_MOV64_IMM(BPF_REG_4, 0),
6089 			BPF_LD_ABS(BPF_W, -0x200000),
6090 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6091 			BPF_EXIT_INSN(),
6092 		},
6093 		.errstr = "R4 !read_ok",
6094 		.result = REJECT,
6095 	},
6096 	{
6097 		"ld_abs: check calling conv, r5",
6098 		.insns = {
6099 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6100 			BPF_MOV64_IMM(BPF_REG_5, 0),
6101 			BPF_LD_ABS(BPF_W, -0x200000),
6102 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6103 			BPF_EXIT_INSN(),
6104 		},
6105 		.errstr = "R5 !read_ok",
6106 		.result = REJECT,
6107 	},
6108 	{
6109 		"ld_abs: check calling conv, r7",
6110 		.insns = {
6111 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6112 			BPF_MOV64_IMM(BPF_REG_7, 0),
6113 			BPF_LD_ABS(BPF_W, -0x200000),
6114 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6115 			BPF_EXIT_INSN(),
6116 		},
6117 		.result = ACCEPT,
6118 	},
6119 	{
6120 		"ld_abs: tests on r6 and skb data reload helper",
6121 		.insns = {
6122 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6123 			BPF_LD_ABS(BPF_B, 0),
6124 			BPF_LD_ABS(BPF_H, 0),
6125 			BPF_LD_ABS(BPF_W, 0),
6126 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
6127 			BPF_MOV64_IMM(BPF_REG_6, 0),
6128 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
6129 			BPF_MOV64_IMM(BPF_REG_2, 1),
6130 			BPF_MOV64_IMM(BPF_REG_3, 2),
6131 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6132 				     BPF_FUNC_skb_vlan_push),
6133 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
6134 			BPF_LD_ABS(BPF_B, 0),
6135 			BPF_LD_ABS(BPF_H, 0),
6136 			BPF_LD_ABS(BPF_W, 0),
6137 			BPF_MOV64_IMM(BPF_REG_0, 42),
6138 			BPF_EXIT_INSN(),
6139 		},
6140 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6141 		.result = ACCEPT,
6142 	},
6143 	{
6144 		"ld_ind: check calling conv, r1",
6145 		.insns = {
6146 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6147 			BPF_MOV64_IMM(BPF_REG_1, 1),
6148 			BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
6149 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6150 			BPF_EXIT_INSN(),
6151 		},
6152 		.errstr = "R1 !read_ok",
6153 		.result = REJECT,
6154 	},
6155 	{
6156 		"ld_ind: check calling conv, r2",
6157 		.insns = {
6158 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6159 			BPF_MOV64_IMM(BPF_REG_2, 1),
6160 			BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
6161 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6162 			BPF_EXIT_INSN(),
6163 		},
6164 		.errstr = "R2 !read_ok",
6165 		.result = REJECT,
6166 	},
6167 	{
6168 		"ld_ind: check calling conv, r3",
6169 		.insns = {
6170 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6171 			BPF_MOV64_IMM(BPF_REG_3, 1),
6172 			BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
6173 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6174 			BPF_EXIT_INSN(),
6175 		},
6176 		.errstr = "R3 !read_ok",
6177 		.result = REJECT,
6178 	},
6179 	{
6180 		"ld_ind: check calling conv, r4",
6181 		.insns = {
6182 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6183 			BPF_MOV64_IMM(BPF_REG_4, 1),
6184 			BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
6185 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6186 			BPF_EXIT_INSN(),
6187 		},
6188 		.errstr = "R4 !read_ok",
6189 		.result = REJECT,
6190 	},
6191 	{
6192 		"ld_ind: check calling conv, r5",
6193 		.insns = {
6194 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6195 			BPF_MOV64_IMM(BPF_REG_5, 1),
6196 			BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
6197 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6198 			BPF_EXIT_INSN(),
6199 		},
6200 		.errstr = "R5 !read_ok",
6201 		.result = REJECT,
6202 	},
6203 	{
6204 		"ld_ind: check calling conv, r7",
6205 		.insns = {
6206 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6207 			BPF_MOV64_IMM(BPF_REG_7, 1),
6208 			BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
6209 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6210 			BPF_EXIT_INSN(),
6211 		},
6212 		.result = ACCEPT,
6213 	},
6214 	{
6215 		"check bpf_perf_event_data->sample_period byte load permitted",
6216 		.insns = {
6217 			BPF_MOV64_IMM(BPF_REG_0, 0),
6218 #if __BYTE_ORDER == __LITTLE_ENDIAN
6219 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6220 				    offsetof(struct bpf_perf_event_data, sample_period)),
6221 #else
6222 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6223 				    offsetof(struct bpf_perf_event_data, sample_period) + 7),
6224 #endif
6225 			BPF_EXIT_INSN(),
6226 		},
6227 		.result = ACCEPT,
6228 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
6229 	},
6230 	{
6231 		"check bpf_perf_event_data->sample_period half load permitted",
6232 		.insns = {
6233 			BPF_MOV64_IMM(BPF_REG_0, 0),
6234 #if __BYTE_ORDER == __LITTLE_ENDIAN
6235 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6236 				    offsetof(struct bpf_perf_event_data, sample_period)),
6237 #else
6238 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6239 				    offsetof(struct bpf_perf_event_data, sample_period) + 6),
6240 #endif
6241 			BPF_EXIT_INSN(),
6242 		},
6243 		.result = ACCEPT,
6244 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
6245 	},
6246 	{
6247 		"check bpf_perf_event_data->sample_period word load permitted",
6248 		.insns = {
6249 			BPF_MOV64_IMM(BPF_REG_0, 0),
6250 #if __BYTE_ORDER == __LITTLE_ENDIAN
6251 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6252 				    offsetof(struct bpf_perf_event_data, sample_period)),
6253 #else
6254 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6255 				    offsetof(struct bpf_perf_event_data, sample_period) + 4),
6256 #endif
6257 			BPF_EXIT_INSN(),
6258 		},
6259 		.result = ACCEPT,
6260 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
6261 	},
6262 	{
6263 		"check bpf_perf_event_data->sample_period dword load permitted",
6264 		.insns = {
6265 			BPF_MOV64_IMM(BPF_REG_0, 0),
6266 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
6267 				    offsetof(struct bpf_perf_event_data, sample_period)),
6268 			BPF_EXIT_INSN(),
6269 		},
6270 		.result = ACCEPT,
6271 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
6272 	},
6273 	{
6274 		"check skb->data half load not permitted",
6275 		.insns = {
6276 			BPF_MOV64_IMM(BPF_REG_0, 0),
6277 #if __BYTE_ORDER == __LITTLE_ENDIAN
6278 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6279 				    offsetof(struct __sk_buff, data)),
6280 #else
6281 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6282 				    offsetof(struct __sk_buff, data) + 2),
6283 #endif
6284 			BPF_EXIT_INSN(),
6285 		},
6286 		.result = REJECT,
6287 		.errstr = "invalid bpf_context access",
6288 	},
6289 	{
6290 		"check skb->tc_classid half load not permitted for lwt prog",
6291 		.insns = {
6292 			BPF_MOV64_IMM(BPF_REG_0, 0),
6293 #if __BYTE_ORDER == __LITTLE_ENDIAN
6294 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6295 				    offsetof(struct __sk_buff, tc_classid)),
6296 #else
6297 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6298 				    offsetof(struct __sk_buff, tc_classid) + 2),
6299 #endif
6300 			BPF_EXIT_INSN(),
6301 		},
6302 		.result = REJECT,
6303 		.errstr = "invalid bpf_context access",
6304 		.prog_type = BPF_PROG_TYPE_LWT_IN,
6305 	},
6306 	{
6307 		"bounds checks mixing signed and unsigned, positive bounds",
6308 		.insns = {
6309 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6310 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6311 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6312 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6313 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6314 				     BPF_FUNC_map_lookup_elem),
6315 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6316 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6317 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6318 			BPF_MOV64_IMM(BPF_REG_2, 2),
6319 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
6320 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
6321 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6322 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6323 			BPF_MOV64_IMM(BPF_REG_0, 0),
6324 			BPF_EXIT_INSN(),
6325 		},
6326 		.fixup_map1 = { 3 },
6327 		.errstr = "R0 min value is negative",
6328 		.result = REJECT,
6329 	},
6330 	{
6331 		"bounds checks mixing signed and unsigned",
6332 		.insns = {
6333 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6334 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6335 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6336 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6337 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6338 				     BPF_FUNC_map_lookup_elem),
6339 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6340 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6341 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6342 			BPF_MOV64_IMM(BPF_REG_2, -1),
6343 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6344 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6345 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6346 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6347 			BPF_MOV64_IMM(BPF_REG_0, 0),
6348 			BPF_EXIT_INSN(),
6349 		},
6350 		.fixup_map1 = { 3 },
6351 		.errstr = "R0 min value is negative",
6352 		.result = REJECT,
6353 	},
6354 	{
6355 		"bounds checks mixing signed and unsigned, variant 2",
6356 		.insns = {
6357 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6358 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6359 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6360 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6361 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6362 				     BPF_FUNC_map_lookup_elem),
6363 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6364 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6365 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6366 			BPF_MOV64_IMM(BPF_REG_2, -1),
6367 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6368 			BPF_MOV64_IMM(BPF_REG_8, 0),
6369 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
6370 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6371 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6372 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6373 			BPF_MOV64_IMM(BPF_REG_0, 0),
6374 			BPF_EXIT_INSN(),
6375 		},
6376 		.fixup_map1 = { 3 },
6377 		.errstr = "R8 invalid mem access 'inv'",
6378 		.result = REJECT,
6379 	},
6380 	{
6381 		"bounds checks mixing signed and unsigned, variant 3",
6382 		.insns = {
6383 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6384 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6385 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6386 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6387 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6388 				     BPF_FUNC_map_lookup_elem),
6389 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6390 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6391 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6392 			BPF_MOV64_IMM(BPF_REG_2, -1),
6393 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
6394 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
6395 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6396 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6397 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6398 			BPF_MOV64_IMM(BPF_REG_0, 0),
6399 			BPF_EXIT_INSN(),
6400 		},
6401 		.fixup_map1 = { 3 },
6402 		.errstr = "R8 invalid mem access 'inv'",
6403 		.result = REJECT,
6404 	},
6405 	{
6406 		"bounds checks mixing signed and unsigned, variant 4",
6407 		.insns = {
6408 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6409 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6410 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6411 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6412 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6413 				     BPF_FUNC_map_lookup_elem),
6414 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6415 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6416 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6417 			BPF_MOV64_IMM(BPF_REG_2, 1),
6418 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
6419 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6420 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6421 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6422 			BPF_MOV64_IMM(BPF_REG_0, 0),
6423 			BPF_EXIT_INSN(),
6424 		},
6425 		.fixup_map1 = { 3 },
6426 		.result = ACCEPT,
6427 	},
6428 	{
6429 		"bounds checks mixing signed and unsigned, variant 5",
6430 		.insns = {
6431 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6432 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6433 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6434 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6435 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6436 				     BPF_FUNC_map_lookup_elem),
6437 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6438 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6439 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6440 			BPF_MOV64_IMM(BPF_REG_2, -1),
6441 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6442 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
6443 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
6444 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6445 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6446 			BPF_MOV64_IMM(BPF_REG_0, 0),
6447 			BPF_EXIT_INSN(),
6448 		},
6449 		.fixup_map1 = { 3 },
6450 		.errstr = "R0 min value is negative",
6451 		.result = REJECT,
6452 	},
6453 	{
6454 		"bounds checks mixing signed and unsigned, variant 6",
6455 		.insns = {
6456 			BPF_MOV64_IMM(BPF_REG_2, 0),
6457 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
6458 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
6459 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6460 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
6461 			BPF_MOV64_IMM(BPF_REG_6, -1),
6462 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
6463 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
6464 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
6465 			BPF_MOV64_IMM(BPF_REG_5, 0),
6466 			BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
6467 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6468 				     BPF_FUNC_skb_load_bytes),
6469 			BPF_MOV64_IMM(BPF_REG_0, 0),
6470 			BPF_EXIT_INSN(),
6471 		},
6472 		.errstr = "R4 min value is negative, either use unsigned",
6473 		.result = REJECT,
6474 	},
6475 	{
6476 		"bounds checks mixing signed and unsigned, variant 7",
6477 		.insns = {
6478 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6479 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6480 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6481 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6482 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6483 				     BPF_FUNC_map_lookup_elem),
6484 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6485 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6486 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6487 			BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
6488 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6489 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6490 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6491 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6492 			BPF_MOV64_IMM(BPF_REG_0, 0),
6493 			BPF_EXIT_INSN(),
6494 		},
6495 		.fixup_map1 = { 3 },
6496 		.result = ACCEPT,
6497 	},
6498 	{
6499 		"bounds checks mixing signed and unsigned, variant 8",
6500 		.insns = {
6501 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6502 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6503 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6504 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6505 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6506 				     BPF_FUNC_map_lookup_elem),
6507 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6508 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6509 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6510 			BPF_MOV64_IMM(BPF_REG_2, -1),
6511 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6512 			BPF_MOV64_IMM(BPF_REG_0, 0),
6513 			BPF_EXIT_INSN(),
6514 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6515 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6516 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6517 			BPF_MOV64_IMM(BPF_REG_0, 0),
6518 			BPF_EXIT_INSN(),
6519 		},
6520 		.fixup_map1 = { 3 },
6521 		.errstr = "R0 min value is negative",
6522 		.result = REJECT,
6523 	},
6524 	{
6525 		"bounds checks mixing signed and unsigned, variant 9",
6526 		.insns = {
6527 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6528 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6529 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6530 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6531 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6532 				     BPF_FUNC_map_lookup_elem),
6533 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6534 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6535 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6536 			BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
6537 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6538 			BPF_MOV64_IMM(BPF_REG_0, 0),
6539 			BPF_EXIT_INSN(),
6540 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6541 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6542 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6543 			BPF_MOV64_IMM(BPF_REG_0, 0),
6544 			BPF_EXIT_INSN(),
6545 		},
6546 		.fixup_map1 = { 3 },
6547 		.result = ACCEPT,
6548 	},
6549 	{
6550 		"bounds checks mixing signed and unsigned, variant 10",
6551 		.insns = {
6552 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6553 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6554 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6555 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6556 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6557 				     BPF_FUNC_map_lookup_elem),
6558 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6559 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6560 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6561 			BPF_MOV64_IMM(BPF_REG_2, 0),
6562 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6563 			BPF_MOV64_IMM(BPF_REG_0, 0),
6564 			BPF_EXIT_INSN(),
6565 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6566 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6567 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6568 			BPF_MOV64_IMM(BPF_REG_0, 0),
6569 			BPF_EXIT_INSN(),
6570 		},
6571 		.fixup_map1 = { 3 },
6572 		.errstr = "R0 min value is negative",
6573 		.result = REJECT,
6574 	},
6575 	{
6576 		"bounds checks mixing signed and unsigned, variant 11",
6577 		.insns = {
6578 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6579 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6580 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6581 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6582 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6583 				     BPF_FUNC_map_lookup_elem),
6584 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6585 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6586 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6587 			BPF_MOV64_IMM(BPF_REG_2, -1),
6588 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6589 			/* Dead branch. */
6590 			BPF_MOV64_IMM(BPF_REG_0, 0),
6591 			BPF_EXIT_INSN(),
6592 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6593 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6594 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6595 			BPF_MOV64_IMM(BPF_REG_0, 0),
6596 			BPF_EXIT_INSN(),
6597 		},
6598 		.fixup_map1 = { 3 },
6599 		.errstr = "R0 min value is negative",
6600 		.result = REJECT,
6601 	},
6602 	{
6603 		"bounds checks mixing signed and unsigned, variant 12",
6604 		.insns = {
6605 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6606 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6607 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6608 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6609 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6610 				     BPF_FUNC_map_lookup_elem),
6611 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6612 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6613 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6614 			BPF_MOV64_IMM(BPF_REG_2, -6),
6615 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6616 			BPF_MOV64_IMM(BPF_REG_0, 0),
6617 			BPF_EXIT_INSN(),
6618 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6619 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6620 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6621 			BPF_MOV64_IMM(BPF_REG_0, 0),
6622 			BPF_EXIT_INSN(),
6623 		},
6624 		.fixup_map1 = { 3 },
6625 		.errstr = "R0 min value is negative",
6626 		.result = REJECT,
6627 	},
6628 	{
6629 		"bounds checks mixing signed and unsigned, variant 13",
6630 		.insns = {
6631 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6632 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6633 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6634 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6635 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6636 				     BPF_FUNC_map_lookup_elem),
6637 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6638 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6639 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6640 			BPF_MOV64_IMM(BPF_REG_2, 2),
6641 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6642 			BPF_MOV64_IMM(BPF_REG_7, 1),
6643 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
6644 			BPF_MOV64_IMM(BPF_REG_0, 0),
6645 			BPF_EXIT_INSN(),
6646 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
6647 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
6648 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
6649 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6650 			BPF_MOV64_IMM(BPF_REG_0, 0),
6651 			BPF_EXIT_INSN(),
6652 		},
6653 		.fixup_map1 = { 3 },
6654 		.errstr = "R0 min value is negative",
6655 		.result = REJECT,
6656 	},
6657 	{
6658 		"bounds checks mixing signed and unsigned, variant 14",
6659 		.insns = {
6660 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
6661 				    offsetof(struct __sk_buff, mark)),
6662 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6663 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6664 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6665 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6666 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6667 				     BPF_FUNC_map_lookup_elem),
6668 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6669 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6670 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6671 			BPF_MOV64_IMM(BPF_REG_2, -1),
6672 			BPF_MOV64_IMM(BPF_REG_8, 2),
6673 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
6674 			BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
6675 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6676 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6677 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6678 			BPF_MOV64_IMM(BPF_REG_0, 0),
6679 			BPF_EXIT_INSN(),
6680 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
6681 			BPF_JMP_IMM(BPF_JA, 0, 0, -7),
6682 		},
6683 		.fixup_map1 = { 4 },
6684 		.errstr = "R0 min value is negative",
6685 		.result = REJECT,
6686 	},
6687 	{
6688 		"bounds checks mixing signed and unsigned, variant 15",
6689 		.insns = {
6690 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6691 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6692 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6693 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6694 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6695 				     BPF_FUNC_map_lookup_elem),
6696 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6697 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6698 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6699 			BPF_MOV64_IMM(BPF_REG_2, -6),
6700 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6701 			BPF_MOV64_IMM(BPF_REG_0, 0),
6702 			BPF_EXIT_INSN(),
6703 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6704 			BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
6705 			BPF_MOV64_IMM(BPF_REG_0, 0),
6706 			BPF_EXIT_INSN(),
6707 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6708 			BPF_MOV64_IMM(BPF_REG_0, 0),
6709 			BPF_EXIT_INSN(),
6710 		},
6711 		.fixup_map1 = { 3 },
6712 		.errstr_unpriv = "R0 pointer comparison prohibited",
6713 		.errstr = "R0 min value is negative",
6714 		.result = REJECT,
6715 		.result_unpriv = REJECT,
6716 	},
6717 	{
6718 		"subtraction bounds (map value) variant 1",
6719 		.insns = {
6720 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6721 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6722 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6723 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6724 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6725 				     BPF_FUNC_map_lookup_elem),
6726 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6727 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6728 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
6729 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
6730 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
6731 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
6732 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
6733 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6734 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6735 			BPF_EXIT_INSN(),
6736 			BPF_MOV64_IMM(BPF_REG_0, 0),
6737 			BPF_EXIT_INSN(),
6738 		},
6739 		.fixup_map1 = { 3 },
6740 		.errstr = "R0 max value is outside of the array range",
6741 		.result = REJECT,
6742 	},
6743 	{
6744 		"subtraction bounds (map value) variant 2",
6745 		.insns = {
6746 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6747 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6748 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6749 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6750 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6751 				     BPF_FUNC_map_lookup_elem),
6752 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6753 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6754 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
6755 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
6756 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
6757 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
6758 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6759 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6760 			BPF_EXIT_INSN(),
6761 			BPF_MOV64_IMM(BPF_REG_0, 0),
6762 			BPF_EXIT_INSN(),
6763 		},
6764 		.fixup_map1 = { 3 },
6765 		.errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
6766 		.result = REJECT,
6767 	},
6768 	{
6769 		"variable-offset ctx access",
6770 		.insns = {
6771 			/* Get an unknown value */
6772 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
6773 			/* Make it small and 4-byte aligned */
6774 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
6775 			/* add it to skb.  We now have either &skb->len or
6776 			 * &skb->pkt_type, but we don't know which
6777 			 */
6778 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
6779 			/* dereference it */
6780 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
6781 			BPF_EXIT_INSN(),
6782 		},
6783 		.errstr = "variable ctx access var_off=(0x0; 0x4)",
6784 		.result = REJECT,
6785 		.prog_type = BPF_PROG_TYPE_LWT_IN,
6786 	},
6787 	{
6788 		"variable-offset stack access",
6789 		.insns = {
6790 			/* Fill the top 8 bytes of the stack */
6791 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6792 			/* Get an unknown value */
6793 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
6794 			/* Make it small and 4-byte aligned */
6795 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
6796 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
6797 			/* add it to fp.  We now have either fp-4 or fp-8, but
6798 			 * we don't know which
6799 			 */
6800 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
6801 			/* dereference it */
6802 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
6803 			BPF_EXIT_INSN(),
6804 		},
6805 		.errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
6806 		.result = REJECT,
6807 		.prog_type = BPF_PROG_TYPE_LWT_IN,
6808 	},
6809 	{
6810 		"liveness pruning and write screening",
6811 		.insns = {
6812 			/* Get an unknown value */
6813 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
6814 			/* branch conditions teach us nothing about R2 */
6815 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
6816 			BPF_MOV64_IMM(BPF_REG_0, 0),
6817 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
6818 			BPF_MOV64_IMM(BPF_REG_0, 0),
6819 			BPF_EXIT_INSN(),
6820 		},
6821 		.errstr = "R0 !read_ok",
6822 		.result = REJECT,
6823 		.prog_type = BPF_PROG_TYPE_LWT_IN,
6824 	},
6825 	{
6826 		"varlen_map_value_access pruning",
6827 		.insns = {
6828 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6829 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6830 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6831 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6832 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6833 				     BPF_FUNC_map_lookup_elem),
6834 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6835 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6836 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
6837 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
6838 			BPF_MOV32_IMM(BPF_REG_1, 0),
6839 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
6840 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6841 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
6842 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
6843 				   offsetof(struct test_val, foo)),
6844 			BPF_EXIT_INSN(),
6845 		},
6846 		.fixup_map2 = { 3 },
6847 		.errstr_unpriv = "R0 leaks addr",
6848 		.errstr = "R0 unbounded memory access",
6849 		.result_unpriv = REJECT,
6850 		.result = REJECT,
6851 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6852 	},
6853 	{
6854 		"invalid 64-bit BPF_END",
6855 		.insns = {
6856 			BPF_MOV32_IMM(BPF_REG_0, 0),
6857 			{
6858 				.code  = BPF_ALU64 | BPF_END | BPF_TO_LE,
6859 				.dst_reg = BPF_REG_0,
6860 				.src_reg = 0,
6861 				.off   = 0,
6862 				.imm   = 32,
6863 			},
6864 			BPF_EXIT_INSN(),
6865 		},
6866 		.errstr = "BPF_END uses reserved fields",
6867 		.result = REJECT,
6868 	},
6869 	{
6870 		"meta access, test1",
6871 		.insns = {
6872 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6873 				    offsetof(struct xdp_md, data_meta)),
6874 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6875 				    offsetof(struct xdp_md, data)),
6876 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6877 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6878 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
6879 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6880 			BPF_MOV64_IMM(BPF_REG_0, 0),
6881 			BPF_EXIT_INSN(),
6882 		},
6883 		.result = ACCEPT,
6884 		.prog_type = BPF_PROG_TYPE_XDP,
6885 	},
6886 	{
6887 		"meta access, test2",
6888 		.insns = {
6889 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6890 				    offsetof(struct xdp_md, data_meta)),
6891 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6892 				    offsetof(struct xdp_md, data)),
6893 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6894 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
6895 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
6896 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
6897 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
6898 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6899 			BPF_MOV64_IMM(BPF_REG_0, 0),
6900 			BPF_EXIT_INSN(),
6901 		},
6902 		.result = REJECT,
6903 		.errstr = "invalid access to packet, off=-8",
6904 		.prog_type = BPF_PROG_TYPE_XDP,
6905 	},
6906 	{
6907 		"meta access, test3",
6908 		.insns = {
6909 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6910 				    offsetof(struct xdp_md, data_meta)),
6911 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6912 				    offsetof(struct xdp_md, data_end)),
6913 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6914 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6915 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
6916 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6917 			BPF_MOV64_IMM(BPF_REG_0, 0),
6918 			BPF_EXIT_INSN(),
6919 		},
6920 		.result = REJECT,
6921 		.errstr = "invalid access to packet",
6922 		.prog_type = BPF_PROG_TYPE_XDP,
6923 	},
6924 	{
6925 		"meta access, test4",
6926 		.insns = {
6927 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6928 				    offsetof(struct xdp_md, data_meta)),
6929 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6930 				    offsetof(struct xdp_md, data_end)),
6931 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
6932 				    offsetof(struct xdp_md, data)),
6933 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6934 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6935 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
6936 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6937 			BPF_MOV64_IMM(BPF_REG_0, 0),
6938 			BPF_EXIT_INSN(),
6939 		},
6940 		.result = REJECT,
6941 		.errstr = "invalid access to packet",
6942 		.prog_type = BPF_PROG_TYPE_XDP,
6943 	},
6944 	{
6945 		"meta access, test5",
6946 		.insns = {
6947 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6948 				    offsetof(struct xdp_md, data_meta)),
6949 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
6950 				    offsetof(struct xdp_md, data)),
6951 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6952 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6953 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
6954 			BPF_MOV64_IMM(BPF_REG_2, -8),
6955 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6956 				     BPF_FUNC_xdp_adjust_meta),
6957 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
6958 			BPF_MOV64_IMM(BPF_REG_0, 0),
6959 			BPF_EXIT_INSN(),
6960 		},
6961 		.result = REJECT,
6962 		.errstr = "R3 !read_ok",
6963 		.prog_type = BPF_PROG_TYPE_XDP,
6964 	},
6965 	{
6966 		"meta access, test6",
6967 		.insns = {
6968 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6969 				    offsetof(struct xdp_md, data_meta)),
6970 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6971 				    offsetof(struct xdp_md, data)),
6972 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6973 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6974 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
6975 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
6976 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
6977 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6978 			BPF_MOV64_IMM(BPF_REG_0, 0),
6979 			BPF_EXIT_INSN(),
6980 		},
6981 		.result = REJECT,
6982 		.errstr = "invalid access to packet",
6983 		.prog_type = BPF_PROG_TYPE_XDP,
6984 	},
6985 	{
6986 		"meta access, test7",
6987 		.insns = {
6988 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
6989 				    offsetof(struct xdp_md, data_meta)),
6990 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6991 				    offsetof(struct xdp_md, data)),
6992 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6993 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6994 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
6995 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
6996 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
6997 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
6998 			BPF_MOV64_IMM(BPF_REG_0, 0),
6999 			BPF_EXIT_INSN(),
7000 		},
7001 		.result = ACCEPT,
7002 		.prog_type = BPF_PROG_TYPE_XDP,
7003 	},
7004 	{
7005 		"meta access, test8",
7006 		.insns = {
7007 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7008 				    offsetof(struct xdp_md, data_meta)),
7009 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7010 				    offsetof(struct xdp_md, data)),
7011 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7012 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
7013 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7014 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7015 			BPF_MOV64_IMM(BPF_REG_0, 0),
7016 			BPF_EXIT_INSN(),
7017 		},
7018 		.result = ACCEPT,
7019 		.prog_type = BPF_PROG_TYPE_XDP,
7020 	},
7021 	{
7022 		"meta access, test9",
7023 		.insns = {
7024 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7025 				    offsetof(struct xdp_md, data_meta)),
7026 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7027 				    offsetof(struct xdp_md, data)),
7028 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7029 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
7030 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7031 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7032 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7033 			BPF_MOV64_IMM(BPF_REG_0, 0),
7034 			BPF_EXIT_INSN(),
7035 		},
7036 		.result = REJECT,
7037 		.errstr = "invalid access to packet",
7038 		.prog_type = BPF_PROG_TYPE_XDP,
7039 	},
7040 	{
7041 		"meta access, test10",
7042 		.insns = {
7043 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7044 				    offsetof(struct xdp_md, data_meta)),
7045 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7046 				    offsetof(struct xdp_md, data)),
7047 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7048 				    offsetof(struct xdp_md, data_end)),
7049 			BPF_MOV64_IMM(BPF_REG_5, 42),
7050 			BPF_MOV64_IMM(BPF_REG_6, 24),
7051 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
7052 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
7053 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
7054 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
7055 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
7056 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
7057 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
7058 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
7059 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
7060 			BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
7061 			BPF_MOV64_IMM(BPF_REG_0, 0),
7062 			BPF_EXIT_INSN(),
7063 		},
7064 		.result = REJECT,
7065 		.errstr = "invalid access to packet",
7066 		.prog_type = BPF_PROG_TYPE_XDP,
7067 	},
7068 	{
7069 		"meta access, test11",
7070 		.insns = {
7071 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7072 				    offsetof(struct xdp_md, data_meta)),
7073 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7074 				    offsetof(struct xdp_md, data)),
7075 			BPF_MOV64_IMM(BPF_REG_5, 42),
7076 			BPF_MOV64_IMM(BPF_REG_6, 24),
7077 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
7078 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
7079 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
7080 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
7081 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
7082 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
7083 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
7084 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
7085 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
7086 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
7087 			BPF_MOV64_IMM(BPF_REG_0, 0),
7088 			BPF_EXIT_INSN(),
7089 		},
7090 		.result = ACCEPT,
7091 		.prog_type = BPF_PROG_TYPE_XDP,
7092 	},
7093 	{
7094 		"meta access, test12",
7095 		.insns = {
7096 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7097 				    offsetof(struct xdp_md, data_meta)),
7098 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7099 				    offsetof(struct xdp_md, data)),
7100 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7101 				    offsetof(struct xdp_md, data_end)),
7102 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
7103 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
7104 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
7105 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
7106 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
7107 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
7108 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
7109 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7110 			BPF_MOV64_IMM(BPF_REG_0, 0),
7111 			BPF_EXIT_INSN(),
7112 		},
7113 		.result = ACCEPT,
7114 		.prog_type = BPF_PROG_TYPE_XDP,
7115 	},
7116 	{
7117 		"arithmetic ops make PTR_TO_CTX unusable",
7118 		.insns = {
7119 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
7120 				      offsetof(struct __sk_buff, data) -
7121 				      offsetof(struct __sk_buff, mark)),
7122 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7123 				    offsetof(struct __sk_buff, mark)),
7124 			BPF_EXIT_INSN(),
7125 		},
7126 		.errstr = "dereference of modified ctx ptr R1 off=68+8, ctx+const is allowed, ctx+const+const is not",
7127 		.result = REJECT,
7128 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7129 	},
7130 	{
7131 		"XDP pkt read, pkt_end mangling, bad access 1",
7132 		.insns = {
7133 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7134 				    offsetof(struct xdp_md, data)),
7135 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7136 				    offsetof(struct xdp_md, data_end)),
7137 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7138 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7139 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
7140 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7141 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7142 			BPF_MOV64_IMM(BPF_REG_0, 0),
7143 			BPF_EXIT_INSN(),
7144 		},
7145 		.errstr = "R1 offset is outside of the packet",
7146 		.result = REJECT,
7147 		.prog_type = BPF_PROG_TYPE_XDP,
7148 	},
7149 	{
7150 		"XDP pkt read, pkt_end mangling, bad access 2",
7151 		.insns = {
7152 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7153 				    offsetof(struct xdp_md, data)),
7154 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7155 				    offsetof(struct xdp_md, data_end)),
7156 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7157 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7158 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
7159 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7160 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7161 			BPF_MOV64_IMM(BPF_REG_0, 0),
7162 			BPF_EXIT_INSN(),
7163 		},
7164 		.errstr = "R1 offset is outside of the packet",
7165 		.result = REJECT,
7166 		.prog_type = BPF_PROG_TYPE_XDP,
7167 	},
7168 	{
7169 		"XDP pkt read, pkt_data' > pkt_end, good access",
7170 		.insns = {
7171 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7172 				    offsetof(struct xdp_md, data)),
7173 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7174 				    offsetof(struct xdp_md, data_end)),
7175 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7176 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7177 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7178 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7179 			BPF_MOV64_IMM(BPF_REG_0, 0),
7180 			BPF_EXIT_INSN(),
7181 		},
7182 		.result = ACCEPT,
7183 		.prog_type = BPF_PROG_TYPE_XDP,
7184 	},
7185 	{
7186 		"XDP pkt read, pkt_data' > pkt_end, bad access 1",
7187 		.insns = {
7188 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7189 				    offsetof(struct xdp_md, data)),
7190 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7191 				    offsetof(struct xdp_md, data_end)),
7192 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7193 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7194 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7195 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7196 			BPF_MOV64_IMM(BPF_REG_0, 0),
7197 			BPF_EXIT_INSN(),
7198 		},
7199 		.errstr = "R1 offset is outside of the packet",
7200 		.result = REJECT,
7201 		.prog_type = BPF_PROG_TYPE_XDP,
7202 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7203 	},
7204 	{
7205 		"XDP pkt read, pkt_data' > pkt_end, bad access 2",
7206 		.insns = {
7207 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7208 				    offsetof(struct xdp_md, data)),
7209 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7210 				    offsetof(struct xdp_md, data_end)),
7211 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7212 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7213 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
7214 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7215 			BPF_MOV64_IMM(BPF_REG_0, 0),
7216 			BPF_EXIT_INSN(),
7217 		},
7218 		.errstr = "R1 offset is outside of the packet",
7219 		.result = REJECT,
7220 		.prog_type = BPF_PROG_TYPE_XDP,
7221 	},
7222 	{
7223 		"XDP pkt read, pkt_end > pkt_data', good access",
7224 		.insns = {
7225 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7226 				    offsetof(struct xdp_md, data)),
7227 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7228 				    offsetof(struct xdp_md, data_end)),
7229 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7230 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7231 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7232 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7233 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7234 			BPF_MOV64_IMM(BPF_REG_0, 0),
7235 			BPF_EXIT_INSN(),
7236 		},
7237 		.result = ACCEPT,
7238 		.prog_type = BPF_PROG_TYPE_XDP,
7239 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7240 	},
7241 	{
7242 		"XDP pkt read, pkt_end > pkt_data', bad access 1",
7243 		.insns = {
7244 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7245 				    offsetof(struct xdp_md, data)),
7246 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7247 				    offsetof(struct xdp_md, data_end)),
7248 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7249 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7250 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7251 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7252 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7253 			BPF_MOV64_IMM(BPF_REG_0, 0),
7254 			BPF_EXIT_INSN(),
7255 		},
7256 		.errstr = "R1 offset is outside of the packet",
7257 		.result = REJECT,
7258 		.prog_type = BPF_PROG_TYPE_XDP,
7259 	},
7260 	{
7261 		"XDP pkt read, pkt_end > pkt_data', bad access 2",
7262 		.insns = {
7263 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7264 				    offsetof(struct xdp_md, data)),
7265 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7266 				    offsetof(struct xdp_md, data_end)),
7267 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7268 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7269 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7270 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7271 			BPF_MOV64_IMM(BPF_REG_0, 0),
7272 			BPF_EXIT_INSN(),
7273 		},
7274 		.errstr = "R1 offset is outside of the packet",
7275 		.result = REJECT,
7276 		.prog_type = BPF_PROG_TYPE_XDP,
7277 	},
7278 	{
7279 		"XDP pkt read, pkt_data' < pkt_end, good access",
7280 		.insns = {
7281 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7282 				    offsetof(struct xdp_md, data)),
7283 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7284 				    offsetof(struct xdp_md, data_end)),
7285 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7286 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7287 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7288 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7289 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7290 			BPF_MOV64_IMM(BPF_REG_0, 0),
7291 			BPF_EXIT_INSN(),
7292 		},
7293 		.result = ACCEPT,
7294 		.prog_type = BPF_PROG_TYPE_XDP,
7295 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7296 	},
7297 	{
7298 		"XDP pkt read, pkt_data' < pkt_end, bad access 1",
7299 		.insns = {
7300 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7301 				    offsetof(struct xdp_md, data)),
7302 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7303 				    offsetof(struct xdp_md, data_end)),
7304 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7305 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7306 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7307 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7308 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7309 			BPF_MOV64_IMM(BPF_REG_0, 0),
7310 			BPF_EXIT_INSN(),
7311 		},
7312 		.errstr = "R1 offset is outside of the packet",
7313 		.result = REJECT,
7314 		.prog_type = BPF_PROG_TYPE_XDP,
7315 	},
7316 	{
7317 		"XDP pkt read, pkt_data' < pkt_end, bad access 2",
7318 		.insns = {
7319 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7320 				    offsetof(struct xdp_md, data)),
7321 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7322 				    offsetof(struct xdp_md, data_end)),
7323 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7324 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7325 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7326 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7327 			BPF_MOV64_IMM(BPF_REG_0, 0),
7328 			BPF_EXIT_INSN(),
7329 		},
7330 		.errstr = "R1 offset is outside of the packet",
7331 		.result = REJECT,
7332 		.prog_type = BPF_PROG_TYPE_XDP,
7333 	},
7334 	{
7335 		"XDP pkt read, pkt_end < pkt_data', good access",
7336 		.insns = {
7337 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7338 				    offsetof(struct xdp_md, data)),
7339 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7340 				    offsetof(struct xdp_md, data_end)),
7341 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7342 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7343 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7344 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7345 			BPF_MOV64_IMM(BPF_REG_0, 0),
7346 			BPF_EXIT_INSN(),
7347 		},
7348 		.result = ACCEPT,
7349 		.prog_type = BPF_PROG_TYPE_XDP,
7350 	},
7351 	{
7352 		"XDP pkt read, pkt_end < pkt_data', bad access 1",
7353 		.insns = {
7354 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7355 				    offsetof(struct xdp_md, data)),
7356 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7357 				    offsetof(struct xdp_md, data_end)),
7358 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7359 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7360 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7361 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7362 			BPF_MOV64_IMM(BPF_REG_0, 0),
7363 			BPF_EXIT_INSN(),
7364 		},
7365 		.errstr = "R1 offset is outside of the packet",
7366 		.result = REJECT,
7367 		.prog_type = BPF_PROG_TYPE_XDP,
7368 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7369 	},
7370 	{
7371 		"XDP pkt read, pkt_end < pkt_data', bad access 2",
7372 		.insns = {
7373 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7374 				    offsetof(struct xdp_md, data)),
7375 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7376 				    offsetof(struct xdp_md, data_end)),
7377 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7378 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7379 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
7380 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7381 			BPF_MOV64_IMM(BPF_REG_0, 0),
7382 			BPF_EXIT_INSN(),
7383 		},
7384 		.errstr = "R1 offset is outside of the packet",
7385 		.result = REJECT,
7386 		.prog_type = BPF_PROG_TYPE_XDP,
7387 	},
7388 	{
7389 		"XDP pkt read, pkt_data' >= pkt_end, good access",
7390 		.insns = {
7391 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7392 				    offsetof(struct xdp_md, data)),
7393 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7394 				    offsetof(struct xdp_md, data_end)),
7395 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7396 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7397 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7398 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7399 			BPF_MOV64_IMM(BPF_REG_0, 0),
7400 			BPF_EXIT_INSN(),
7401 		},
7402 		.result = ACCEPT,
7403 		.prog_type = BPF_PROG_TYPE_XDP,
7404 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7405 	},
7406 	{
7407 		"XDP pkt read, pkt_data' >= pkt_end, bad access 1",
7408 		.insns = {
7409 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7410 				    offsetof(struct xdp_md, data)),
7411 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7412 				    offsetof(struct xdp_md, data_end)),
7413 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7414 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7415 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7416 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7417 			BPF_MOV64_IMM(BPF_REG_0, 0),
7418 			BPF_EXIT_INSN(),
7419 		},
7420 		.errstr = "R1 offset is outside of the packet",
7421 		.result = REJECT,
7422 		.prog_type = BPF_PROG_TYPE_XDP,
7423 	},
7424 	{
7425 		"XDP pkt read, pkt_data' >= pkt_end, bad access 2",
7426 		.insns = {
7427 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7428 				    offsetof(struct xdp_md, data)),
7429 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7430 				    offsetof(struct xdp_md, data_end)),
7431 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7432 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7433 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
7434 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7435 			BPF_MOV64_IMM(BPF_REG_0, 0),
7436 			BPF_EXIT_INSN(),
7437 		},
7438 		.errstr = "R1 offset is outside of the packet",
7439 		.result = REJECT,
7440 		.prog_type = BPF_PROG_TYPE_XDP,
7441 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7442 	},
7443 	{
7444 		"XDP pkt read, pkt_end >= pkt_data', good access",
7445 		.insns = {
7446 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7447 				    offsetof(struct xdp_md, data)),
7448 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7449 				    offsetof(struct xdp_md, data_end)),
7450 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7451 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7452 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7453 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7454 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7455 			BPF_MOV64_IMM(BPF_REG_0, 0),
7456 			BPF_EXIT_INSN(),
7457 		},
7458 		.result = ACCEPT,
7459 		.prog_type = BPF_PROG_TYPE_XDP,
7460 	},
7461 	{
7462 		"XDP pkt read, pkt_end >= pkt_data', bad access 1",
7463 		.insns = {
7464 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7465 				    offsetof(struct xdp_md, data)),
7466 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7467 				    offsetof(struct xdp_md, data_end)),
7468 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7469 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7470 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7471 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7472 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7473 			BPF_MOV64_IMM(BPF_REG_0, 0),
7474 			BPF_EXIT_INSN(),
7475 		},
7476 		.errstr = "R1 offset is outside of the packet",
7477 		.result = REJECT,
7478 		.prog_type = BPF_PROG_TYPE_XDP,
7479 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7480 	},
7481 	{
7482 		"XDP pkt read, pkt_end >= pkt_data', bad access 2",
7483 		.insns = {
7484 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7485 				    offsetof(struct xdp_md, data)),
7486 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7487 				    offsetof(struct xdp_md, data_end)),
7488 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7489 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7490 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7491 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7492 			BPF_MOV64_IMM(BPF_REG_0, 0),
7493 			BPF_EXIT_INSN(),
7494 		},
7495 		.errstr = "R1 offset is outside of the packet",
7496 		.result = REJECT,
7497 		.prog_type = BPF_PROG_TYPE_XDP,
7498 	},
7499 	{
7500 		"XDP pkt read, pkt_data' <= pkt_end, good access",
7501 		.insns = {
7502 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7503 				    offsetof(struct xdp_md, data)),
7504 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7505 				    offsetof(struct xdp_md, data_end)),
7506 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7507 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7508 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7509 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7510 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7511 			BPF_MOV64_IMM(BPF_REG_0, 0),
7512 			BPF_EXIT_INSN(),
7513 		},
7514 		.result = ACCEPT,
7515 		.prog_type = BPF_PROG_TYPE_XDP,
7516 	},
7517 	{
7518 		"XDP pkt read, pkt_data' <= pkt_end, bad access 1",
7519 		.insns = {
7520 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7521 				    offsetof(struct xdp_md, data)),
7522 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7523 				    offsetof(struct xdp_md, data_end)),
7524 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7525 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7526 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7527 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7528 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7529 			BPF_MOV64_IMM(BPF_REG_0, 0),
7530 			BPF_EXIT_INSN(),
7531 		},
7532 		.errstr = "R1 offset is outside of the packet",
7533 		.result = REJECT,
7534 		.prog_type = BPF_PROG_TYPE_XDP,
7535 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7536 	},
7537 	{
7538 		"XDP pkt read, pkt_data' <= pkt_end, bad access 2",
7539 		.insns = {
7540 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7541 				    offsetof(struct xdp_md, data)),
7542 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7543 				    offsetof(struct xdp_md, data_end)),
7544 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7545 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7546 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7547 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7548 			BPF_MOV64_IMM(BPF_REG_0, 0),
7549 			BPF_EXIT_INSN(),
7550 		},
7551 		.errstr = "R1 offset is outside of the packet",
7552 		.result = REJECT,
7553 		.prog_type = BPF_PROG_TYPE_XDP,
7554 	},
7555 	{
7556 		"XDP pkt read, pkt_end <= pkt_data', good access",
7557 		.insns = {
7558 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7559 				    offsetof(struct xdp_md, data)),
7560 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7561 				    offsetof(struct xdp_md, data_end)),
7562 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7563 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7564 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
7565 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7566 			BPF_MOV64_IMM(BPF_REG_0, 0),
7567 			BPF_EXIT_INSN(),
7568 		},
7569 		.result = ACCEPT,
7570 		.prog_type = BPF_PROG_TYPE_XDP,
7571 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7572 	},
7573 	{
7574 		"XDP pkt read, pkt_end <= pkt_data', bad access 1",
7575 		.insns = {
7576 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7577 				    offsetof(struct xdp_md, data)),
7578 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7579 				    offsetof(struct xdp_md, data_end)),
7580 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7581 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7582 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
7583 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7584 			BPF_MOV64_IMM(BPF_REG_0, 0),
7585 			BPF_EXIT_INSN(),
7586 		},
7587 		.errstr = "R1 offset is outside of the packet",
7588 		.result = REJECT,
7589 		.prog_type = BPF_PROG_TYPE_XDP,
7590 	},
7591 	{
7592 		"XDP pkt read, pkt_end <= pkt_data', bad access 2",
7593 		.insns = {
7594 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7595 				    offsetof(struct xdp_md, data)),
7596 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7597 				    offsetof(struct xdp_md, data_end)),
7598 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7599 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7600 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
7601 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7602 			BPF_MOV64_IMM(BPF_REG_0, 0),
7603 			BPF_EXIT_INSN(),
7604 		},
7605 		.errstr = "R1 offset is outside of the packet",
7606 		.result = REJECT,
7607 		.prog_type = BPF_PROG_TYPE_XDP,
7608 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7609 	},
7610 	{
7611 		"XDP pkt read, pkt_meta' > pkt_data, good access",
7612 		.insns = {
7613 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7614 				    offsetof(struct xdp_md, data_meta)),
7615 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7616 				    offsetof(struct xdp_md, data)),
7617 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7618 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7619 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7620 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7621 			BPF_MOV64_IMM(BPF_REG_0, 0),
7622 			BPF_EXIT_INSN(),
7623 		},
7624 		.result = ACCEPT,
7625 		.prog_type = BPF_PROG_TYPE_XDP,
7626 	},
7627 	{
7628 		"XDP pkt read, pkt_meta' > pkt_data, bad access 1",
7629 		.insns = {
7630 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7631 				    offsetof(struct xdp_md, data_meta)),
7632 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7633 				    offsetof(struct xdp_md, data)),
7634 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7635 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7636 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7637 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7638 			BPF_MOV64_IMM(BPF_REG_0, 0),
7639 			BPF_EXIT_INSN(),
7640 		},
7641 		.errstr = "R1 offset is outside of the packet",
7642 		.result = REJECT,
7643 		.prog_type = BPF_PROG_TYPE_XDP,
7644 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7645 	},
7646 	{
7647 		"XDP pkt read, pkt_meta' > pkt_data, bad access 2",
7648 		.insns = {
7649 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7650 				    offsetof(struct xdp_md, data_meta)),
7651 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7652 				    offsetof(struct xdp_md, data)),
7653 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7654 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7655 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
7656 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7657 			BPF_MOV64_IMM(BPF_REG_0, 0),
7658 			BPF_EXIT_INSN(),
7659 		},
7660 		.errstr = "R1 offset is outside of the packet",
7661 		.result = REJECT,
7662 		.prog_type = BPF_PROG_TYPE_XDP,
7663 	},
7664 	{
7665 		"XDP pkt read, pkt_data > pkt_meta', good access",
7666 		.insns = {
7667 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7668 				    offsetof(struct xdp_md, data_meta)),
7669 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7670 				    offsetof(struct xdp_md, data)),
7671 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7672 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7673 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7674 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7675 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7676 			BPF_MOV64_IMM(BPF_REG_0, 0),
7677 			BPF_EXIT_INSN(),
7678 		},
7679 		.result = ACCEPT,
7680 		.prog_type = BPF_PROG_TYPE_XDP,
7681 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7682 	},
7683 	{
7684 		"XDP pkt read, pkt_data > pkt_meta', bad access 1",
7685 		.insns = {
7686 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7687 				    offsetof(struct xdp_md, data_meta)),
7688 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7689 				    offsetof(struct xdp_md, data)),
7690 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7691 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7692 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7693 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7694 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7695 			BPF_MOV64_IMM(BPF_REG_0, 0),
7696 			BPF_EXIT_INSN(),
7697 		},
7698 		.errstr = "R1 offset is outside of the packet",
7699 		.result = REJECT,
7700 		.prog_type = BPF_PROG_TYPE_XDP,
7701 	},
7702 	{
7703 		"XDP pkt read, pkt_data > pkt_meta', bad access 2",
7704 		.insns = {
7705 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7706 				    offsetof(struct xdp_md, data_meta)),
7707 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7708 				    offsetof(struct xdp_md, data)),
7709 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7710 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7711 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7712 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7713 			BPF_MOV64_IMM(BPF_REG_0, 0),
7714 			BPF_EXIT_INSN(),
7715 		},
7716 		.errstr = "R1 offset is outside of the packet",
7717 		.result = REJECT,
7718 		.prog_type = BPF_PROG_TYPE_XDP,
7719 	},
7720 	{
7721 		"XDP pkt read, pkt_meta' < pkt_data, good access",
7722 		.insns = {
7723 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7724 				    offsetof(struct xdp_md, data_meta)),
7725 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7726 				    offsetof(struct xdp_md, data)),
7727 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7728 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7729 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7730 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7731 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7732 			BPF_MOV64_IMM(BPF_REG_0, 0),
7733 			BPF_EXIT_INSN(),
7734 		},
7735 		.result = ACCEPT,
7736 		.prog_type = BPF_PROG_TYPE_XDP,
7737 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7738 	},
7739 	{
7740 		"XDP pkt read, pkt_meta' < pkt_data, bad access 1",
7741 		.insns = {
7742 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7743 				    offsetof(struct xdp_md, data_meta)),
7744 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7745 				    offsetof(struct xdp_md, data)),
7746 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7747 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7748 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7749 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7750 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7751 			BPF_MOV64_IMM(BPF_REG_0, 0),
7752 			BPF_EXIT_INSN(),
7753 		},
7754 		.errstr = "R1 offset is outside of the packet",
7755 		.result = REJECT,
7756 		.prog_type = BPF_PROG_TYPE_XDP,
7757 	},
7758 	{
7759 		"XDP pkt read, pkt_meta' < pkt_data, bad access 2",
7760 		.insns = {
7761 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7762 				    offsetof(struct xdp_md, data_meta)),
7763 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7764 				    offsetof(struct xdp_md, data)),
7765 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7766 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7767 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7768 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7769 			BPF_MOV64_IMM(BPF_REG_0, 0),
7770 			BPF_EXIT_INSN(),
7771 		},
7772 		.errstr = "R1 offset is outside of the packet",
7773 		.result = REJECT,
7774 		.prog_type = BPF_PROG_TYPE_XDP,
7775 	},
7776 	{
7777 		"XDP pkt read, pkt_data < pkt_meta', good access",
7778 		.insns = {
7779 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7780 				    offsetof(struct xdp_md, data_meta)),
7781 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7782 				    offsetof(struct xdp_md, data)),
7783 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7784 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7785 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7786 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7787 			BPF_MOV64_IMM(BPF_REG_0, 0),
7788 			BPF_EXIT_INSN(),
7789 		},
7790 		.result = ACCEPT,
7791 		.prog_type = BPF_PROG_TYPE_XDP,
7792 	},
7793 	{
7794 		"XDP pkt read, pkt_data < pkt_meta', bad access 1",
7795 		.insns = {
7796 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7797 				    offsetof(struct xdp_md, data_meta)),
7798 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7799 				    offsetof(struct xdp_md, data)),
7800 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7801 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7802 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7803 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7804 			BPF_MOV64_IMM(BPF_REG_0, 0),
7805 			BPF_EXIT_INSN(),
7806 		},
7807 		.errstr = "R1 offset is outside of the packet",
7808 		.result = REJECT,
7809 		.prog_type = BPF_PROG_TYPE_XDP,
7810 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7811 	},
7812 	{
7813 		"XDP pkt read, pkt_data < pkt_meta', bad access 2",
7814 		.insns = {
7815 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7816 				    offsetof(struct xdp_md, data_meta)),
7817 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7818 				    offsetof(struct xdp_md, data)),
7819 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7820 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7821 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
7822 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7823 			BPF_MOV64_IMM(BPF_REG_0, 0),
7824 			BPF_EXIT_INSN(),
7825 		},
7826 		.errstr = "R1 offset is outside of the packet",
7827 		.result = REJECT,
7828 		.prog_type = BPF_PROG_TYPE_XDP,
7829 	},
7830 	{
7831 		"XDP pkt read, pkt_meta' >= pkt_data, good access",
7832 		.insns = {
7833 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7834 				    offsetof(struct xdp_md, data_meta)),
7835 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7836 				    offsetof(struct xdp_md, data)),
7837 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7838 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7839 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7840 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7841 			BPF_MOV64_IMM(BPF_REG_0, 0),
7842 			BPF_EXIT_INSN(),
7843 		},
7844 		.result = ACCEPT,
7845 		.prog_type = BPF_PROG_TYPE_XDP,
7846 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7847 	},
7848 	{
7849 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
7850 		.insns = {
7851 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7852 				    offsetof(struct xdp_md, data_meta)),
7853 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7854 				    offsetof(struct xdp_md, data)),
7855 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7856 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7857 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7858 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7859 			BPF_MOV64_IMM(BPF_REG_0, 0),
7860 			BPF_EXIT_INSN(),
7861 		},
7862 		.errstr = "R1 offset is outside of the packet",
7863 		.result = REJECT,
7864 		.prog_type = BPF_PROG_TYPE_XDP,
7865 	},
7866 	{
7867 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
7868 		.insns = {
7869 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7870 				    offsetof(struct xdp_md, data_meta)),
7871 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7872 				    offsetof(struct xdp_md, data)),
7873 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7874 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7875 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
7876 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7877 			BPF_MOV64_IMM(BPF_REG_0, 0),
7878 			BPF_EXIT_INSN(),
7879 		},
7880 		.errstr = "R1 offset is outside of the packet",
7881 		.result = REJECT,
7882 		.prog_type = BPF_PROG_TYPE_XDP,
7883 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7884 	},
7885 	{
7886 		"XDP pkt read, pkt_data >= pkt_meta', good access",
7887 		.insns = {
7888 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7889 				    offsetof(struct xdp_md, data_meta)),
7890 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7891 				    offsetof(struct xdp_md, data)),
7892 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7893 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7894 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7895 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7896 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7897 			BPF_MOV64_IMM(BPF_REG_0, 0),
7898 			BPF_EXIT_INSN(),
7899 		},
7900 		.result = ACCEPT,
7901 		.prog_type = BPF_PROG_TYPE_XDP,
7902 	},
7903 	{
7904 		"XDP pkt read, pkt_data >= pkt_meta', bad access 1",
7905 		.insns = {
7906 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7907 				    offsetof(struct xdp_md, data_meta)),
7908 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7909 				    offsetof(struct xdp_md, data)),
7910 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7911 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7912 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7913 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7914 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7915 			BPF_MOV64_IMM(BPF_REG_0, 0),
7916 			BPF_EXIT_INSN(),
7917 		},
7918 		.errstr = "R1 offset is outside of the packet",
7919 		.result = REJECT,
7920 		.prog_type = BPF_PROG_TYPE_XDP,
7921 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7922 	},
7923 	{
7924 		"XDP pkt read, pkt_data >= pkt_meta', bad access 2",
7925 		.insns = {
7926 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7927 				    offsetof(struct xdp_md, data_meta)),
7928 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7929 				    offsetof(struct xdp_md, data)),
7930 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7931 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7932 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7933 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7934 			BPF_MOV64_IMM(BPF_REG_0, 0),
7935 			BPF_EXIT_INSN(),
7936 		},
7937 		.errstr = "R1 offset is outside of the packet",
7938 		.result = REJECT,
7939 		.prog_type = BPF_PROG_TYPE_XDP,
7940 	},
7941 	{
7942 		"XDP pkt read, pkt_meta' <= pkt_data, good access",
7943 		.insns = {
7944 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7945 				    offsetof(struct xdp_md, data_meta)),
7946 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7947 				    offsetof(struct xdp_md, data)),
7948 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7949 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7950 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7951 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7952 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7953 			BPF_MOV64_IMM(BPF_REG_0, 0),
7954 			BPF_EXIT_INSN(),
7955 		},
7956 		.result = ACCEPT,
7957 		.prog_type = BPF_PROG_TYPE_XDP,
7958 	},
7959 	{
7960 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
7961 		.insns = {
7962 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7963 				    offsetof(struct xdp_md, data_meta)),
7964 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7965 				    offsetof(struct xdp_md, data)),
7966 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7967 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7968 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7969 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7970 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7971 			BPF_MOV64_IMM(BPF_REG_0, 0),
7972 			BPF_EXIT_INSN(),
7973 		},
7974 		.errstr = "R1 offset is outside of the packet",
7975 		.result = REJECT,
7976 		.prog_type = BPF_PROG_TYPE_XDP,
7977 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7978 	},
7979 	{
7980 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
7981 		.insns = {
7982 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7983 				    offsetof(struct xdp_md, data_meta)),
7984 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7985 				    offsetof(struct xdp_md, data)),
7986 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7987 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7988 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
7989 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7990 			BPF_MOV64_IMM(BPF_REG_0, 0),
7991 			BPF_EXIT_INSN(),
7992 		},
7993 		.errstr = "R1 offset is outside of the packet",
7994 		.result = REJECT,
7995 		.prog_type = BPF_PROG_TYPE_XDP,
7996 	},
7997 	{
7998 		"XDP pkt read, pkt_data <= pkt_meta', good access",
7999 		.insns = {
8000 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8001 				    offsetof(struct xdp_md, data_meta)),
8002 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8003 				    offsetof(struct xdp_md, data)),
8004 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8005 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8006 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8007 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8008 			BPF_MOV64_IMM(BPF_REG_0, 0),
8009 			BPF_EXIT_INSN(),
8010 		},
8011 		.result = ACCEPT,
8012 		.prog_type = BPF_PROG_TYPE_XDP,
8013 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8014 	},
8015 	{
8016 		"XDP pkt read, pkt_data <= pkt_meta', bad access 1",
8017 		.insns = {
8018 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8019 				    offsetof(struct xdp_md, data_meta)),
8020 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8021 				    offsetof(struct xdp_md, data)),
8022 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8023 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8024 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8025 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8026 			BPF_MOV64_IMM(BPF_REG_0, 0),
8027 			BPF_EXIT_INSN(),
8028 		},
8029 		.errstr = "R1 offset is outside of the packet",
8030 		.result = REJECT,
8031 		.prog_type = BPF_PROG_TYPE_XDP,
8032 	},
8033 	{
8034 		"XDP pkt read, pkt_data <= pkt_meta', bad access 2",
8035 		.insns = {
8036 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8037 				    offsetof(struct xdp_md, data_meta)),
8038 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8039 				    offsetof(struct xdp_md, data)),
8040 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8041 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8042 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
8043 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8044 			BPF_MOV64_IMM(BPF_REG_0, 0),
8045 			BPF_EXIT_INSN(),
8046 		},
8047 		.errstr = "R1 offset is outside of the packet",
8048 		.result = REJECT,
8049 		.prog_type = BPF_PROG_TYPE_XDP,
8050 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8051 	},
8052 	{
8053 		"bpf_exit with invalid return code. test1",
8054 		.insns = {
8055 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8056 			BPF_EXIT_INSN(),
8057 		},
8058 		.errstr = "R0 has value (0x0; 0xffffffff)",
8059 		.result = REJECT,
8060 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8061 	},
8062 	{
8063 		"bpf_exit with invalid return code. test2",
8064 		.insns = {
8065 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8066 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
8067 			BPF_EXIT_INSN(),
8068 		},
8069 		.result = ACCEPT,
8070 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8071 	},
8072 	{
8073 		"bpf_exit with invalid return code. test3",
8074 		.insns = {
8075 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8076 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
8077 			BPF_EXIT_INSN(),
8078 		},
8079 		.errstr = "R0 has value (0x0; 0x3)",
8080 		.result = REJECT,
8081 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8082 	},
8083 	{
8084 		"bpf_exit with invalid return code. test4",
8085 		.insns = {
8086 			BPF_MOV64_IMM(BPF_REG_0, 1),
8087 			BPF_EXIT_INSN(),
8088 		},
8089 		.result = ACCEPT,
8090 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8091 	},
8092 	{
8093 		"bpf_exit with invalid return code. test5",
8094 		.insns = {
8095 			BPF_MOV64_IMM(BPF_REG_0, 2),
8096 			BPF_EXIT_INSN(),
8097 		},
8098 		.errstr = "R0 has value (0x2; 0x0)",
8099 		.result = REJECT,
8100 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8101 	},
8102 	{
8103 		"bpf_exit with invalid return code. test6",
8104 		.insns = {
8105 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8106 			BPF_EXIT_INSN(),
8107 		},
8108 		.errstr = "R0 is not a known value (ctx)",
8109 		.result = REJECT,
8110 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8111 	},
8112 	{
8113 		"bpf_exit with invalid return code. test7",
8114 		.insns = {
8115 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8116 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
8117 			BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
8118 			BPF_EXIT_INSN(),
8119 		},
8120 		.errstr = "R0 has unknown scalar value",
8121 		.result = REJECT,
8122 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8123 	},
8124 };
8125 
8126 static int probe_filter_length(const struct bpf_insn *fp)
8127 {
8128 	int len;
8129 
8130 	for (len = MAX_INSNS - 1; len > 0; --len)
8131 		if (fp[len].code != 0 || fp[len].imm != 0)
8132 			break;
8133 	return len + 1;
8134 }
8135 
8136 static int create_map(uint32_t size_value, uint32_t max_elem)
8137 {
8138 	int fd;
8139 
8140 	fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
8141 			    size_value, max_elem, BPF_F_NO_PREALLOC);
8142 	if (fd < 0)
8143 		printf("Failed to create hash map '%s'!\n", strerror(errno));
8144 
8145 	return fd;
8146 }
8147 
8148 static int create_prog_array(void)
8149 {
8150 	int fd;
8151 
8152 	fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
8153 			    sizeof(int), 4, 0);
8154 	if (fd < 0)
8155 		printf("Failed to create prog array '%s'!\n", strerror(errno));
8156 
8157 	return fd;
8158 }
8159 
8160 static int create_map_in_map(void)
8161 {
8162 	int inner_map_fd, outer_map_fd;
8163 
8164 	inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
8165 				      sizeof(int), 1, 0);
8166 	if (inner_map_fd < 0) {
8167 		printf("Failed to create array '%s'!\n", strerror(errno));
8168 		return inner_map_fd;
8169 	}
8170 
8171 	outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
8172 					     sizeof(int), inner_map_fd, 1, 0);
8173 	if (outer_map_fd < 0)
8174 		printf("Failed to create array of maps '%s'!\n",
8175 		       strerror(errno));
8176 
8177 	close(inner_map_fd);
8178 
8179 	return outer_map_fd;
8180 }
8181 
8182 static char bpf_vlog[32768];
8183 
8184 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
8185 			  int *map_fds)
8186 {
8187 	int *fixup_map1 = test->fixup_map1;
8188 	int *fixup_map2 = test->fixup_map2;
8189 	int *fixup_prog = test->fixup_prog;
8190 	int *fixup_map_in_map = test->fixup_map_in_map;
8191 
8192 	/* Allocating HTs with 1 elem is fine here, since we only test
8193 	 * for verifier and not do a runtime lookup, so the only thing
8194 	 * that really matters is value size in this case.
8195 	 */
8196 	if (*fixup_map1) {
8197 		map_fds[0] = create_map(sizeof(long long), 1);
8198 		do {
8199 			prog[*fixup_map1].imm = map_fds[0];
8200 			fixup_map1++;
8201 		} while (*fixup_map1);
8202 	}
8203 
8204 	if (*fixup_map2) {
8205 		map_fds[1] = create_map(sizeof(struct test_val), 1);
8206 		do {
8207 			prog[*fixup_map2].imm = map_fds[1];
8208 			fixup_map2++;
8209 		} while (*fixup_map2);
8210 	}
8211 
8212 	if (*fixup_prog) {
8213 		map_fds[2] = create_prog_array();
8214 		do {
8215 			prog[*fixup_prog].imm = map_fds[2];
8216 			fixup_prog++;
8217 		} while (*fixup_prog);
8218 	}
8219 
8220 	if (*fixup_map_in_map) {
8221 		map_fds[3] = create_map_in_map();
8222 		do {
8223 			prog[*fixup_map_in_map].imm = map_fds[3];
8224 			fixup_map_in_map++;
8225 		} while (*fixup_map_in_map);
8226 	}
8227 }
8228 
8229 static void do_test_single(struct bpf_test *test, bool unpriv,
8230 			   int *passes, int *errors)
8231 {
8232 	int fd_prog, expected_ret, reject_from_alignment;
8233 	struct bpf_insn *prog = test->insns;
8234 	int prog_len = probe_filter_length(prog);
8235 	int prog_type = test->prog_type;
8236 	int map_fds[MAX_NR_MAPS];
8237 	const char *expected_err;
8238 	int i;
8239 
8240 	for (i = 0; i < MAX_NR_MAPS; i++)
8241 		map_fds[i] = -1;
8242 
8243 	do_test_fixup(test, prog, map_fds);
8244 
8245 	fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
8246 				     prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
8247 				     "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
8248 
8249 	expected_ret = unpriv && test->result_unpriv != UNDEF ?
8250 		       test->result_unpriv : test->result;
8251 	expected_err = unpriv && test->errstr_unpriv ?
8252 		       test->errstr_unpriv : test->errstr;
8253 
8254 	reject_from_alignment = fd_prog < 0 &&
8255 				(test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
8256 				strstr(bpf_vlog, "Unknown alignment.");
8257 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
8258 	if (reject_from_alignment) {
8259 		printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
8260 		       strerror(errno));
8261 		goto fail_log;
8262 	}
8263 #endif
8264 	if (expected_ret == ACCEPT) {
8265 		if (fd_prog < 0 && !reject_from_alignment) {
8266 			printf("FAIL\nFailed to load prog '%s'!\n",
8267 			       strerror(errno));
8268 			goto fail_log;
8269 		}
8270 	} else {
8271 		if (fd_prog >= 0) {
8272 			printf("FAIL\nUnexpected success to load!\n");
8273 			goto fail_log;
8274 		}
8275 		if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
8276 			printf("FAIL\nUnexpected error message!\n");
8277 			goto fail_log;
8278 		}
8279 	}
8280 
8281 	(*passes)++;
8282 	printf("OK%s\n", reject_from_alignment ?
8283 	       " (NOTE: reject due to unknown alignment)" : "");
8284 close_fds:
8285 	close(fd_prog);
8286 	for (i = 0; i < MAX_NR_MAPS; i++)
8287 		close(map_fds[i]);
8288 	sched_yield();
8289 	return;
8290 fail_log:
8291 	(*errors)++;
8292 	printf("%s", bpf_vlog);
8293 	goto close_fds;
8294 }
8295 
8296 static bool is_admin(void)
8297 {
8298 	cap_t caps;
8299 	cap_flag_value_t sysadmin = CAP_CLEAR;
8300 	const cap_value_t cap_val = CAP_SYS_ADMIN;
8301 
8302 #ifdef CAP_IS_SUPPORTED
8303 	if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
8304 		perror("cap_get_flag");
8305 		return false;
8306 	}
8307 #endif
8308 	caps = cap_get_proc();
8309 	if (!caps) {
8310 		perror("cap_get_proc");
8311 		return false;
8312 	}
8313 	if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
8314 		perror("cap_get_flag");
8315 	if (cap_free(caps))
8316 		perror("cap_free");
8317 	return (sysadmin == CAP_SET);
8318 }
8319 
8320 static int set_admin(bool admin)
8321 {
8322 	cap_t caps;
8323 	const cap_value_t cap_val = CAP_SYS_ADMIN;
8324 	int ret = -1;
8325 
8326 	caps = cap_get_proc();
8327 	if (!caps) {
8328 		perror("cap_get_proc");
8329 		return -1;
8330 	}
8331 	if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
8332 				admin ? CAP_SET : CAP_CLEAR)) {
8333 		perror("cap_set_flag");
8334 		goto out;
8335 	}
8336 	if (cap_set_proc(caps)) {
8337 		perror("cap_set_proc");
8338 		goto out;
8339 	}
8340 	ret = 0;
8341 out:
8342 	if (cap_free(caps))
8343 		perror("cap_free");
8344 	return ret;
8345 }
8346 
8347 static int do_test(bool unpriv, unsigned int from, unsigned int to)
8348 {
8349 	int i, passes = 0, errors = 0;
8350 
8351 	for (i = from; i < to; i++) {
8352 		struct bpf_test *test = &tests[i];
8353 
8354 		/* Program types that are not supported by non-root we
8355 		 * skip right away.
8356 		 */
8357 		if (!test->prog_type) {
8358 			if (!unpriv)
8359 				set_admin(false);
8360 			printf("#%d/u %s ", i, test->descr);
8361 			do_test_single(test, true, &passes, &errors);
8362 			if (!unpriv)
8363 				set_admin(true);
8364 		}
8365 
8366 		if (!unpriv) {
8367 			printf("#%d/p %s ", i, test->descr);
8368 			do_test_single(test, false, &passes, &errors);
8369 		}
8370 	}
8371 
8372 	printf("Summary: %d PASSED, %d FAILED\n", passes, errors);
8373 	return errors ? EXIT_FAILURE : EXIT_SUCCESS;
8374 }
8375 
8376 int main(int argc, char **argv)
8377 {
8378 	struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY };
8379 	struct rlimit rlim = { 1 << 20, 1 << 20 };
8380 	unsigned int from = 0, to = ARRAY_SIZE(tests);
8381 	bool unpriv = !is_admin();
8382 
8383 	if (argc == 3) {
8384 		unsigned int l = atoi(argv[argc - 2]);
8385 		unsigned int u = atoi(argv[argc - 1]);
8386 
8387 		if (l < to && u < to) {
8388 			from = l;
8389 			to   = u + 1;
8390 		}
8391 	} else if (argc == 2) {
8392 		unsigned int t = atoi(argv[argc - 1]);
8393 
8394 		if (t < to) {
8395 			from = t;
8396 			to   = t + 1;
8397 		}
8398 	}
8399 
8400 	setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf);
8401 	return do_test(unpriv, from, to);
8402 }
8403