xref: /linux/tools/testing/selftests/bpf/test_verifier.c (revision f412eed9dfdeeb6becd7de2ffe8b5d0a8b3f81ca) 
1 /*
2  * Testsuite for eBPF verifier
3  *
4  * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5  * Copyright (c) 2017 Facebook
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of version 2 of the GNU General Public
9  * License as published by the Free Software Foundation.
10  */
11 
12 #include <endian.h>
13 #include <asm/types.h>
14 #include <linux/types.h>
15 #include <stdint.h>
16 #include <stdio.h>
17 #include <stdlib.h>
18 #include <unistd.h>
19 #include <errno.h>
20 #include <string.h>
21 #include <stddef.h>
22 #include <stdbool.h>
23 #include <sched.h>
24 #include <limits.h>
25 
26 #include <sys/capability.h>
27 
28 #include <linux/unistd.h>
29 #include <linux/filter.h>
30 #include <linux/bpf_perf_event.h>
31 #include <linux/bpf.h>
32 #include <linux/if_ether.h>
33 
34 #include <bpf/bpf.h>
35 
36 #ifdef HAVE_GENHDR
37 # include "autoconf.h"
38 #else
39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
40 #  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
41 # endif
42 #endif
43 #include "bpf_rlimit.h"
44 #include "../../../include/linux/filter.h"
45 
46 #ifndef ARRAY_SIZE
47 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
48 #endif
49 
50 #define MAX_INSNS	BPF_MAXINSNS
51 #define MAX_FIXUPS	8
52 #define MAX_NR_MAPS	4
53 #define POINTER_VALUE	0xcafe4all
54 #define TEST_DATA_LEN	64
55 
56 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS	(1 << 0)
57 #define F_LOAD_WITH_STRICT_ALIGNMENT		(1 << 1)
58 
59 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
60 static bool unpriv_disabled = false;
61 
62 struct bpf_test {
63 	const char *descr;
64 	struct bpf_insn	insns[MAX_INSNS];
65 	int fixup_map1[MAX_FIXUPS];
66 	int fixup_map2[MAX_FIXUPS];
67 	int fixup_map3[MAX_FIXUPS];
68 	int fixup_prog[MAX_FIXUPS];
69 	int fixup_map_in_map[MAX_FIXUPS];
70 	const char *errstr;
71 	const char *errstr_unpriv;
72 	uint32_t retval;
73 	enum {
74 		UNDEF,
75 		ACCEPT,
76 		REJECT
77 	} result, result_unpriv;
78 	enum bpf_prog_type prog_type;
79 	uint8_t flags;
80 	__u8 data[TEST_DATA_LEN];
81 	void (*fill_helper)(struct bpf_test *self);
82 };
83 
84 /* Note we want this to be 64 bit aligned so that the end of our array is
85  * actually the end of the structure.
86  */
87 #define MAX_ENTRIES 11
88 
89 struct test_val {
90 	unsigned int index;
91 	int foo[MAX_ENTRIES];
92 };
93 
94 struct other_val {
95 	long long foo;
96 	long long bar;
97 };
98 
99 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
100 {
101 	/* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
102 #define PUSH_CNT 51
103 	unsigned int len = BPF_MAXINSNS;
104 	struct bpf_insn *insn = self->insns;
105 	int i = 0, j, k = 0;
106 
107 	insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
108 loop:
109 	for (j = 0; j < PUSH_CNT; j++) {
110 		insn[i++] = BPF_LD_ABS(BPF_B, 0);
111 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
112 		i++;
113 		insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
114 		insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
115 		insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
116 		insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
117 					 BPF_FUNC_skb_vlan_push),
118 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
119 		i++;
120 	}
121 
122 	for (j = 0; j < PUSH_CNT; j++) {
123 		insn[i++] = BPF_LD_ABS(BPF_B, 0);
124 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
125 		i++;
126 		insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
127 		insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
128 					 BPF_FUNC_skb_vlan_pop),
129 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
130 		i++;
131 	}
132 	if (++k < 5)
133 		goto loop;
134 
135 	for (; i < len - 1; i++)
136 		insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
137 	insn[len - 1] = BPF_EXIT_INSN();
138 }
139 
140 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
141 {
142 	struct bpf_insn *insn = self->insns;
143 	unsigned int len = BPF_MAXINSNS;
144 	int i = 0;
145 
146 	insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
147 	insn[i++] = BPF_LD_ABS(BPF_B, 0);
148 	insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
149 	i++;
150 	while (i < len - 1)
151 		insn[i++] = BPF_LD_ABS(BPF_B, 1);
152 	insn[i] = BPF_EXIT_INSN();
153 }
154 
155 static struct bpf_test tests[] = {
156 	{
157 		"add+sub+mul",
158 		.insns = {
159 			BPF_MOV64_IMM(BPF_REG_1, 1),
160 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
161 			BPF_MOV64_IMM(BPF_REG_2, 3),
162 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
163 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
164 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
165 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
166 			BPF_EXIT_INSN(),
167 		},
168 		.result = ACCEPT,
169 		.retval = -3,
170 	},
171 	{
172 		"DIV32 by 0, zero check 1",
173 		.insns = {
174 			BPF_MOV32_IMM(BPF_REG_0, 42),
175 			BPF_MOV32_IMM(BPF_REG_1, 0),
176 			BPF_MOV32_IMM(BPF_REG_2, 1),
177 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
178 			BPF_EXIT_INSN(),
179 		},
180 		.result = ACCEPT,
181 		.retval = 42,
182 	},
183 	{
184 		"DIV32 by 0, zero check 2",
185 		.insns = {
186 			BPF_MOV32_IMM(BPF_REG_0, 42),
187 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
188 			BPF_MOV32_IMM(BPF_REG_2, 1),
189 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
190 			BPF_EXIT_INSN(),
191 		},
192 		.result = ACCEPT,
193 		.retval = 42,
194 	},
195 	{
196 		"DIV64 by 0, zero check",
197 		.insns = {
198 			BPF_MOV32_IMM(BPF_REG_0, 42),
199 			BPF_MOV32_IMM(BPF_REG_1, 0),
200 			BPF_MOV32_IMM(BPF_REG_2, 1),
201 			BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
202 			BPF_EXIT_INSN(),
203 		},
204 		.result = ACCEPT,
205 		.retval = 42,
206 	},
207 	{
208 		"MOD32 by 0, zero check 1",
209 		.insns = {
210 			BPF_MOV32_IMM(BPF_REG_0, 42),
211 			BPF_MOV32_IMM(BPF_REG_1, 0),
212 			BPF_MOV32_IMM(BPF_REG_2, 1),
213 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
214 			BPF_EXIT_INSN(),
215 		},
216 		.result = ACCEPT,
217 		.retval = 42,
218 	},
219 	{
220 		"MOD32 by 0, zero check 2",
221 		.insns = {
222 			BPF_MOV32_IMM(BPF_REG_0, 42),
223 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
224 			BPF_MOV32_IMM(BPF_REG_2, 1),
225 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
226 			BPF_EXIT_INSN(),
227 		},
228 		.result = ACCEPT,
229 		.retval = 42,
230 	},
231 	{
232 		"MOD64 by 0, zero check",
233 		.insns = {
234 			BPF_MOV32_IMM(BPF_REG_0, 42),
235 			BPF_MOV32_IMM(BPF_REG_1, 0),
236 			BPF_MOV32_IMM(BPF_REG_2, 1),
237 			BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
238 			BPF_EXIT_INSN(),
239 		},
240 		.result = ACCEPT,
241 		.retval = 42,
242 	},
243 	{
244 		"DIV32 by 0, zero check ok, cls",
245 		.insns = {
246 			BPF_MOV32_IMM(BPF_REG_0, 42),
247 			BPF_MOV32_IMM(BPF_REG_1, 2),
248 			BPF_MOV32_IMM(BPF_REG_2, 16),
249 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
250 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
251 			BPF_EXIT_INSN(),
252 		},
253 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
254 		.result = ACCEPT,
255 		.retval = 8,
256 	},
257 	{
258 		"DIV32 by 0, zero check 1, cls",
259 		.insns = {
260 			BPF_MOV32_IMM(BPF_REG_1, 0),
261 			BPF_MOV32_IMM(BPF_REG_0, 1),
262 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
263 			BPF_EXIT_INSN(),
264 		},
265 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
266 		.result = ACCEPT,
267 		.retval = 0,
268 	},
269 	{
270 		"DIV32 by 0, zero check 2, cls",
271 		.insns = {
272 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
273 			BPF_MOV32_IMM(BPF_REG_0, 1),
274 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
275 			BPF_EXIT_INSN(),
276 		},
277 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
278 		.result = ACCEPT,
279 		.retval = 0,
280 	},
281 	{
282 		"DIV64 by 0, zero check, cls",
283 		.insns = {
284 			BPF_MOV32_IMM(BPF_REG_1, 0),
285 			BPF_MOV32_IMM(BPF_REG_0, 1),
286 			BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
287 			BPF_EXIT_INSN(),
288 		},
289 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
290 		.result = ACCEPT,
291 		.retval = 0,
292 	},
293 	{
294 		"MOD32 by 0, zero check ok, cls",
295 		.insns = {
296 			BPF_MOV32_IMM(BPF_REG_0, 42),
297 			BPF_MOV32_IMM(BPF_REG_1, 3),
298 			BPF_MOV32_IMM(BPF_REG_2, 5),
299 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
300 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
301 			BPF_EXIT_INSN(),
302 		},
303 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
304 		.result = ACCEPT,
305 		.retval = 2,
306 	},
307 	{
308 		"MOD32 by 0, zero check 1, cls",
309 		.insns = {
310 			BPF_MOV32_IMM(BPF_REG_1, 0),
311 			BPF_MOV32_IMM(BPF_REG_0, 1),
312 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
313 			BPF_EXIT_INSN(),
314 		},
315 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
316 		.result = ACCEPT,
317 		.retval = 1,
318 	},
319 	{
320 		"MOD32 by 0, zero check 2, cls",
321 		.insns = {
322 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
323 			BPF_MOV32_IMM(BPF_REG_0, 1),
324 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
325 			BPF_EXIT_INSN(),
326 		},
327 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
328 		.result = ACCEPT,
329 		.retval = 1,
330 	},
331 	{
332 		"MOD64 by 0, zero check 1, cls",
333 		.insns = {
334 			BPF_MOV32_IMM(BPF_REG_1, 0),
335 			BPF_MOV32_IMM(BPF_REG_0, 2),
336 			BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
337 			BPF_EXIT_INSN(),
338 		},
339 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
340 		.result = ACCEPT,
341 		.retval = 2,
342 	},
343 	{
344 		"MOD64 by 0, zero check 2, cls",
345 		.insns = {
346 			BPF_MOV32_IMM(BPF_REG_1, 0),
347 			BPF_MOV32_IMM(BPF_REG_0, -1),
348 			BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
349 			BPF_EXIT_INSN(),
350 		},
351 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
352 		.result = ACCEPT,
353 		.retval = -1,
354 	},
355 	/* Just make sure that JITs used udiv/umod as otherwise we get
356 	 * an exception from INT_MIN/-1 overflow similarly as with div
357 	 * by zero.
358 	 */
359 	{
360 		"DIV32 overflow, check 1",
361 		.insns = {
362 			BPF_MOV32_IMM(BPF_REG_1, -1),
363 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
364 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
365 			BPF_EXIT_INSN(),
366 		},
367 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
368 		.result = ACCEPT,
369 		.retval = 0,
370 	},
371 	{
372 		"DIV32 overflow, check 2",
373 		.insns = {
374 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
375 			BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
376 			BPF_EXIT_INSN(),
377 		},
378 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
379 		.result = ACCEPT,
380 		.retval = 0,
381 	},
382 	{
383 		"DIV64 overflow, check 1",
384 		.insns = {
385 			BPF_MOV64_IMM(BPF_REG_1, -1),
386 			BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
387 			BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
388 			BPF_EXIT_INSN(),
389 		},
390 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
391 		.result = ACCEPT,
392 		.retval = 0,
393 	},
394 	{
395 		"DIV64 overflow, check 2",
396 		.insns = {
397 			BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
398 			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
399 			BPF_EXIT_INSN(),
400 		},
401 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
402 		.result = ACCEPT,
403 		.retval = 0,
404 	},
405 	{
406 		"MOD32 overflow, check 1",
407 		.insns = {
408 			BPF_MOV32_IMM(BPF_REG_1, -1),
409 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
410 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
411 			BPF_EXIT_INSN(),
412 		},
413 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
414 		.result = ACCEPT,
415 		.retval = INT_MIN,
416 	},
417 	{
418 		"MOD32 overflow, check 2",
419 		.insns = {
420 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
421 			BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
422 			BPF_EXIT_INSN(),
423 		},
424 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
425 		.result = ACCEPT,
426 		.retval = INT_MIN,
427 	},
428 	{
429 		"MOD64 overflow, check 1",
430 		.insns = {
431 			BPF_MOV64_IMM(BPF_REG_1, -1),
432 			BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
433 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
434 			BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
435 			BPF_MOV32_IMM(BPF_REG_0, 0),
436 			BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
437 			BPF_MOV32_IMM(BPF_REG_0, 1),
438 			BPF_EXIT_INSN(),
439 		},
440 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
441 		.result = ACCEPT,
442 		.retval = 1,
443 	},
444 	{
445 		"MOD64 overflow, check 2",
446 		.insns = {
447 			BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
448 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
449 			BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
450 			BPF_MOV32_IMM(BPF_REG_0, 0),
451 			BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
452 			BPF_MOV32_IMM(BPF_REG_0, 1),
453 			BPF_EXIT_INSN(),
454 		},
455 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
456 		.result = ACCEPT,
457 		.retval = 1,
458 	},
459 	{
460 		"xor32 zero extend check",
461 		.insns = {
462 			BPF_MOV32_IMM(BPF_REG_2, -1),
463 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
464 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
465 			BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
466 			BPF_MOV32_IMM(BPF_REG_0, 2),
467 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
468 			BPF_MOV32_IMM(BPF_REG_0, 1),
469 			BPF_EXIT_INSN(),
470 		},
471 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
472 		.result = ACCEPT,
473 		.retval = 1,
474 	},
475 	{
476 		"empty prog",
477 		.insns = {
478 		},
479 		.errstr = "unknown opcode 00",
480 		.result = REJECT,
481 	},
482 	{
483 		"only exit insn",
484 		.insns = {
485 			BPF_EXIT_INSN(),
486 		},
487 		.errstr = "R0 !read_ok",
488 		.result = REJECT,
489 	},
490 	{
491 		"unreachable",
492 		.insns = {
493 			BPF_EXIT_INSN(),
494 			BPF_EXIT_INSN(),
495 		},
496 		.errstr = "unreachable",
497 		.result = REJECT,
498 	},
499 	{
500 		"unreachable2",
501 		.insns = {
502 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
503 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
504 			BPF_EXIT_INSN(),
505 		},
506 		.errstr = "unreachable",
507 		.result = REJECT,
508 	},
509 	{
510 		"out of range jump",
511 		.insns = {
512 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
513 			BPF_EXIT_INSN(),
514 		},
515 		.errstr = "jump out of range",
516 		.result = REJECT,
517 	},
518 	{
519 		"out of range jump2",
520 		.insns = {
521 			BPF_JMP_IMM(BPF_JA, 0, 0, -2),
522 			BPF_EXIT_INSN(),
523 		},
524 		.errstr = "jump out of range",
525 		.result = REJECT,
526 	},
527 	{
528 		"test1 ld_imm64",
529 		.insns = {
530 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
531 			BPF_LD_IMM64(BPF_REG_0, 0),
532 			BPF_LD_IMM64(BPF_REG_0, 0),
533 			BPF_LD_IMM64(BPF_REG_0, 1),
534 			BPF_LD_IMM64(BPF_REG_0, 1),
535 			BPF_MOV64_IMM(BPF_REG_0, 2),
536 			BPF_EXIT_INSN(),
537 		},
538 		.errstr = "invalid BPF_LD_IMM insn",
539 		.errstr_unpriv = "R1 pointer comparison",
540 		.result = REJECT,
541 	},
542 	{
543 		"test2 ld_imm64",
544 		.insns = {
545 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
546 			BPF_LD_IMM64(BPF_REG_0, 0),
547 			BPF_LD_IMM64(BPF_REG_0, 0),
548 			BPF_LD_IMM64(BPF_REG_0, 1),
549 			BPF_LD_IMM64(BPF_REG_0, 1),
550 			BPF_EXIT_INSN(),
551 		},
552 		.errstr = "invalid BPF_LD_IMM insn",
553 		.errstr_unpriv = "R1 pointer comparison",
554 		.result = REJECT,
555 	},
556 	{
557 		"test3 ld_imm64",
558 		.insns = {
559 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
560 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
561 			BPF_LD_IMM64(BPF_REG_0, 0),
562 			BPF_LD_IMM64(BPF_REG_0, 0),
563 			BPF_LD_IMM64(BPF_REG_0, 1),
564 			BPF_LD_IMM64(BPF_REG_0, 1),
565 			BPF_EXIT_INSN(),
566 		},
567 		.errstr = "invalid bpf_ld_imm64 insn",
568 		.result = REJECT,
569 	},
570 	{
571 		"test4 ld_imm64",
572 		.insns = {
573 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
574 			BPF_EXIT_INSN(),
575 		},
576 		.errstr = "invalid bpf_ld_imm64 insn",
577 		.result = REJECT,
578 	},
579 	{
580 		"test5 ld_imm64",
581 		.insns = {
582 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
583 		},
584 		.errstr = "invalid bpf_ld_imm64 insn",
585 		.result = REJECT,
586 	},
587 	{
588 		"test6 ld_imm64",
589 		.insns = {
590 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
591 			BPF_RAW_INSN(0, 0, 0, 0, 0),
592 			BPF_EXIT_INSN(),
593 		},
594 		.result = ACCEPT,
595 	},
596 	{
597 		"test7 ld_imm64",
598 		.insns = {
599 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
600 			BPF_RAW_INSN(0, 0, 0, 0, 1),
601 			BPF_EXIT_INSN(),
602 		},
603 		.result = ACCEPT,
604 		.retval = 1,
605 	},
606 	{
607 		"test8 ld_imm64",
608 		.insns = {
609 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
610 			BPF_RAW_INSN(0, 0, 0, 0, 1),
611 			BPF_EXIT_INSN(),
612 		},
613 		.errstr = "uses reserved fields",
614 		.result = REJECT,
615 	},
616 	{
617 		"test9 ld_imm64",
618 		.insns = {
619 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
620 			BPF_RAW_INSN(0, 0, 0, 1, 1),
621 			BPF_EXIT_INSN(),
622 		},
623 		.errstr = "invalid bpf_ld_imm64 insn",
624 		.result = REJECT,
625 	},
626 	{
627 		"test10 ld_imm64",
628 		.insns = {
629 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
630 			BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
631 			BPF_EXIT_INSN(),
632 		},
633 		.errstr = "invalid bpf_ld_imm64 insn",
634 		.result = REJECT,
635 	},
636 	{
637 		"test11 ld_imm64",
638 		.insns = {
639 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
640 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
641 			BPF_EXIT_INSN(),
642 		},
643 		.errstr = "invalid bpf_ld_imm64 insn",
644 		.result = REJECT,
645 	},
646 	{
647 		"test12 ld_imm64",
648 		.insns = {
649 			BPF_MOV64_IMM(BPF_REG_1, 0),
650 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
651 			BPF_RAW_INSN(0, 0, 0, 0, 1),
652 			BPF_EXIT_INSN(),
653 		},
654 		.errstr = "not pointing to valid bpf_map",
655 		.result = REJECT,
656 	},
657 	{
658 		"test13 ld_imm64",
659 		.insns = {
660 			BPF_MOV64_IMM(BPF_REG_1, 0),
661 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
662 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
663 			BPF_EXIT_INSN(),
664 		},
665 		.errstr = "invalid bpf_ld_imm64 insn",
666 		.result = REJECT,
667 	},
668 	{
669 		"arsh32 on imm",
670 		.insns = {
671 			BPF_MOV64_IMM(BPF_REG_0, 1),
672 			BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
673 			BPF_EXIT_INSN(),
674 		},
675 		.result = REJECT,
676 		.errstr = "unknown opcode c4",
677 	},
678 	{
679 		"arsh32 on reg",
680 		.insns = {
681 			BPF_MOV64_IMM(BPF_REG_0, 1),
682 			BPF_MOV64_IMM(BPF_REG_1, 5),
683 			BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
684 			BPF_EXIT_INSN(),
685 		},
686 		.result = REJECT,
687 		.errstr = "unknown opcode cc",
688 	},
689 	{
690 		"arsh64 on imm",
691 		.insns = {
692 			BPF_MOV64_IMM(BPF_REG_0, 1),
693 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
694 			BPF_EXIT_INSN(),
695 		},
696 		.result = ACCEPT,
697 	},
698 	{
699 		"arsh64 on reg",
700 		.insns = {
701 			BPF_MOV64_IMM(BPF_REG_0, 1),
702 			BPF_MOV64_IMM(BPF_REG_1, 5),
703 			BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
704 			BPF_EXIT_INSN(),
705 		},
706 		.result = ACCEPT,
707 	},
708 	{
709 		"no bpf_exit",
710 		.insns = {
711 			BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
712 		},
713 		.errstr = "not an exit",
714 		.result = REJECT,
715 	},
716 	{
717 		"loop (back-edge)",
718 		.insns = {
719 			BPF_JMP_IMM(BPF_JA, 0, 0, -1),
720 			BPF_EXIT_INSN(),
721 		},
722 		.errstr = "back-edge",
723 		.result = REJECT,
724 	},
725 	{
726 		"loop2 (back-edge)",
727 		.insns = {
728 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
729 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
730 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
731 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
732 			BPF_EXIT_INSN(),
733 		},
734 		.errstr = "back-edge",
735 		.result = REJECT,
736 	},
737 	{
738 		"conditional loop",
739 		.insns = {
740 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
741 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
742 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
743 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
744 			BPF_EXIT_INSN(),
745 		},
746 		.errstr = "back-edge",
747 		.result = REJECT,
748 	},
749 	{
750 		"read uninitialized register",
751 		.insns = {
752 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
753 			BPF_EXIT_INSN(),
754 		},
755 		.errstr = "R2 !read_ok",
756 		.result = REJECT,
757 	},
758 	{
759 		"read invalid register",
760 		.insns = {
761 			BPF_MOV64_REG(BPF_REG_0, -1),
762 			BPF_EXIT_INSN(),
763 		},
764 		.errstr = "R15 is invalid",
765 		.result = REJECT,
766 	},
767 	{
768 		"program doesn't init R0 before exit",
769 		.insns = {
770 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
771 			BPF_EXIT_INSN(),
772 		},
773 		.errstr = "R0 !read_ok",
774 		.result = REJECT,
775 	},
776 	{
777 		"program doesn't init R0 before exit in all branches",
778 		.insns = {
779 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
780 			BPF_MOV64_IMM(BPF_REG_0, 1),
781 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
782 			BPF_EXIT_INSN(),
783 		},
784 		.errstr = "R0 !read_ok",
785 		.errstr_unpriv = "R1 pointer comparison",
786 		.result = REJECT,
787 	},
788 	{
789 		"stack out of bounds",
790 		.insns = {
791 			BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
792 			BPF_EXIT_INSN(),
793 		},
794 		.errstr = "invalid stack",
795 		.result = REJECT,
796 	},
797 	{
798 		"invalid call insn1",
799 		.insns = {
800 			BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
801 			BPF_EXIT_INSN(),
802 		},
803 		.errstr = "unknown opcode 8d",
804 		.result = REJECT,
805 	},
806 	{
807 		"invalid call insn2",
808 		.insns = {
809 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
810 			BPF_EXIT_INSN(),
811 		},
812 		.errstr = "BPF_CALL uses reserved",
813 		.result = REJECT,
814 	},
815 	{
816 		"invalid function call",
817 		.insns = {
818 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
819 			BPF_EXIT_INSN(),
820 		},
821 		.errstr = "invalid func unknown#1234567",
822 		.result = REJECT,
823 	},
824 	{
825 		"uninitialized stack1",
826 		.insns = {
827 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
828 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
829 			BPF_LD_MAP_FD(BPF_REG_1, 0),
830 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
831 				     BPF_FUNC_map_lookup_elem),
832 			BPF_EXIT_INSN(),
833 		},
834 		.fixup_map1 = { 2 },
835 		.errstr = "invalid indirect read from stack",
836 		.result = REJECT,
837 	},
838 	{
839 		"uninitialized stack2",
840 		.insns = {
841 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
842 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
843 			BPF_EXIT_INSN(),
844 		},
845 		.errstr = "invalid read from stack",
846 		.result = REJECT,
847 	},
848 	{
849 		"invalid fp arithmetic",
850 		/* If this gets ever changed, make sure JITs can deal with it. */
851 		.insns = {
852 			BPF_MOV64_IMM(BPF_REG_0, 0),
853 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
854 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
855 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
856 			BPF_EXIT_INSN(),
857 		},
858 		.errstr = "R1 subtraction from stack pointer",
859 		.result = REJECT,
860 	},
861 	{
862 		"non-invalid fp arithmetic",
863 		.insns = {
864 			BPF_MOV64_IMM(BPF_REG_0, 0),
865 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
866 			BPF_EXIT_INSN(),
867 		},
868 		.result = ACCEPT,
869 	},
870 	{
871 		"invalid argument register",
872 		.insns = {
873 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
874 				     BPF_FUNC_get_cgroup_classid),
875 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
876 				     BPF_FUNC_get_cgroup_classid),
877 			BPF_EXIT_INSN(),
878 		},
879 		.errstr = "R1 !read_ok",
880 		.result = REJECT,
881 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
882 	},
883 	{
884 		"non-invalid argument register",
885 		.insns = {
886 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
887 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
888 				     BPF_FUNC_get_cgroup_classid),
889 			BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
890 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
891 				     BPF_FUNC_get_cgroup_classid),
892 			BPF_EXIT_INSN(),
893 		},
894 		.result = ACCEPT,
895 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
896 	},
897 	{
898 		"check valid spill/fill",
899 		.insns = {
900 			/* spill R1(ctx) into stack */
901 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
902 			/* fill it back into R2 */
903 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
904 			/* should be able to access R0 = *(R2 + 8) */
905 			/* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
906 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
907 			BPF_EXIT_INSN(),
908 		},
909 		.errstr_unpriv = "R0 leaks addr",
910 		.result = ACCEPT,
911 		.result_unpriv = REJECT,
912 		.retval = POINTER_VALUE,
913 	},
914 	{
915 		"check valid spill/fill, skb mark",
916 		.insns = {
917 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
918 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
919 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
920 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
921 				    offsetof(struct __sk_buff, mark)),
922 			BPF_EXIT_INSN(),
923 		},
924 		.result = ACCEPT,
925 		.result_unpriv = ACCEPT,
926 	},
927 	{
928 		"check corrupted spill/fill",
929 		.insns = {
930 			/* spill R1(ctx) into stack */
931 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
932 			/* mess up with R1 pointer on stack */
933 			BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
934 			/* fill back into R0 should fail */
935 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
936 			BPF_EXIT_INSN(),
937 		},
938 		.errstr_unpriv = "attempt to corrupt spilled",
939 		.errstr = "corrupted spill",
940 		.result = REJECT,
941 	},
942 	{
943 		"invalid src register in STX",
944 		.insns = {
945 			BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
946 			BPF_EXIT_INSN(),
947 		},
948 		.errstr = "R15 is invalid",
949 		.result = REJECT,
950 	},
951 	{
952 		"invalid dst register in STX",
953 		.insns = {
954 			BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
955 			BPF_EXIT_INSN(),
956 		},
957 		.errstr = "R14 is invalid",
958 		.result = REJECT,
959 	},
960 	{
961 		"invalid dst register in ST",
962 		.insns = {
963 			BPF_ST_MEM(BPF_B, 14, -1, -1),
964 			BPF_EXIT_INSN(),
965 		},
966 		.errstr = "R14 is invalid",
967 		.result = REJECT,
968 	},
969 	{
970 		"invalid src register in LDX",
971 		.insns = {
972 			BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
973 			BPF_EXIT_INSN(),
974 		},
975 		.errstr = "R12 is invalid",
976 		.result = REJECT,
977 	},
978 	{
979 		"invalid dst register in LDX",
980 		.insns = {
981 			BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
982 			BPF_EXIT_INSN(),
983 		},
984 		.errstr = "R11 is invalid",
985 		.result = REJECT,
986 	},
987 	{
988 		"junk insn",
989 		.insns = {
990 			BPF_RAW_INSN(0, 0, 0, 0, 0),
991 			BPF_EXIT_INSN(),
992 		},
993 		.errstr = "unknown opcode 00",
994 		.result = REJECT,
995 	},
996 	{
997 		"junk insn2",
998 		.insns = {
999 			BPF_RAW_INSN(1, 0, 0, 0, 0),
1000 			BPF_EXIT_INSN(),
1001 		},
1002 		.errstr = "BPF_LDX uses reserved fields",
1003 		.result = REJECT,
1004 	},
1005 	{
1006 		"junk insn3",
1007 		.insns = {
1008 			BPF_RAW_INSN(-1, 0, 0, 0, 0),
1009 			BPF_EXIT_INSN(),
1010 		},
1011 		.errstr = "unknown opcode ff",
1012 		.result = REJECT,
1013 	},
1014 	{
1015 		"junk insn4",
1016 		.insns = {
1017 			BPF_RAW_INSN(-1, -1, -1, -1, -1),
1018 			BPF_EXIT_INSN(),
1019 		},
1020 		.errstr = "unknown opcode ff",
1021 		.result = REJECT,
1022 	},
1023 	{
1024 		"junk insn5",
1025 		.insns = {
1026 			BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1027 			BPF_EXIT_INSN(),
1028 		},
1029 		.errstr = "BPF_ALU uses reserved fields",
1030 		.result = REJECT,
1031 	},
1032 	{
1033 		"misaligned read from stack",
1034 		.insns = {
1035 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1036 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1037 			BPF_EXIT_INSN(),
1038 		},
1039 		.errstr = "misaligned stack access",
1040 		.result = REJECT,
1041 	},
1042 	{
1043 		"invalid map_fd for function call",
1044 		.insns = {
1045 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1046 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1047 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1048 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1049 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1050 				     BPF_FUNC_map_delete_elem),
1051 			BPF_EXIT_INSN(),
1052 		},
1053 		.errstr = "fd 0 is not pointing to valid bpf_map",
1054 		.result = REJECT,
1055 	},
1056 	{
1057 		"don't check return value before access",
1058 		.insns = {
1059 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1060 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1061 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1062 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1063 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1064 				     BPF_FUNC_map_lookup_elem),
1065 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1066 			BPF_EXIT_INSN(),
1067 		},
1068 		.fixup_map1 = { 3 },
1069 		.errstr = "R0 invalid mem access 'map_value_or_null'",
1070 		.result = REJECT,
1071 	},
1072 	{
1073 		"access memory with incorrect alignment",
1074 		.insns = {
1075 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1076 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1077 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1078 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1079 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1080 				     BPF_FUNC_map_lookup_elem),
1081 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1082 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1083 			BPF_EXIT_INSN(),
1084 		},
1085 		.fixup_map1 = { 3 },
1086 		.errstr = "misaligned value access",
1087 		.result = REJECT,
1088 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1089 	},
1090 	{
1091 		"sometimes access memory with incorrect alignment",
1092 		.insns = {
1093 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1094 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1095 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1096 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1097 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1098 				     BPF_FUNC_map_lookup_elem),
1099 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1100 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1101 			BPF_EXIT_INSN(),
1102 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1103 			BPF_EXIT_INSN(),
1104 		},
1105 		.fixup_map1 = { 3 },
1106 		.errstr = "R0 invalid mem access",
1107 		.errstr_unpriv = "R0 leaks addr",
1108 		.result = REJECT,
1109 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1110 	},
1111 	{
1112 		"jump test 1",
1113 		.insns = {
1114 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1115 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1116 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1117 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1118 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1119 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1120 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1121 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1122 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1123 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1124 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1125 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1126 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1127 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1128 			BPF_MOV64_IMM(BPF_REG_0, 0),
1129 			BPF_EXIT_INSN(),
1130 		},
1131 		.errstr_unpriv = "R1 pointer comparison",
1132 		.result_unpriv = REJECT,
1133 		.result = ACCEPT,
1134 	},
1135 	{
1136 		"jump test 2",
1137 		.insns = {
1138 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1139 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1140 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1141 			BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1142 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1143 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1144 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1145 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1146 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1147 			BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1148 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1149 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1150 			BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1151 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1152 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1153 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1154 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1155 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1156 			BPF_MOV64_IMM(BPF_REG_0, 0),
1157 			BPF_EXIT_INSN(),
1158 		},
1159 		.errstr_unpriv = "R1 pointer comparison",
1160 		.result_unpriv = REJECT,
1161 		.result = ACCEPT,
1162 	},
1163 	{
1164 		"jump test 3",
1165 		.insns = {
1166 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1167 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1168 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1169 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1170 			BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1171 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1172 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1173 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1174 			BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1175 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1176 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1177 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1178 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1179 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1180 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1181 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1182 			BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1183 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1184 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1185 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1186 			BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1187 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1188 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1189 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1190 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1191 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1192 				     BPF_FUNC_map_delete_elem),
1193 			BPF_EXIT_INSN(),
1194 		},
1195 		.fixup_map1 = { 24 },
1196 		.errstr_unpriv = "R1 pointer comparison",
1197 		.result_unpriv = REJECT,
1198 		.result = ACCEPT,
1199 		.retval = -ENOENT,
1200 	},
1201 	{
1202 		"jump test 4",
1203 		.insns = {
1204 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1205 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1206 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1207 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1208 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1209 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1210 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1211 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1212 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1213 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1214 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1215 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1216 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1217 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1218 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1219 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1220 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1221 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1222 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1223 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1224 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1225 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1226 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1227 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1228 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1229 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1230 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1231 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1232 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1233 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1234 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1235 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1236 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1237 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1238 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1239 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1240 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1241 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1242 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1243 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1244 			BPF_MOV64_IMM(BPF_REG_0, 0),
1245 			BPF_EXIT_INSN(),
1246 		},
1247 		.errstr_unpriv = "R1 pointer comparison",
1248 		.result_unpriv = REJECT,
1249 		.result = ACCEPT,
1250 	},
1251 	{
1252 		"jump test 5",
1253 		.insns = {
1254 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1255 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1256 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1257 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1258 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1259 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1260 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1261 			BPF_MOV64_IMM(BPF_REG_0, 0),
1262 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1263 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1264 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1265 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1266 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1267 			BPF_MOV64_IMM(BPF_REG_0, 0),
1268 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1269 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1270 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1271 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1272 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1273 			BPF_MOV64_IMM(BPF_REG_0, 0),
1274 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1275 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1276 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1277 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1278 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1279 			BPF_MOV64_IMM(BPF_REG_0, 0),
1280 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1281 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1282 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1283 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1284 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1285 			BPF_MOV64_IMM(BPF_REG_0, 0),
1286 			BPF_EXIT_INSN(),
1287 		},
1288 		.errstr_unpriv = "R1 pointer comparison",
1289 		.result_unpriv = REJECT,
1290 		.result = ACCEPT,
1291 	},
1292 	{
1293 		"access skb fields ok",
1294 		.insns = {
1295 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1296 				    offsetof(struct __sk_buff, len)),
1297 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1298 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1299 				    offsetof(struct __sk_buff, mark)),
1300 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1301 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1302 				    offsetof(struct __sk_buff, pkt_type)),
1303 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1304 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1305 				    offsetof(struct __sk_buff, queue_mapping)),
1306 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1307 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1308 				    offsetof(struct __sk_buff, protocol)),
1309 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1310 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1311 				    offsetof(struct __sk_buff, vlan_present)),
1312 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1313 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1314 				    offsetof(struct __sk_buff, vlan_tci)),
1315 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1316 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1317 				    offsetof(struct __sk_buff, napi_id)),
1318 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1319 			BPF_EXIT_INSN(),
1320 		},
1321 		.result = ACCEPT,
1322 	},
1323 	{
1324 		"access skb fields bad1",
1325 		.insns = {
1326 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1327 			BPF_EXIT_INSN(),
1328 		},
1329 		.errstr = "invalid bpf_context access",
1330 		.result = REJECT,
1331 	},
1332 	{
1333 		"access skb fields bad2",
1334 		.insns = {
1335 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1336 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1337 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1338 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1339 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1340 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1341 				     BPF_FUNC_map_lookup_elem),
1342 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1343 			BPF_EXIT_INSN(),
1344 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1345 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1346 				    offsetof(struct __sk_buff, pkt_type)),
1347 			BPF_EXIT_INSN(),
1348 		},
1349 		.fixup_map1 = { 4 },
1350 		.errstr = "different pointers",
1351 		.errstr_unpriv = "R1 pointer comparison",
1352 		.result = REJECT,
1353 	},
1354 	{
1355 		"access skb fields bad3",
1356 		.insns = {
1357 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1358 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1359 				    offsetof(struct __sk_buff, pkt_type)),
1360 			BPF_EXIT_INSN(),
1361 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1362 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1363 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1364 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1365 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1366 				     BPF_FUNC_map_lookup_elem),
1367 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1368 			BPF_EXIT_INSN(),
1369 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1370 			BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1371 		},
1372 		.fixup_map1 = { 6 },
1373 		.errstr = "different pointers",
1374 		.errstr_unpriv = "R1 pointer comparison",
1375 		.result = REJECT,
1376 	},
1377 	{
1378 		"access skb fields bad4",
1379 		.insns = {
1380 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1381 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1382 				    offsetof(struct __sk_buff, len)),
1383 			BPF_MOV64_IMM(BPF_REG_0, 0),
1384 			BPF_EXIT_INSN(),
1385 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1386 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1387 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1388 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1389 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1390 				     BPF_FUNC_map_lookup_elem),
1391 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1392 			BPF_EXIT_INSN(),
1393 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1394 			BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1395 		},
1396 		.fixup_map1 = { 7 },
1397 		.errstr = "different pointers",
1398 		.errstr_unpriv = "R1 pointer comparison",
1399 		.result = REJECT,
1400 	},
1401 	{
1402 		"invalid access __sk_buff family",
1403 		.insns = {
1404 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1405 				    offsetof(struct __sk_buff, family)),
1406 			BPF_EXIT_INSN(),
1407 		},
1408 		.errstr = "invalid bpf_context access",
1409 		.result = REJECT,
1410 	},
1411 	{
1412 		"invalid access __sk_buff remote_ip4",
1413 		.insns = {
1414 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1415 				    offsetof(struct __sk_buff, remote_ip4)),
1416 			BPF_EXIT_INSN(),
1417 		},
1418 		.errstr = "invalid bpf_context access",
1419 		.result = REJECT,
1420 	},
1421 	{
1422 		"invalid access __sk_buff local_ip4",
1423 		.insns = {
1424 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1425 				    offsetof(struct __sk_buff, local_ip4)),
1426 			BPF_EXIT_INSN(),
1427 		},
1428 		.errstr = "invalid bpf_context access",
1429 		.result = REJECT,
1430 	},
1431 	{
1432 		"invalid access __sk_buff remote_ip6",
1433 		.insns = {
1434 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1435 				    offsetof(struct __sk_buff, remote_ip6)),
1436 			BPF_EXIT_INSN(),
1437 		},
1438 		.errstr = "invalid bpf_context access",
1439 		.result = REJECT,
1440 	},
1441 	{
1442 		"invalid access __sk_buff local_ip6",
1443 		.insns = {
1444 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1445 				    offsetof(struct __sk_buff, local_ip6)),
1446 			BPF_EXIT_INSN(),
1447 		},
1448 		.errstr = "invalid bpf_context access",
1449 		.result = REJECT,
1450 	},
1451 	{
1452 		"invalid access __sk_buff remote_port",
1453 		.insns = {
1454 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1455 				    offsetof(struct __sk_buff, remote_port)),
1456 			BPF_EXIT_INSN(),
1457 		},
1458 		.errstr = "invalid bpf_context access",
1459 		.result = REJECT,
1460 	},
1461 	{
1462 		"invalid access __sk_buff remote_port",
1463 		.insns = {
1464 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1465 				    offsetof(struct __sk_buff, local_port)),
1466 			BPF_EXIT_INSN(),
1467 		},
1468 		.errstr = "invalid bpf_context access",
1469 		.result = REJECT,
1470 	},
1471 	{
1472 		"valid access __sk_buff family",
1473 		.insns = {
1474 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1475 				    offsetof(struct __sk_buff, family)),
1476 			BPF_EXIT_INSN(),
1477 		},
1478 		.result = ACCEPT,
1479 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1480 	},
1481 	{
1482 		"valid access __sk_buff remote_ip4",
1483 		.insns = {
1484 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1485 				    offsetof(struct __sk_buff, remote_ip4)),
1486 			BPF_EXIT_INSN(),
1487 		},
1488 		.result = ACCEPT,
1489 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1490 	},
1491 	{
1492 		"valid access __sk_buff local_ip4",
1493 		.insns = {
1494 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1495 				    offsetof(struct __sk_buff, local_ip4)),
1496 			BPF_EXIT_INSN(),
1497 		},
1498 		.result = ACCEPT,
1499 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1500 	},
1501 	{
1502 		"valid access __sk_buff remote_ip6",
1503 		.insns = {
1504 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1505 				    offsetof(struct __sk_buff, remote_ip6[0])),
1506 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1507 				    offsetof(struct __sk_buff, remote_ip6[1])),
1508 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1509 				    offsetof(struct __sk_buff, remote_ip6[2])),
1510 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1511 				    offsetof(struct __sk_buff, remote_ip6[3])),
1512 			BPF_EXIT_INSN(),
1513 		},
1514 		.result = ACCEPT,
1515 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1516 	},
1517 	{
1518 		"valid access __sk_buff local_ip6",
1519 		.insns = {
1520 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1521 				    offsetof(struct __sk_buff, local_ip6[0])),
1522 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1523 				    offsetof(struct __sk_buff, local_ip6[1])),
1524 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1525 				    offsetof(struct __sk_buff, local_ip6[2])),
1526 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1527 				    offsetof(struct __sk_buff, local_ip6[3])),
1528 			BPF_EXIT_INSN(),
1529 		},
1530 		.result = ACCEPT,
1531 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1532 	},
1533 	{
1534 		"valid access __sk_buff remote_port",
1535 		.insns = {
1536 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1537 				    offsetof(struct __sk_buff, remote_port)),
1538 			BPF_EXIT_INSN(),
1539 		},
1540 		.result = ACCEPT,
1541 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1542 	},
1543 	{
1544 		"valid access __sk_buff remote_port",
1545 		.insns = {
1546 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1547 				    offsetof(struct __sk_buff, local_port)),
1548 			BPF_EXIT_INSN(),
1549 		},
1550 		.result = ACCEPT,
1551 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1552 	},
1553 	{
1554 		"invalid access of tc_classid for SK_SKB",
1555 		.insns = {
1556 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1557 				    offsetof(struct __sk_buff, tc_classid)),
1558 			BPF_EXIT_INSN(),
1559 		},
1560 		.result = REJECT,
1561 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1562 		.errstr = "invalid bpf_context access",
1563 	},
1564 	{
1565 		"invalid access of skb->mark for SK_SKB",
1566 		.insns = {
1567 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1568 				    offsetof(struct __sk_buff, mark)),
1569 			BPF_EXIT_INSN(),
1570 		},
1571 		.result =  REJECT,
1572 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1573 		.errstr = "invalid bpf_context access",
1574 	},
1575 	{
1576 		"check skb->mark is not writeable by SK_SKB",
1577 		.insns = {
1578 			BPF_MOV64_IMM(BPF_REG_0, 0),
1579 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1580 				    offsetof(struct __sk_buff, mark)),
1581 			BPF_EXIT_INSN(),
1582 		},
1583 		.result =  REJECT,
1584 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1585 		.errstr = "invalid bpf_context access",
1586 	},
1587 	{
1588 		"check skb->tc_index is writeable by SK_SKB",
1589 		.insns = {
1590 			BPF_MOV64_IMM(BPF_REG_0, 0),
1591 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1592 				    offsetof(struct __sk_buff, tc_index)),
1593 			BPF_EXIT_INSN(),
1594 		},
1595 		.result = ACCEPT,
1596 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1597 	},
1598 	{
1599 		"check skb->priority is writeable by SK_SKB",
1600 		.insns = {
1601 			BPF_MOV64_IMM(BPF_REG_0, 0),
1602 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1603 				    offsetof(struct __sk_buff, priority)),
1604 			BPF_EXIT_INSN(),
1605 		},
1606 		.result = ACCEPT,
1607 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1608 	},
1609 	{
1610 		"direct packet read for SK_SKB",
1611 		.insns = {
1612 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1613 				    offsetof(struct __sk_buff, data)),
1614 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1615 				    offsetof(struct __sk_buff, data_end)),
1616 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1617 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1618 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1619 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1620 			BPF_MOV64_IMM(BPF_REG_0, 0),
1621 			BPF_EXIT_INSN(),
1622 		},
1623 		.result = ACCEPT,
1624 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1625 	},
1626 	{
1627 		"direct packet write for SK_SKB",
1628 		.insns = {
1629 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1630 				    offsetof(struct __sk_buff, data)),
1631 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1632 				    offsetof(struct __sk_buff, data_end)),
1633 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1634 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1635 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1636 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1637 			BPF_MOV64_IMM(BPF_REG_0, 0),
1638 			BPF_EXIT_INSN(),
1639 		},
1640 		.result = ACCEPT,
1641 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1642 	},
1643 	{
1644 		"overlapping checks for direct packet access SK_SKB",
1645 		.insns = {
1646 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1647 				    offsetof(struct __sk_buff, data)),
1648 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1649 				    offsetof(struct __sk_buff, data_end)),
1650 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1651 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1652 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1653 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1654 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1655 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1656 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1657 			BPF_MOV64_IMM(BPF_REG_0, 0),
1658 			BPF_EXIT_INSN(),
1659 		},
1660 		.result = ACCEPT,
1661 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1662 	},
1663 	{
1664 		"direct packet read for SK_MSG",
1665 		.insns = {
1666 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1667 				    offsetof(struct sk_msg_md, data)),
1668 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1669 				    offsetof(struct sk_msg_md, data_end)),
1670 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1671 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1672 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1673 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1674 			BPF_MOV64_IMM(BPF_REG_0, 0),
1675 			BPF_EXIT_INSN(),
1676 		},
1677 		.result = ACCEPT,
1678 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1679 	},
1680 	{
1681 		"direct packet write for SK_MSG",
1682 		.insns = {
1683 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1684 				    offsetof(struct sk_msg_md, data)),
1685 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1686 				    offsetof(struct sk_msg_md, data_end)),
1687 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1688 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1689 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1690 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1691 			BPF_MOV64_IMM(BPF_REG_0, 0),
1692 			BPF_EXIT_INSN(),
1693 		},
1694 		.result = ACCEPT,
1695 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1696 	},
1697 	{
1698 		"overlapping checks for direct packet access SK_MSG",
1699 		.insns = {
1700 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1701 				    offsetof(struct sk_msg_md, data)),
1702 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1703 				    offsetof(struct sk_msg_md, data_end)),
1704 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1705 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1706 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1707 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1708 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1709 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1710 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1711 			BPF_MOV64_IMM(BPF_REG_0, 0),
1712 			BPF_EXIT_INSN(),
1713 		},
1714 		.result = ACCEPT,
1715 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1716 	},
1717 	{
1718 		"check skb->mark is not writeable by sockets",
1719 		.insns = {
1720 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1721 				    offsetof(struct __sk_buff, mark)),
1722 			BPF_EXIT_INSN(),
1723 		},
1724 		.errstr = "invalid bpf_context access",
1725 		.errstr_unpriv = "R1 leaks addr",
1726 		.result = REJECT,
1727 	},
1728 	{
1729 		"check skb->tc_index is not writeable by sockets",
1730 		.insns = {
1731 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1732 				    offsetof(struct __sk_buff, tc_index)),
1733 			BPF_EXIT_INSN(),
1734 		},
1735 		.errstr = "invalid bpf_context access",
1736 		.errstr_unpriv = "R1 leaks addr",
1737 		.result = REJECT,
1738 	},
1739 	{
1740 		"check cb access: byte",
1741 		.insns = {
1742 			BPF_MOV64_IMM(BPF_REG_0, 0),
1743 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1744 				    offsetof(struct __sk_buff, cb[0])),
1745 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1746 				    offsetof(struct __sk_buff, cb[0]) + 1),
1747 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1748 				    offsetof(struct __sk_buff, cb[0]) + 2),
1749 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1750 				    offsetof(struct __sk_buff, cb[0]) + 3),
1751 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1752 				    offsetof(struct __sk_buff, cb[1])),
1753 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1754 				    offsetof(struct __sk_buff, cb[1]) + 1),
1755 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1756 				    offsetof(struct __sk_buff, cb[1]) + 2),
1757 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1758 				    offsetof(struct __sk_buff, cb[1]) + 3),
1759 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1760 				    offsetof(struct __sk_buff, cb[2])),
1761 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1762 				    offsetof(struct __sk_buff, cb[2]) + 1),
1763 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1764 				    offsetof(struct __sk_buff, cb[2]) + 2),
1765 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1766 				    offsetof(struct __sk_buff, cb[2]) + 3),
1767 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1768 				    offsetof(struct __sk_buff, cb[3])),
1769 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1770 				    offsetof(struct __sk_buff, cb[3]) + 1),
1771 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1772 				    offsetof(struct __sk_buff, cb[3]) + 2),
1773 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1774 				    offsetof(struct __sk_buff, cb[3]) + 3),
1775 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1776 				    offsetof(struct __sk_buff, cb[4])),
1777 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1778 				    offsetof(struct __sk_buff, cb[4]) + 1),
1779 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1780 				    offsetof(struct __sk_buff, cb[4]) + 2),
1781 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1782 				    offsetof(struct __sk_buff, cb[4]) + 3),
1783 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1784 				    offsetof(struct __sk_buff, cb[0])),
1785 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1786 				    offsetof(struct __sk_buff, cb[0]) + 1),
1787 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1788 				    offsetof(struct __sk_buff, cb[0]) + 2),
1789 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1790 				    offsetof(struct __sk_buff, cb[0]) + 3),
1791 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1792 				    offsetof(struct __sk_buff, cb[1])),
1793 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1794 				    offsetof(struct __sk_buff, cb[1]) + 1),
1795 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1796 				    offsetof(struct __sk_buff, cb[1]) + 2),
1797 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1798 				    offsetof(struct __sk_buff, cb[1]) + 3),
1799 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1800 				    offsetof(struct __sk_buff, cb[2])),
1801 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1802 				    offsetof(struct __sk_buff, cb[2]) + 1),
1803 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1804 				    offsetof(struct __sk_buff, cb[2]) + 2),
1805 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1806 				    offsetof(struct __sk_buff, cb[2]) + 3),
1807 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1808 				    offsetof(struct __sk_buff, cb[3])),
1809 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1810 				    offsetof(struct __sk_buff, cb[3]) + 1),
1811 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1812 				    offsetof(struct __sk_buff, cb[3]) + 2),
1813 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1814 				    offsetof(struct __sk_buff, cb[3]) + 3),
1815 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1816 				    offsetof(struct __sk_buff, cb[4])),
1817 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1818 				    offsetof(struct __sk_buff, cb[4]) + 1),
1819 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1820 				    offsetof(struct __sk_buff, cb[4]) + 2),
1821 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1822 				    offsetof(struct __sk_buff, cb[4]) + 3),
1823 			BPF_EXIT_INSN(),
1824 		},
1825 		.result = ACCEPT,
1826 	},
1827 	{
1828 		"__sk_buff->hash, offset 0, byte store not permitted",
1829 		.insns = {
1830 			BPF_MOV64_IMM(BPF_REG_0, 0),
1831 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1832 				    offsetof(struct __sk_buff, hash)),
1833 			BPF_EXIT_INSN(),
1834 		},
1835 		.errstr = "invalid bpf_context access",
1836 		.result = REJECT,
1837 	},
1838 	{
1839 		"__sk_buff->tc_index, offset 3, byte store not permitted",
1840 		.insns = {
1841 			BPF_MOV64_IMM(BPF_REG_0, 0),
1842 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1843 				    offsetof(struct __sk_buff, tc_index) + 3),
1844 			BPF_EXIT_INSN(),
1845 		},
1846 		.errstr = "invalid bpf_context access",
1847 		.result = REJECT,
1848 	},
1849 	{
1850 		"check skb->hash byte load permitted",
1851 		.insns = {
1852 			BPF_MOV64_IMM(BPF_REG_0, 0),
1853 #if __BYTE_ORDER == __LITTLE_ENDIAN
1854 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1855 				    offsetof(struct __sk_buff, hash)),
1856 #else
1857 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1858 				    offsetof(struct __sk_buff, hash) + 3),
1859 #endif
1860 			BPF_EXIT_INSN(),
1861 		},
1862 		.result = ACCEPT,
1863 	},
1864 	{
1865 		"check skb->hash byte load not permitted 1",
1866 		.insns = {
1867 			BPF_MOV64_IMM(BPF_REG_0, 0),
1868 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1869 				    offsetof(struct __sk_buff, hash) + 1),
1870 			BPF_EXIT_INSN(),
1871 		},
1872 		.errstr = "invalid bpf_context access",
1873 		.result = REJECT,
1874 	},
1875 	{
1876 		"check skb->hash byte load not permitted 2",
1877 		.insns = {
1878 			BPF_MOV64_IMM(BPF_REG_0, 0),
1879 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1880 				    offsetof(struct __sk_buff, hash) + 2),
1881 			BPF_EXIT_INSN(),
1882 		},
1883 		.errstr = "invalid bpf_context access",
1884 		.result = REJECT,
1885 	},
1886 	{
1887 		"check skb->hash byte load not permitted 3",
1888 		.insns = {
1889 			BPF_MOV64_IMM(BPF_REG_0, 0),
1890 #if __BYTE_ORDER == __LITTLE_ENDIAN
1891 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1892 				    offsetof(struct __sk_buff, hash) + 3),
1893 #else
1894 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1895 				    offsetof(struct __sk_buff, hash)),
1896 #endif
1897 			BPF_EXIT_INSN(),
1898 		},
1899 		.errstr = "invalid bpf_context access",
1900 		.result = REJECT,
1901 	},
1902 	{
1903 		"check cb access: byte, wrong type",
1904 		.insns = {
1905 			BPF_MOV64_IMM(BPF_REG_0, 0),
1906 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1907 				    offsetof(struct __sk_buff, cb[0])),
1908 			BPF_EXIT_INSN(),
1909 		},
1910 		.errstr = "invalid bpf_context access",
1911 		.result = REJECT,
1912 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1913 	},
1914 	{
1915 		"check cb access: half",
1916 		.insns = {
1917 			BPF_MOV64_IMM(BPF_REG_0, 0),
1918 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1919 				    offsetof(struct __sk_buff, cb[0])),
1920 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1921 				    offsetof(struct __sk_buff, cb[0]) + 2),
1922 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1923 				    offsetof(struct __sk_buff, cb[1])),
1924 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1925 				    offsetof(struct __sk_buff, cb[1]) + 2),
1926 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1927 				    offsetof(struct __sk_buff, cb[2])),
1928 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1929 				    offsetof(struct __sk_buff, cb[2]) + 2),
1930 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1931 				    offsetof(struct __sk_buff, cb[3])),
1932 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1933 				    offsetof(struct __sk_buff, cb[3]) + 2),
1934 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1935 				    offsetof(struct __sk_buff, cb[4])),
1936 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1937 				    offsetof(struct __sk_buff, cb[4]) + 2),
1938 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1939 				    offsetof(struct __sk_buff, cb[0])),
1940 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1941 				    offsetof(struct __sk_buff, cb[0]) + 2),
1942 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1943 				    offsetof(struct __sk_buff, cb[1])),
1944 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1945 				    offsetof(struct __sk_buff, cb[1]) + 2),
1946 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1947 				    offsetof(struct __sk_buff, cb[2])),
1948 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1949 				    offsetof(struct __sk_buff, cb[2]) + 2),
1950 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1951 				    offsetof(struct __sk_buff, cb[3])),
1952 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1953 				    offsetof(struct __sk_buff, cb[3]) + 2),
1954 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1955 				    offsetof(struct __sk_buff, cb[4])),
1956 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1957 				    offsetof(struct __sk_buff, cb[4]) + 2),
1958 			BPF_EXIT_INSN(),
1959 		},
1960 		.result = ACCEPT,
1961 	},
1962 	{
1963 		"check cb access: half, unaligned",
1964 		.insns = {
1965 			BPF_MOV64_IMM(BPF_REG_0, 0),
1966 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1967 				    offsetof(struct __sk_buff, cb[0]) + 1),
1968 			BPF_EXIT_INSN(),
1969 		},
1970 		.errstr = "misaligned context access",
1971 		.result = REJECT,
1972 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1973 	},
1974 	{
1975 		"check __sk_buff->hash, offset 0, half store not permitted",
1976 		.insns = {
1977 			BPF_MOV64_IMM(BPF_REG_0, 0),
1978 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1979 				    offsetof(struct __sk_buff, hash)),
1980 			BPF_EXIT_INSN(),
1981 		},
1982 		.errstr = "invalid bpf_context access",
1983 		.result = REJECT,
1984 	},
1985 	{
1986 		"check __sk_buff->tc_index, offset 2, half store not permitted",
1987 		.insns = {
1988 			BPF_MOV64_IMM(BPF_REG_0, 0),
1989 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1990 				    offsetof(struct __sk_buff, tc_index) + 2),
1991 			BPF_EXIT_INSN(),
1992 		},
1993 		.errstr = "invalid bpf_context access",
1994 		.result = REJECT,
1995 	},
1996 	{
1997 		"check skb->hash half load permitted",
1998 		.insns = {
1999 			BPF_MOV64_IMM(BPF_REG_0, 0),
2000 #if __BYTE_ORDER == __LITTLE_ENDIAN
2001 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2002 				    offsetof(struct __sk_buff, hash)),
2003 #else
2004 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2005 				    offsetof(struct __sk_buff, hash) + 2),
2006 #endif
2007 			BPF_EXIT_INSN(),
2008 		},
2009 		.result = ACCEPT,
2010 	},
2011 	{
2012 		"check skb->hash half load not permitted",
2013 		.insns = {
2014 			BPF_MOV64_IMM(BPF_REG_0, 0),
2015 #if __BYTE_ORDER == __LITTLE_ENDIAN
2016 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2017 				    offsetof(struct __sk_buff, hash) + 2),
2018 #else
2019 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2020 				    offsetof(struct __sk_buff, hash)),
2021 #endif
2022 			BPF_EXIT_INSN(),
2023 		},
2024 		.errstr = "invalid bpf_context access",
2025 		.result = REJECT,
2026 	},
2027 	{
2028 		"check cb access: half, wrong type",
2029 		.insns = {
2030 			BPF_MOV64_IMM(BPF_REG_0, 0),
2031 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2032 				    offsetof(struct __sk_buff, cb[0])),
2033 			BPF_EXIT_INSN(),
2034 		},
2035 		.errstr = "invalid bpf_context access",
2036 		.result = REJECT,
2037 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2038 	},
2039 	{
2040 		"check cb access: word",
2041 		.insns = {
2042 			BPF_MOV64_IMM(BPF_REG_0, 0),
2043 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2044 				    offsetof(struct __sk_buff, cb[0])),
2045 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2046 				    offsetof(struct __sk_buff, cb[1])),
2047 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2048 				    offsetof(struct __sk_buff, cb[2])),
2049 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2050 				    offsetof(struct __sk_buff, cb[3])),
2051 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2052 				    offsetof(struct __sk_buff, cb[4])),
2053 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2054 				    offsetof(struct __sk_buff, cb[0])),
2055 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2056 				    offsetof(struct __sk_buff, cb[1])),
2057 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2058 				    offsetof(struct __sk_buff, cb[2])),
2059 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2060 				    offsetof(struct __sk_buff, cb[3])),
2061 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2062 				    offsetof(struct __sk_buff, cb[4])),
2063 			BPF_EXIT_INSN(),
2064 		},
2065 		.result = ACCEPT,
2066 	},
2067 	{
2068 		"check cb access: word, unaligned 1",
2069 		.insns = {
2070 			BPF_MOV64_IMM(BPF_REG_0, 0),
2071 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2072 				    offsetof(struct __sk_buff, cb[0]) + 2),
2073 			BPF_EXIT_INSN(),
2074 		},
2075 		.errstr = "misaligned context access",
2076 		.result = REJECT,
2077 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2078 	},
2079 	{
2080 		"check cb access: word, unaligned 2",
2081 		.insns = {
2082 			BPF_MOV64_IMM(BPF_REG_0, 0),
2083 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2084 				    offsetof(struct __sk_buff, cb[4]) + 1),
2085 			BPF_EXIT_INSN(),
2086 		},
2087 		.errstr = "misaligned context access",
2088 		.result = REJECT,
2089 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2090 	},
2091 	{
2092 		"check cb access: word, unaligned 3",
2093 		.insns = {
2094 			BPF_MOV64_IMM(BPF_REG_0, 0),
2095 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2096 				    offsetof(struct __sk_buff, cb[4]) + 2),
2097 			BPF_EXIT_INSN(),
2098 		},
2099 		.errstr = "misaligned context access",
2100 		.result = REJECT,
2101 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2102 	},
2103 	{
2104 		"check cb access: word, unaligned 4",
2105 		.insns = {
2106 			BPF_MOV64_IMM(BPF_REG_0, 0),
2107 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2108 				    offsetof(struct __sk_buff, cb[4]) + 3),
2109 			BPF_EXIT_INSN(),
2110 		},
2111 		.errstr = "misaligned context access",
2112 		.result = REJECT,
2113 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2114 	},
2115 	{
2116 		"check cb access: double",
2117 		.insns = {
2118 			BPF_MOV64_IMM(BPF_REG_0, 0),
2119 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2120 				    offsetof(struct __sk_buff, cb[0])),
2121 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2122 				    offsetof(struct __sk_buff, cb[2])),
2123 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2124 				    offsetof(struct __sk_buff, cb[0])),
2125 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2126 				    offsetof(struct __sk_buff, cb[2])),
2127 			BPF_EXIT_INSN(),
2128 		},
2129 		.result = ACCEPT,
2130 	},
2131 	{
2132 		"check cb access: double, unaligned 1",
2133 		.insns = {
2134 			BPF_MOV64_IMM(BPF_REG_0, 0),
2135 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2136 				    offsetof(struct __sk_buff, cb[1])),
2137 			BPF_EXIT_INSN(),
2138 		},
2139 		.errstr = "misaligned context access",
2140 		.result = REJECT,
2141 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2142 	},
2143 	{
2144 		"check cb access: double, unaligned 2",
2145 		.insns = {
2146 			BPF_MOV64_IMM(BPF_REG_0, 0),
2147 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2148 				    offsetof(struct __sk_buff, cb[3])),
2149 			BPF_EXIT_INSN(),
2150 		},
2151 		.errstr = "misaligned context access",
2152 		.result = REJECT,
2153 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2154 	},
2155 	{
2156 		"check cb access: double, oob 1",
2157 		.insns = {
2158 			BPF_MOV64_IMM(BPF_REG_0, 0),
2159 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2160 				    offsetof(struct __sk_buff, cb[4])),
2161 			BPF_EXIT_INSN(),
2162 		},
2163 		.errstr = "invalid bpf_context access",
2164 		.result = REJECT,
2165 	},
2166 	{
2167 		"check cb access: double, oob 2",
2168 		.insns = {
2169 			BPF_MOV64_IMM(BPF_REG_0, 0),
2170 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2171 				    offsetof(struct __sk_buff, cb[4])),
2172 			BPF_EXIT_INSN(),
2173 		},
2174 		.errstr = "invalid bpf_context access",
2175 		.result = REJECT,
2176 	},
2177 	{
2178 		"check __sk_buff->ifindex dw store not permitted",
2179 		.insns = {
2180 			BPF_MOV64_IMM(BPF_REG_0, 0),
2181 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2182 				    offsetof(struct __sk_buff, ifindex)),
2183 			BPF_EXIT_INSN(),
2184 		},
2185 		.errstr = "invalid bpf_context access",
2186 		.result = REJECT,
2187 	},
2188 	{
2189 		"check __sk_buff->ifindex dw load not permitted",
2190 		.insns = {
2191 			BPF_MOV64_IMM(BPF_REG_0, 0),
2192 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2193 				    offsetof(struct __sk_buff, ifindex)),
2194 			BPF_EXIT_INSN(),
2195 		},
2196 		.errstr = "invalid bpf_context access",
2197 		.result = REJECT,
2198 	},
2199 	{
2200 		"check cb access: double, wrong type",
2201 		.insns = {
2202 			BPF_MOV64_IMM(BPF_REG_0, 0),
2203 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2204 				    offsetof(struct __sk_buff, cb[0])),
2205 			BPF_EXIT_INSN(),
2206 		},
2207 		.errstr = "invalid bpf_context access",
2208 		.result = REJECT,
2209 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2210 	},
2211 	{
2212 		"check out of range skb->cb access",
2213 		.insns = {
2214 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2215 				    offsetof(struct __sk_buff, cb[0]) + 256),
2216 			BPF_EXIT_INSN(),
2217 		},
2218 		.errstr = "invalid bpf_context access",
2219 		.errstr_unpriv = "",
2220 		.result = REJECT,
2221 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
2222 	},
2223 	{
2224 		"write skb fields from socket prog",
2225 		.insns = {
2226 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2227 				    offsetof(struct __sk_buff, cb[4])),
2228 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2229 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2230 				    offsetof(struct __sk_buff, mark)),
2231 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2232 				    offsetof(struct __sk_buff, tc_index)),
2233 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2234 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2235 				    offsetof(struct __sk_buff, cb[0])),
2236 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2237 				    offsetof(struct __sk_buff, cb[2])),
2238 			BPF_EXIT_INSN(),
2239 		},
2240 		.result = ACCEPT,
2241 		.errstr_unpriv = "R1 leaks addr",
2242 		.result_unpriv = REJECT,
2243 	},
2244 	{
2245 		"write skb fields from tc_cls_act prog",
2246 		.insns = {
2247 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2248 				    offsetof(struct __sk_buff, cb[0])),
2249 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2250 				    offsetof(struct __sk_buff, mark)),
2251 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2252 				    offsetof(struct __sk_buff, tc_index)),
2253 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2254 				    offsetof(struct __sk_buff, tc_index)),
2255 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2256 				    offsetof(struct __sk_buff, cb[3])),
2257 			BPF_EXIT_INSN(),
2258 		},
2259 		.errstr_unpriv = "",
2260 		.result_unpriv = REJECT,
2261 		.result = ACCEPT,
2262 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2263 	},
2264 	{
2265 		"PTR_TO_STACK store/load",
2266 		.insns = {
2267 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2268 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2269 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2270 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2271 			BPF_EXIT_INSN(),
2272 		},
2273 		.result = ACCEPT,
2274 		.retval = 0xfaceb00c,
2275 	},
2276 	{
2277 		"PTR_TO_STACK store/load - bad alignment on off",
2278 		.insns = {
2279 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2280 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2281 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2282 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2283 			BPF_EXIT_INSN(),
2284 		},
2285 		.result = REJECT,
2286 		.errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2287 	},
2288 	{
2289 		"PTR_TO_STACK store/load - bad alignment on reg",
2290 		.insns = {
2291 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2292 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2293 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2294 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2295 			BPF_EXIT_INSN(),
2296 		},
2297 		.result = REJECT,
2298 		.errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2299 	},
2300 	{
2301 		"PTR_TO_STACK store/load - out of bounds low",
2302 		.insns = {
2303 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2304 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2305 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2306 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2307 			BPF_EXIT_INSN(),
2308 		},
2309 		.result = REJECT,
2310 		.errstr = "invalid stack off=-79992 size=8",
2311 	},
2312 	{
2313 		"PTR_TO_STACK store/load - out of bounds high",
2314 		.insns = {
2315 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2316 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2317 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2318 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2319 			BPF_EXIT_INSN(),
2320 		},
2321 		.result = REJECT,
2322 		.errstr = "invalid stack off=0 size=8",
2323 	},
2324 	{
2325 		"unpriv: return pointer",
2326 		.insns = {
2327 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2328 			BPF_EXIT_INSN(),
2329 		},
2330 		.result = ACCEPT,
2331 		.result_unpriv = REJECT,
2332 		.errstr_unpriv = "R0 leaks addr",
2333 		.retval = POINTER_VALUE,
2334 	},
2335 	{
2336 		"unpriv: add const to pointer",
2337 		.insns = {
2338 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2339 			BPF_MOV64_IMM(BPF_REG_0, 0),
2340 			BPF_EXIT_INSN(),
2341 		},
2342 		.result = ACCEPT,
2343 	},
2344 	{
2345 		"unpriv: add pointer to pointer",
2346 		.insns = {
2347 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2348 			BPF_MOV64_IMM(BPF_REG_0, 0),
2349 			BPF_EXIT_INSN(),
2350 		},
2351 		.result = REJECT,
2352 		.errstr = "R1 pointer += pointer",
2353 	},
2354 	{
2355 		"unpriv: neg pointer",
2356 		.insns = {
2357 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2358 			BPF_MOV64_IMM(BPF_REG_0, 0),
2359 			BPF_EXIT_INSN(),
2360 		},
2361 		.result = ACCEPT,
2362 		.result_unpriv = REJECT,
2363 		.errstr_unpriv = "R1 pointer arithmetic",
2364 	},
2365 	{
2366 		"unpriv: cmp pointer with const",
2367 		.insns = {
2368 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2369 			BPF_MOV64_IMM(BPF_REG_0, 0),
2370 			BPF_EXIT_INSN(),
2371 		},
2372 		.result = ACCEPT,
2373 		.result_unpriv = REJECT,
2374 		.errstr_unpriv = "R1 pointer comparison",
2375 	},
2376 	{
2377 		"unpriv: cmp pointer with pointer",
2378 		.insns = {
2379 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2380 			BPF_MOV64_IMM(BPF_REG_0, 0),
2381 			BPF_EXIT_INSN(),
2382 		},
2383 		.result = ACCEPT,
2384 		.result_unpriv = REJECT,
2385 		.errstr_unpriv = "R10 pointer comparison",
2386 	},
2387 	{
2388 		"unpriv: check that printk is disallowed",
2389 		.insns = {
2390 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2391 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2392 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2393 			BPF_MOV64_IMM(BPF_REG_2, 8),
2394 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2395 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2396 				     BPF_FUNC_trace_printk),
2397 			BPF_MOV64_IMM(BPF_REG_0, 0),
2398 			BPF_EXIT_INSN(),
2399 		},
2400 		.errstr_unpriv = "unknown func bpf_trace_printk#6",
2401 		.result_unpriv = REJECT,
2402 		.result = ACCEPT,
2403 	},
2404 	{
2405 		"unpriv: pass pointer to helper function",
2406 		.insns = {
2407 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2408 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2409 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2410 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2411 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2412 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2413 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2414 				     BPF_FUNC_map_update_elem),
2415 			BPF_MOV64_IMM(BPF_REG_0, 0),
2416 			BPF_EXIT_INSN(),
2417 		},
2418 		.fixup_map1 = { 3 },
2419 		.errstr_unpriv = "R4 leaks addr",
2420 		.result_unpriv = REJECT,
2421 		.result = ACCEPT,
2422 	},
2423 	{
2424 		"unpriv: indirectly pass pointer on stack to helper function",
2425 		.insns = {
2426 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2427 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2428 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2429 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2430 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2431 				     BPF_FUNC_map_lookup_elem),
2432 			BPF_MOV64_IMM(BPF_REG_0, 0),
2433 			BPF_EXIT_INSN(),
2434 		},
2435 		.fixup_map1 = { 3 },
2436 		.errstr = "invalid indirect read from stack off -8+0 size 8",
2437 		.result = REJECT,
2438 	},
2439 	{
2440 		"unpriv: mangle pointer on stack 1",
2441 		.insns = {
2442 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2443 			BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2444 			BPF_MOV64_IMM(BPF_REG_0, 0),
2445 			BPF_EXIT_INSN(),
2446 		},
2447 		.errstr_unpriv = "attempt to corrupt spilled",
2448 		.result_unpriv = REJECT,
2449 		.result = ACCEPT,
2450 	},
2451 	{
2452 		"unpriv: mangle pointer on stack 2",
2453 		.insns = {
2454 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2455 			BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2456 			BPF_MOV64_IMM(BPF_REG_0, 0),
2457 			BPF_EXIT_INSN(),
2458 		},
2459 		.errstr_unpriv = "attempt to corrupt spilled",
2460 		.result_unpriv = REJECT,
2461 		.result = ACCEPT,
2462 	},
2463 	{
2464 		"unpriv: read pointer from stack in small chunks",
2465 		.insns = {
2466 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2467 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2468 			BPF_MOV64_IMM(BPF_REG_0, 0),
2469 			BPF_EXIT_INSN(),
2470 		},
2471 		.errstr = "invalid size",
2472 		.result = REJECT,
2473 	},
2474 	{
2475 		"unpriv: write pointer into ctx",
2476 		.insns = {
2477 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2478 			BPF_MOV64_IMM(BPF_REG_0, 0),
2479 			BPF_EXIT_INSN(),
2480 		},
2481 		.errstr_unpriv = "R1 leaks addr",
2482 		.result_unpriv = REJECT,
2483 		.errstr = "invalid bpf_context access",
2484 		.result = REJECT,
2485 	},
2486 	{
2487 		"unpriv: spill/fill of ctx",
2488 		.insns = {
2489 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2490 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2491 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2492 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2493 			BPF_MOV64_IMM(BPF_REG_0, 0),
2494 			BPF_EXIT_INSN(),
2495 		},
2496 		.result = ACCEPT,
2497 	},
2498 	{
2499 		"unpriv: spill/fill of ctx 2",
2500 		.insns = {
2501 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2502 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2503 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2504 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2505 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2506 				     BPF_FUNC_get_hash_recalc),
2507 			BPF_MOV64_IMM(BPF_REG_0, 0),
2508 			BPF_EXIT_INSN(),
2509 		},
2510 		.result = ACCEPT,
2511 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2512 	},
2513 	{
2514 		"unpriv: spill/fill of ctx 3",
2515 		.insns = {
2516 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2517 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2518 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2519 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2520 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2521 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2522 				     BPF_FUNC_get_hash_recalc),
2523 			BPF_EXIT_INSN(),
2524 		},
2525 		.result = REJECT,
2526 		.errstr = "R1 type=fp expected=ctx",
2527 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2528 	},
2529 	{
2530 		"unpriv: spill/fill of ctx 4",
2531 		.insns = {
2532 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2533 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2534 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2535 			BPF_MOV64_IMM(BPF_REG_0, 1),
2536 			BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2537 				     BPF_REG_0, -8, 0),
2538 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2539 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2540 				     BPF_FUNC_get_hash_recalc),
2541 			BPF_EXIT_INSN(),
2542 		},
2543 		.result = REJECT,
2544 		.errstr = "R1 type=inv expected=ctx",
2545 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2546 	},
2547 	{
2548 		"unpriv: spill/fill of different pointers stx",
2549 		.insns = {
2550 			BPF_MOV64_IMM(BPF_REG_3, 42),
2551 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2552 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2553 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2554 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2555 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2556 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2557 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2558 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2559 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2560 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2561 				    offsetof(struct __sk_buff, mark)),
2562 			BPF_MOV64_IMM(BPF_REG_0, 0),
2563 			BPF_EXIT_INSN(),
2564 		},
2565 		.result = REJECT,
2566 		.errstr = "same insn cannot be used with different pointers",
2567 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2568 	},
2569 	{
2570 		"unpriv: spill/fill of different pointers ldx",
2571 		.insns = {
2572 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2573 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2574 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2575 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2576 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2577 				      -(__s32)offsetof(struct bpf_perf_event_data,
2578 						       sample_period) - 8),
2579 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2580 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2581 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2582 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2583 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2584 				    offsetof(struct bpf_perf_event_data,
2585 					     sample_period)),
2586 			BPF_MOV64_IMM(BPF_REG_0, 0),
2587 			BPF_EXIT_INSN(),
2588 		},
2589 		.result = REJECT,
2590 		.errstr = "same insn cannot be used with different pointers",
2591 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
2592 	},
2593 	{
2594 		"unpriv: write pointer into map elem value",
2595 		.insns = {
2596 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2597 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2598 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2599 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2600 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2601 				     BPF_FUNC_map_lookup_elem),
2602 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2603 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2604 			BPF_EXIT_INSN(),
2605 		},
2606 		.fixup_map1 = { 3 },
2607 		.errstr_unpriv = "R0 leaks addr",
2608 		.result_unpriv = REJECT,
2609 		.result = ACCEPT,
2610 	},
2611 	{
2612 		"unpriv: partial copy of pointer",
2613 		.insns = {
2614 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2615 			BPF_MOV64_IMM(BPF_REG_0, 0),
2616 			BPF_EXIT_INSN(),
2617 		},
2618 		.errstr_unpriv = "R10 partial copy",
2619 		.result_unpriv = REJECT,
2620 		.result = ACCEPT,
2621 	},
2622 	{
2623 		"unpriv: pass pointer to tail_call",
2624 		.insns = {
2625 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2626 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2627 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2628 				     BPF_FUNC_tail_call),
2629 			BPF_MOV64_IMM(BPF_REG_0, 0),
2630 			BPF_EXIT_INSN(),
2631 		},
2632 		.fixup_prog = { 1 },
2633 		.errstr_unpriv = "R3 leaks addr into helper",
2634 		.result_unpriv = REJECT,
2635 		.result = ACCEPT,
2636 	},
2637 	{
2638 		"unpriv: cmp map pointer with zero",
2639 		.insns = {
2640 			BPF_MOV64_IMM(BPF_REG_1, 0),
2641 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2642 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2643 			BPF_MOV64_IMM(BPF_REG_0, 0),
2644 			BPF_EXIT_INSN(),
2645 		},
2646 		.fixup_map1 = { 1 },
2647 		.errstr_unpriv = "R1 pointer comparison",
2648 		.result_unpriv = REJECT,
2649 		.result = ACCEPT,
2650 	},
2651 	{
2652 		"unpriv: write into frame pointer",
2653 		.insns = {
2654 			BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2655 			BPF_MOV64_IMM(BPF_REG_0, 0),
2656 			BPF_EXIT_INSN(),
2657 		},
2658 		.errstr = "frame pointer is read only",
2659 		.result = REJECT,
2660 	},
2661 	{
2662 		"unpriv: spill/fill frame pointer",
2663 		.insns = {
2664 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2665 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2666 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2667 			BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2668 			BPF_MOV64_IMM(BPF_REG_0, 0),
2669 			BPF_EXIT_INSN(),
2670 		},
2671 		.errstr = "frame pointer is read only",
2672 		.result = REJECT,
2673 	},
2674 	{
2675 		"unpriv: cmp of frame pointer",
2676 		.insns = {
2677 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2678 			BPF_MOV64_IMM(BPF_REG_0, 0),
2679 			BPF_EXIT_INSN(),
2680 		},
2681 		.errstr_unpriv = "R10 pointer comparison",
2682 		.result_unpriv = REJECT,
2683 		.result = ACCEPT,
2684 	},
2685 	{
2686 		"unpriv: adding of fp",
2687 		.insns = {
2688 			BPF_MOV64_IMM(BPF_REG_0, 0),
2689 			BPF_MOV64_IMM(BPF_REG_1, 0),
2690 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2691 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2692 			BPF_EXIT_INSN(),
2693 		},
2694 		.result = ACCEPT,
2695 	},
2696 	{
2697 		"unpriv: cmp of stack pointer",
2698 		.insns = {
2699 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2700 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2701 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2702 			BPF_MOV64_IMM(BPF_REG_0, 0),
2703 			BPF_EXIT_INSN(),
2704 		},
2705 		.errstr_unpriv = "R2 pointer comparison",
2706 		.result_unpriv = REJECT,
2707 		.result = ACCEPT,
2708 	},
2709 	{
2710 		"runtime/jit: tail_call within bounds, prog once",
2711 		.insns = {
2712 			BPF_MOV64_IMM(BPF_REG_3, 0),
2713 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2714 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2715 				     BPF_FUNC_tail_call),
2716 			BPF_MOV64_IMM(BPF_REG_0, 1),
2717 			BPF_EXIT_INSN(),
2718 		},
2719 		.fixup_prog = { 1 },
2720 		.result = ACCEPT,
2721 		.retval = 42,
2722 	},
2723 	{
2724 		"runtime/jit: tail_call within bounds, prog loop",
2725 		.insns = {
2726 			BPF_MOV64_IMM(BPF_REG_3, 1),
2727 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2728 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2729 				     BPF_FUNC_tail_call),
2730 			BPF_MOV64_IMM(BPF_REG_0, 1),
2731 			BPF_EXIT_INSN(),
2732 		},
2733 		.fixup_prog = { 1 },
2734 		.result = ACCEPT,
2735 		.retval = 41,
2736 	},
2737 	{
2738 		"runtime/jit: tail_call within bounds, no prog",
2739 		.insns = {
2740 			BPF_MOV64_IMM(BPF_REG_3, 2),
2741 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2742 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2743 				     BPF_FUNC_tail_call),
2744 			BPF_MOV64_IMM(BPF_REG_0, 1),
2745 			BPF_EXIT_INSN(),
2746 		},
2747 		.fixup_prog = { 1 },
2748 		.result = ACCEPT,
2749 		.retval = 1,
2750 	},
2751 	{
2752 		"runtime/jit: tail_call out of bounds",
2753 		.insns = {
2754 			BPF_MOV64_IMM(BPF_REG_3, 256),
2755 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2756 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2757 				     BPF_FUNC_tail_call),
2758 			BPF_MOV64_IMM(BPF_REG_0, 2),
2759 			BPF_EXIT_INSN(),
2760 		},
2761 		.fixup_prog = { 1 },
2762 		.result = ACCEPT,
2763 		.retval = 2,
2764 	},
2765 	{
2766 		"runtime/jit: pass negative index to tail_call",
2767 		.insns = {
2768 			BPF_MOV64_IMM(BPF_REG_3, -1),
2769 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2770 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2771 				     BPF_FUNC_tail_call),
2772 			BPF_MOV64_IMM(BPF_REG_0, 2),
2773 			BPF_EXIT_INSN(),
2774 		},
2775 		.fixup_prog = { 1 },
2776 		.result = ACCEPT,
2777 		.retval = 2,
2778 	},
2779 	{
2780 		"runtime/jit: pass > 32bit index to tail_call",
2781 		.insns = {
2782 			BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2783 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2784 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2785 				     BPF_FUNC_tail_call),
2786 			BPF_MOV64_IMM(BPF_REG_0, 2),
2787 			BPF_EXIT_INSN(),
2788 		},
2789 		.fixup_prog = { 2 },
2790 		.result = ACCEPT,
2791 		.retval = 42,
2792 	},
2793 	{
2794 		"stack pointer arithmetic",
2795 		.insns = {
2796 			BPF_MOV64_IMM(BPF_REG_1, 4),
2797 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2798 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2799 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2800 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2801 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2802 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2803 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2804 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2805 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2806 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2807 			BPF_MOV64_IMM(BPF_REG_0, 0),
2808 			BPF_EXIT_INSN(),
2809 		},
2810 		.result = ACCEPT,
2811 	},
2812 	{
2813 		"raw_stack: no skb_load_bytes",
2814 		.insns = {
2815 			BPF_MOV64_IMM(BPF_REG_2, 4),
2816 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2817 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2818 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2819 			BPF_MOV64_IMM(BPF_REG_4, 8),
2820 			/* Call to skb_load_bytes() omitted. */
2821 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2822 			BPF_EXIT_INSN(),
2823 		},
2824 		.result = REJECT,
2825 		.errstr = "invalid read from stack off -8+0 size 8",
2826 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2827 	},
2828 	{
2829 		"raw_stack: skb_load_bytes, negative len",
2830 		.insns = {
2831 			BPF_MOV64_IMM(BPF_REG_2, 4),
2832 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2833 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2834 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2835 			BPF_MOV64_IMM(BPF_REG_4, -8),
2836 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2837 				     BPF_FUNC_skb_load_bytes),
2838 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2839 			BPF_EXIT_INSN(),
2840 		},
2841 		.result = REJECT,
2842 		.errstr = "R4 min value is negative",
2843 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2844 	},
2845 	{
2846 		"raw_stack: skb_load_bytes, negative len 2",
2847 		.insns = {
2848 			BPF_MOV64_IMM(BPF_REG_2, 4),
2849 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2850 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2851 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2852 			BPF_MOV64_IMM(BPF_REG_4, ~0),
2853 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2854 				     BPF_FUNC_skb_load_bytes),
2855 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2856 			BPF_EXIT_INSN(),
2857 		},
2858 		.result = REJECT,
2859 		.errstr = "R4 min value is negative",
2860 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2861 	},
2862 	{
2863 		"raw_stack: skb_load_bytes, zero len",
2864 		.insns = {
2865 			BPF_MOV64_IMM(BPF_REG_2, 4),
2866 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2867 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2868 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2869 			BPF_MOV64_IMM(BPF_REG_4, 0),
2870 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2871 				     BPF_FUNC_skb_load_bytes),
2872 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2873 			BPF_EXIT_INSN(),
2874 		},
2875 		.result = REJECT,
2876 		.errstr = "invalid stack type R3",
2877 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2878 	},
2879 	{
2880 		"raw_stack: skb_load_bytes, no init",
2881 		.insns = {
2882 			BPF_MOV64_IMM(BPF_REG_2, 4),
2883 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2884 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2885 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2886 			BPF_MOV64_IMM(BPF_REG_4, 8),
2887 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2888 				     BPF_FUNC_skb_load_bytes),
2889 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2890 			BPF_EXIT_INSN(),
2891 		},
2892 		.result = ACCEPT,
2893 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2894 	},
2895 	{
2896 		"raw_stack: skb_load_bytes, init",
2897 		.insns = {
2898 			BPF_MOV64_IMM(BPF_REG_2, 4),
2899 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2900 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2901 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2902 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2903 			BPF_MOV64_IMM(BPF_REG_4, 8),
2904 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2905 				     BPF_FUNC_skb_load_bytes),
2906 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2907 			BPF_EXIT_INSN(),
2908 		},
2909 		.result = ACCEPT,
2910 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2911 	},
2912 	{
2913 		"raw_stack: skb_load_bytes, spilled regs around bounds",
2914 		.insns = {
2915 			BPF_MOV64_IMM(BPF_REG_2, 4),
2916 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2917 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2918 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2919 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2920 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2921 			BPF_MOV64_IMM(BPF_REG_4, 8),
2922 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2923 				     BPF_FUNC_skb_load_bytes),
2924 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2925 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2926 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2927 				    offsetof(struct __sk_buff, mark)),
2928 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2929 				    offsetof(struct __sk_buff, priority)),
2930 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2931 			BPF_EXIT_INSN(),
2932 		},
2933 		.result = ACCEPT,
2934 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2935 	},
2936 	{
2937 		"raw_stack: skb_load_bytes, spilled regs corruption",
2938 		.insns = {
2939 			BPF_MOV64_IMM(BPF_REG_2, 4),
2940 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2941 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2942 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2943 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2944 			BPF_MOV64_IMM(BPF_REG_4, 8),
2945 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2946 				     BPF_FUNC_skb_load_bytes),
2947 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2948 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2949 				    offsetof(struct __sk_buff, mark)),
2950 			BPF_EXIT_INSN(),
2951 		},
2952 		.result = REJECT,
2953 		.errstr = "R0 invalid mem access 'inv'",
2954 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2955 	},
2956 	{
2957 		"raw_stack: skb_load_bytes, spilled regs corruption 2",
2958 		.insns = {
2959 			BPF_MOV64_IMM(BPF_REG_2, 4),
2960 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2961 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2962 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2963 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
2964 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2965 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2966 			BPF_MOV64_IMM(BPF_REG_4, 8),
2967 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2968 				     BPF_FUNC_skb_load_bytes),
2969 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2970 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2971 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
2972 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2973 				    offsetof(struct __sk_buff, mark)),
2974 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2975 				    offsetof(struct __sk_buff, priority)),
2976 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2977 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
2978 				    offsetof(struct __sk_buff, pkt_type)),
2979 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2980 			BPF_EXIT_INSN(),
2981 		},
2982 		.result = REJECT,
2983 		.errstr = "R3 invalid mem access 'inv'",
2984 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2985 	},
2986 	{
2987 		"raw_stack: skb_load_bytes, spilled regs + data",
2988 		.insns = {
2989 			BPF_MOV64_IMM(BPF_REG_2, 4),
2990 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2991 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2992 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2993 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
2994 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2995 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2996 			BPF_MOV64_IMM(BPF_REG_4, 8),
2997 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2998 				     BPF_FUNC_skb_load_bytes),
2999 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3000 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3001 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
3002 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3003 				    offsetof(struct __sk_buff, mark)),
3004 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3005 				    offsetof(struct __sk_buff, priority)),
3006 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3007 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3008 			BPF_EXIT_INSN(),
3009 		},
3010 		.result = ACCEPT,
3011 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3012 	},
3013 	{
3014 		"raw_stack: skb_load_bytes, invalid access 1",
3015 		.insns = {
3016 			BPF_MOV64_IMM(BPF_REG_2, 4),
3017 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3018 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3019 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3020 			BPF_MOV64_IMM(BPF_REG_4, 8),
3021 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3022 				     BPF_FUNC_skb_load_bytes),
3023 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3024 			BPF_EXIT_INSN(),
3025 		},
3026 		.result = REJECT,
3027 		.errstr = "invalid stack type R3 off=-513 access_size=8",
3028 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3029 	},
3030 	{
3031 		"raw_stack: skb_load_bytes, invalid access 2",
3032 		.insns = {
3033 			BPF_MOV64_IMM(BPF_REG_2, 4),
3034 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3035 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3036 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3037 			BPF_MOV64_IMM(BPF_REG_4, 8),
3038 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3039 				     BPF_FUNC_skb_load_bytes),
3040 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3041 			BPF_EXIT_INSN(),
3042 		},
3043 		.result = REJECT,
3044 		.errstr = "invalid stack type R3 off=-1 access_size=8",
3045 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3046 	},
3047 	{
3048 		"raw_stack: skb_load_bytes, invalid access 3",
3049 		.insns = {
3050 			BPF_MOV64_IMM(BPF_REG_2, 4),
3051 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3052 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3053 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3054 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3055 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3056 				     BPF_FUNC_skb_load_bytes),
3057 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3058 			BPF_EXIT_INSN(),
3059 		},
3060 		.result = REJECT,
3061 		.errstr = "R4 min value is negative",
3062 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3063 	},
3064 	{
3065 		"raw_stack: skb_load_bytes, invalid access 4",
3066 		.insns = {
3067 			BPF_MOV64_IMM(BPF_REG_2, 4),
3068 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3069 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3070 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3071 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3072 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3073 				     BPF_FUNC_skb_load_bytes),
3074 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3075 			BPF_EXIT_INSN(),
3076 		},
3077 		.result = REJECT,
3078 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3079 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3080 	},
3081 	{
3082 		"raw_stack: skb_load_bytes, invalid access 5",
3083 		.insns = {
3084 			BPF_MOV64_IMM(BPF_REG_2, 4),
3085 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3086 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3087 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3088 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3089 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3090 				     BPF_FUNC_skb_load_bytes),
3091 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3092 			BPF_EXIT_INSN(),
3093 		},
3094 		.result = REJECT,
3095 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3096 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3097 	},
3098 	{
3099 		"raw_stack: skb_load_bytes, invalid access 6",
3100 		.insns = {
3101 			BPF_MOV64_IMM(BPF_REG_2, 4),
3102 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3103 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3104 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3105 			BPF_MOV64_IMM(BPF_REG_4, 0),
3106 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3107 				     BPF_FUNC_skb_load_bytes),
3108 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3109 			BPF_EXIT_INSN(),
3110 		},
3111 		.result = REJECT,
3112 		.errstr = "invalid stack type R3 off=-512 access_size=0",
3113 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3114 	},
3115 	{
3116 		"raw_stack: skb_load_bytes, large access",
3117 		.insns = {
3118 			BPF_MOV64_IMM(BPF_REG_2, 4),
3119 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3120 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3121 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3122 			BPF_MOV64_IMM(BPF_REG_4, 512),
3123 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3124 				     BPF_FUNC_skb_load_bytes),
3125 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3126 			BPF_EXIT_INSN(),
3127 		},
3128 		.result = ACCEPT,
3129 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3130 	},
3131 	{
3132 		"context stores via ST",
3133 		.insns = {
3134 			BPF_MOV64_IMM(BPF_REG_0, 0),
3135 			BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3136 			BPF_EXIT_INSN(),
3137 		},
3138 		.errstr = "BPF_ST stores into R1 context is not allowed",
3139 		.result = REJECT,
3140 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3141 	},
3142 	{
3143 		"context stores via XADD",
3144 		.insns = {
3145 			BPF_MOV64_IMM(BPF_REG_0, 0),
3146 			BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3147 				     BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3148 			BPF_EXIT_INSN(),
3149 		},
3150 		.errstr = "BPF_XADD stores into R1 context is not allowed",
3151 		.result = REJECT,
3152 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3153 	},
3154 	{
3155 		"direct packet access: test1",
3156 		.insns = {
3157 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3158 				    offsetof(struct __sk_buff, data)),
3159 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3160 				    offsetof(struct __sk_buff, data_end)),
3161 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3162 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3163 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3164 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3165 			BPF_MOV64_IMM(BPF_REG_0, 0),
3166 			BPF_EXIT_INSN(),
3167 		},
3168 		.result = ACCEPT,
3169 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3170 	},
3171 	{
3172 		"direct packet access: test2",
3173 		.insns = {
3174 			BPF_MOV64_IMM(BPF_REG_0, 1),
3175 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3176 				    offsetof(struct __sk_buff, data_end)),
3177 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3178 				    offsetof(struct __sk_buff, data)),
3179 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3180 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3181 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3182 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3183 			BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3184 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3185 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3186 				    offsetof(struct __sk_buff, data)),
3187 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3188 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3189 				    offsetof(struct __sk_buff, len)),
3190 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3191 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3192 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3193 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3194 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3195 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3196 				    offsetof(struct __sk_buff, data_end)),
3197 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3198 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3199 			BPF_MOV64_IMM(BPF_REG_0, 0),
3200 			BPF_EXIT_INSN(),
3201 		},
3202 		.result = ACCEPT,
3203 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3204 	},
3205 	{
3206 		"direct packet access: test3",
3207 		.insns = {
3208 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3209 				    offsetof(struct __sk_buff, data)),
3210 			BPF_MOV64_IMM(BPF_REG_0, 0),
3211 			BPF_EXIT_INSN(),
3212 		},
3213 		.errstr = "invalid bpf_context access off=76",
3214 		.result = REJECT,
3215 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3216 	},
3217 	{
3218 		"direct packet access: test4 (write)",
3219 		.insns = {
3220 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3221 				    offsetof(struct __sk_buff, data)),
3222 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3223 				    offsetof(struct __sk_buff, data_end)),
3224 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3225 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3226 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3227 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3228 			BPF_MOV64_IMM(BPF_REG_0, 0),
3229 			BPF_EXIT_INSN(),
3230 		},
3231 		.result = ACCEPT,
3232 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3233 	},
3234 	{
3235 		"direct packet access: test5 (pkt_end >= reg, good access)",
3236 		.insns = {
3237 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3238 				    offsetof(struct __sk_buff, data)),
3239 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3240 				    offsetof(struct __sk_buff, data_end)),
3241 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3242 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3243 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3244 			BPF_MOV64_IMM(BPF_REG_0, 1),
3245 			BPF_EXIT_INSN(),
3246 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3247 			BPF_MOV64_IMM(BPF_REG_0, 0),
3248 			BPF_EXIT_INSN(),
3249 		},
3250 		.result = ACCEPT,
3251 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3252 	},
3253 	{
3254 		"direct packet access: test6 (pkt_end >= reg, bad access)",
3255 		.insns = {
3256 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3257 				    offsetof(struct __sk_buff, data)),
3258 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3259 				    offsetof(struct __sk_buff, data_end)),
3260 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3261 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3262 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3263 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3264 			BPF_MOV64_IMM(BPF_REG_0, 1),
3265 			BPF_EXIT_INSN(),
3266 			BPF_MOV64_IMM(BPF_REG_0, 0),
3267 			BPF_EXIT_INSN(),
3268 		},
3269 		.errstr = "invalid access to packet",
3270 		.result = REJECT,
3271 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3272 	},
3273 	{
3274 		"direct packet access: test7 (pkt_end >= reg, both accesses)",
3275 		.insns = {
3276 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3277 				    offsetof(struct __sk_buff, data)),
3278 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3279 				    offsetof(struct __sk_buff, data_end)),
3280 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3281 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3282 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3283 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3284 			BPF_MOV64_IMM(BPF_REG_0, 1),
3285 			BPF_EXIT_INSN(),
3286 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3287 			BPF_MOV64_IMM(BPF_REG_0, 0),
3288 			BPF_EXIT_INSN(),
3289 		},
3290 		.errstr = "invalid access to packet",
3291 		.result = REJECT,
3292 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3293 	},
3294 	{
3295 		"direct packet access: test8 (double test, variant 1)",
3296 		.insns = {
3297 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3298 				    offsetof(struct __sk_buff, data)),
3299 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3300 				    offsetof(struct __sk_buff, data_end)),
3301 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3302 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3303 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3304 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3305 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3306 			BPF_MOV64_IMM(BPF_REG_0, 1),
3307 			BPF_EXIT_INSN(),
3308 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3309 			BPF_MOV64_IMM(BPF_REG_0, 0),
3310 			BPF_EXIT_INSN(),
3311 		},
3312 		.result = ACCEPT,
3313 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3314 	},
3315 	{
3316 		"direct packet access: test9 (double test, variant 2)",
3317 		.insns = {
3318 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3319 				    offsetof(struct __sk_buff, data)),
3320 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3321 				    offsetof(struct __sk_buff, data_end)),
3322 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3323 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3324 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3325 			BPF_MOV64_IMM(BPF_REG_0, 1),
3326 			BPF_EXIT_INSN(),
3327 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3328 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3329 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3330 			BPF_MOV64_IMM(BPF_REG_0, 0),
3331 			BPF_EXIT_INSN(),
3332 		},
3333 		.result = ACCEPT,
3334 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3335 	},
3336 	{
3337 		"direct packet access: test10 (write invalid)",
3338 		.insns = {
3339 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3340 				    offsetof(struct __sk_buff, data)),
3341 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3342 				    offsetof(struct __sk_buff, data_end)),
3343 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3344 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3345 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3346 			BPF_MOV64_IMM(BPF_REG_0, 0),
3347 			BPF_EXIT_INSN(),
3348 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3349 			BPF_MOV64_IMM(BPF_REG_0, 0),
3350 			BPF_EXIT_INSN(),
3351 		},
3352 		.errstr = "invalid access to packet",
3353 		.result = REJECT,
3354 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3355 	},
3356 	{
3357 		"direct packet access: test11 (shift, good access)",
3358 		.insns = {
3359 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3360 				    offsetof(struct __sk_buff, data)),
3361 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3362 				    offsetof(struct __sk_buff, data_end)),
3363 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3364 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3365 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3366 			BPF_MOV64_IMM(BPF_REG_3, 144),
3367 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3368 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3369 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3370 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3371 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3372 			BPF_MOV64_IMM(BPF_REG_0, 1),
3373 			BPF_EXIT_INSN(),
3374 			BPF_MOV64_IMM(BPF_REG_0, 0),
3375 			BPF_EXIT_INSN(),
3376 		},
3377 		.result = ACCEPT,
3378 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3379 		.retval = 1,
3380 	},
3381 	{
3382 		"direct packet access: test12 (and, good access)",
3383 		.insns = {
3384 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3385 				    offsetof(struct __sk_buff, data)),
3386 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3387 				    offsetof(struct __sk_buff, data_end)),
3388 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3389 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3390 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3391 			BPF_MOV64_IMM(BPF_REG_3, 144),
3392 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3393 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3394 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3395 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3396 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3397 			BPF_MOV64_IMM(BPF_REG_0, 1),
3398 			BPF_EXIT_INSN(),
3399 			BPF_MOV64_IMM(BPF_REG_0, 0),
3400 			BPF_EXIT_INSN(),
3401 		},
3402 		.result = ACCEPT,
3403 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3404 		.retval = 1,
3405 	},
3406 	{
3407 		"direct packet access: test13 (branches, good access)",
3408 		.insns = {
3409 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3410 				    offsetof(struct __sk_buff, data)),
3411 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3412 				    offsetof(struct __sk_buff, data_end)),
3413 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3414 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3415 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3416 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3417 				    offsetof(struct __sk_buff, mark)),
3418 			BPF_MOV64_IMM(BPF_REG_4, 1),
3419 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3420 			BPF_MOV64_IMM(BPF_REG_3, 14),
3421 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3422 			BPF_MOV64_IMM(BPF_REG_3, 24),
3423 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3424 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3425 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3426 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3427 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3428 			BPF_MOV64_IMM(BPF_REG_0, 1),
3429 			BPF_EXIT_INSN(),
3430 			BPF_MOV64_IMM(BPF_REG_0, 0),
3431 			BPF_EXIT_INSN(),
3432 		},
3433 		.result = ACCEPT,
3434 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3435 		.retval = 1,
3436 	},
3437 	{
3438 		"direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3439 		.insns = {
3440 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3441 				    offsetof(struct __sk_buff, data)),
3442 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3443 				    offsetof(struct __sk_buff, data_end)),
3444 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3445 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3446 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3447 			BPF_MOV64_IMM(BPF_REG_5, 12),
3448 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3449 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3450 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3451 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3452 			BPF_MOV64_IMM(BPF_REG_0, 1),
3453 			BPF_EXIT_INSN(),
3454 			BPF_MOV64_IMM(BPF_REG_0, 0),
3455 			BPF_EXIT_INSN(),
3456 		},
3457 		.result = ACCEPT,
3458 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3459 		.retval = 1,
3460 	},
3461 	{
3462 		"direct packet access: test15 (spill with xadd)",
3463 		.insns = {
3464 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3465 				    offsetof(struct __sk_buff, data)),
3466 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3467 				    offsetof(struct __sk_buff, data_end)),
3468 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3469 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3470 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3471 			BPF_MOV64_IMM(BPF_REG_5, 4096),
3472 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3473 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3474 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3475 			BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3476 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3477 			BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3478 			BPF_MOV64_IMM(BPF_REG_0, 0),
3479 			BPF_EXIT_INSN(),
3480 		},
3481 		.errstr = "R2 invalid mem access 'inv'",
3482 		.result = REJECT,
3483 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3484 	},
3485 	{
3486 		"direct packet access: test16 (arith on data_end)",
3487 		.insns = {
3488 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3489 				    offsetof(struct __sk_buff, data)),
3490 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3491 				    offsetof(struct __sk_buff, data_end)),
3492 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3493 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3494 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3495 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3496 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3497 			BPF_MOV64_IMM(BPF_REG_0, 0),
3498 			BPF_EXIT_INSN(),
3499 		},
3500 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3501 		.result = REJECT,
3502 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3503 	},
3504 	{
3505 		"direct packet access: test17 (pruning, alignment)",
3506 		.insns = {
3507 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3508 				    offsetof(struct __sk_buff, data)),
3509 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3510 				    offsetof(struct __sk_buff, data_end)),
3511 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3512 				    offsetof(struct __sk_buff, mark)),
3513 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3514 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3515 			BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3516 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3517 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3518 			BPF_MOV64_IMM(BPF_REG_0, 0),
3519 			BPF_EXIT_INSN(),
3520 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3521 			BPF_JMP_A(-6),
3522 		},
3523 		.errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3524 		.result = REJECT,
3525 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3526 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3527 	},
3528 	{
3529 		"direct packet access: test18 (imm += pkt_ptr, 1)",
3530 		.insns = {
3531 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3532 				    offsetof(struct __sk_buff, data)),
3533 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3534 				    offsetof(struct __sk_buff, data_end)),
3535 			BPF_MOV64_IMM(BPF_REG_0, 8),
3536 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3537 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3538 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3539 			BPF_MOV64_IMM(BPF_REG_0, 0),
3540 			BPF_EXIT_INSN(),
3541 		},
3542 		.result = ACCEPT,
3543 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3544 	},
3545 	{
3546 		"direct packet access: test19 (imm += pkt_ptr, 2)",
3547 		.insns = {
3548 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3549 				    offsetof(struct __sk_buff, data)),
3550 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3551 				    offsetof(struct __sk_buff, data_end)),
3552 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3553 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3554 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3555 			BPF_MOV64_IMM(BPF_REG_4, 4),
3556 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3557 			BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3558 			BPF_MOV64_IMM(BPF_REG_0, 0),
3559 			BPF_EXIT_INSN(),
3560 		},
3561 		.result = ACCEPT,
3562 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3563 	},
3564 	{
3565 		"direct packet access: test20 (x += pkt_ptr, 1)",
3566 		.insns = {
3567 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3568 				    offsetof(struct __sk_buff, data)),
3569 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3570 				    offsetof(struct __sk_buff, data_end)),
3571 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3572 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3573 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3574 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3575 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3576 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3577 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3578 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3579 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3580 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3581 			BPF_MOV64_IMM(BPF_REG_0, 0),
3582 			BPF_EXIT_INSN(),
3583 		},
3584 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3585 		.result = ACCEPT,
3586 	},
3587 	{
3588 		"direct packet access: test21 (x += pkt_ptr, 2)",
3589 		.insns = {
3590 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3591 				    offsetof(struct __sk_buff, data)),
3592 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3593 				    offsetof(struct __sk_buff, data_end)),
3594 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3595 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3596 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3597 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3598 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3599 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3600 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3601 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3602 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3603 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3604 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3605 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3606 			BPF_MOV64_IMM(BPF_REG_0, 0),
3607 			BPF_EXIT_INSN(),
3608 		},
3609 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3610 		.result = ACCEPT,
3611 	},
3612 	{
3613 		"direct packet access: test22 (x += pkt_ptr, 3)",
3614 		.insns = {
3615 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3616 				    offsetof(struct __sk_buff, data)),
3617 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3618 				    offsetof(struct __sk_buff, data_end)),
3619 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3620 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3621 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3622 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3623 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3624 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3625 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3626 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3627 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3628 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3629 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3630 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3631 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3632 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3633 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3634 			BPF_MOV64_IMM(BPF_REG_2, 1),
3635 			BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3636 			BPF_MOV64_IMM(BPF_REG_0, 0),
3637 			BPF_EXIT_INSN(),
3638 		},
3639 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3640 		.result = ACCEPT,
3641 	},
3642 	{
3643 		"direct packet access: test23 (x += pkt_ptr, 4)",
3644 		.insns = {
3645 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3646 				    offsetof(struct __sk_buff, data)),
3647 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3648 				    offsetof(struct __sk_buff, data_end)),
3649 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3650 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3651 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3652 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3653 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3654 			BPF_MOV64_IMM(BPF_REG_0, 31),
3655 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3656 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3657 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3658 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3659 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3660 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3661 			BPF_MOV64_IMM(BPF_REG_0, 0),
3662 			BPF_EXIT_INSN(),
3663 		},
3664 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3665 		.result = REJECT,
3666 		.errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3667 	},
3668 	{
3669 		"direct packet access: test24 (x += pkt_ptr, 5)",
3670 		.insns = {
3671 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3672 				    offsetof(struct __sk_buff, data)),
3673 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3674 				    offsetof(struct __sk_buff, data_end)),
3675 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3676 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3677 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3678 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3679 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3680 			BPF_MOV64_IMM(BPF_REG_0, 64),
3681 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3682 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3683 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3684 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3685 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3686 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3687 			BPF_MOV64_IMM(BPF_REG_0, 0),
3688 			BPF_EXIT_INSN(),
3689 		},
3690 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3691 		.result = ACCEPT,
3692 	},
3693 	{
3694 		"direct packet access: test25 (marking on <, good access)",
3695 		.insns = {
3696 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3697 				    offsetof(struct __sk_buff, data)),
3698 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3699 				    offsetof(struct __sk_buff, data_end)),
3700 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3701 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3702 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3703 			BPF_MOV64_IMM(BPF_REG_0, 0),
3704 			BPF_EXIT_INSN(),
3705 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3706 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3707 		},
3708 		.result = ACCEPT,
3709 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3710 	},
3711 	{
3712 		"direct packet access: test26 (marking on <, bad access)",
3713 		.insns = {
3714 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3715 				    offsetof(struct __sk_buff, data)),
3716 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3717 				    offsetof(struct __sk_buff, data_end)),
3718 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3719 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3720 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3721 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3722 			BPF_MOV64_IMM(BPF_REG_0, 0),
3723 			BPF_EXIT_INSN(),
3724 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3725 		},
3726 		.result = REJECT,
3727 		.errstr = "invalid access to packet",
3728 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3729 	},
3730 	{
3731 		"direct packet access: test27 (marking on <=, good access)",
3732 		.insns = {
3733 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3734 				    offsetof(struct __sk_buff, data)),
3735 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3736 				    offsetof(struct __sk_buff, data_end)),
3737 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3738 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3739 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3740 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3741 			BPF_MOV64_IMM(BPF_REG_0, 1),
3742 			BPF_EXIT_INSN(),
3743 		},
3744 		.result = ACCEPT,
3745 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3746 		.retval = 1,
3747 	},
3748 	{
3749 		"direct packet access: test28 (marking on <=, bad access)",
3750 		.insns = {
3751 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3752 				    offsetof(struct __sk_buff, data)),
3753 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3754 				    offsetof(struct __sk_buff, data_end)),
3755 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3756 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3757 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3758 			BPF_MOV64_IMM(BPF_REG_0, 1),
3759 			BPF_EXIT_INSN(),
3760 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3761 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3762 		},
3763 		.result = REJECT,
3764 		.errstr = "invalid access to packet",
3765 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3766 	},
3767 	{
3768 		"helper access to packet: test1, valid packet_ptr range",
3769 		.insns = {
3770 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3771 				    offsetof(struct xdp_md, data)),
3772 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3773 				    offsetof(struct xdp_md, data_end)),
3774 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3775 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3776 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3777 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3778 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3779 			BPF_MOV64_IMM(BPF_REG_4, 0),
3780 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3781 				     BPF_FUNC_map_update_elem),
3782 			BPF_MOV64_IMM(BPF_REG_0, 0),
3783 			BPF_EXIT_INSN(),
3784 		},
3785 		.fixup_map1 = { 5 },
3786 		.result_unpriv = ACCEPT,
3787 		.result = ACCEPT,
3788 		.prog_type = BPF_PROG_TYPE_XDP,
3789 	},
3790 	{
3791 		"helper access to packet: test2, unchecked packet_ptr",
3792 		.insns = {
3793 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3794 				    offsetof(struct xdp_md, data)),
3795 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3796 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3797 				     BPF_FUNC_map_lookup_elem),
3798 			BPF_MOV64_IMM(BPF_REG_0, 0),
3799 			BPF_EXIT_INSN(),
3800 		},
3801 		.fixup_map1 = { 1 },
3802 		.result = REJECT,
3803 		.errstr = "invalid access to packet",
3804 		.prog_type = BPF_PROG_TYPE_XDP,
3805 	},
3806 	{
3807 		"helper access to packet: test3, variable add",
3808 		.insns = {
3809 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3810 					offsetof(struct xdp_md, data)),
3811 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3812 					offsetof(struct xdp_md, data_end)),
3813 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3814 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3815 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3816 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3817 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3818 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3819 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3820 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3821 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3822 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3823 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3824 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3825 				     BPF_FUNC_map_lookup_elem),
3826 			BPF_MOV64_IMM(BPF_REG_0, 0),
3827 			BPF_EXIT_INSN(),
3828 		},
3829 		.fixup_map1 = { 11 },
3830 		.result = ACCEPT,
3831 		.prog_type = BPF_PROG_TYPE_XDP,
3832 	},
3833 	{
3834 		"helper access to packet: test4, packet_ptr with bad range",
3835 		.insns = {
3836 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3837 				    offsetof(struct xdp_md, data)),
3838 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3839 				    offsetof(struct xdp_md, data_end)),
3840 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3841 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3842 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3843 			BPF_MOV64_IMM(BPF_REG_0, 0),
3844 			BPF_EXIT_INSN(),
3845 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3846 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3847 				     BPF_FUNC_map_lookup_elem),
3848 			BPF_MOV64_IMM(BPF_REG_0, 0),
3849 			BPF_EXIT_INSN(),
3850 		},
3851 		.fixup_map1 = { 7 },
3852 		.result = REJECT,
3853 		.errstr = "invalid access to packet",
3854 		.prog_type = BPF_PROG_TYPE_XDP,
3855 	},
3856 	{
3857 		"helper access to packet: test5, packet_ptr with too short range",
3858 		.insns = {
3859 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3860 				    offsetof(struct xdp_md, data)),
3861 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3862 				    offsetof(struct xdp_md, data_end)),
3863 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3864 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3865 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3866 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3867 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3868 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3869 				     BPF_FUNC_map_lookup_elem),
3870 			BPF_MOV64_IMM(BPF_REG_0, 0),
3871 			BPF_EXIT_INSN(),
3872 		},
3873 		.fixup_map1 = { 6 },
3874 		.result = REJECT,
3875 		.errstr = "invalid access to packet",
3876 		.prog_type = BPF_PROG_TYPE_XDP,
3877 	},
3878 	{
3879 		"helper access to packet: test6, cls valid packet_ptr range",
3880 		.insns = {
3881 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3882 				    offsetof(struct __sk_buff, data)),
3883 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3884 				    offsetof(struct __sk_buff, data_end)),
3885 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3886 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3887 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3888 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3889 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3890 			BPF_MOV64_IMM(BPF_REG_4, 0),
3891 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3892 				     BPF_FUNC_map_update_elem),
3893 			BPF_MOV64_IMM(BPF_REG_0, 0),
3894 			BPF_EXIT_INSN(),
3895 		},
3896 		.fixup_map1 = { 5 },
3897 		.result = ACCEPT,
3898 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3899 	},
3900 	{
3901 		"helper access to packet: test7, cls unchecked packet_ptr",
3902 		.insns = {
3903 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3904 				    offsetof(struct __sk_buff, data)),
3905 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3906 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3907 				     BPF_FUNC_map_lookup_elem),
3908 			BPF_MOV64_IMM(BPF_REG_0, 0),
3909 			BPF_EXIT_INSN(),
3910 		},
3911 		.fixup_map1 = { 1 },
3912 		.result = REJECT,
3913 		.errstr = "invalid access to packet",
3914 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3915 	},
3916 	{
3917 		"helper access to packet: test8, cls variable add",
3918 		.insns = {
3919 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3920 					offsetof(struct __sk_buff, data)),
3921 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3922 					offsetof(struct __sk_buff, data_end)),
3923 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3924 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3925 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3926 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3927 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3928 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3929 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3930 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3931 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3932 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3933 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3934 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3935 				     BPF_FUNC_map_lookup_elem),
3936 			BPF_MOV64_IMM(BPF_REG_0, 0),
3937 			BPF_EXIT_INSN(),
3938 		},
3939 		.fixup_map1 = { 11 },
3940 		.result = ACCEPT,
3941 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3942 	},
3943 	{
3944 		"helper access to packet: test9, cls packet_ptr with bad range",
3945 		.insns = {
3946 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3947 				    offsetof(struct __sk_buff, data)),
3948 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3949 				    offsetof(struct __sk_buff, data_end)),
3950 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3951 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3952 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3953 			BPF_MOV64_IMM(BPF_REG_0, 0),
3954 			BPF_EXIT_INSN(),
3955 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3956 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3957 				     BPF_FUNC_map_lookup_elem),
3958 			BPF_MOV64_IMM(BPF_REG_0, 0),
3959 			BPF_EXIT_INSN(),
3960 		},
3961 		.fixup_map1 = { 7 },
3962 		.result = REJECT,
3963 		.errstr = "invalid access to packet",
3964 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3965 	},
3966 	{
3967 		"helper access to packet: test10, cls packet_ptr with too short range",
3968 		.insns = {
3969 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3970 				    offsetof(struct __sk_buff, data)),
3971 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3972 				    offsetof(struct __sk_buff, data_end)),
3973 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3974 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3975 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3976 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3977 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3978 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3979 				     BPF_FUNC_map_lookup_elem),
3980 			BPF_MOV64_IMM(BPF_REG_0, 0),
3981 			BPF_EXIT_INSN(),
3982 		},
3983 		.fixup_map1 = { 6 },
3984 		.result = REJECT,
3985 		.errstr = "invalid access to packet",
3986 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3987 	},
3988 	{
3989 		"helper access to packet: test11, cls unsuitable helper 1",
3990 		.insns = {
3991 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3992 				    offsetof(struct __sk_buff, data)),
3993 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3994 				    offsetof(struct __sk_buff, data_end)),
3995 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3996 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3997 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
3998 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
3999 			BPF_MOV64_IMM(BPF_REG_2, 0),
4000 			BPF_MOV64_IMM(BPF_REG_4, 42),
4001 			BPF_MOV64_IMM(BPF_REG_5, 0),
4002 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4003 				     BPF_FUNC_skb_store_bytes),
4004 			BPF_MOV64_IMM(BPF_REG_0, 0),
4005 			BPF_EXIT_INSN(),
4006 		},
4007 		.result = REJECT,
4008 		.errstr = "helper access to the packet",
4009 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4010 	},
4011 	{
4012 		"helper access to packet: test12, cls unsuitable helper 2",
4013 		.insns = {
4014 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4015 				    offsetof(struct __sk_buff, data)),
4016 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4017 				    offsetof(struct __sk_buff, data_end)),
4018 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4019 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4020 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4021 			BPF_MOV64_IMM(BPF_REG_2, 0),
4022 			BPF_MOV64_IMM(BPF_REG_4, 4),
4023 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4024 				     BPF_FUNC_skb_load_bytes),
4025 			BPF_MOV64_IMM(BPF_REG_0, 0),
4026 			BPF_EXIT_INSN(),
4027 		},
4028 		.result = REJECT,
4029 		.errstr = "helper access to the packet",
4030 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4031 	},
4032 	{
4033 		"helper access to packet: test13, cls helper ok",
4034 		.insns = {
4035 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4036 				    offsetof(struct __sk_buff, data)),
4037 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4038 				    offsetof(struct __sk_buff, data_end)),
4039 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4040 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4041 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4042 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4043 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4044 			BPF_MOV64_IMM(BPF_REG_2, 4),
4045 			BPF_MOV64_IMM(BPF_REG_3, 0),
4046 			BPF_MOV64_IMM(BPF_REG_4, 0),
4047 			BPF_MOV64_IMM(BPF_REG_5, 0),
4048 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4049 				     BPF_FUNC_csum_diff),
4050 			BPF_MOV64_IMM(BPF_REG_0, 0),
4051 			BPF_EXIT_INSN(),
4052 		},
4053 		.result = ACCEPT,
4054 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4055 	},
4056 	{
4057 		"helper access to packet: test14, cls helper ok sub",
4058 		.insns = {
4059 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4060 				    offsetof(struct __sk_buff, data)),
4061 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4062 				    offsetof(struct __sk_buff, data_end)),
4063 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4064 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4065 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4066 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4067 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4068 			BPF_MOV64_IMM(BPF_REG_2, 4),
4069 			BPF_MOV64_IMM(BPF_REG_3, 0),
4070 			BPF_MOV64_IMM(BPF_REG_4, 0),
4071 			BPF_MOV64_IMM(BPF_REG_5, 0),
4072 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4073 				     BPF_FUNC_csum_diff),
4074 			BPF_MOV64_IMM(BPF_REG_0, 0),
4075 			BPF_EXIT_INSN(),
4076 		},
4077 		.result = ACCEPT,
4078 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4079 	},
4080 	{
4081 		"helper access to packet: test15, cls helper fail sub",
4082 		.insns = {
4083 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4084 				    offsetof(struct __sk_buff, data)),
4085 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4086 				    offsetof(struct __sk_buff, data_end)),
4087 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4088 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4089 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4090 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4091 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4092 			BPF_MOV64_IMM(BPF_REG_2, 4),
4093 			BPF_MOV64_IMM(BPF_REG_3, 0),
4094 			BPF_MOV64_IMM(BPF_REG_4, 0),
4095 			BPF_MOV64_IMM(BPF_REG_5, 0),
4096 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4097 				     BPF_FUNC_csum_diff),
4098 			BPF_MOV64_IMM(BPF_REG_0, 0),
4099 			BPF_EXIT_INSN(),
4100 		},
4101 		.result = REJECT,
4102 		.errstr = "invalid access to packet",
4103 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4104 	},
4105 	{
4106 		"helper access to packet: test16, cls helper fail range 1",
4107 		.insns = {
4108 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4109 				    offsetof(struct __sk_buff, data)),
4110 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4111 				    offsetof(struct __sk_buff, data_end)),
4112 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4113 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4114 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4115 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4116 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4117 			BPF_MOV64_IMM(BPF_REG_2, 8),
4118 			BPF_MOV64_IMM(BPF_REG_3, 0),
4119 			BPF_MOV64_IMM(BPF_REG_4, 0),
4120 			BPF_MOV64_IMM(BPF_REG_5, 0),
4121 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4122 				     BPF_FUNC_csum_diff),
4123 			BPF_MOV64_IMM(BPF_REG_0, 0),
4124 			BPF_EXIT_INSN(),
4125 		},
4126 		.result = REJECT,
4127 		.errstr = "invalid access to packet",
4128 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4129 	},
4130 	{
4131 		"helper access to packet: test17, cls helper fail range 2",
4132 		.insns = {
4133 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4134 				    offsetof(struct __sk_buff, data)),
4135 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4136 				    offsetof(struct __sk_buff, data_end)),
4137 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4138 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4139 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4140 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4141 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4142 			BPF_MOV64_IMM(BPF_REG_2, -9),
4143 			BPF_MOV64_IMM(BPF_REG_3, 0),
4144 			BPF_MOV64_IMM(BPF_REG_4, 0),
4145 			BPF_MOV64_IMM(BPF_REG_5, 0),
4146 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4147 				     BPF_FUNC_csum_diff),
4148 			BPF_MOV64_IMM(BPF_REG_0, 0),
4149 			BPF_EXIT_INSN(),
4150 		},
4151 		.result = REJECT,
4152 		.errstr = "R2 min value is negative",
4153 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4154 	},
4155 	{
4156 		"helper access to packet: test18, cls helper fail range 3",
4157 		.insns = {
4158 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4159 				    offsetof(struct __sk_buff, data)),
4160 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4161 				    offsetof(struct __sk_buff, data_end)),
4162 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4163 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4164 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4165 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4166 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4167 			BPF_MOV64_IMM(BPF_REG_2, ~0),
4168 			BPF_MOV64_IMM(BPF_REG_3, 0),
4169 			BPF_MOV64_IMM(BPF_REG_4, 0),
4170 			BPF_MOV64_IMM(BPF_REG_5, 0),
4171 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4172 				     BPF_FUNC_csum_diff),
4173 			BPF_MOV64_IMM(BPF_REG_0, 0),
4174 			BPF_EXIT_INSN(),
4175 		},
4176 		.result = REJECT,
4177 		.errstr = "R2 min value is negative",
4178 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4179 	},
4180 	{
4181 		"helper access to packet: test19, cls helper range zero",
4182 		.insns = {
4183 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4184 				    offsetof(struct __sk_buff, data)),
4185 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4186 				    offsetof(struct __sk_buff, data_end)),
4187 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4188 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4189 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4190 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4191 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4192 			BPF_MOV64_IMM(BPF_REG_2, 0),
4193 			BPF_MOV64_IMM(BPF_REG_3, 0),
4194 			BPF_MOV64_IMM(BPF_REG_4, 0),
4195 			BPF_MOV64_IMM(BPF_REG_5, 0),
4196 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4197 				     BPF_FUNC_csum_diff),
4198 			BPF_MOV64_IMM(BPF_REG_0, 0),
4199 			BPF_EXIT_INSN(),
4200 		},
4201 		.result = ACCEPT,
4202 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4203 	},
4204 	{
4205 		"helper access to packet: test20, pkt end as input",
4206 		.insns = {
4207 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4208 				    offsetof(struct __sk_buff, data)),
4209 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4210 				    offsetof(struct __sk_buff, data_end)),
4211 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4212 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4213 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4214 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4215 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4216 			BPF_MOV64_IMM(BPF_REG_2, 4),
4217 			BPF_MOV64_IMM(BPF_REG_3, 0),
4218 			BPF_MOV64_IMM(BPF_REG_4, 0),
4219 			BPF_MOV64_IMM(BPF_REG_5, 0),
4220 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4221 				     BPF_FUNC_csum_diff),
4222 			BPF_MOV64_IMM(BPF_REG_0, 0),
4223 			BPF_EXIT_INSN(),
4224 		},
4225 		.result = REJECT,
4226 		.errstr = "R1 type=pkt_end expected=fp",
4227 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4228 	},
4229 	{
4230 		"helper access to packet: test21, wrong reg",
4231 		.insns = {
4232 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4233 				    offsetof(struct __sk_buff, data)),
4234 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4235 				    offsetof(struct __sk_buff, data_end)),
4236 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4237 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4238 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4239 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4240 			BPF_MOV64_IMM(BPF_REG_2, 4),
4241 			BPF_MOV64_IMM(BPF_REG_3, 0),
4242 			BPF_MOV64_IMM(BPF_REG_4, 0),
4243 			BPF_MOV64_IMM(BPF_REG_5, 0),
4244 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4245 				     BPF_FUNC_csum_diff),
4246 			BPF_MOV64_IMM(BPF_REG_0, 0),
4247 			BPF_EXIT_INSN(),
4248 		},
4249 		.result = REJECT,
4250 		.errstr = "invalid access to packet",
4251 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4252 	},
4253 	{
4254 		"valid map access into an array with a constant",
4255 		.insns = {
4256 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4257 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4258 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4259 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4260 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4261 				     BPF_FUNC_map_lookup_elem),
4262 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4263 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4264 				   offsetof(struct test_val, foo)),
4265 			BPF_EXIT_INSN(),
4266 		},
4267 		.fixup_map2 = { 3 },
4268 		.errstr_unpriv = "R0 leaks addr",
4269 		.result_unpriv = REJECT,
4270 		.result = ACCEPT,
4271 	},
4272 	{
4273 		"valid map access into an array with a register",
4274 		.insns = {
4275 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4276 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4277 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4278 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4279 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4280 				     BPF_FUNC_map_lookup_elem),
4281 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4282 			BPF_MOV64_IMM(BPF_REG_1, 4),
4283 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4284 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4285 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4286 				   offsetof(struct test_val, foo)),
4287 			BPF_EXIT_INSN(),
4288 		},
4289 		.fixup_map2 = { 3 },
4290 		.errstr_unpriv = "R0 leaks addr",
4291 		.result_unpriv = REJECT,
4292 		.result = ACCEPT,
4293 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4294 	},
4295 	{
4296 		"valid map access into an array with a variable",
4297 		.insns = {
4298 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4299 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4300 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4301 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4302 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4303 				     BPF_FUNC_map_lookup_elem),
4304 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4305 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4306 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4307 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4308 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4309 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4310 				   offsetof(struct test_val, foo)),
4311 			BPF_EXIT_INSN(),
4312 		},
4313 		.fixup_map2 = { 3 },
4314 		.errstr_unpriv = "R0 leaks addr",
4315 		.result_unpriv = REJECT,
4316 		.result = ACCEPT,
4317 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4318 	},
4319 	{
4320 		"valid map access into an array with a signed variable",
4321 		.insns = {
4322 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4323 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4324 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4325 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4326 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4327 				     BPF_FUNC_map_lookup_elem),
4328 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4329 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4330 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4331 			BPF_MOV32_IMM(BPF_REG_1, 0),
4332 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4333 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4334 			BPF_MOV32_IMM(BPF_REG_1, 0),
4335 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4336 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4337 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4338 				   offsetof(struct test_val, foo)),
4339 			BPF_EXIT_INSN(),
4340 		},
4341 		.fixup_map2 = { 3 },
4342 		.errstr_unpriv = "R0 leaks addr",
4343 		.result_unpriv = REJECT,
4344 		.result = ACCEPT,
4345 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4346 	},
4347 	{
4348 		"invalid map access into an array with a constant",
4349 		.insns = {
4350 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4351 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4352 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4353 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4354 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4355 				     BPF_FUNC_map_lookup_elem),
4356 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4357 			BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4358 				   offsetof(struct test_val, foo)),
4359 			BPF_EXIT_INSN(),
4360 		},
4361 		.fixup_map2 = { 3 },
4362 		.errstr = "invalid access to map value, value_size=48 off=48 size=8",
4363 		.result = REJECT,
4364 	},
4365 	{
4366 		"invalid map access into an array with a register",
4367 		.insns = {
4368 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4369 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4370 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4371 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4372 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4373 				     BPF_FUNC_map_lookup_elem),
4374 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4375 			BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4376 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4377 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4378 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4379 				   offsetof(struct test_val, foo)),
4380 			BPF_EXIT_INSN(),
4381 		},
4382 		.fixup_map2 = { 3 },
4383 		.errstr = "R0 min value is outside of the array range",
4384 		.result = REJECT,
4385 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4386 	},
4387 	{
4388 		"invalid map access into an array with a variable",
4389 		.insns = {
4390 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4391 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4392 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4393 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4394 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4395 				     BPF_FUNC_map_lookup_elem),
4396 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4397 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4398 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4399 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4400 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4401 				   offsetof(struct test_val, foo)),
4402 			BPF_EXIT_INSN(),
4403 		},
4404 		.fixup_map2 = { 3 },
4405 		.errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4406 		.result = REJECT,
4407 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4408 	},
4409 	{
4410 		"invalid map access into an array with no floor check",
4411 		.insns = {
4412 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4413 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4414 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4415 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4416 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4417 				     BPF_FUNC_map_lookup_elem),
4418 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4419 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4420 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4421 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4422 			BPF_MOV32_IMM(BPF_REG_1, 0),
4423 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4424 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4425 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4426 				   offsetof(struct test_val, foo)),
4427 			BPF_EXIT_INSN(),
4428 		},
4429 		.fixup_map2 = { 3 },
4430 		.errstr_unpriv = "R0 leaks addr",
4431 		.errstr = "R0 unbounded memory access",
4432 		.result_unpriv = REJECT,
4433 		.result = REJECT,
4434 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4435 	},
4436 	{
4437 		"invalid map access into an array with a invalid max check",
4438 		.insns = {
4439 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4440 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4441 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4442 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4443 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4444 				     BPF_FUNC_map_lookup_elem),
4445 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4446 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4447 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4448 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4449 			BPF_MOV32_IMM(BPF_REG_1, 0),
4450 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4451 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4452 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4453 				   offsetof(struct test_val, foo)),
4454 			BPF_EXIT_INSN(),
4455 		},
4456 		.fixup_map2 = { 3 },
4457 		.errstr_unpriv = "R0 leaks addr",
4458 		.errstr = "invalid access to map value, value_size=48 off=44 size=8",
4459 		.result_unpriv = REJECT,
4460 		.result = REJECT,
4461 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4462 	},
4463 	{
4464 		"invalid map access into an array with a invalid max check",
4465 		.insns = {
4466 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4467 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4468 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4469 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4470 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4471 				     BPF_FUNC_map_lookup_elem),
4472 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4473 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4474 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4475 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4476 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4477 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4478 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4479 				     BPF_FUNC_map_lookup_elem),
4480 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4481 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4482 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4483 				    offsetof(struct test_val, foo)),
4484 			BPF_EXIT_INSN(),
4485 		},
4486 		.fixup_map2 = { 3, 11 },
4487 		.errstr = "R0 pointer += pointer",
4488 		.result = REJECT,
4489 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4490 	},
4491 	{
4492 		"multiple registers share map_lookup_elem result",
4493 		.insns = {
4494 			BPF_MOV64_IMM(BPF_REG_1, 10),
4495 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4496 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4497 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4498 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4499 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4500 				     BPF_FUNC_map_lookup_elem),
4501 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4502 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4503 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4504 			BPF_EXIT_INSN(),
4505 		},
4506 		.fixup_map1 = { 4 },
4507 		.result = ACCEPT,
4508 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4509 	},
4510 	{
4511 		"alu ops on ptr_to_map_value_or_null, 1",
4512 		.insns = {
4513 			BPF_MOV64_IMM(BPF_REG_1, 10),
4514 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4515 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4516 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4517 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4518 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4519 				     BPF_FUNC_map_lookup_elem),
4520 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4521 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4522 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4523 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4524 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4525 			BPF_EXIT_INSN(),
4526 		},
4527 		.fixup_map1 = { 4 },
4528 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4529 		.result = REJECT,
4530 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4531 	},
4532 	{
4533 		"alu ops on ptr_to_map_value_or_null, 2",
4534 		.insns = {
4535 			BPF_MOV64_IMM(BPF_REG_1, 10),
4536 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4537 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4538 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4539 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4540 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4541 				     BPF_FUNC_map_lookup_elem),
4542 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4543 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4544 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4545 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4546 			BPF_EXIT_INSN(),
4547 		},
4548 		.fixup_map1 = { 4 },
4549 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4550 		.result = REJECT,
4551 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4552 	},
4553 	{
4554 		"alu ops on ptr_to_map_value_or_null, 3",
4555 		.insns = {
4556 			BPF_MOV64_IMM(BPF_REG_1, 10),
4557 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4558 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4559 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4560 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4561 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4562 				     BPF_FUNC_map_lookup_elem),
4563 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4564 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4565 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4566 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4567 			BPF_EXIT_INSN(),
4568 		},
4569 		.fixup_map1 = { 4 },
4570 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4571 		.result = REJECT,
4572 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4573 	},
4574 	{
4575 		"invalid memory access with multiple map_lookup_elem calls",
4576 		.insns = {
4577 			BPF_MOV64_IMM(BPF_REG_1, 10),
4578 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4579 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4580 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4581 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4582 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4583 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4584 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4585 				     BPF_FUNC_map_lookup_elem),
4586 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4587 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4588 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4589 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4590 				     BPF_FUNC_map_lookup_elem),
4591 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4592 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4593 			BPF_EXIT_INSN(),
4594 		},
4595 		.fixup_map1 = { 4 },
4596 		.result = REJECT,
4597 		.errstr = "R4 !read_ok",
4598 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4599 	},
4600 	{
4601 		"valid indirect map_lookup_elem access with 2nd lookup in branch",
4602 		.insns = {
4603 			BPF_MOV64_IMM(BPF_REG_1, 10),
4604 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4605 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4606 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4607 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4608 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4609 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4610 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4611 				     BPF_FUNC_map_lookup_elem),
4612 			BPF_MOV64_IMM(BPF_REG_2, 10),
4613 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4614 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4615 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4616 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4617 				     BPF_FUNC_map_lookup_elem),
4618 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4619 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4620 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4621 			BPF_EXIT_INSN(),
4622 		},
4623 		.fixup_map1 = { 4 },
4624 		.result = ACCEPT,
4625 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4626 	},
4627 	{
4628 		"invalid map access from else condition",
4629 		.insns = {
4630 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4631 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4632 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4633 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4634 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4635 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4636 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4637 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4638 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4639 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4640 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4641 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4642 			BPF_EXIT_INSN(),
4643 		},
4644 		.fixup_map2 = { 3 },
4645 		.errstr = "R0 unbounded memory access",
4646 		.result = REJECT,
4647 		.errstr_unpriv = "R0 leaks addr",
4648 		.result_unpriv = REJECT,
4649 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4650 	},
4651 	{
4652 		"constant register |= constant should keep constant type",
4653 		.insns = {
4654 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4655 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4656 			BPF_MOV64_IMM(BPF_REG_2, 34),
4657 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4658 			BPF_MOV64_IMM(BPF_REG_3, 0),
4659 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4660 			BPF_EXIT_INSN(),
4661 		},
4662 		.result = ACCEPT,
4663 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4664 	},
4665 	{
4666 		"constant register |= constant should not bypass stack boundary checks",
4667 		.insns = {
4668 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4669 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4670 			BPF_MOV64_IMM(BPF_REG_2, 34),
4671 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4672 			BPF_MOV64_IMM(BPF_REG_3, 0),
4673 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4674 			BPF_EXIT_INSN(),
4675 		},
4676 		.errstr = "invalid stack type R1 off=-48 access_size=58",
4677 		.result = REJECT,
4678 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4679 	},
4680 	{
4681 		"constant register |= constant register should keep constant type",
4682 		.insns = {
4683 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4684 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4685 			BPF_MOV64_IMM(BPF_REG_2, 34),
4686 			BPF_MOV64_IMM(BPF_REG_4, 13),
4687 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4688 			BPF_MOV64_IMM(BPF_REG_3, 0),
4689 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4690 			BPF_EXIT_INSN(),
4691 		},
4692 		.result = ACCEPT,
4693 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4694 	},
4695 	{
4696 		"constant register |= constant register should not bypass stack boundary checks",
4697 		.insns = {
4698 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4699 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4700 			BPF_MOV64_IMM(BPF_REG_2, 34),
4701 			BPF_MOV64_IMM(BPF_REG_4, 24),
4702 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4703 			BPF_MOV64_IMM(BPF_REG_3, 0),
4704 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4705 			BPF_EXIT_INSN(),
4706 		},
4707 		.errstr = "invalid stack type R1 off=-48 access_size=58",
4708 		.result = REJECT,
4709 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4710 	},
4711 	{
4712 		"invalid direct packet write for LWT_IN",
4713 		.insns = {
4714 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4715 				    offsetof(struct __sk_buff, data)),
4716 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4717 				    offsetof(struct __sk_buff, data_end)),
4718 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4719 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4720 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4721 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4722 			BPF_MOV64_IMM(BPF_REG_0, 0),
4723 			BPF_EXIT_INSN(),
4724 		},
4725 		.errstr = "cannot write into packet",
4726 		.result = REJECT,
4727 		.prog_type = BPF_PROG_TYPE_LWT_IN,
4728 	},
4729 	{
4730 		"invalid direct packet write for LWT_OUT",
4731 		.insns = {
4732 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4733 				    offsetof(struct __sk_buff, data)),
4734 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4735 				    offsetof(struct __sk_buff, data_end)),
4736 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4737 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4738 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4739 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4740 			BPF_MOV64_IMM(BPF_REG_0, 0),
4741 			BPF_EXIT_INSN(),
4742 		},
4743 		.errstr = "cannot write into packet",
4744 		.result = REJECT,
4745 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
4746 	},
4747 	{
4748 		"direct packet write for LWT_XMIT",
4749 		.insns = {
4750 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4751 				    offsetof(struct __sk_buff, data)),
4752 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4753 				    offsetof(struct __sk_buff, data_end)),
4754 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4755 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4756 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4757 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4758 			BPF_MOV64_IMM(BPF_REG_0, 0),
4759 			BPF_EXIT_INSN(),
4760 		},
4761 		.result = ACCEPT,
4762 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4763 	},
4764 	{
4765 		"direct packet read for LWT_IN",
4766 		.insns = {
4767 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4768 				    offsetof(struct __sk_buff, data)),
4769 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4770 				    offsetof(struct __sk_buff, data_end)),
4771 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4772 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4773 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4774 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4775 			BPF_MOV64_IMM(BPF_REG_0, 0),
4776 			BPF_EXIT_INSN(),
4777 		},
4778 		.result = ACCEPT,
4779 		.prog_type = BPF_PROG_TYPE_LWT_IN,
4780 	},
4781 	{
4782 		"direct packet read for LWT_OUT",
4783 		.insns = {
4784 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4785 				    offsetof(struct __sk_buff, data)),
4786 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4787 				    offsetof(struct __sk_buff, data_end)),
4788 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4789 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4790 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4791 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4792 			BPF_MOV64_IMM(BPF_REG_0, 0),
4793 			BPF_EXIT_INSN(),
4794 		},
4795 		.result = ACCEPT,
4796 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
4797 	},
4798 	{
4799 		"direct packet read for LWT_XMIT",
4800 		.insns = {
4801 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4802 				    offsetof(struct __sk_buff, data)),
4803 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4804 				    offsetof(struct __sk_buff, data_end)),
4805 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4806 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4807 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4808 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4809 			BPF_MOV64_IMM(BPF_REG_0, 0),
4810 			BPF_EXIT_INSN(),
4811 		},
4812 		.result = ACCEPT,
4813 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4814 	},
4815 	{
4816 		"overlapping checks for direct packet access",
4817 		.insns = {
4818 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4819 				    offsetof(struct __sk_buff, data)),
4820 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4821 				    offsetof(struct __sk_buff, data_end)),
4822 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4823 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4824 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4825 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4826 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4827 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4828 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4829 			BPF_MOV64_IMM(BPF_REG_0, 0),
4830 			BPF_EXIT_INSN(),
4831 		},
4832 		.result = ACCEPT,
4833 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4834 	},
4835 	{
4836 		"invalid access of tc_classid for LWT_IN",
4837 		.insns = {
4838 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4839 				    offsetof(struct __sk_buff, tc_classid)),
4840 			BPF_EXIT_INSN(),
4841 		},
4842 		.result = REJECT,
4843 		.errstr = "invalid bpf_context access",
4844 	},
4845 	{
4846 		"invalid access of tc_classid for LWT_OUT",
4847 		.insns = {
4848 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4849 				    offsetof(struct __sk_buff, tc_classid)),
4850 			BPF_EXIT_INSN(),
4851 		},
4852 		.result = REJECT,
4853 		.errstr = "invalid bpf_context access",
4854 	},
4855 	{
4856 		"invalid access of tc_classid for LWT_XMIT",
4857 		.insns = {
4858 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4859 				    offsetof(struct __sk_buff, tc_classid)),
4860 			BPF_EXIT_INSN(),
4861 		},
4862 		.result = REJECT,
4863 		.errstr = "invalid bpf_context access",
4864 	},
4865 	{
4866 		"leak pointer into ctx 1",
4867 		.insns = {
4868 			BPF_MOV64_IMM(BPF_REG_0, 0),
4869 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4870 				    offsetof(struct __sk_buff, cb[0])),
4871 			BPF_LD_MAP_FD(BPF_REG_2, 0),
4872 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
4873 				      offsetof(struct __sk_buff, cb[0])),
4874 			BPF_EXIT_INSN(),
4875 		},
4876 		.fixup_map1 = { 2 },
4877 		.errstr_unpriv = "R2 leaks addr into mem",
4878 		.result_unpriv = REJECT,
4879 		.result = REJECT,
4880 		.errstr = "BPF_XADD stores into R1 context is not allowed",
4881 	},
4882 	{
4883 		"leak pointer into ctx 2",
4884 		.insns = {
4885 			BPF_MOV64_IMM(BPF_REG_0, 0),
4886 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4887 				    offsetof(struct __sk_buff, cb[0])),
4888 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
4889 				      offsetof(struct __sk_buff, cb[0])),
4890 			BPF_EXIT_INSN(),
4891 		},
4892 		.errstr_unpriv = "R10 leaks addr into mem",
4893 		.result_unpriv = REJECT,
4894 		.result = REJECT,
4895 		.errstr = "BPF_XADD stores into R1 context is not allowed",
4896 	},
4897 	{
4898 		"leak pointer into ctx 3",
4899 		.insns = {
4900 			BPF_MOV64_IMM(BPF_REG_0, 0),
4901 			BPF_LD_MAP_FD(BPF_REG_2, 0),
4902 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
4903 				      offsetof(struct __sk_buff, cb[0])),
4904 			BPF_EXIT_INSN(),
4905 		},
4906 		.fixup_map1 = { 1 },
4907 		.errstr_unpriv = "R2 leaks addr into ctx",
4908 		.result_unpriv = REJECT,
4909 		.result = ACCEPT,
4910 	},
4911 	{
4912 		"leak pointer into map val",
4913 		.insns = {
4914 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
4915 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4916 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4917 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4918 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4919 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4920 				     BPF_FUNC_map_lookup_elem),
4921 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4922 			BPF_MOV64_IMM(BPF_REG_3, 0),
4923 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
4924 			BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
4925 			BPF_MOV64_IMM(BPF_REG_0, 0),
4926 			BPF_EXIT_INSN(),
4927 		},
4928 		.fixup_map1 = { 4 },
4929 		.errstr_unpriv = "R6 leaks addr into mem",
4930 		.result_unpriv = REJECT,
4931 		.result = ACCEPT,
4932 	},
4933 	{
4934 		"helper access to map: full range",
4935 		.insns = {
4936 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4937 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4938 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4939 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4940 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4941 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4942 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4943 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4944 			BPF_MOV64_IMM(BPF_REG_3, 0),
4945 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4946 			BPF_EXIT_INSN(),
4947 		},
4948 		.fixup_map2 = { 3 },
4949 		.result = ACCEPT,
4950 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4951 	},
4952 	{
4953 		"helper access to map: partial range",
4954 		.insns = {
4955 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4956 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4957 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4958 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4959 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4960 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4961 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4962 			BPF_MOV64_IMM(BPF_REG_2, 8),
4963 			BPF_MOV64_IMM(BPF_REG_3, 0),
4964 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4965 			BPF_EXIT_INSN(),
4966 		},
4967 		.fixup_map2 = { 3 },
4968 		.result = ACCEPT,
4969 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4970 	},
4971 	{
4972 		"helper access to map: empty range",
4973 		.insns = {
4974 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4975 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4976 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4977 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4978 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4979 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4980 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4981 			BPF_MOV64_IMM(BPF_REG_2, 0),
4982 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4983 			BPF_EXIT_INSN(),
4984 		},
4985 		.fixup_map2 = { 3 },
4986 		.errstr = "invalid access to map value, value_size=48 off=0 size=0",
4987 		.result = REJECT,
4988 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4989 	},
4990 	{
4991 		"helper access to map: out-of-bound range",
4992 		.insns = {
4993 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4994 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4995 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4996 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4997 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4998 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4999 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5000 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5001 			BPF_MOV64_IMM(BPF_REG_3, 0),
5002 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5003 			BPF_EXIT_INSN(),
5004 		},
5005 		.fixup_map2 = { 3 },
5006 		.errstr = "invalid access to map value, value_size=48 off=0 size=56",
5007 		.result = REJECT,
5008 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5009 	},
5010 	{
5011 		"helper access to map: negative range",
5012 		.insns = {
5013 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5014 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5015 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5016 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5017 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5018 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5019 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5020 			BPF_MOV64_IMM(BPF_REG_2, -8),
5021 			BPF_MOV64_IMM(BPF_REG_3, 0),
5022 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5023 			BPF_EXIT_INSN(),
5024 		},
5025 		.fixup_map2 = { 3 },
5026 		.errstr = "R2 min value is negative",
5027 		.result = REJECT,
5028 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5029 	},
5030 	{
5031 		"helper access to adjusted map (via const imm): full range",
5032 		.insns = {
5033 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5034 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5035 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5036 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5037 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5038 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5039 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5040 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5041 				offsetof(struct test_val, foo)),
5042 			BPF_MOV64_IMM(BPF_REG_2,
5043 				sizeof(struct test_val) -
5044 				offsetof(struct test_val, foo)),
5045 			BPF_MOV64_IMM(BPF_REG_3, 0),
5046 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5047 			BPF_EXIT_INSN(),
5048 		},
5049 		.fixup_map2 = { 3 },
5050 		.result = ACCEPT,
5051 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5052 	},
5053 	{
5054 		"helper access to adjusted map (via const imm): partial range",
5055 		.insns = {
5056 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5057 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5058 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5059 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5060 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5061 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5062 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5063 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5064 				offsetof(struct test_val, foo)),
5065 			BPF_MOV64_IMM(BPF_REG_2, 8),
5066 			BPF_MOV64_IMM(BPF_REG_3, 0),
5067 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5068 			BPF_EXIT_INSN(),
5069 		},
5070 		.fixup_map2 = { 3 },
5071 		.result = ACCEPT,
5072 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5073 	},
5074 	{
5075 		"helper access to adjusted map (via const imm): empty range",
5076 		.insns = {
5077 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5078 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5079 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5080 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5081 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5082 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5083 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5084 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5085 				offsetof(struct test_val, foo)),
5086 			BPF_MOV64_IMM(BPF_REG_2, 0),
5087 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5088 			BPF_EXIT_INSN(),
5089 		},
5090 		.fixup_map2 = { 3 },
5091 		.errstr = "invalid access to map value, value_size=48 off=4 size=0",
5092 		.result = REJECT,
5093 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5094 	},
5095 	{
5096 		"helper access to adjusted map (via const imm): out-of-bound range",
5097 		.insns = {
5098 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5099 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5100 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5101 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5102 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5103 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5104 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5105 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5106 				offsetof(struct test_val, foo)),
5107 			BPF_MOV64_IMM(BPF_REG_2,
5108 				sizeof(struct test_val) -
5109 				offsetof(struct test_val, foo) + 8),
5110 			BPF_MOV64_IMM(BPF_REG_3, 0),
5111 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5112 			BPF_EXIT_INSN(),
5113 		},
5114 		.fixup_map2 = { 3 },
5115 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
5116 		.result = REJECT,
5117 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5118 	},
5119 	{
5120 		"helper access to adjusted map (via const imm): negative range (> adjustment)",
5121 		.insns = {
5122 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5123 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5124 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5125 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5126 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5127 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5128 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5129 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5130 				offsetof(struct test_val, foo)),
5131 			BPF_MOV64_IMM(BPF_REG_2, -8),
5132 			BPF_MOV64_IMM(BPF_REG_3, 0),
5133 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5134 			BPF_EXIT_INSN(),
5135 		},
5136 		.fixup_map2 = { 3 },
5137 		.errstr = "R2 min value is negative",
5138 		.result = REJECT,
5139 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5140 	},
5141 	{
5142 		"helper access to adjusted map (via const imm): negative range (< adjustment)",
5143 		.insns = {
5144 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5145 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5146 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5147 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5148 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5149 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5150 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5151 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5152 				offsetof(struct test_val, foo)),
5153 			BPF_MOV64_IMM(BPF_REG_2, -1),
5154 			BPF_MOV64_IMM(BPF_REG_3, 0),
5155 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5156 			BPF_EXIT_INSN(),
5157 		},
5158 		.fixup_map2 = { 3 },
5159 		.errstr = "R2 min value is negative",
5160 		.result = REJECT,
5161 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5162 	},
5163 	{
5164 		"helper access to adjusted map (via const reg): full range",
5165 		.insns = {
5166 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5167 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5168 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5169 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5170 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5171 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5172 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5173 			BPF_MOV64_IMM(BPF_REG_3,
5174 				offsetof(struct test_val, foo)),
5175 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5176 			BPF_MOV64_IMM(BPF_REG_2,
5177 				sizeof(struct test_val) -
5178 				offsetof(struct test_val, foo)),
5179 			BPF_MOV64_IMM(BPF_REG_3, 0),
5180 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5181 			BPF_EXIT_INSN(),
5182 		},
5183 		.fixup_map2 = { 3 },
5184 		.result = ACCEPT,
5185 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5186 	},
5187 	{
5188 		"helper access to adjusted map (via const reg): partial range",
5189 		.insns = {
5190 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5191 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5192 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5193 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5194 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5195 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5196 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5197 			BPF_MOV64_IMM(BPF_REG_3,
5198 				offsetof(struct test_val, foo)),
5199 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5200 			BPF_MOV64_IMM(BPF_REG_2, 8),
5201 			BPF_MOV64_IMM(BPF_REG_3, 0),
5202 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5203 			BPF_EXIT_INSN(),
5204 		},
5205 		.fixup_map2 = { 3 },
5206 		.result = ACCEPT,
5207 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5208 	},
5209 	{
5210 		"helper access to adjusted map (via const reg): empty range",
5211 		.insns = {
5212 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5213 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5214 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5215 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5216 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5217 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5218 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5219 			BPF_MOV64_IMM(BPF_REG_3, 0),
5220 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5221 			BPF_MOV64_IMM(BPF_REG_2, 0),
5222 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5223 			BPF_EXIT_INSN(),
5224 		},
5225 		.fixup_map2 = { 3 },
5226 		.errstr = "R1 min value is outside of the array range",
5227 		.result = REJECT,
5228 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5229 	},
5230 	{
5231 		"helper access to adjusted map (via const reg): out-of-bound range",
5232 		.insns = {
5233 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5234 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5235 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5236 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5237 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5238 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5239 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5240 			BPF_MOV64_IMM(BPF_REG_3,
5241 				offsetof(struct test_val, foo)),
5242 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5243 			BPF_MOV64_IMM(BPF_REG_2,
5244 				sizeof(struct test_val) -
5245 				offsetof(struct test_val, foo) + 8),
5246 			BPF_MOV64_IMM(BPF_REG_3, 0),
5247 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5248 			BPF_EXIT_INSN(),
5249 		},
5250 		.fixup_map2 = { 3 },
5251 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
5252 		.result = REJECT,
5253 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5254 	},
5255 	{
5256 		"helper access to adjusted map (via const reg): negative range (> adjustment)",
5257 		.insns = {
5258 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5259 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5260 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5261 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5262 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5263 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5264 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5265 			BPF_MOV64_IMM(BPF_REG_3,
5266 				offsetof(struct test_val, foo)),
5267 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5268 			BPF_MOV64_IMM(BPF_REG_2, -8),
5269 			BPF_MOV64_IMM(BPF_REG_3, 0),
5270 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5271 			BPF_EXIT_INSN(),
5272 		},
5273 		.fixup_map2 = { 3 },
5274 		.errstr = "R2 min value is negative",
5275 		.result = REJECT,
5276 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5277 	},
5278 	{
5279 		"helper access to adjusted map (via const reg): negative range (< adjustment)",
5280 		.insns = {
5281 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5282 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5283 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5284 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5285 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5286 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5287 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5288 			BPF_MOV64_IMM(BPF_REG_3,
5289 				offsetof(struct test_val, foo)),
5290 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5291 			BPF_MOV64_IMM(BPF_REG_2, -1),
5292 			BPF_MOV64_IMM(BPF_REG_3, 0),
5293 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5294 			BPF_EXIT_INSN(),
5295 		},
5296 		.fixup_map2 = { 3 },
5297 		.errstr = "R2 min value is negative",
5298 		.result = REJECT,
5299 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5300 	},
5301 	{
5302 		"helper access to adjusted map (via variable): full range",
5303 		.insns = {
5304 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5305 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5306 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5307 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5308 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5309 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5310 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5311 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5312 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5313 				offsetof(struct test_val, foo), 4),
5314 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5315 			BPF_MOV64_IMM(BPF_REG_2,
5316 				sizeof(struct test_val) -
5317 				offsetof(struct test_val, foo)),
5318 			BPF_MOV64_IMM(BPF_REG_3, 0),
5319 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5320 			BPF_EXIT_INSN(),
5321 		},
5322 		.fixup_map2 = { 3 },
5323 		.result = ACCEPT,
5324 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5325 	},
5326 	{
5327 		"helper access to adjusted map (via variable): partial range",
5328 		.insns = {
5329 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5330 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5331 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5332 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5333 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5334 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5335 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5336 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5337 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5338 				offsetof(struct test_val, foo), 4),
5339 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5340 			BPF_MOV64_IMM(BPF_REG_2, 8),
5341 			BPF_MOV64_IMM(BPF_REG_3, 0),
5342 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5343 			BPF_EXIT_INSN(),
5344 		},
5345 		.fixup_map2 = { 3 },
5346 		.result = ACCEPT,
5347 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5348 	},
5349 	{
5350 		"helper access to adjusted map (via variable): empty range",
5351 		.insns = {
5352 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5353 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5354 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5355 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5356 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5357 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5358 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5359 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5360 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5361 				offsetof(struct test_val, foo), 3),
5362 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5363 			BPF_MOV64_IMM(BPF_REG_2, 0),
5364 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5365 			BPF_EXIT_INSN(),
5366 		},
5367 		.fixup_map2 = { 3 },
5368 		.errstr = "R1 min value is outside of the array range",
5369 		.result = REJECT,
5370 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5371 	},
5372 	{
5373 		"helper access to adjusted map (via variable): no max check",
5374 		.insns = {
5375 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5376 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5377 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5378 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5379 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5380 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5381 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5382 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5383 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5384 			BPF_MOV64_IMM(BPF_REG_2, 1),
5385 			BPF_MOV64_IMM(BPF_REG_3, 0),
5386 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5387 			BPF_EXIT_INSN(),
5388 		},
5389 		.fixup_map2 = { 3 },
5390 		.errstr = "R1 unbounded memory access",
5391 		.result = REJECT,
5392 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5393 	},
5394 	{
5395 		"helper access to adjusted map (via variable): wrong max check",
5396 		.insns = {
5397 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5398 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5399 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5400 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5401 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5402 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5403 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5404 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5405 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5406 				offsetof(struct test_val, foo), 4),
5407 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5408 			BPF_MOV64_IMM(BPF_REG_2,
5409 				sizeof(struct test_val) -
5410 				offsetof(struct test_val, foo) + 1),
5411 			BPF_MOV64_IMM(BPF_REG_3, 0),
5412 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5413 			BPF_EXIT_INSN(),
5414 		},
5415 		.fixup_map2 = { 3 },
5416 		.errstr = "invalid access to map value, value_size=48 off=4 size=45",
5417 		.result = REJECT,
5418 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5419 	},
5420 	{
5421 		"helper access to map: bounds check using <, good access",
5422 		.insns = {
5423 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5424 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5425 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5426 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5427 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5428 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5429 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5430 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5431 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5432 			BPF_MOV64_IMM(BPF_REG_0, 0),
5433 			BPF_EXIT_INSN(),
5434 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5435 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5436 			BPF_MOV64_IMM(BPF_REG_0, 0),
5437 			BPF_EXIT_INSN(),
5438 		},
5439 		.fixup_map2 = { 3 },
5440 		.result = ACCEPT,
5441 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5442 	},
5443 	{
5444 		"helper access to map: bounds check using <, bad access",
5445 		.insns = {
5446 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5447 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5448 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5449 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5450 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5451 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5452 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5453 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5454 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5455 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5456 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5457 			BPF_MOV64_IMM(BPF_REG_0, 0),
5458 			BPF_EXIT_INSN(),
5459 			BPF_MOV64_IMM(BPF_REG_0, 0),
5460 			BPF_EXIT_INSN(),
5461 		},
5462 		.fixup_map2 = { 3 },
5463 		.result = REJECT,
5464 		.errstr = "R1 unbounded memory access",
5465 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5466 	},
5467 	{
5468 		"helper access to map: bounds check using <=, good access",
5469 		.insns = {
5470 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5471 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5472 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5473 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5474 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5475 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5476 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5477 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5478 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5479 			BPF_MOV64_IMM(BPF_REG_0, 0),
5480 			BPF_EXIT_INSN(),
5481 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5482 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5483 			BPF_MOV64_IMM(BPF_REG_0, 0),
5484 			BPF_EXIT_INSN(),
5485 		},
5486 		.fixup_map2 = { 3 },
5487 		.result = ACCEPT,
5488 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5489 	},
5490 	{
5491 		"helper access to map: bounds check using <=, bad access",
5492 		.insns = {
5493 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5494 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5495 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5496 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5497 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5498 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5499 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5500 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5501 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5502 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5503 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5504 			BPF_MOV64_IMM(BPF_REG_0, 0),
5505 			BPF_EXIT_INSN(),
5506 			BPF_MOV64_IMM(BPF_REG_0, 0),
5507 			BPF_EXIT_INSN(),
5508 		},
5509 		.fixup_map2 = { 3 },
5510 		.result = REJECT,
5511 		.errstr = "R1 unbounded memory access",
5512 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5513 	},
5514 	{
5515 		"helper access to map: bounds check using s<, good access",
5516 		.insns = {
5517 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5518 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5519 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5520 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5521 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5522 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5523 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5524 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5525 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5526 			BPF_MOV64_IMM(BPF_REG_0, 0),
5527 			BPF_EXIT_INSN(),
5528 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5529 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5530 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5531 			BPF_MOV64_IMM(BPF_REG_0, 0),
5532 			BPF_EXIT_INSN(),
5533 		},
5534 		.fixup_map2 = { 3 },
5535 		.result = ACCEPT,
5536 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5537 	},
5538 	{
5539 		"helper access to map: bounds check using s<, good access 2",
5540 		.insns = {
5541 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5542 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5543 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5544 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5545 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5546 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5547 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5548 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5549 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5550 			BPF_MOV64_IMM(BPF_REG_0, 0),
5551 			BPF_EXIT_INSN(),
5552 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5553 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5554 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5555 			BPF_MOV64_IMM(BPF_REG_0, 0),
5556 			BPF_EXIT_INSN(),
5557 		},
5558 		.fixup_map2 = { 3 },
5559 		.result = ACCEPT,
5560 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5561 	},
5562 	{
5563 		"helper access to map: bounds check using s<, bad access",
5564 		.insns = {
5565 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5566 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5567 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5568 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5569 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5570 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5571 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5572 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5573 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5574 			BPF_MOV64_IMM(BPF_REG_0, 0),
5575 			BPF_EXIT_INSN(),
5576 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5577 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5578 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5579 			BPF_MOV64_IMM(BPF_REG_0, 0),
5580 			BPF_EXIT_INSN(),
5581 		},
5582 		.fixup_map2 = { 3 },
5583 		.result = REJECT,
5584 		.errstr = "R1 min value is negative",
5585 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5586 	},
5587 	{
5588 		"helper access to map: bounds check using s<=, good access",
5589 		.insns = {
5590 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5591 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5592 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5593 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5594 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5595 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5596 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5597 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5598 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5599 			BPF_MOV64_IMM(BPF_REG_0, 0),
5600 			BPF_EXIT_INSN(),
5601 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5602 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5603 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5604 			BPF_MOV64_IMM(BPF_REG_0, 0),
5605 			BPF_EXIT_INSN(),
5606 		},
5607 		.fixup_map2 = { 3 },
5608 		.result = ACCEPT,
5609 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5610 	},
5611 	{
5612 		"helper access to map: bounds check using s<=, good access 2",
5613 		.insns = {
5614 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5615 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5616 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5617 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5618 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5619 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5620 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5621 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5622 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5623 			BPF_MOV64_IMM(BPF_REG_0, 0),
5624 			BPF_EXIT_INSN(),
5625 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5626 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5627 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5628 			BPF_MOV64_IMM(BPF_REG_0, 0),
5629 			BPF_EXIT_INSN(),
5630 		},
5631 		.fixup_map2 = { 3 },
5632 		.result = ACCEPT,
5633 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5634 	},
5635 	{
5636 		"helper access to map: bounds check using s<=, bad access",
5637 		.insns = {
5638 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5639 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5640 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5641 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5642 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5643 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5644 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5645 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5646 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5647 			BPF_MOV64_IMM(BPF_REG_0, 0),
5648 			BPF_EXIT_INSN(),
5649 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5650 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5651 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5652 			BPF_MOV64_IMM(BPF_REG_0, 0),
5653 			BPF_EXIT_INSN(),
5654 		},
5655 		.fixup_map2 = { 3 },
5656 		.result = REJECT,
5657 		.errstr = "R1 min value is negative",
5658 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5659 	},
5660 	{
5661 		"map lookup helper access to map",
5662 		.insns = {
5663 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5664 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5665 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5666 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5667 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5668 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5669 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5670 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5671 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5672 			BPF_EXIT_INSN(),
5673 		},
5674 		.fixup_map3 = { 3, 8 },
5675 		.result = ACCEPT,
5676 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5677 	},
5678 	{
5679 		"map update helper access to map",
5680 		.insns = {
5681 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5682 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5683 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5684 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5685 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5686 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5687 			BPF_MOV64_IMM(BPF_REG_4, 0),
5688 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5689 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5690 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5691 			BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5692 			BPF_EXIT_INSN(),
5693 		},
5694 		.fixup_map3 = { 3, 10 },
5695 		.result = ACCEPT,
5696 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5697 	},
5698 	{
5699 		"map update helper access to map: wrong size",
5700 		.insns = {
5701 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5702 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5703 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5704 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5705 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5706 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5707 			BPF_MOV64_IMM(BPF_REG_4, 0),
5708 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5709 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5710 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5711 			BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5712 			BPF_EXIT_INSN(),
5713 		},
5714 		.fixup_map1 = { 3 },
5715 		.fixup_map3 = { 10 },
5716 		.result = REJECT,
5717 		.errstr = "invalid access to map value, value_size=8 off=0 size=16",
5718 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5719 	},
5720 	{
5721 		"map helper access to adjusted map (via const imm)",
5722 		.insns = {
5723 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5724 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5725 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5726 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5727 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5728 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5729 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5730 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
5731 				      offsetof(struct other_val, bar)),
5732 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5733 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5734 			BPF_EXIT_INSN(),
5735 		},
5736 		.fixup_map3 = { 3, 9 },
5737 		.result = ACCEPT,
5738 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5739 	},
5740 	{
5741 		"map helper access to adjusted map (via const imm): out-of-bound 1",
5742 		.insns = {
5743 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5744 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5745 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5746 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5747 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5748 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5749 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5750 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
5751 				      sizeof(struct other_val) - 4),
5752 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5753 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5754 			BPF_EXIT_INSN(),
5755 		},
5756 		.fixup_map3 = { 3, 9 },
5757 		.result = REJECT,
5758 		.errstr = "invalid access to map value, value_size=16 off=12 size=8",
5759 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5760 	},
5761 	{
5762 		"map helper access to adjusted map (via const imm): out-of-bound 2",
5763 		.insns = {
5764 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5765 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5766 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5767 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5768 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5769 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5770 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5771 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5772 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5773 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5774 			BPF_EXIT_INSN(),
5775 		},
5776 		.fixup_map3 = { 3, 9 },
5777 		.result = REJECT,
5778 		.errstr = "invalid access to map value, value_size=16 off=-4 size=8",
5779 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5780 	},
5781 	{
5782 		"map helper access to adjusted map (via const reg)",
5783 		.insns = {
5784 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5785 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5786 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5787 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5788 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5789 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5790 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5791 			BPF_MOV64_IMM(BPF_REG_3,
5792 				      offsetof(struct other_val, bar)),
5793 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5794 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5795 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5796 			BPF_EXIT_INSN(),
5797 		},
5798 		.fixup_map3 = { 3, 10 },
5799 		.result = ACCEPT,
5800 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5801 	},
5802 	{
5803 		"map helper access to adjusted map (via const reg): out-of-bound 1",
5804 		.insns = {
5805 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5806 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5807 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5808 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5809 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5810 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5811 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5812 			BPF_MOV64_IMM(BPF_REG_3,
5813 				      sizeof(struct other_val) - 4),
5814 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5815 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5816 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5817 			BPF_EXIT_INSN(),
5818 		},
5819 		.fixup_map3 = { 3, 10 },
5820 		.result = REJECT,
5821 		.errstr = "invalid access to map value, value_size=16 off=12 size=8",
5822 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5823 	},
5824 	{
5825 		"map helper access to adjusted map (via const reg): out-of-bound 2",
5826 		.insns = {
5827 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5828 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5829 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5830 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5831 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5832 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5833 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5834 			BPF_MOV64_IMM(BPF_REG_3, -4),
5835 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5836 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5837 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5838 			BPF_EXIT_INSN(),
5839 		},
5840 		.fixup_map3 = { 3, 10 },
5841 		.result = REJECT,
5842 		.errstr = "invalid access to map value, value_size=16 off=-4 size=8",
5843 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5844 	},
5845 	{
5846 		"map helper access to adjusted map (via variable)",
5847 		.insns = {
5848 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5849 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5850 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5851 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5852 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5853 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5854 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5855 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5856 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5857 				    offsetof(struct other_val, bar), 4),
5858 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5859 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5860 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5861 			BPF_EXIT_INSN(),
5862 		},
5863 		.fixup_map3 = { 3, 11 },
5864 		.result = ACCEPT,
5865 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5866 	},
5867 	{
5868 		"map helper access to adjusted map (via variable): no max check",
5869 		.insns = {
5870 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5871 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5872 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5873 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5874 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5875 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5876 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5877 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5878 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5879 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5880 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5881 			BPF_EXIT_INSN(),
5882 		},
5883 		.fixup_map3 = { 3, 10 },
5884 		.result = REJECT,
5885 		.errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
5886 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5887 	},
5888 	{
5889 		"map helper access to adjusted map (via variable): wrong max check",
5890 		.insns = {
5891 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5892 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5893 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5894 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5895 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5896 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5897 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5898 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5899 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5900 				    offsetof(struct other_val, bar) + 1, 4),
5901 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5902 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5903 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5904 			BPF_EXIT_INSN(),
5905 		},
5906 		.fixup_map3 = { 3, 11 },
5907 		.result = REJECT,
5908 		.errstr = "invalid access to map value, value_size=16 off=9 size=8",
5909 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5910 	},
5911 	{
5912 		"map element value is preserved across register spilling",
5913 		.insns = {
5914 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5915 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5916 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5917 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5918 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5919 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5920 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5921 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5922 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5923 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5924 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5925 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5926 			BPF_EXIT_INSN(),
5927 		},
5928 		.fixup_map2 = { 3 },
5929 		.errstr_unpriv = "R0 leaks addr",
5930 		.result = ACCEPT,
5931 		.result_unpriv = REJECT,
5932 	},
5933 	{
5934 		"map element value or null is marked on register spilling",
5935 		.insns = {
5936 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5937 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5938 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5939 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5940 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5941 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5942 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
5943 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5944 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5945 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5946 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5947 			BPF_EXIT_INSN(),
5948 		},
5949 		.fixup_map2 = { 3 },
5950 		.errstr_unpriv = "R0 leaks addr",
5951 		.result = ACCEPT,
5952 		.result_unpriv = REJECT,
5953 	},
5954 	{
5955 		"map element value store of cleared call register",
5956 		.insns = {
5957 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5958 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5959 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5960 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5961 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5962 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5963 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
5964 			BPF_EXIT_INSN(),
5965 		},
5966 		.fixup_map2 = { 3 },
5967 		.errstr_unpriv = "R1 !read_ok",
5968 		.errstr = "R1 !read_ok",
5969 		.result = REJECT,
5970 		.result_unpriv = REJECT,
5971 	},
5972 	{
5973 		"map element value with unaligned store",
5974 		.insns = {
5975 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5976 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5977 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5978 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5979 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5980 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
5981 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5982 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5983 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
5984 			BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
5985 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5986 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
5987 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
5988 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
5989 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
5990 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
5991 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
5992 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
5993 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
5994 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
5995 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
5996 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
5997 			BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
5998 			BPF_EXIT_INSN(),
5999 		},
6000 		.fixup_map2 = { 3 },
6001 		.errstr_unpriv = "R0 leaks addr",
6002 		.result = ACCEPT,
6003 		.result_unpriv = REJECT,
6004 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6005 	},
6006 	{
6007 		"map element value with unaligned load",
6008 		.insns = {
6009 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6010 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6011 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6012 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6013 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6014 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6015 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6016 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
6017 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6018 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6019 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
6020 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6021 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
6022 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
6023 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
6024 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6025 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
6026 			BPF_EXIT_INSN(),
6027 		},
6028 		.fixup_map2 = { 3 },
6029 		.errstr_unpriv = "R0 leaks addr",
6030 		.result = ACCEPT,
6031 		.result_unpriv = REJECT,
6032 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6033 	},
6034 	{
6035 		"map element value illegal alu op, 1",
6036 		.insns = {
6037 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6038 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6039 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6040 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6041 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6042 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6043 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
6044 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6045 			BPF_EXIT_INSN(),
6046 		},
6047 		.fixup_map2 = { 3 },
6048 		.errstr = "R0 bitwise operator &= on pointer",
6049 		.result = REJECT,
6050 	},
6051 	{
6052 		"map element value illegal alu op, 2",
6053 		.insns = {
6054 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6055 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6056 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6057 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6058 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6059 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6060 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
6061 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6062 			BPF_EXIT_INSN(),
6063 		},
6064 		.fixup_map2 = { 3 },
6065 		.errstr = "R0 32-bit pointer arithmetic prohibited",
6066 		.result = REJECT,
6067 	},
6068 	{
6069 		"map element value illegal alu op, 3",
6070 		.insns = {
6071 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6072 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6073 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6074 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6075 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6076 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6077 			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
6078 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6079 			BPF_EXIT_INSN(),
6080 		},
6081 		.fixup_map2 = { 3 },
6082 		.errstr = "R0 pointer arithmetic with /= operator",
6083 		.result = REJECT,
6084 	},
6085 	{
6086 		"map element value illegal alu op, 4",
6087 		.insns = {
6088 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6089 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6090 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6091 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6092 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6093 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6094 			BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
6095 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6096 			BPF_EXIT_INSN(),
6097 		},
6098 		.fixup_map2 = { 3 },
6099 		.errstr_unpriv = "R0 pointer arithmetic prohibited",
6100 		.errstr = "invalid mem access 'inv'",
6101 		.result = REJECT,
6102 		.result_unpriv = REJECT,
6103 	},
6104 	{
6105 		"map element value illegal alu op, 5",
6106 		.insns = {
6107 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6108 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6109 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6110 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6111 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6112 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6113 			BPF_MOV64_IMM(BPF_REG_3, 4096),
6114 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6115 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6116 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6117 			BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
6118 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
6119 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6120 			BPF_EXIT_INSN(),
6121 		},
6122 		.fixup_map2 = { 3 },
6123 		.errstr = "R0 invalid mem access 'inv'",
6124 		.result = REJECT,
6125 	},
6126 	{
6127 		"map element value is preserved across register spilling",
6128 		.insns = {
6129 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6130 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6131 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6132 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6133 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6134 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6135 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
6136 				offsetof(struct test_val, foo)),
6137 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6138 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6139 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6140 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6141 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6142 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6143 			BPF_EXIT_INSN(),
6144 		},
6145 		.fixup_map2 = { 3 },
6146 		.errstr_unpriv = "R0 leaks addr",
6147 		.result = ACCEPT,
6148 		.result_unpriv = REJECT,
6149 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6150 	},
6151 	{
6152 		"helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
6153 		.insns = {
6154 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6155 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6156 			BPF_MOV64_IMM(BPF_REG_0, 0),
6157 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6158 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6159 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6160 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6161 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6162 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6163 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6164 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6165 			BPF_MOV64_IMM(BPF_REG_2, 16),
6166 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6167 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6168 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6169 			BPF_MOV64_IMM(BPF_REG_4, 0),
6170 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6171 			BPF_MOV64_IMM(BPF_REG_3, 0),
6172 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6173 			BPF_MOV64_IMM(BPF_REG_0, 0),
6174 			BPF_EXIT_INSN(),
6175 		},
6176 		.result = ACCEPT,
6177 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6178 	},
6179 	{
6180 		"helper access to variable memory: stack, bitwise AND, zero included",
6181 		.insns = {
6182 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6183 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6184 			BPF_MOV64_IMM(BPF_REG_2, 16),
6185 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6186 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6187 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6188 			BPF_MOV64_IMM(BPF_REG_3, 0),
6189 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6190 			BPF_EXIT_INSN(),
6191 		},
6192 		.errstr = "invalid indirect read from stack off -64+0 size 64",
6193 		.result = REJECT,
6194 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6195 	},
6196 	{
6197 		"helper access to variable memory: stack, bitwise AND + JMP, wrong max",
6198 		.insns = {
6199 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6200 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6201 			BPF_MOV64_IMM(BPF_REG_2, 16),
6202 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6203 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6204 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
6205 			BPF_MOV64_IMM(BPF_REG_4, 0),
6206 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6207 			BPF_MOV64_IMM(BPF_REG_3, 0),
6208 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6209 			BPF_MOV64_IMM(BPF_REG_0, 0),
6210 			BPF_EXIT_INSN(),
6211 		},
6212 		.errstr = "invalid stack type R1 off=-64 access_size=65",
6213 		.result = REJECT,
6214 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6215 	},
6216 	{
6217 		"helper access to variable memory: stack, JMP, correct bounds",
6218 		.insns = {
6219 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6220 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6221 			BPF_MOV64_IMM(BPF_REG_0, 0),
6222 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6223 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6224 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6225 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6226 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6227 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6228 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6229 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6230 			BPF_MOV64_IMM(BPF_REG_2, 16),
6231 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6232 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6233 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
6234 			BPF_MOV64_IMM(BPF_REG_4, 0),
6235 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6236 			BPF_MOV64_IMM(BPF_REG_3, 0),
6237 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6238 			BPF_MOV64_IMM(BPF_REG_0, 0),
6239 			BPF_EXIT_INSN(),
6240 		},
6241 		.result = ACCEPT,
6242 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6243 	},
6244 	{
6245 		"helper access to variable memory: stack, JMP (signed), correct bounds",
6246 		.insns = {
6247 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6248 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6249 			BPF_MOV64_IMM(BPF_REG_0, 0),
6250 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6251 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6252 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6253 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6254 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6255 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6256 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6257 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6258 			BPF_MOV64_IMM(BPF_REG_2, 16),
6259 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6260 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6261 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
6262 			BPF_MOV64_IMM(BPF_REG_4, 0),
6263 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6264 			BPF_MOV64_IMM(BPF_REG_3, 0),
6265 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6266 			BPF_MOV64_IMM(BPF_REG_0, 0),
6267 			BPF_EXIT_INSN(),
6268 		},
6269 		.result = ACCEPT,
6270 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6271 	},
6272 	{
6273 		"helper access to variable memory: stack, JMP, bounds + offset",
6274 		.insns = {
6275 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6276 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6277 			BPF_MOV64_IMM(BPF_REG_2, 16),
6278 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6279 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6280 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
6281 			BPF_MOV64_IMM(BPF_REG_4, 0),
6282 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
6283 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6284 			BPF_MOV64_IMM(BPF_REG_3, 0),
6285 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6286 			BPF_MOV64_IMM(BPF_REG_0, 0),
6287 			BPF_EXIT_INSN(),
6288 		},
6289 		.errstr = "invalid stack type R1 off=-64 access_size=65",
6290 		.result = REJECT,
6291 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6292 	},
6293 	{
6294 		"helper access to variable memory: stack, JMP, wrong max",
6295 		.insns = {
6296 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6297 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6298 			BPF_MOV64_IMM(BPF_REG_2, 16),
6299 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6300 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6301 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
6302 			BPF_MOV64_IMM(BPF_REG_4, 0),
6303 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6304 			BPF_MOV64_IMM(BPF_REG_3, 0),
6305 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6306 			BPF_MOV64_IMM(BPF_REG_0, 0),
6307 			BPF_EXIT_INSN(),
6308 		},
6309 		.errstr = "invalid stack type R1 off=-64 access_size=65",
6310 		.result = REJECT,
6311 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6312 	},
6313 	{
6314 		"helper access to variable memory: stack, JMP, no max check",
6315 		.insns = {
6316 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6317 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6318 			BPF_MOV64_IMM(BPF_REG_2, 16),
6319 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6320 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6321 			BPF_MOV64_IMM(BPF_REG_4, 0),
6322 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6323 			BPF_MOV64_IMM(BPF_REG_3, 0),
6324 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6325 			BPF_MOV64_IMM(BPF_REG_0, 0),
6326 			BPF_EXIT_INSN(),
6327 		},
6328 		/* because max wasn't checked, signed min is negative */
6329 		.errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
6330 		.result = REJECT,
6331 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6332 	},
6333 	{
6334 		"helper access to variable memory: stack, JMP, no min check",
6335 		.insns = {
6336 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6337 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6338 			BPF_MOV64_IMM(BPF_REG_2, 16),
6339 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6340 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6341 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
6342 			BPF_MOV64_IMM(BPF_REG_3, 0),
6343 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6344 			BPF_MOV64_IMM(BPF_REG_0, 0),
6345 			BPF_EXIT_INSN(),
6346 		},
6347 		.errstr = "invalid indirect read from stack off -64+0 size 64",
6348 		.result = REJECT,
6349 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6350 	},
6351 	{
6352 		"helper access to variable memory: stack, JMP (signed), no min check",
6353 		.insns = {
6354 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6355 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6356 			BPF_MOV64_IMM(BPF_REG_2, 16),
6357 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6358 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6359 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
6360 			BPF_MOV64_IMM(BPF_REG_3, 0),
6361 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6362 			BPF_MOV64_IMM(BPF_REG_0, 0),
6363 			BPF_EXIT_INSN(),
6364 		},
6365 		.errstr = "R2 min value is negative",
6366 		.result = REJECT,
6367 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6368 	},
6369 	{
6370 		"helper access to variable memory: map, JMP, correct bounds",
6371 		.insns = {
6372 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6373 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6374 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6375 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6376 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6377 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6378 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6379 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6380 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6381 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6382 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6383 				sizeof(struct test_val), 4),
6384 			BPF_MOV64_IMM(BPF_REG_4, 0),
6385 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6386 			BPF_MOV64_IMM(BPF_REG_3, 0),
6387 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6388 			BPF_MOV64_IMM(BPF_REG_0, 0),
6389 			BPF_EXIT_INSN(),
6390 		},
6391 		.fixup_map2 = { 3 },
6392 		.result = ACCEPT,
6393 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6394 	},
6395 	{
6396 		"helper access to variable memory: map, JMP, wrong max",
6397 		.insns = {
6398 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6399 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6400 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6401 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6402 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6403 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6404 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6405 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6406 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6407 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6408 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6409 				sizeof(struct test_val) + 1, 4),
6410 			BPF_MOV64_IMM(BPF_REG_4, 0),
6411 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6412 			BPF_MOV64_IMM(BPF_REG_3, 0),
6413 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6414 			BPF_MOV64_IMM(BPF_REG_0, 0),
6415 			BPF_EXIT_INSN(),
6416 		},
6417 		.fixup_map2 = { 3 },
6418 		.errstr = "invalid access to map value, value_size=48 off=0 size=49",
6419 		.result = REJECT,
6420 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6421 	},
6422 	{
6423 		"helper access to variable memory: map adjusted, JMP, correct bounds",
6424 		.insns = {
6425 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6426 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6427 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6428 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6429 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6430 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6431 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6432 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6433 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6434 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6435 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6436 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6437 				sizeof(struct test_val) - 20, 4),
6438 			BPF_MOV64_IMM(BPF_REG_4, 0),
6439 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6440 			BPF_MOV64_IMM(BPF_REG_3, 0),
6441 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6442 			BPF_MOV64_IMM(BPF_REG_0, 0),
6443 			BPF_EXIT_INSN(),
6444 		},
6445 		.fixup_map2 = { 3 },
6446 		.result = ACCEPT,
6447 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6448 	},
6449 	{
6450 		"helper access to variable memory: map adjusted, JMP, wrong max",
6451 		.insns = {
6452 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6453 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6454 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6455 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6456 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6457 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6458 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6459 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6460 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6461 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6462 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6463 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6464 				sizeof(struct test_val) - 19, 4),
6465 			BPF_MOV64_IMM(BPF_REG_4, 0),
6466 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6467 			BPF_MOV64_IMM(BPF_REG_3, 0),
6468 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6469 			BPF_MOV64_IMM(BPF_REG_0, 0),
6470 			BPF_EXIT_INSN(),
6471 		},
6472 		.fixup_map2 = { 3 },
6473 		.errstr = "R1 min value is outside of the array range",
6474 		.result = REJECT,
6475 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6476 	},
6477 	{
6478 		"helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6479 		.insns = {
6480 			BPF_MOV64_IMM(BPF_REG_1, 0),
6481 			BPF_MOV64_IMM(BPF_REG_2, 0),
6482 			BPF_MOV64_IMM(BPF_REG_3, 0),
6483 			BPF_MOV64_IMM(BPF_REG_4, 0),
6484 			BPF_MOV64_IMM(BPF_REG_5, 0),
6485 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6486 			BPF_EXIT_INSN(),
6487 		},
6488 		.result = ACCEPT,
6489 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6490 	},
6491 	{
6492 		"helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6493 		.insns = {
6494 			BPF_MOV64_IMM(BPF_REG_1, 0),
6495 			BPF_MOV64_IMM(BPF_REG_2, 1),
6496 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6497 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6498 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6499 			BPF_MOV64_IMM(BPF_REG_3, 0),
6500 			BPF_MOV64_IMM(BPF_REG_4, 0),
6501 			BPF_MOV64_IMM(BPF_REG_5, 0),
6502 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6503 			BPF_EXIT_INSN(),
6504 		},
6505 		.errstr = "R1 type=inv expected=fp",
6506 		.result = REJECT,
6507 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6508 	},
6509 	{
6510 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6511 		.insns = {
6512 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6513 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6514 			BPF_MOV64_IMM(BPF_REG_2, 0),
6515 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6516 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
6517 			BPF_MOV64_IMM(BPF_REG_3, 0),
6518 			BPF_MOV64_IMM(BPF_REG_4, 0),
6519 			BPF_MOV64_IMM(BPF_REG_5, 0),
6520 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6521 			BPF_EXIT_INSN(),
6522 		},
6523 		.result = ACCEPT,
6524 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6525 	},
6526 	{
6527 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6528 		.insns = {
6529 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6530 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6531 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6532 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6533 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6534 				     BPF_FUNC_map_lookup_elem),
6535 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6536 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6537 			BPF_MOV64_IMM(BPF_REG_2, 0),
6538 			BPF_MOV64_IMM(BPF_REG_3, 0),
6539 			BPF_MOV64_IMM(BPF_REG_4, 0),
6540 			BPF_MOV64_IMM(BPF_REG_5, 0),
6541 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6542 			BPF_EXIT_INSN(),
6543 		},
6544 		.fixup_map1 = { 3 },
6545 		.result = ACCEPT,
6546 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6547 	},
6548 	{
6549 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6550 		.insns = {
6551 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6552 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6553 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6554 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6555 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6556 				     BPF_FUNC_map_lookup_elem),
6557 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6558 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6559 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
6560 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6561 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6562 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6563 			BPF_MOV64_IMM(BPF_REG_3, 0),
6564 			BPF_MOV64_IMM(BPF_REG_4, 0),
6565 			BPF_MOV64_IMM(BPF_REG_5, 0),
6566 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6567 			BPF_EXIT_INSN(),
6568 		},
6569 		.fixup_map1 = { 3 },
6570 		.result = ACCEPT,
6571 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6572 	},
6573 	{
6574 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6575 		.insns = {
6576 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6577 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6578 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6579 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6580 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6581 				     BPF_FUNC_map_lookup_elem),
6582 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6583 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6584 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6585 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6586 			BPF_MOV64_IMM(BPF_REG_3, 0),
6587 			BPF_MOV64_IMM(BPF_REG_4, 0),
6588 			BPF_MOV64_IMM(BPF_REG_5, 0),
6589 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6590 			BPF_EXIT_INSN(),
6591 		},
6592 		.fixup_map1 = { 3 },
6593 		.result = ACCEPT,
6594 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6595 	},
6596 	{
6597 		"helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
6598 		.insns = {
6599 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6600 				    offsetof(struct __sk_buff, data)),
6601 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6602 				    offsetof(struct __sk_buff, data_end)),
6603 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
6604 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6605 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
6606 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6607 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
6608 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6609 			BPF_MOV64_IMM(BPF_REG_3, 0),
6610 			BPF_MOV64_IMM(BPF_REG_4, 0),
6611 			BPF_MOV64_IMM(BPF_REG_5, 0),
6612 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6613 			BPF_EXIT_INSN(),
6614 		},
6615 		.result = ACCEPT,
6616 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6617 		.retval = 0 /* csum_diff of 64-byte packet */,
6618 	},
6619 	{
6620 		"helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6621 		.insns = {
6622 			BPF_MOV64_IMM(BPF_REG_1, 0),
6623 			BPF_MOV64_IMM(BPF_REG_2, 0),
6624 			BPF_MOV64_IMM(BPF_REG_3, 0),
6625 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6626 			BPF_EXIT_INSN(),
6627 		},
6628 		.errstr = "R1 type=inv expected=fp",
6629 		.result = REJECT,
6630 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6631 	},
6632 	{
6633 		"helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6634 		.insns = {
6635 			BPF_MOV64_IMM(BPF_REG_1, 0),
6636 			BPF_MOV64_IMM(BPF_REG_2, 1),
6637 			BPF_MOV64_IMM(BPF_REG_3, 0),
6638 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6639 			BPF_EXIT_INSN(),
6640 		},
6641 		.errstr = "R1 type=inv expected=fp",
6642 		.result = REJECT,
6643 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6644 	},
6645 	{
6646 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6647 		.insns = {
6648 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6649 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6650 			BPF_MOV64_IMM(BPF_REG_2, 0),
6651 			BPF_MOV64_IMM(BPF_REG_3, 0),
6652 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6653 			BPF_EXIT_INSN(),
6654 		},
6655 		.result = ACCEPT,
6656 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6657 	},
6658 	{
6659 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6660 		.insns = {
6661 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6662 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6663 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6664 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6665 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6666 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6667 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6668 			BPF_MOV64_IMM(BPF_REG_2, 0),
6669 			BPF_MOV64_IMM(BPF_REG_3, 0),
6670 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6671 			BPF_EXIT_INSN(),
6672 		},
6673 		.fixup_map1 = { 3 },
6674 		.result = ACCEPT,
6675 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6676 	},
6677 	{
6678 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6679 		.insns = {
6680 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6681 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6682 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6683 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6684 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6685 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6686 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6687 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6688 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6689 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6690 			BPF_MOV64_IMM(BPF_REG_3, 0),
6691 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6692 			BPF_EXIT_INSN(),
6693 		},
6694 		.fixup_map1 = { 3 },
6695 		.result = ACCEPT,
6696 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6697 	},
6698 	{
6699 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6700 		.insns = {
6701 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6702 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6703 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6704 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6705 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6706 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6707 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6708 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6709 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
6710 			BPF_MOV64_IMM(BPF_REG_3, 0),
6711 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6712 			BPF_EXIT_INSN(),
6713 		},
6714 		.fixup_map1 = { 3 },
6715 		.result = ACCEPT,
6716 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6717 	},
6718 	{
6719 		"helper access to variable memory: 8 bytes leak",
6720 		.insns = {
6721 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6722 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6723 			BPF_MOV64_IMM(BPF_REG_0, 0),
6724 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6725 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6726 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6727 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6728 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6729 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6730 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6731 			BPF_MOV64_IMM(BPF_REG_2, 1),
6732 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6733 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6734 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
6735 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6736 			BPF_MOV64_IMM(BPF_REG_3, 0),
6737 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6738 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6739 			BPF_EXIT_INSN(),
6740 		},
6741 		.errstr = "invalid indirect read from stack off -64+32 size 64",
6742 		.result = REJECT,
6743 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6744 	},
6745 	{
6746 		"helper access to variable memory: 8 bytes no leak (init memory)",
6747 		.insns = {
6748 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6749 			BPF_MOV64_IMM(BPF_REG_0, 0),
6750 			BPF_MOV64_IMM(BPF_REG_0, 0),
6751 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6752 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6753 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6754 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6755 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6756 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6757 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6758 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6759 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6760 			BPF_MOV64_IMM(BPF_REG_2, 0),
6761 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
6762 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
6763 			BPF_MOV64_IMM(BPF_REG_3, 0),
6764 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6765 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6766 			BPF_EXIT_INSN(),
6767 		},
6768 		.result = ACCEPT,
6769 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6770 	},
6771 	{
6772 		"invalid and of negative number",
6773 		.insns = {
6774 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6775 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6776 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6777 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6778 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6779 				     BPF_FUNC_map_lookup_elem),
6780 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6781 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6782 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
6783 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
6784 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6785 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
6786 				   offsetof(struct test_val, foo)),
6787 			BPF_EXIT_INSN(),
6788 		},
6789 		.fixup_map2 = { 3 },
6790 		.errstr = "R0 max value is outside of the array range",
6791 		.result = REJECT,
6792 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6793 	},
6794 	{
6795 		"invalid range check",
6796 		.insns = {
6797 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6798 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6799 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6800 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6801 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6802 				     BPF_FUNC_map_lookup_elem),
6803 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
6804 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6805 			BPF_MOV64_IMM(BPF_REG_9, 1),
6806 			BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
6807 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
6808 			BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
6809 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
6810 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
6811 			BPF_MOV32_IMM(BPF_REG_3, 1),
6812 			BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
6813 			BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
6814 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
6815 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
6816 			BPF_MOV64_REG(BPF_REG_0, 0),
6817 			BPF_EXIT_INSN(),
6818 		},
6819 		.fixup_map2 = { 3 },
6820 		.errstr = "R0 max value is outside of the array range",
6821 		.result = REJECT,
6822 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6823 	},
6824 	{
6825 		"map in map access",
6826 		.insns = {
6827 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6828 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6829 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6830 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6831 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6832 				     BPF_FUNC_map_lookup_elem),
6833 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6834 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6835 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6836 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6837 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6838 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6839 				     BPF_FUNC_map_lookup_elem),
6840 			BPF_MOV64_REG(BPF_REG_0, 0),
6841 			BPF_EXIT_INSN(),
6842 		},
6843 		.fixup_map_in_map = { 3 },
6844 		.result = ACCEPT,
6845 	},
6846 	{
6847 		"invalid inner map pointer",
6848 		.insns = {
6849 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6850 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6851 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6852 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6853 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6854 				     BPF_FUNC_map_lookup_elem),
6855 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6856 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6857 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6858 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6859 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6860 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
6861 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6862 				     BPF_FUNC_map_lookup_elem),
6863 			BPF_MOV64_REG(BPF_REG_0, 0),
6864 			BPF_EXIT_INSN(),
6865 		},
6866 		.fixup_map_in_map = { 3 },
6867 		.errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
6868 		.result = REJECT,
6869 	},
6870 	{
6871 		"forgot null checking on the inner map pointer",
6872 		.insns = {
6873 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6874 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6875 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6876 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6877 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6878 				     BPF_FUNC_map_lookup_elem),
6879 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6880 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6881 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6882 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6883 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6884 				     BPF_FUNC_map_lookup_elem),
6885 			BPF_MOV64_REG(BPF_REG_0, 0),
6886 			BPF_EXIT_INSN(),
6887 		},
6888 		.fixup_map_in_map = { 3 },
6889 		.errstr = "R1 type=map_value_or_null expected=map_ptr",
6890 		.result = REJECT,
6891 	},
6892 	{
6893 		"ld_abs: check calling conv, r1",
6894 		.insns = {
6895 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6896 			BPF_MOV64_IMM(BPF_REG_1, 0),
6897 			BPF_LD_ABS(BPF_W, -0x200000),
6898 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6899 			BPF_EXIT_INSN(),
6900 		},
6901 		.errstr = "R1 !read_ok",
6902 		.result = REJECT,
6903 	},
6904 	{
6905 		"ld_abs: check calling conv, r2",
6906 		.insns = {
6907 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6908 			BPF_MOV64_IMM(BPF_REG_2, 0),
6909 			BPF_LD_ABS(BPF_W, -0x200000),
6910 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6911 			BPF_EXIT_INSN(),
6912 		},
6913 		.errstr = "R2 !read_ok",
6914 		.result = REJECT,
6915 	},
6916 	{
6917 		"ld_abs: check calling conv, r3",
6918 		.insns = {
6919 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6920 			BPF_MOV64_IMM(BPF_REG_3, 0),
6921 			BPF_LD_ABS(BPF_W, -0x200000),
6922 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6923 			BPF_EXIT_INSN(),
6924 		},
6925 		.errstr = "R3 !read_ok",
6926 		.result = REJECT,
6927 	},
6928 	{
6929 		"ld_abs: check calling conv, r4",
6930 		.insns = {
6931 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6932 			BPF_MOV64_IMM(BPF_REG_4, 0),
6933 			BPF_LD_ABS(BPF_W, -0x200000),
6934 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6935 			BPF_EXIT_INSN(),
6936 		},
6937 		.errstr = "R4 !read_ok",
6938 		.result = REJECT,
6939 	},
6940 	{
6941 		"ld_abs: check calling conv, r5",
6942 		.insns = {
6943 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6944 			BPF_MOV64_IMM(BPF_REG_5, 0),
6945 			BPF_LD_ABS(BPF_W, -0x200000),
6946 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6947 			BPF_EXIT_INSN(),
6948 		},
6949 		.errstr = "R5 !read_ok",
6950 		.result = REJECT,
6951 	},
6952 	{
6953 		"ld_abs: check calling conv, r7",
6954 		.insns = {
6955 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6956 			BPF_MOV64_IMM(BPF_REG_7, 0),
6957 			BPF_LD_ABS(BPF_W, -0x200000),
6958 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6959 			BPF_EXIT_INSN(),
6960 		},
6961 		.result = ACCEPT,
6962 	},
6963 	{
6964 		"ld_abs: tests on r6 and skb data reload helper",
6965 		.insns = {
6966 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6967 			BPF_LD_ABS(BPF_B, 0),
6968 			BPF_LD_ABS(BPF_H, 0),
6969 			BPF_LD_ABS(BPF_W, 0),
6970 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
6971 			BPF_MOV64_IMM(BPF_REG_6, 0),
6972 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
6973 			BPF_MOV64_IMM(BPF_REG_2, 1),
6974 			BPF_MOV64_IMM(BPF_REG_3, 2),
6975 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6976 				     BPF_FUNC_skb_vlan_push),
6977 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
6978 			BPF_LD_ABS(BPF_B, 0),
6979 			BPF_LD_ABS(BPF_H, 0),
6980 			BPF_LD_ABS(BPF_W, 0),
6981 			BPF_MOV64_IMM(BPF_REG_0, 42),
6982 			BPF_EXIT_INSN(),
6983 		},
6984 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6985 		.result = ACCEPT,
6986 		.retval = 42 /* ultimate return value */,
6987 	},
6988 	{
6989 		"ld_ind: check calling conv, r1",
6990 		.insns = {
6991 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6992 			BPF_MOV64_IMM(BPF_REG_1, 1),
6993 			BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
6994 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6995 			BPF_EXIT_INSN(),
6996 		},
6997 		.errstr = "R1 !read_ok",
6998 		.result = REJECT,
6999 	},
7000 	{
7001 		"ld_ind: check calling conv, r2",
7002 		.insns = {
7003 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7004 			BPF_MOV64_IMM(BPF_REG_2, 1),
7005 			BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
7006 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7007 			BPF_EXIT_INSN(),
7008 		},
7009 		.errstr = "R2 !read_ok",
7010 		.result = REJECT,
7011 	},
7012 	{
7013 		"ld_ind: check calling conv, r3",
7014 		.insns = {
7015 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7016 			BPF_MOV64_IMM(BPF_REG_3, 1),
7017 			BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
7018 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7019 			BPF_EXIT_INSN(),
7020 		},
7021 		.errstr = "R3 !read_ok",
7022 		.result = REJECT,
7023 	},
7024 	{
7025 		"ld_ind: check calling conv, r4",
7026 		.insns = {
7027 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7028 			BPF_MOV64_IMM(BPF_REG_4, 1),
7029 			BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
7030 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7031 			BPF_EXIT_INSN(),
7032 		},
7033 		.errstr = "R4 !read_ok",
7034 		.result = REJECT,
7035 	},
7036 	{
7037 		"ld_ind: check calling conv, r5",
7038 		.insns = {
7039 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7040 			BPF_MOV64_IMM(BPF_REG_5, 1),
7041 			BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
7042 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7043 			BPF_EXIT_INSN(),
7044 		},
7045 		.errstr = "R5 !read_ok",
7046 		.result = REJECT,
7047 	},
7048 	{
7049 		"ld_ind: check calling conv, r7",
7050 		.insns = {
7051 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7052 			BPF_MOV64_IMM(BPF_REG_7, 1),
7053 			BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
7054 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7055 			BPF_EXIT_INSN(),
7056 		},
7057 		.result = ACCEPT,
7058 		.retval = 1,
7059 	},
7060 	{
7061 		"check bpf_perf_event_data->sample_period byte load permitted",
7062 		.insns = {
7063 			BPF_MOV64_IMM(BPF_REG_0, 0),
7064 #if __BYTE_ORDER == __LITTLE_ENDIAN
7065 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7066 				    offsetof(struct bpf_perf_event_data, sample_period)),
7067 #else
7068 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7069 				    offsetof(struct bpf_perf_event_data, sample_period) + 7),
7070 #endif
7071 			BPF_EXIT_INSN(),
7072 		},
7073 		.result = ACCEPT,
7074 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7075 	},
7076 	{
7077 		"check bpf_perf_event_data->sample_period half load permitted",
7078 		.insns = {
7079 			BPF_MOV64_IMM(BPF_REG_0, 0),
7080 #if __BYTE_ORDER == __LITTLE_ENDIAN
7081 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7082 				    offsetof(struct bpf_perf_event_data, sample_period)),
7083 #else
7084 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7085 				    offsetof(struct bpf_perf_event_data, sample_period) + 6),
7086 #endif
7087 			BPF_EXIT_INSN(),
7088 		},
7089 		.result = ACCEPT,
7090 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7091 	},
7092 	{
7093 		"check bpf_perf_event_data->sample_period word load permitted",
7094 		.insns = {
7095 			BPF_MOV64_IMM(BPF_REG_0, 0),
7096 #if __BYTE_ORDER == __LITTLE_ENDIAN
7097 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7098 				    offsetof(struct bpf_perf_event_data, sample_period)),
7099 #else
7100 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7101 				    offsetof(struct bpf_perf_event_data, sample_period) + 4),
7102 #endif
7103 			BPF_EXIT_INSN(),
7104 		},
7105 		.result = ACCEPT,
7106 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7107 	},
7108 	{
7109 		"check bpf_perf_event_data->sample_period dword load permitted",
7110 		.insns = {
7111 			BPF_MOV64_IMM(BPF_REG_0, 0),
7112 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
7113 				    offsetof(struct bpf_perf_event_data, sample_period)),
7114 			BPF_EXIT_INSN(),
7115 		},
7116 		.result = ACCEPT,
7117 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7118 	},
7119 	{
7120 		"check skb->data half load not permitted",
7121 		.insns = {
7122 			BPF_MOV64_IMM(BPF_REG_0, 0),
7123 #if __BYTE_ORDER == __LITTLE_ENDIAN
7124 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7125 				    offsetof(struct __sk_buff, data)),
7126 #else
7127 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7128 				    offsetof(struct __sk_buff, data) + 2),
7129 #endif
7130 			BPF_EXIT_INSN(),
7131 		},
7132 		.result = REJECT,
7133 		.errstr = "invalid bpf_context access",
7134 	},
7135 	{
7136 		"check skb->tc_classid half load not permitted for lwt prog",
7137 		.insns = {
7138 			BPF_MOV64_IMM(BPF_REG_0, 0),
7139 #if __BYTE_ORDER == __LITTLE_ENDIAN
7140 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7141 				    offsetof(struct __sk_buff, tc_classid)),
7142 #else
7143 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7144 				    offsetof(struct __sk_buff, tc_classid) + 2),
7145 #endif
7146 			BPF_EXIT_INSN(),
7147 		},
7148 		.result = REJECT,
7149 		.errstr = "invalid bpf_context access",
7150 		.prog_type = BPF_PROG_TYPE_LWT_IN,
7151 	},
7152 	{
7153 		"bounds checks mixing signed and unsigned, positive bounds",
7154 		.insns = {
7155 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7156 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7157 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7158 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7159 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7160 				     BPF_FUNC_map_lookup_elem),
7161 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7162 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7163 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7164 			BPF_MOV64_IMM(BPF_REG_2, 2),
7165 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
7166 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
7167 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7168 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7169 			BPF_MOV64_IMM(BPF_REG_0, 0),
7170 			BPF_EXIT_INSN(),
7171 		},
7172 		.fixup_map1 = { 3 },
7173 		.errstr = "unbounded min value",
7174 		.result = REJECT,
7175 	},
7176 	{
7177 		"bounds checks mixing signed and unsigned",
7178 		.insns = {
7179 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7180 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7181 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7182 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7183 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7184 				     BPF_FUNC_map_lookup_elem),
7185 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7186 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7187 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7188 			BPF_MOV64_IMM(BPF_REG_2, -1),
7189 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7190 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7191 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7192 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7193 			BPF_MOV64_IMM(BPF_REG_0, 0),
7194 			BPF_EXIT_INSN(),
7195 		},
7196 		.fixup_map1 = { 3 },
7197 		.errstr = "unbounded min value",
7198 		.result = REJECT,
7199 	},
7200 	{
7201 		"bounds checks mixing signed and unsigned, variant 2",
7202 		.insns = {
7203 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7204 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7205 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7206 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7207 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7208 				     BPF_FUNC_map_lookup_elem),
7209 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7210 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7211 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7212 			BPF_MOV64_IMM(BPF_REG_2, -1),
7213 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7214 			BPF_MOV64_IMM(BPF_REG_8, 0),
7215 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
7216 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7217 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7218 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7219 			BPF_MOV64_IMM(BPF_REG_0, 0),
7220 			BPF_EXIT_INSN(),
7221 		},
7222 		.fixup_map1 = { 3 },
7223 		.errstr = "unbounded min value",
7224 		.result = REJECT,
7225 	},
7226 	{
7227 		"bounds checks mixing signed and unsigned, variant 3",
7228 		.insns = {
7229 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7230 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7231 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7232 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7233 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7234 				     BPF_FUNC_map_lookup_elem),
7235 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7236 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7237 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7238 			BPF_MOV64_IMM(BPF_REG_2, -1),
7239 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
7240 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
7241 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7242 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7243 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7244 			BPF_MOV64_IMM(BPF_REG_0, 0),
7245 			BPF_EXIT_INSN(),
7246 		},
7247 		.fixup_map1 = { 3 },
7248 		.errstr = "unbounded min value",
7249 		.result = REJECT,
7250 	},
7251 	{
7252 		"bounds checks mixing signed and unsigned, variant 4",
7253 		.insns = {
7254 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7255 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7256 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7257 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7258 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7259 				     BPF_FUNC_map_lookup_elem),
7260 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7261 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7262 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7263 			BPF_MOV64_IMM(BPF_REG_2, 1),
7264 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
7265 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7266 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7267 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7268 			BPF_MOV64_IMM(BPF_REG_0, 0),
7269 			BPF_EXIT_INSN(),
7270 		},
7271 		.fixup_map1 = { 3 },
7272 		.result = ACCEPT,
7273 	},
7274 	{
7275 		"bounds checks mixing signed and unsigned, variant 5",
7276 		.insns = {
7277 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7278 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7279 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7280 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7281 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7282 				     BPF_FUNC_map_lookup_elem),
7283 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7284 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7285 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7286 			BPF_MOV64_IMM(BPF_REG_2, -1),
7287 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7288 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
7289 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
7290 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7291 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7292 			BPF_MOV64_IMM(BPF_REG_0, 0),
7293 			BPF_EXIT_INSN(),
7294 		},
7295 		.fixup_map1 = { 3 },
7296 		.errstr = "unbounded min value",
7297 		.result = REJECT,
7298 	},
7299 	{
7300 		"bounds checks mixing signed and unsigned, variant 6",
7301 		.insns = {
7302 			BPF_MOV64_IMM(BPF_REG_2, 0),
7303 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
7304 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
7305 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7306 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
7307 			BPF_MOV64_IMM(BPF_REG_6, -1),
7308 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
7309 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
7310 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7311 			BPF_MOV64_IMM(BPF_REG_5, 0),
7312 			BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
7313 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7314 				     BPF_FUNC_skb_load_bytes),
7315 			BPF_MOV64_IMM(BPF_REG_0, 0),
7316 			BPF_EXIT_INSN(),
7317 		},
7318 		.errstr = "R4 min value is negative, either use unsigned",
7319 		.result = REJECT,
7320 	},
7321 	{
7322 		"bounds checks mixing signed and unsigned, variant 7",
7323 		.insns = {
7324 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7325 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7326 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7327 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7328 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7329 				     BPF_FUNC_map_lookup_elem),
7330 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7331 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7332 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7333 			BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
7334 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7335 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7336 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7337 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7338 			BPF_MOV64_IMM(BPF_REG_0, 0),
7339 			BPF_EXIT_INSN(),
7340 		},
7341 		.fixup_map1 = { 3 },
7342 		.result = ACCEPT,
7343 	},
7344 	{
7345 		"bounds checks mixing signed and unsigned, variant 8",
7346 		.insns = {
7347 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7348 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7349 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7350 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7351 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7352 				     BPF_FUNC_map_lookup_elem),
7353 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7354 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7355 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7356 			BPF_MOV64_IMM(BPF_REG_2, -1),
7357 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7358 			BPF_MOV64_IMM(BPF_REG_0, 0),
7359 			BPF_EXIT_INSN(),
7360 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7361 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7362 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7363 			BPF_MOV64_IMM(BPF_REG_0, 0),
7364 			BPF_EXIT_INSN(),
7365 		},
7366 		.fixup_map1 = { 3 },
7367 		.errstr = "unbounded min value",
7368 		.result = REJECT,
7369 	},
7370 	{
7371 		"bounds checks mixing signed and unsigned, variant 9",
7372 		.insns = {
7373 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7374 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7375 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7376 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7377 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7378 				     BPF_FUNC_map_lookup_elem),
7379 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7380 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7381 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7382 			BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
7383 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7384 			BPF_MOV64_IMM(BPF_REG_0, 0),
7385 			BPF_EXIT_INSN(),
7386 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7387 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7388 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7389 			BPF_MOV64_IMM(BPF_REG_0, 0),
7390 			BPF_EXIT_INSN(),
7391 		},
7392 		.fixup_map1 = { 3 },
7393 		.result = ACCEPT,
7394 	},
7395 	{
7396 		"bounds checks mixing signed and unsigned, variant 10",
7397 		.insns = {
7398 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7399 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7400 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7401 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7402 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7403 				     BPF_FUNC_map_lookup_elem),
7404 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7405 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7406 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7407 			BPF_MOV64_IMM(BPF_REG_2, 0),
7408 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7409 			BPF_MOV64_IMM(BPF_REG_0, 0),
7410 			BPF_EXIT_INSN(),
7411 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7412 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7413 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7414 			BPF_MOV64_IMM(BPF_REG_0, 0),
7415 			BPF_EXIT_INSN(),
7416 		},
7417 		.fixup_map1 = { 3 },
7418 		.errstr = "unbounded min value",
7419 		.result = REJECT,
7420 	},
7421 	{
7422 		"bounds checks mixing signed and unsigned, variant 11",
7423 		.insns = {
7424 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7425 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7426 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7427 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7428 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7429 				     BPF_FUNC_map_lookup_elem),
7430 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7431 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7432 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7433 			BPF_MOV64_IMM(BPF_REG_2, -1),
7434 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7435 			/* Dead branch. */
7436 			BPF_MOV64_IMM(BPF_REG_0, 0),
7437 			BPF_EXIT_INSN(),
7438 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7439 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7440 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7441 			BPF_MOV64_IMM(BPF_REG_0, 0),
7442 			BPF_EXIT_INSN(),
7443 		},
7444 		.fixup_map1 = { 3 },
7445 		.errstr = "unbounded min value",
7446 		.result = REJECT,
7447 	},
7448 	{
7449 		"bounds checks mixing signed and unsigned, variant 12",
7450 		.insns = {
7451 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7452 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7453 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7454 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7455 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7456 				     BPF_FUNC_map_lookup_elem),
7457 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7458 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7459 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7460 			BPF_MOV64_IMM(BPF_REG_2, -6),
7461 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7462 			BPF_MOV64_IMM(BPF_REG_0, 0),
7463 			BPF_EXIT_INSN(),
7464 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7465 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7466 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7467 			BPF_MOV64_IMM(BPF_REG_0, 0),
7468 			BPF_EXIT_INSN(),
7469 		},
7470 		.fixup_map1 = { 3 },
7471 		.errstr = "unbounded min value",
7472 		.result = REJECT,
7473 	},
7474 	{
7475 		"bounds checks mixing signed and unsigned, variant 13",
7476 		.insns = {
7477 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7478 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7479 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7480 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7481 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7482 				     BPF_FUNC_map_lookup_elem),
7483 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7484 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7485 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7486 			BPF_MOV64_IMM(BPF_REG_2, 2),
7487 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7488 			BPF_MOV64_IMM(BPF_REG_7, 1),
7489 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
7490 			BPF_MOV64_IMM(BPF_REG_0, 0),
7491 			BPF_EXIT_INSN(),
7492 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
7493 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
7494 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
7495 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7496 			BPF_MOV64_IMM(BPF_REG_0, 0),
7497 			BPF_EXIT_INSN(),
7498 		},
7499 		.fixup_map1 = { 3 },
7500 		.errstr = "unbounded min value",
7501 		.result = REJECT,
7502 	},
7503 	{
7504 		"bounds checks mixing signed and unsigned, variant 14",
7505 		.insns = {
7506 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
7507 				    offsetof(struct __sk_buff, mark)),
7508 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7509 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7510 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7511 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7512 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7513 				     BPF_FUNC_map_lookup_elem),
7514 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7515 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7516 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7517 			BPF_MOV64_IMM(BPF_REG_2, -1),
7518 			BPF_MOV64_IMM(BPF_REG_8, 2),
7519 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
7520 			BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
7521 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7522 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7523 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7524 			BPF_MOV64_IMM(BPF_REG_0, 0),
7525 			BPF_EXIT_INSN(),
7526 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
7527 			BPF_JMP_IMM(BPF_JA, 0, 0, -7),
7528 		},
7529 		.fixup_map1 = { 4 },
7530 		.errstr = "R0 invalid mem access 'inv'",
7531 		.result = REJECT,
7532 	},
7533 	{
7534 		"bounds checks mixing signed and unsigned, variant 15",
7535 		.insns = {
7536 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7537 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7538 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7539 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7540 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7541 				     BPF_FUNC_map_lookup_elem),
7542 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7543 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7544 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7545 			BPF_MOV64_IMM(BPF_REG_2, -6),
7546 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7547 			BPF_MOV64_IMM(BPF_REG_0, 0),
7548 			BPF_EXIT_INSN(),
7549 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7550 			BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
7551 			BPF_MOV64_IMM(BPF_REG_0, 0),
7552 			BPF_EXIT_INSN(),
7553 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7554 			BPF_MOV64_IMM(BPF_REG_0, 0),
7555 			BPF_EXIT_INSN(),
7556 		},
7557 		.fixup_map1 = { 3 },
7558 		.errstr = "unbounded min value",
7559 		.result = REJECT,
7560 		.result_unpriv = REJECT,
7561 	},
7562 	{
7563 		"subtraction bounds (map value) variant 1",
7564 		.insns = {
7565 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7566 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7567 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7568 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7569 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7570 				     BPF_FUNC_map_lookup_elem),
7571 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7572 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7573 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
7574 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7575 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
7576 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7577 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
7578 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7579 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7580 			BPF_EXIT_INSN(),
7581 			BPF_MOV64_IMM(BPF_REG_0, 0),
7582 			BPF_EXIT_INSN(),
7583 		},
7584 		.fixup_map1 = { 3 },
7585 		.errstr = "R0 max value is outside of the array range",
7586 		.result = REJECT,
7587 	},
7588 	{
7589 		"subtraction bounds (map value) variant 2",
7590 		.insns = {
7591 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7592 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7593 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7594 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7595 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7596 				     BPF_FUNC_map_lookup_elem),
7597 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7598 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7599 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
7600 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7601 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
7602 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7603 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7604 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7605 			BPF_EXIT_INSN(),
7606 			BPF_MOV64_IMM(BPF_REG_0, 0),
7607 			BPF_EXIT_INSN(),
7608 		},
7609 		.fixup_map1 = { 3 },
7610 		.errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
7611 		.result = REJECT,
7612 	},
7613 	{
7614 		"bounds check based on zero-extended MOV",
7615 		.insns = {
7616 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7617 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7618 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7619 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7620 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7621 				     BPF_FUNC_map_lookup_elem),
7622 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7623 			/* r2 = 0x0000'0000'ffff'ffff */
7624 			BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
7625 			/* r2 = 0 */
7626 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7627 			/* no-op */
7628 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7629 			/* access at offset 0 */
7630 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7631 			/* exit */
7632 			BPF_MOV64_IMM(BPF_REG_0, 0),
7633 			BPF_EXIT_INSN(),
7634 		},
7635 		.fixup_map1 = { 3 },
7636 		.result = ACCEPT
7637 	},
7638 	{
7639 		"bounds check based on sign-extended MOV. test1",
7640 		.insns = {
7641 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7642 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7643 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7644 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7645 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7646 				     BPF_FUNC_map_lookup_elem),
7647 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7648 			/* r2 = 0xffff'ffff'ffff'ffff */
7649 			BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7650 			/* r2 = 0xffff'ffff */
7651 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7652 			/* r0 = <oob pointer> */
7653 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7654 			/* access to OOB pointer */
7655 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7656 			/* exit */
7657 			BPF_MOV64_IMM(BPF_REG_0, 0),
7658 			BPF_EXIT_INSN(),
7659 		},
7660 		.fixup_map1 = { 3 },
7661 		.errstr = "map_value pointer and 4294967295",
7662 		.result = REJECT
7663 	},
7664 	{
7665 		"bounds check based on sign-extended MOV. test2",
7666 		.insns = {
7667 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7668 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7669 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7670 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7671 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7672 				     BPF_FUNC_map_lookup_elem),
7673 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7674 			/* r2 = 0xffff'ffff'ffff'ffff */
7675 			BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7676 			/* r2 = 0xfff'ffff */
7677 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
7678 			/* r0 = <oob pointer> */
7679 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7680 			/* access to OOB pointer */
7681 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7682 			/* exit */
7683 			BPF_MOV64_IMM(BPF_REG_0, 0),
7684 			BPF_EXIT_INSN(),
7685 		},
7686 		.fixup_map1 = { 3 },
7687 		.errstr = "R0 min value is outside of the array range",
7688 		.result = REJECT
7689 	},
7690 	{
7691 		"bounds check based on reg_off + var_off + insn_off. test1",
7692 		.insns = {
7693 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7694 				    offsetof(struct __sk_buff, mark)),
7695 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7696 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7697 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7698 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7699 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7700 				     BPF_FUNC_map_lookup_elem),
7701 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7702 			BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7703 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
7704 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7705 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7706 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7707 			BPF_MOV64_IMM(BPF_REG_0, 0),
7708 			BPF_EXIT_INSN(),
7709 		},
7710 		.fixup_map1 = { 4 },
7711 		.errstr = "value_size=8 off=1073741825",
7712 		.result = REJECT,
7713 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7714 	},
7715 	{
7716 		"bounds check based on reg_off + var_off + insn_off. test2",
7717 		.insns = {
7718 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7719 				    offsetof(struct __sk_buff, mark)),
7720 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7721 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7722 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7723 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7724 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7725 				     BPF_FUNC_map_lookup_elem),
7726 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7727 			BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7728 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
7729 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7730 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7731 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7732 			BPF_MOV64_IMM(BPF_REG_0, 0),
7733 			BPF_EXIT_INSN(),
7734 		},
7735 		.fixup_map1 = { 4 },
7736 		.errstr = "value 1073741823",
7737 		.result = REJECT,
7738 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7739 	},
7740 	{
7741 		"bounds check after truncation of non-boundary-crossing range",
7742 		.insns = {
7743 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7744 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7745 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7746 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7747 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7748 				     BPF_FUNC_map_lookup_elem),
7749 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7750 			/* r1 = [0x00, 0xff] */
7751 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7752 			BPF_MOV64_IMM(BPF_REG_2, 1),
7753 			/* r2 = 0x10'0000'0000 */
7754 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
7755 			/* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
7756 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
7757 			/* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
7758 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7759 			/* r1 = [0x00, 0xff] */
7760 			BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
7761 			/* r1 = 0 */
7762 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7763 			/* no-op */
7764 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7765 			/* access at offset 0 */
7766 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7767 			/* exit */
7768 			BPF_MOV64_IMM(BPF_REG_0, 0),
7769 			BPF_EXIT_INSN(),
7770 		},
7771 		.fixup_map1 = { 3 },
7772 		.result = ACCEPT
7773 	},
7774 	{
7775 		"bounds check after truncation of boundary-crossing range (1)",
7776 		.insns = {
7777 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7778 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7779 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7780 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7781 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7782 				     BPF_FUNC_map_lookup_elem),
7783 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7784 			/* r1 = [0x00, 0xff] */
7785 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7786 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7787 			/* r1 = [0xffff'ff80, 0x1'0000'007f] */
7788 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7789 			/* r1 = [0xffff'ff80, 0xffff'ffff] or
7790 			 *      [0x0000'0000, 0x0000'007f]
7791 			 */
7792 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
7793 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7794 			/* r1 = [0x00, 0xff] or
7795 			 *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7796 			 */
7797 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7798 			/* r1 = 0 or
7799 			 *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7800 			 */
7801 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7802 			/* no-op or OOB pointer computation */
7803 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7804 			/* potentially OOB access */
7805 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7806 			/* exit */
7807 			BPF_MOV64_IMM(BPF_REG_0, 0),
7808 			BPF_EXIT_INSN(),
7809 		},
7810 		.fixup_map1 = { 3 },
7811 		/* not actually fully unbounded, but the bound is very high */
7812 		.errstr = "R0 unbounded memory access",
7813 		.result = REJECT
7814 	},
7815 	{
7816 		"bounds check after truncation of boundary-crossing range (2)",
7817 		.insns = {
7818 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7819 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7820 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7821 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7822 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7823 				     BPF_FUNC_map_lookup_elem),
7824 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7825 			/* r1 = [0x00, 0xff] */
7826 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7827 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7828 			/* r1 = [0xffff'ff80, 0x1'0000'007f] */
7829 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7830 			/* r1 = [0xffff'ff80, 0xffff'ffff] or
7831 			 *      [0x0000'0000, 0x0000'007f]
7832 			 * difference to previous test: truncation via MOV32
7833 			 * instead of ALU32.
7834 			 */
7835 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
7836 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7837 			/* r1 = [0x00, 0xff] or
7838 			 *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7839 			 */
7840 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7841 			/* r1 = 0 or
7842 			 *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7843 			 */
7844 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7845 			/* no-op or OOB pointer computation */
7846 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7847 			/* potentially OOB access */
7848 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7849 			/* exit */
7850 			BPF_MOV64_IMM(BPF_REG_0, 0),
7851 			BPF_EXIT_INSN(),
7852 		},
7853 		.fixup_map1 = { 3 },
7854 		/* not actually fully unbounded, but the bound is very high */
7855 		.errstr = "R0 unbounded memory access",
7856 		.result = REJECT
7857 	},
7858 	{
7859 		"bounds check after wrapping 32-bit addition",
7860 		.insns = {
7861 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7862 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7863 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7864 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7865 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7866 				     BPF_FUNC_map_lookup_elem),
7867 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7868 			/* r1 = 0x7fff'ffff */
7869 			BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
7870 			/* r1 = 0xffff'fffe */
7871 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7872 			/* r1 = 0 */
7873 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
7874 			/* no-op */
7875 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7876 			/* access at offset 0 */
7877 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7878 			/* exit */
7879 			BPF_MOV64_IMM(BPF_REG_0, 0),
7880 			BPF_EXIT_INSN(),
7881 		},
7882 		.fixup_map1 = { 3 },
7883 		.result = ACCEPT
7884 	},
7885 	{
7886 		"bounds check after shift with oversized count operand",
7887 		.insns = {
7888 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7889 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7890 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7891 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7892 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7893 				     BPF_FUNC_map_lookup_elem),
7894 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7895 			BPF_MOV64_IMM(BPF_REG_2, 32),
7896 			BPF_MOV64_IMM(BPF_REG_1, 1),
7897 			/* r1 = (u32)1 << (u32)32 = ? */
7898 			BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
7899 			/* r1 = [0x0000, 0xffff] */
7900 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
7901 			/* computes unknown pointer, potentially OOB */
7902 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7903 			/* potentially OOB access */
7904 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7905 			/* exit */
7906 			BPF_MOV64_IMM(BPF_REG_0, 0),
7907 			BPF_EXIT_INSN(),
7908 		},
7909 		.fixup_map1 = { 3 },
7910 		.errstr = "R0 max value is outside of the array range",
7911 		.result = REJECT
7912 	},
7913 	{
7914 		"bounds check after right shift of maybe-negative number",
7915 		.insns = {
7916 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7917 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7918 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7919 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7920 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7921 				     BPF_FUNC_map_lookup_elem),
7922 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7923 			/* r1 = [0x00, 0xff] */
7924 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7925 			/* r1 = [-0x01, 0xfe] */
7926 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
7927 			/* r1 = 0 or 0xff'ffff'ffff'ffff */
7928 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7929 			/* r1 = 0 or 0xffff'ffff'ffff */
7930 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7931 			/* computes unknown pointer, potentially OOB */
7932 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7933 			/* potentially OOB access */
7934 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7935 			/* exit */
7936 			BPF_MOV64_IMM(BPF_REG_0, 0),
7937 			BPF_EXIT_INSN(),
7938 		},
7939 		.fixup_map1 = { 3 },
7940 		.errstr = "R0 unbounded memory access",
7941 		.result = REJECT
7942 	},
7943 	{
7944 		"bounds check map access with off+size signed 32bit overflow. test1",
7945 		.insns = {
7946 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7947 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7948 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7949 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7950 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7951 				     BPF_FUNC_map_lookup_elem),
7952 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7953 			BPF_EXIT_INSN(),
7954 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
7955 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7956 			BPF_JMP_A(0),
7957 			BPF_EXIT_INSN(),
7958 		},
7959 		.fixup_map1 = { 3 },
7960 		.errstr = "map_value pointer and 2147483646",
7961 		.result = REJECT
7962 	},
7963 	{
7964 		"bounds check map access with off+size signed 32bit overflow. test2",
7965 		.insns = {
7966 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7967 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7968 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7969 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7970 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7971 				     BPF_FUNC_map_lookup_elem),
7972 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7973 			BPF_EXIT_INSN(),
7974 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7975 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7976 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7977 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7978 			BPF_JMP_A(0),
7979 			BPF_EXIT_INSN(),
7980 		},
7981 		.fixup_map1 = { 3 },
7982 		.errstr = "pointer offset 1073741822",
7983 		.result = REJECT
7984 	},
7985 	{
7986 		"bounds check map access with off+size signed 32bit overflow. test3",
7987 		.insns = {
7988 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7989 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7990 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7991 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7992 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7993 				     BPF_FUNC_map_lookup_elem),
7994 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7995 			BPF_EXIT_INSN(),
7996 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
7997 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
7998 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
7999 			BPF_JMP_A(0),
8000 			BPF_EXIT_INSN(),
8001 		},
8002 		.fixup_map1 = { 3 },
8003 		.errstr = "pointer offset -1073741822",
8004 		.result = REJECT
8005 	},
8006 	{
8007 		"bounds check map access with off+size signed 32bit overflow. test4",
8008 		.insns = {
8009 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8010 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8011 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8012 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8013 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8014 				     BPF_FUNC_map_lookup_elem),
8015 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8016 			BPF_EXIT_INSN(),
8017 			BPF_MOV64_IMM(BPF_REG_1, 1000000),
8018 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
8019 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8020 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8021 			BPF_JMP_A(0),
8022 			BPF_EXIT_INSN(),
8023 		},
8024 		.fixup_map1 = { 3 },
8025 		.errstr = "map_value pointer and 1000000000000",
8026 		.result = REJECT
8027 	},
8028 	{
8029 		"pointer/scalar confusion in state equality check (way 1)",
8030 		.insns = {
8031 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8032 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8033 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8034 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8035 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8036 				     BPF_FUNC_map_lookup_elem),
8037 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8038 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8039 			BPF_JMP_A(1),
8040 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8041 			BPF_JMP_A(0),
8042 			BPF_EXIT_INSN(),
8043 		},
8044 		.fixup_map1 = { 3 },
8045 		.result = ACCEPT,
8046 		.retval = POINTER_VALUE,
8047 		.result_unpriv = REJECT,
8048 		.errstr_unpriv = "R0 leaks addr as return value"
8049 	},
8050 	{
8051 		"pointer/scalar confusion in state equality check (way 2)",
8052 		.insns = {
8053 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8054 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8055 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8056 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8057 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8058 				     BPF_FUNC_map_lookup_elem),
8059 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
8060 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8061 			BPF_JMP_A(1),
8062 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8063 			BPF_EXIT_INSN(),
8064 		},
8065 		.fixup_map1 = { 3 },
8066 		.result = ACCEPT,
8067 		.retval = POINTER_VALUE,
8068 		.result_unpriv = REJECT,
8069 		.errstr_unpriv = "R0 leaks addr as return value"
8070 	},
8071 	{
8072 		"variable-offset ctx access",
8073 		.insns = {
8074 			/* Get an unknown value */
8075 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8076 			/* Make it small and 4-byte aligned */
8077 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8078 			/* add it to skb.  We now have either &skb->len or
8079 			 * &skb->pkt_type, but we don't know which
8080 			 */
8081 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8082 			/* dereference it */
8083 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8084 			BPF_EXIT_INSN(),
8085 		},
8086 		.errstr = "variable ctx access var_off=(0x0; 0x4)",
8087 		.result = REJECT,
8088 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8089 	},
8090 	{
8091 		"variable-offset stack access",
8092 		.insns = {
8093 			/* Fill the top 8 bytes of the stack */
8094 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8095 			/* Get an unknown value */
8096 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8097 			/* Make it small and 4-byte aligned */
8098 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8099 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8100 			/* add it to fp.  We now have either fp-4 or fp-8, but
8101 			 * we don't know which
8102 			 */
8103 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8104 			/* dereference it */
8105 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
8106 			BPF_EXIT_INSN(),
8107 		},
8108 		.errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
8109 		.result = REJECT,
8110 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8111 	},
8112 	{
8113 		"indirect variable-offset stack access",
8114 		.insns = {
8115 			/* Fill the top 8 bytes of the stack */
8116 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8117 			/* Get an unknown value */
8118 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8119 			/* Make it small and 4-byte aligned */
8120 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8121 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8122 			/* add it to fp.  We now have either fp-4 or fp-8, but
8123 			 * we don't know which
8124 			 */
8125 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8126 			/* dereference it indirectly */
8127 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8128 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8129 				     BPF_FUNC_map_lookup_elem),
8130 			BPF_MOV64_IMM(BPF_REG_0, 0),
8131 			BPF_EXIT_INSN(),
8132 		},
8133 		.fixup_map1 = { 5 },
8134 		.errstr = "variable stack read R2",
8135 		.result = REJECT,
8136 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8137 	},
8138 	{
8139 		"direct stack access with 32-bit wraparound. test1",
8140 		.insns = {
8141 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8142 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8143 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8144 			BPF_MOV32_IMM(BPF_REG_0, 0),
8145 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8146 			BPF_EXIT_INSN()
8147 		},
8148 		.errstr = "fp pointer and 2147483647",
8149 		.result = REJECT
8150 	},
8151 	{
8152 		"direct stack access with 32-bit wraparound. test2",
8153 		.insns = {
8154 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8155 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8156 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8157 			BPF_MOV32_IMM(BPF_REG_0, 0),
8158 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8159 			BPF_EXIT_INSN()
8160 		},
8161 		.errstr = "fp pointer and 1073741823",
8162 		.result = REJECT
8163 	},
8164 	{
8165 		"direct stack access with 32-bit wraparound. test3",
8166 		.insns = {
8167 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8168 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8169 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8170 			BPF_MOV32_IMM(BPF_REG_0, 0),
8171 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8172 			BPF_EXIT_INSN()
8173 		},
8174 		.errstr = "fp pointer offset 1073741822",
8175 		.result = REJECT
8176 	},
8177 	{
8178 		"liveness pruning and write screening",
8179 		.insns = {
8180 			/* Get an unknown value */
8181 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8182 			/* branch conditions teach us nothing about R2 */
8183 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8184 			BPF_MOV64_IMM(BPF_REG_0, 0),
8185 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8186 			BPF_MOV64_IMM(BPF_REG_0, 0),
8187 			BPF_EXIT_INSN(),
8188 		},
8189 		.errstr = "R0 !read_ok",
8190 		.result = REJECT,
8191 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8192 	},
8193 	{
8194 		"varlen_map_value_access pruning",
8195 		.insns = {
8196 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8197 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8198 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8199 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8200 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8201 				     BPF_FUNC_map_lookup_elem),
8202 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8203 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
8204 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
8205 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
8206 			BPF_MOV32_IMM(BPF_REG_1, 0),
8207 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
8208 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8209 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
8210 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
8211 				   offsetof(struct test_val, foo)),
8212 			BPF_EXIT_INSN(),
8213 		},
8214 		.fixup_map2 = { 3 },
8215 		.errstr_unpriv = "R0 leaks addr",
8216 		.errstr = "R0 unbounded memory access",
8217 		.result_unpriv = REJECT,
8218 		.result = REJECT,
8219 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8220 	},
8221 	{
8222 		"invalid 64-bit BPF_END",
8223 		.insns = {
8224 			BPF_MOV32_IMM(BPF_REG_0, 0),
8225 			{
8226 				.code  = BPF_ALU64 | BPF_END | BPF_TO_LE,
8227 				.dst_reg = BPF_REG_0,
8228 				.src_reg = 0,
8229 				.off   = 0,
8230 				.imm   = 32,
8231 			},
8232 			BPF_EXIT_INSN(),
8233 		},
8234 		.errstr = "unknown opcode d7",
8235 		.result = REJECT,
8236 	},
8237 	{
8238 		"XDP, using ifindex from netdev",
8239 		.insns = {
8240 			BPF_MOV64_IMM(BPF_REG_0, 0),
8241 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8242 				    offsetof(struct xdp_md, ingress_ifindex)),
8243 			BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
8244 			BPF_MOV64_IMM(BPF_REG_0, 1),
8245 			BPF_EXIT_INSN(),
8246 		},
8247 		.result = ACCEPT,
8248 		.prog_type = BPF_PROG_TYPE_XDP,
8249 		.retval = 1,
8250 	},
8251 	{
8252 		"meta access, test1",
8253 		.insns = {
8254 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8255 				    offsetof(struct xdp_md, data_meta)),
8256 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8257 				    offsetof(struct xdp_md, data)),
8258 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8259 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8260 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8261 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8262 			BPF_MOV64_IMM(BPF_REG_0, 0),
8263 			BPF_EXIT_INSN(),
8264 		},
8265 		.result = ACCEPT,
8266 		.prog_type = BPF_PROG_TYPE_XDP,
8267 	},
8268 	{
8269 		"meta access, test2",
8270 		.insns = {
8271 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8272 				    offsetof(struct xdp_md, data_meta)),
8273 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8274 				    offsetof(struct xdp_md, data)),
8275 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8276 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
8277 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8278 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8279 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8280 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8281 			BPF_MOV64_IMM(BPF_REG_0, 0),
8282 			BPF_EXIT_INSN(),
8283 		},
8284 		.result = REJECT,
8285 		.errstr = "invalid access to packet, off=-8",
8286 		.prog_type = BPF_PROG_TYPE_XDP,
8287 	},
8288 	{
8289 		"meta access, test3",
8290 		.insns = {
8291 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8292 				    offsetof(struct xdp_md, data_meta)),
8293 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8294 				    offsetof(struct xdp_md, data_end)),
8295 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8296 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8297 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8298 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8299 			BPF_MOV64_IMM(BPF_REG_0, 0),
8300 			BPF_EXIT_INSN(),
8301 		},
8302 		.result = REJECT,
8303 		.errstr = "invalid access to packet",
8304 		.prog_type = BPF_PROG_TYPE_XDP,
8305 	},
8306 	{
8307 		"meta access, test4",
8308 		.insns = {
8309 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8310 				    offsetof(struct xdp_md, data_meta)),
8311 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8312 				    offsetof(struct xdp_md, data_end)),
8313 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8314 				    offsetof(struct xdp_md, data)),
8315 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8316 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8317 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8318 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8319 			BPF_MOV64_IMM(BPF_REG_0, 0),
8320 			BPF_EXIT_INSN(),
8321 		},
8322 		.result = REJECT,
8323 		.errstr = "invalid access to packet",
8324 		.prog_type = BPF_PROG_TYPE_XDP,
8325 	},
8326 	{
8327 		"meta access, test5",
8328 		.insns = {
8329 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8330 				    offsetof(struct xdp_md, data_meta)),
8331 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8332 				    offsetof(struct xdp_md, data)),
8333 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8334 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8335 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
8336 			BPF_MOV64_IMM(BPF_REG_2, -8),
8337 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8338 				     BPF_FUNC_xdp_adjust_meta),
8339 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8340 			BPF_MOV64_IMM(BPF_REG_0, 0),
8341 			BPF_EXIT_INSN(),
8342 		},
8343 		.result = REJECT,
8344 		.errstr = "R3 !read_ok",
8345 		.prog_type = BPF_PROG_TYPE_XDP,
8346 	},
8347 	{
8348 		"meta access, test6",
8349 		.insns = {
8350 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8351 				    offsetof(struct xdp_md, data_meta)),
8352 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8353 				    offsetof(struct xdp_md, data)),
8354 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8355 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8356 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8357 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8358 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
8359 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8360 			BPF_MOV64_IMM(BPF_REG_0, 0),
8361 			BPF_EXIT_INSN(),
8362 		},
8363 		.result = REJECT,
8364 		.errstr = "invalid access to packet",
8365 		.prog_type = BPF_PROG_TYPE_XDP,
8366 	},
8367 	{
8368 		"meta access, test7",
8369 		.insns = {
8370 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8371 				    offsetof(struct xdp_md, data_meta)),
8372 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8373 				    offsetof(struct xdp_md, data)),
8374 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8375 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8376 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8377 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8378 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8379 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8380 			BPF_MOV64_IMM(BPF_REG_0, 0),
8381 			BPF_EXIT_INSN(),
8382 		},
8383 		.result = ACCEPT,
8384 		.prog_type = BPF_PROG_TYPE_XDP,
8385 	},
8386 	{
8387 		"meta access, test8",
8388 		.insns = {
8389 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8390 				    offsetof(struct xdp_md, data_meta)),
8391 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8392 				    offsetof(struct xdp_md, data)),
8393 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8394 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8395 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8396 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8397 			BPF_MOV64_IMM(BPF_REG_0, 0),
8398 			BPF_EXIT_INSN(),
8399 		},
8400 		.result = ACCEPT,
8401 		.prog_type = BPF_PROG_TYPE_XDP,
8402 	},
8403 	{
8404 		"meta access, test9",
8405 		.insns = {
8406 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8407 				    offsetof(struct xdp_md, data_meta)),
8408 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8409 				    offsetof(struct xdp_md, data)),
8410 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8411 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8412 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8413 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8414 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8415 			BPF_MOV64_IMM(BPF_REG_0, 0),
8416 			BPF_EXIT_INSN(),
8417 		},
8418 		.result = REJECT,
8419 		.errstr = "invalid access to packet",
8420 		.prog_type = BPF_PROG_TYPE_XDP,
8421 	},
8422 	{
8423 		"meta access, test10",
8424 		.insns = {
8425 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8426 				    offsetof(struct xdp_md, data_meta)),
8427 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8428 				    offsetof(struct xdp_md, data)),
8429 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8430 				    offsetof(struct xdp_md, data_end)),
8431 			BPF_MOV64_IMM(BPF_REG_5, 42),
8432 			BPF_MOV64_IMM(BPF_REG_6, 24),
8433 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8434 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8435 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8436 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8437 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
8438 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8439 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8440 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8441 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
8442 			BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
8443 			BPF_MOV64_IMM(BPF_REG_0, 0),
8444 			BPF_EXIT_INSN(),
8445 		},
8446 		.result = REJECT,
8447 		.errstr = "invalid access to packet",
8448 		.prog_type = BPF_PROG_TYPE_XDP,
8449 	},
8450 	{
8451 		"meta access, test11",
8452 		.insns = {
8453 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8454 				    offsetof(struct xdp_md, data_meta)),
8455 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8456 				    offsetof(struct xdp_md, data)),
8457 			BPF_MOV64_IMM(BPF_REG_5, 42),
8458 			BPF_MOV64_IMM(BPF_REG_6, 24),
8459 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8460 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8461 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8462 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8463 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
8464 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8465 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8466 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8467 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
8468 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
8469 			BPF_MOV64_IMM(BPF_REG_0, 0),
8470 			BPF_EXIT_INSN(),
8471 		},
8472 		.result = ACCEPT,
8473 		.prog_type = BPF_PROG_TYPE_XDP,
8474 	},
8475 	{
8476 		"meta access, test12",
8477 		.insns = {
8478 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8479 				    offsetof(struct xdp_md, data_meta)),
8480 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8481 				    offsetof(struct xdp_md, data)),
8482 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8483 				    offsetof(struct xdp_md, data_end)),
8484 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8485 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8486 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
8487 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8488 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8489 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8490 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
8491 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8492 			BPF_MOV64_IMM(BPF_REG_0, 0),
8493 			BPF_EXIT_INSN(),
8494 		},
8495 		.result = ACCEPT,
8496 		.prog_type = BPF_PROG_TYPE_XDP,
8497 	},
8498 	{
8499 		"arithmetic ops make PTR_TO_CTX unusable",
8500 		.insns = {
8501 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
8502 				      offsetof(struct __sk_buff, data) -
8503 				      offsetof(struct __sk_buff, mark)),
8504 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8505 				    offsetof(struct __sk_buff, mark)),
8506 			BPF_EXIT_INSN(),
8507 		},
8508 		.errstr = "dereference of modified ctx ptr R1 off=68+8, ctx+const is allowed, ctx+const+const is not",
8509 		.result = REJECT,
8510 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8511 	},
8512 	{
8513 		"pkt_end - pkt_start is allowed",
8514 		.insns = {
8515 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8516 				    offsetof(struct __sk_buff, data_end)),
8517 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8518 				    offsetof(struct __sk_buff, data)),
8519 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
8520 			BPF_EXIT_INSN(),
8521 		},
8522 		.result = ACCEPT,
8523 		.retval = TEST_DATA_LEN,
8524 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8525 	},
8526 	{
8527 		"XDP pkt read, pkt_end mangling, bad access 1",
8528 		.insns = {
8529 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8530 				    offsetof(struct xdp_md, data)),
8531 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8532 				    offsetof(struct xdp_md, data_end)),
8533 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8534 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8535 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
8536 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8537 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8538 			BPF_MOV64_IMM(BPF_REG_0, 0),
8539 			BPF_EXIT_INSN(),
8540 		},
8541 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8542 		.result = REJECT,
8543 		.prog_type = BPF_PROG_TYPE_XDP,
8544 	},
8545 	{
8546 		"XDP pkt read, pkt_end mangling, bad access 2",
8547 		.insns = {
8548 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8549 				    offsetof(struct xdp_md, data)),
8550 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8551 				    offsetof(struct xdp_md, data_end)),
8552 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8553 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8554 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
8555 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8556 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8557 			BPF_MOV64_IMM(BPF_REG_0, 0),
8558 			BPF_EXIT_INSN(),
8559 		},
8560 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8561 		.result = REJECT,
8562 		.prog_type = BPF_PROG_TYPE_XDP,
8563 	},
8564 	{
8565 		"XDP pkt read, pkt_data' > pkt_end, good access",
8566 		.insns = {
8567 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8568 				    offsetof(struct xdp_md, data)),
8569 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8570 				    offsetof(struct xdp_md, data_end)),
8571 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8572 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8573 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8574 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8575 			BPF_MOV64_IMM(BPF_REG_0, 0),
8576 			BPF_EXIT_INSN(),
8577 		},
8578 		.result = ACCEPT,
8579 		.prog_type = BPF_PROG_TYPE_XDP,
8580 	},
8581 	{
8582 		"XDP pkt read, pkt_data' > pkt_end, bad access 1",
8583 		.insns = {
8584 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8585 				    offsetof(struct xdp_md, data)),
8586 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8587 				    offsetof(struct xdp_md, data_end)),
8588 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8589 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8590 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8591 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8592 			BPF_MOV64_IMM(BPF_REG_0, 0),
8593 			BPF_EXIT_INSN(),
8594 		},
8595 		.errstr = "R1 offset is outside of the packet",
8596 		.result = REJECT,
8597 		.prog_type = BPF_PROG_TYPE_XDP,
8598 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8599 	},
8600 	{
8601 		"XDP pkt read, pkt_data' > pkt_end, bad access 2",
8602 		.insns = {
8603 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8604 				    offsetof(struct xdp_md, data)),
8605 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8606 				    offsetof(struct xdp_md, data_end)),
8607 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8608 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8609 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8610 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8611 			BPF_MOV64_IMM(BPF_REG_0, 0),
8612 			BPF_EXIT_INSN(),
8613 		},
8614 		.errstr = "R1 offset is outside of the packet",
8615 		.result = REJECT,
8616 		.prog_type = BPF_PROG_TYPE_XDP,
8617 	},
8618 	{
8619 		"XDP pkt read, pkt_end > pkt_data', good access",
8620 		.insns = {
8621 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8622 				    offsetof(struct xdp_md, data)),
8623 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8624 				    offsetof(struct xdp_md, data_end)),
8625 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8626 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8627 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8628 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8629 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8630 			BPF_MOV64_IMM(BPF_REG_0, 0),
8631 			BPF_EXIT_INSN(),
8632 		},
8633 		.result = ACCEPT,
8634 		.prog_type = BPF_PROG_TYPE_XDP,
8635 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8636 	},
8637 	{
8638 		"XDP pkt read, pkt_end > pkt_data', bad access 1",
8639 		.insns = {
8640 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8641 				    offsetof(struct xdp_md, data)),
8642 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8643 				    offsetof(struct xdp_md, data_end)),
8644 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8645 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8646 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8647 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8648 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8649 			BPF_MOV64_IMM(BPF_REG_0, 0),
8650 			BPF_EXIT_INSN(),
8651 		},
8652 		.errstr = "R1 offset is outside of the packet",
8653 		.result = REJECT,
8654 		.prog_type = BPF_PROG_TYPE_XDP,
8655 	},
8656 	{
8657 		"XDP pkt read, pkt_end > pkt_data', bad access 2",
8658 		.insns = {
8659 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8660 				    offsetof(struct xdp_md, data)),
8661 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8662 				    offsetof(struct xdp_md, data_end)),
8663 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8664 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8665 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8666 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8667 			BPF_MOV64_IMM(BPF_REG_0, 0),
8668 			BPF_EXIT_INSN(),
8669 		},
8670 		.errstr = "R1 offset is outside of the packet",
8671 		.result = REJECT,
8672 		.prog_type = BPF_PROG_TYPE_XDP,
8673 	},
8674 	{
8675 		"XDP pkt read, pkt_data' < pkt_end, good access",
8676 		.insns = {
8677 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8678 				    offsetof(struct xdp_md, data)),
8679 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8680 				    offsetof(struct xdp_md, data_end)),
8681 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8682 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8683 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8684 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8685 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8686 			BPF_MOV64_IMM(BPF_REG_0, 0),
8687 			BPF_EXIT_INSN(),
8688 		},
8689 		.result = ACCEPT,
8690 		.prog_type = BPF_PROG_TYPE_XDP,
8691 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8692 	},
8693 	{
8694 		"XDP pkt read, pkt_data' < pkt_end, bad access 1",
8695 		.insns = {
8696 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8697 				    offsetof(struct xdp_md, data)),
8698 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8699 				    offsetof(struct xdp_md, data_end)),
8700 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8701 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8702 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8703 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8704 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8705 			BPF_MOV64_IMM(BPF_REG_0, 0),
8706 			BPF_EXIT_INSN(),
8707 		},
8708 		.errstr = "R1 offset is outside of the packet",
8709 		.result = REJECT,
8710 		.prog_type = BPF_PROG_TYPE_XDP,
8711 	},
8712 	{
8713 		"XDP pkt read, pkt_data' < pkt_end, bad access 2",
8714 		.insns = {
8715 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8716 				    offsetof(struct xdp_md, data)),
8717 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8718 				    offsetof(struct xdp_md, data_end)),
8719 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8720 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8721 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8722 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8723 			BPF_MOV64_IMM(BPF_REG_0, 0),
8724 			BPF_EXIT_INSN(),
8725 		},
8726 		.errstr = "R1 offset is outside of the packet",
8727 		.result = REJECT,
8728 		.prog_type = BPF_PROG_TYPE_XDP,
8729 	},
8730 	{
8731 		"XDP pkt read, pkt_end < pkt_data', good access",
8732 		.insns = {
8733 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8734 				    offsetof(struct xdp_md, data)),
8735 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8736 				    offsetof(struct xdp_md, data_end)),
8737 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8738 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8739 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8740 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8741 			BPF_MOV64_IMM(BPF_REG_0, 0),
8742 			BPF_EXIT_INSN(),
8743 		},
8744 		.result = ACCEPT,
8745 		.prog_type = BPF_PROG_TYPE_XDP,
8746 	},
8747 	{
8748 		"XDP pkt read, pkt_end < pkt_data', bad access 1",
8749 		.insns = {
8750 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8751 				    offsetof(struct xdp_md, data)),
8752 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8753 				    offsetof(struct xdp_md, data_end)),
8754 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8755 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8756 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8757 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8758 			BPF_MOV64_IMM(BPF_REG_0, 0),
8759 			BPF_EXIT_INSN(),
8760 		},
8761 		.errstr = "R1 offset is outside of the packet",
8762 		.result = REJECT,
8763 		.prog_type = BPF_PROG_TYPE_XDP,
8764 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8765 	},
8766 	{
8767 		"XDP pkt read, pkt_end < pkt_data', bad access 2",
8768 		.insns = {
8769 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8770 				    offsetof(struct xdp_md, data)),
8771 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8772 				    offsetof(struct xdp_md, data_end)),
8773 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8774 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8775 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
8776 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8777 			BPF_MOV64_IMM(BPF_REG_0, 0),
8778 			BPF_EXIT_INSN(),
8779 		},
8780 		.errstr = "R1 offset is outside of the packet",
8781 		.result = REJECT,
8782 		.prog_type = BPF_PROG_TYPE_XDP,
8783 	},
8784 	{
8785 		"XDP pkt read, pkt_data' >= pkt_end, good access",
8786 		.insns = {
8787 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8788 				    offsetof(struct xdp_md, data)),
8789 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8790 				    offsetof(struct xdp_md, data_end)),
8791 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8792 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8793 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8794 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8795 			BPF_MOV64_IMM(BPF_REG_0, 0),
8796 			BPF_EXIT_INSN(),
8797 		},
8798 		.result = ACCEPT,
8799 		.prog_type = BPF_PROG_TYPE_XDP,
8800 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8801 	},
8802 	{
8803 		"XDP pkt read, pkt_data' >= pkt_end, bad access 1",
8804 		.insns = {
8805 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8806 				    offsetof(struct xdp_md, data)),
8807 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8808 				    offsetof(struct xdp_md, data_end)),
8809 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8810 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8811 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8812 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8813 			BPF_MOV64_IMM(BPF_REG_0, 0),
8814 			BPF_EXIT_INSN(),
8815 		},
8816 		.errstr = "R1 offset is outside of the packet",
8817 		.result = REJECT,
8818 		.prog_type = BPF_PROG_TYPE_XDP,
8819 	},
8820 	{
8821 		"XDP pkt read, pkt_data' >= pkt_end, bad access 2",
8822 		.insns = {
8823 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8824 				    offsetof(struct xdp_md, data)),
8825 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8826 				    offsetof(struct xdp_md, data_end)),
8827 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8828 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8829 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
8830 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8831 			BPF_MOV64_IMM(BPF_REG_0, 0),
8832 			BPF_EXIT_INSN(),
8833 		},
8834 		.errstr = "R1 offset is outside of the packet",
8835 		.result = REJECT,
8836 		.prog_type = BPF_PROG_TYPE_XDP,
8837 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8838 	},
8839 	{
8840 		"XDP pkt read, pkt_end >= pkt_data', good access",
8841 		.insns = {
8842 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8843 				    offsetof(struct xdp_md, data)),
8844 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8845 				    offsetof(struct xdp_md, data_end)),
8846 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8847 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8848 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8849 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8850 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8851 			BPF_MOV64_IMM(BPF_REG_0, 0),
8852 			BPF_EXIT_INSN(),
8853 		},
8854 		.result = ACCEPT,
8855 		.prog_type = BPF_PROG_TYPE_XDP,
8856 	},
8857 	{
8858 		"XDP pkt read, pkt_end >= pkt_data', bad access 1",
8859 		.insns = {
8860 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8861 				    offsetof(struct xdp_md, data)),
8862 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8863 				    offsetof(struct xdp_md, data_end)),
8864 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8865 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8866 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8867 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8868 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8869 			BPF_MOV64_IMM(BPF_REG_0, 0),
8870 			BPF_EXIT_INSN(),
8871 		},
8872 		.errstr = "R1 offset is outside of the packet",
8873 		.result = REJECT,
8874 		.prog_type = BPF_PROG_TYPE_XDP,
8875 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8876 	},
8877 	{
8878 		"XDP pkt read, pkt_end >= pkt_data', bad access 2",
8879 		.insns = {
8880 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8881 				    offsetof(struct xdp_md, data)),
8882 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8883 				    offsetof(struct xdp_md, data_end)),
8884 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8885 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8886 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8887 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8888 			BPF_MOV64_IMM(BPF_REG_0, 0),
8889 			BPF_EXIT_INSN(),
8890 		},
8891 		.errstr = "R1 offset is outside of the packet",
8892 		.result = REJECT,
8893 		.prog_type = BPF_PROG_TYPE_XDP,
8894 	},
8895 	{
8896 		"XDP pkt read, pkt_data' <= pkt_end, good access",
8897 		.insns = {
8898 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8899 				    offsetof(struct xdp_md, data)),
8900 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8901 				    offsetof(struct xdp_md, data_end)),
8902 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8903 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8904 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8905 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8906 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8907 			BPF_MOV64_IMM(BPF_REG_0, 0),
8908 			BPF_EXIT_INSN(),
8909 		},
8910 		.result = ACCEPT,
8911 		.prog_type = BPF_PROG_TYPE_XDP,
8912 	},
8913 	{
8914 		"XDP pkt read, pkt_data' <= pkt_end, bad access 1",
8915 		.insns = {
8916 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8917 				    offsetof(struct xdp_md, data)),
8918 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8919 				    offsetof(struct xdp_md, data_end)),
8920 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8921 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8922 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8923 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8924 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8925 			BPF_MOV64_IMM(BPF_REG_0, 0),
8926 			BPF_EXIT_INSN(),
8927 		},
8928 		.errstr = "R1 offset is outside of the packet",
8929 		.result = REJECT,
8930 		.prog_type = BPF_PROG_TYPE_XDP,
8931 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8932 	},
8933 	{
8934 		"XDP pkt read, pkt_data' <= pkt_end, bad access 2",
8935 		.insns = {
8936 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8937 				    offsetof(struct xdp_md, data)),
8938 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8939 				    offsetof(struct xdp_md, data_end)),
8940 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8941 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8942 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8943 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8944 			BPF_MOV64_IMM(BPF_REG_0, 0),
8945 			BPF_EXIT_INSN(),
8946 		},
8947 		.errstr = "R1 offset is outside of the packet",
8948 		.result = REJECT,
8949 		.prog_type = BPF_PROG_TYPE_XDP,
8950 	},
8951 	{
8952 		"XDP pkt read, pkt_end <= pkt_data', good access",
8953 		.insns = {
8954 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8955 				    offsetof(struct xdp_md, data)),
8956 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8957 				    offsetof(struct xdp_md, data_end)),
8958 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8959 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8960 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8961 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8962 			BPF_MOV64_IMM(BPF_REG_0, 0),
8963 			BPF_EXIT_INSN(),
8964 		},
8965 		.result = ACCEPT,
8966 		.prog_type = BPF_PROG_TYPE_XDP,
8967 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8968 	},
8969 	{
8970 		"XDP pkt read, pkt_end <= pkt_data', bad access 1",
8971 		.insns = {
8972 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8973 				    offsetof(struct xdp_md, data)),
8974 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8975 				    offsetof(struct xdp_md, data_end)),
8976 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8977 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8978 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8979 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8980 			BPF_MOV64_IMM(BPF_REG_0, 0),
8981 			BPF_EXIT_INSN(),
8982 		},
8983 		.errstr = "R1 offset is outside of the packet",
8984 		.result = REJECT,
8985 		.prog_type = BPF_PROG_TYPE_XDP,
8986 	},
8987 	{
8988 		"XDP pkt read, pkt_end <= pkt_data', bad access 2",
8989 		.insns = {
8990 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8991 				    offsetof(struct xdp_md, data)),
8992 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8993 				    offsetof(struct xdp_md, data_end)),
8994 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8995 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8996 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
8997 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8998 			BPF_MOV64_IMM(BPF_REG_0, 0),
8999 			BPF_EXIT_INSN(),
9000 		},
9001 		.errstr = "R1 offset is outside of the packet",
9002 		.result = REJECT,
9003 		.prog_type = BPF_PROG_TYPE_XDP,
9004 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9005 	},
9006 	{
9007 		"XDP pkt read, pkt_meta' > pkt_data, good access",
9008 		.insns = {
9009 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9010 				    offsetof(struct xdp_md, data_meta)),
9011 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9012 				    offsetof(struct xdp_md, data)),
9013 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9014 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9015 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9016 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9017 			BPF_MOV64_IMM(BPF_REG_0, 0),
9018 			BPF_EXIT_INSN(),
9019 		},
9020 		.result = ACCEPT,
9021 		.prog_type = BPF_PROG_TYPE_XDP,
9022 	},
9023 	{
9024 		"XDP pkt read, pkt_meta' > pkt_data, bad access 1",
9025 		.insns = {
9026 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9027 				    offsetof(struct xdp_md, data_meta)),
9028 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9029 				    offsetof(struct xdp_md, data)),
9030 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9031 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9032 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9033 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9034 			BPF_MOV64_IMM(BPF_REG_0, 0),
9035 			BPF_EXIT_INSN(),
9036 		},
9037 		.errstr = "R1 offset is outside of the packet",
9038 		.result = REJECT,
9039 		.prog_type = BPF_PROG_TYPE_XDP,
9040 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9041 	},
9042 	{
9043 		"XDP pkt read, pkt_meta' > pkt_data, bad access 2",
9044 		.insns = {
9045 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9046 				    offsetof(struct xdp_md, data_meta)),
9047 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9048 				    offsetof(struct xdp_md, data)),
9049 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9050 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9051 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9052 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9053 			BPF_MOV64_IMM(BPF_REG_0, 0),
9054 			BPF_EXIT_INSN(),
9055 		},
9056 		.errstr = "R1 offset is outside of the packet",
9057 		.result = REJECT,
9058 		.prog_type = BPF_PROG_TYPE_XDP,
9059 	},
9060 	{
9061 		"XDP pkt read, pkt_data > pkt_meta', good access",
9062 		.insns = {
9063 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9064 				    offsetof(struct xdp_md, data_meta)),
9065 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9066 				    offsetof(struct xdp_md, data)),
9067 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9068 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9069 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9070 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9071 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9072 			BPF_MOV64_IMM(BPF_REG_0, 0),
9073 			BPF_EXIT_INSN(),
9074 		},
9075 		.result = ACCEPT,
9076 		.prog_type = BPF_PROG_TYPE_XDP,
9077 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9078 	},
9079 	{
9080 		"XDP pkt read, pkt_data > pkt_meta', bad access 1",
9081 		.insns = {
9082 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9083 				    offsetof(struct xdp_md, data_meta)),
9084 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9085 				    offsetof(struct xdp_md, data)),
9086 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9087 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9088 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9089 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9090 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9091 			BPF_MOV64_IMM(BPF_REG_0, 0),
9092 			BPF_EXIT_INSN(),
9093 		},
9094 		.errstr = "R1 offset is outside of the packet",
9095 		.result = REJECT,
9096 		.prog_type = BPF_PROG_TYPE_XDP,
9097 	},
9098 	{
9099 		"XDP pkt read, pkt_data > pkt_meta', bad access 2",
9100 		.insns = {
9101 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9102 				    offsetof(struct xdp_md, data_meta)),
9103 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9104 				    offsetof(struct xdp_md, data)),
9105 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9106 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9107 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9108 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9109 			BPF_MOV64_IMM(BPF_REG_0, 0),
9110 			BPF_EXIT_INSN(),
9111 		},
9112 		.errstr = "R1 offset is outside of the packet",
9113 		.result = REJECT,
9114 		.prog_type = BPF_PROG_TYPE_XDP,
9115 	},
9116 	{
9117 		"XDP pkt read, pkt_meta' < pkt_data, good access",
9118 		.insns = {
9119 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9120 				    offsetof(struct xdp_md, data_meta)),
9121 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9122 				    offsetof(struct xdp_md, data)),
9123 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9124 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9125 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9126 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9127 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9128 			BPF_MOV64_IMM(BPF_REG_0, 0),
9129 			BPF_EXIT_INSN(),
9130 		},
9131 		.result = ACCEPT,
9132 		.prog_type = BPF_PROG_TYPE_XDP,
9133 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9134 	},
9135 	{
9136 		"XDP pkt read, pkt_meta' < pkt_data, bad access 1",
9137 		.insns = {
9138 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9139 				    offsetof(struct xdp_md, data_meta)),
9140 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9141 				    offsetof(struct xdp_md, data)),
9142 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9143 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9144 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9145 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9146 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9147 			BPF_MOV64_IMM(BPF_REG_0, 0),
9148 			BPF_EXIT_INSN(),
9149 		},
9150 		.errstr = "R1 offset is outside of the packet",
9151 		.result = REJECT,
9152 		.prog_type = BPF_PROG_TYPE_XDP,
9153 	},
9154 	{
9155 		"XDP pkt read, pkt_meta' < pkt_data, bad access 2",
9156 		.insns = {
9157 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9158 				    offsetof(struct xdp_md, data_meta)),
9159 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9160 				    offsetof(struct xdp_md, data)),
9161 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9162 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9163 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9164 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9165 			BPF_MOV64_IMM(BPF_REG_0, 0),
9166 			BPF_EXIT_INSN(),
9167 		},
9168 		.errstr = "R1 offset is outside of the packet",
9169 		.result = REJECT,
9170 		.prog_type = BPF_PROG_TYPE_XDP,
9171 	},
9172 	{
9173 		"XDP pkt read, pkt_data < pkt_meta', good access",
9174 		.insns = {
9175 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9176 				    offsetof(struct xdp_md, data_meta)),
9177 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9178 				    offsetof(struct xdp_md, data)),
9179 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9180 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9181 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9182 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9183 			BPF_MOV64_IMM(BPF_REG_0, 0),
9184 			BPF_EXIT_INSN(),
9185 		},
9186 		.result = ACCEPT,
9187 		.prog_type = BPF_PROG_TYPE_XDP,
9188 	},
9189 	{
9190 		"XDP pkt read, pkt_data < pkt_meta', bad access 1",
9191 		.insns = {
9192 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9193 				    offsetof(struct xdp_md, data_meta)),
9194 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9195 				    offsetof(struct xdp_md, data)),
9196 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9197 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9198 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9199 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9200 			BPF_MOV64_IMM(BPF_REG_0, 0),
9201 			BPF_EXIT_INSN(),
9202 		},
9203 		.errstr = "R1 offset is outside of the packet",
9204 		.result = REJECT,
9205 		.prog_type = BPF_PROG_TYPE_XDP,
9206 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9207 	},
9208 	{
9209 		"XDP pkt read, pkt_data < pkt_meta', bad access 2",
9210 		.insns = {
9211 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9212 				    offsetof(struct xdp_md, data_meta)),
9213 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9214 				    offsetof(struct xdp_md, data)),
9215 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9216 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9217 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9218 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9219 			BPF_MOV64_IMM(BPF_REG_0, 0),
9220 			BPF_EXIT_INSN(),
9221 		},
9222 		.errstr = "R1 offset is outside of the packet",
9223 		.result = REJECT,
9224 		.prog_type = BPF_PROG_TYPE_XDP,
9225 	},
9226 	{
9227 		"XDP pkt read, pkt_meta' >= pkt_data, good access",
9228 		.insns = {
9229 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9230 				    offsetof(struct xdp_md, data_meta)),
9231 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9232 				    offsetof(struct xdp_md, data)),
9233 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9234 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9235 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9236 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9237 			BPF_MOV64_IMM(BPF_REG_0, 0),
9238 			BPF_EXIT_INSN(),
9239 		},
9240 		.result = ACCEPT,
9241 		.prog_type = BPF_PROG_TYPE_XDP,
9242 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9243 	},
9244 	{
9245 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
9246 		.insns = {
9247 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9248 				    offsetof(struct xdp_md, data_meta)),
9249 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9250 				    offsetof(struct xdp_md, data)),
9251 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9252 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9253 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9254 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9255 			BPF_MOV64_IMM(BPF_REG_0, 0),
9256 			BPF_EXIT_INSN(),
9257 		},
9258 		.errstr = "R1 offset is outside of the packet",
9259 		.result = REJECT,
9260 		.prog_type = BPF_PROG_TYPE_XDP,
9261 	},
9262 	{
9263 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
9264 		.insns = {
9265 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9266 				    offsetof(struct xdp_md, data_meta)),
9267 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9268 				    offsetof(struct xdp_md, data)),
9269 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9270 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9271 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9272 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9273 			BPF_MOV64_IMM(BPF_REG_0, 0),
9274 			BPF_EXIT_INSN(),
9275 		},
9276 		.errstr = "R1 offset is outside of the packet",
9277 		.result = REJECT,
9278 		.prog_type = BPF_PROG_TYPE_XDP,
9279 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9280 	},
9281 	{
9282 		"XDP pkt read, pkt_data >= pkt_meta', good access",
9283 		.insns = {
9284 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9285 				    offsetof(struct xdp_md, data_meta)),
9286 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9287 				    offsetof(struct xdp_md, data)),
9288 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9289 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9290 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9291 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9292 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9293 			BPF_MOV64_IMM(BPF_REG_0, 0),
9294 			BPF_EXIT_INSN(),
9295 		},
9296 		.result = ACCEPT,
9297 		.prog_type = BPF_PROG_TYPE_XDP,
9298 	},
9299 	{
9300 		"XDP pkt read, pkt_data >= pkt_meta', bad access 1",
9301 		.insns = {
9302 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9303 				    offsetof(struct xdp_md, data_meta)),
9304 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9305 				    offsetof(struct xdp_md, data)),
9306 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9307 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9308 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9309 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9310 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9311 			BPF_MOV64_IMM(BPF_REG_0, 0),
9312 			BPF_EXIT_INSN(),
9313 		},
9314 		.errstr = "R1 offset is outside of the packet",
9315 		.result = REJECT,
9316 		.prog_type = BPF_PROG_TYPE_XDP,
9317 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9318 	},
9319 	{
9320 		"XDP pkt read, pkt_data >= pkt_meta', bad access 2",
9321 		.insns = {
9322 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9323 				    offsetof(struct xdp_md, data_meta)),
9324 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9325 				    offsetof(struct xdp_md, data)),
9326 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9327 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9328 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9329 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9330 			BPF_MOV64_IMM(BPF_REG_0, 0),
9331 			BPF_EXIT_INSN(),
9332 		},
9333 		.errstr = "R1 offset is outside of the packet",
9334 		.result = REJECT,
9335 		.prog_type = BPF_PROG_TYPE_XDP,
9336 	},
9337 	{
9338 		"XDP pkt read, pkt_meta' <= pkt_data, good access",
9339 		.insns = {
9340 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9341 				    offsetof(struct xdp_md, data_meta)),
9342 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9343 				    offsetof(struct xdp_md, data)),
9344 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9345 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9346 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9347 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9348 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9349 			BPF_MOV64_IMM(BPF_REG_0, 0),
9350 			BPF_EXIT_INSN(),
9351 		},
9352 		.result = ACCEPT,
9353 		.prog_type = BPF_PROG_TYPE_XDP,
9354 	},
9355 	{
9356 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
9357 		.insns = {
9358 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9359 				    offsetof(struct xdp_md, data_meta)),
9360 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9361 				    offsetof(struct xdp_md, data)),
9362 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9363 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9364 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9365 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9366 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9367 			BPF_MOV64_IMM(BPF_REG_0, 0),
9368 			BPF_EXIT_INSN(),
9369 		},
9370 		.errstr = "R1 offset is outside of the packet",
9371 		.result = REJECT,
9372 		.prog_type = BPF_PROG_TYPE_XDP,
9373 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9374 	},
9375 	{
9376 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
9377 		.insns = {
9378 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9379 				    offsetof(struct xdp_md, data_meta)),
9380 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9381 				    offsetof(struct xdp_md, data)),
9382 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9383 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9384 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9385 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9386 			BPF_MOV64_IMM(BPF_REG_0, 0),
9387 			BPF_EXIT_INSN(),
9388 		},
9389 		.errstr = "R1 offset is outside of the packet",
9390 		.result = REJECT,
9391 		.prog_type = BPF_PROG_TYPE_XDP,
9392 	},
9393 	{
9394 		"XDP pkt read, pkt_data <= pkt_meta', good access",
9395 		.insns = {
9396 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9397 				    offsetof(struct xdp_md, data_meta)),
9398 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9399 				    offsetof(struct xdp_md, data)),
9400 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9401 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9402 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9403 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9404 			BPF_MOV64_IMM(BPF_REG_0, 0),
9405 			BPF_EXIT_INSN(),
9406 		},
9407 		.result = ACCEPT,
9408 		.prog_type = BPF_PROG_TYPE_XDP,
9409 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9410 	},
9411 	{
9412 		"XDP pkt read, pkt_data <= pkt_meta', bad access 1",
9413 		.insns = {
9414 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9415 				    offsetof(struct xdp_md, data_meta)),
9416 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9417 				    offsetof(struct xdp_md, data)),
9418 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9419 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9420 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9421 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9422 			BPF_MOV64_IMM(BPF_REG_0, 0),
9423 			BPF_EXIT_INSN(),
9424 		},
9425 		.errstr = "R1 offset is outside of the packet",
9426 		.result = REJECT,
9427 		.prog_type = BPF_PROG_TYPE_XDP,
9428 	},
9429 	{
9430 		"XDP pkt read, pkt_data <= pkt_meta', bad access 2",
9431 		.insns = {
9432 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9433 				    offsetof(struct xdp_md, data_meta)),
9434 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9435 				    offsetof(struct xdp_md, data)),
9436 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9437 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9438 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9439 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9440 			BPF_MOV64_IMM(BPF_REG_0, 0),
9441 			BPF_EXIT_INSN(),
9442 		},
9443 		.errstr = "R1 offset is outside of the packet",
9444 		.result = REJECT,
9445 		.prog_type = BPF_PROG_TYPE_XDP,
9446 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9447 	},
9448 	{
9449 		"check deducing bounds from const, 1",
9450 		.insns = {
9451 			BPF_MOV64_IMM(BPF_REG_0, 1),
9452 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
9453 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9454 			BPF_EXIT_INSN(),
9455 		},
9456 		.result = REJECT,
9457 		.errstr = "R0 tried to subtract pointer from scalar",
9458 	},
9459 	{
9460 		"check deducing bounds from const, 2",
9461 		.insns = {
9462 			BPF_MOV64_IMM(BPF_REG_0, 1),
9463 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
9464 			BPF_EXIT_INSN(),
9465 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
9466 			BPF_EXIT_INSN(),
9467 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9468 			BPF_EXIT_INSN(),
9469 		},
9470 		.result = ACCEPT,
9471 		.retval = 1,
9472 	},
9473 	{
9474 		"check deducing bounds from const, 3",
9475 		.insns = {
9476 			BPF_MOV64_IMM(BPF_REG_0, 0),
9477 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9478 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9479 			BPF_EXIT_INSN(),
9480 		},
9481 		.result = REJECT,
9482 		.errstr = "R0 tried to subtract pointer from scalar",
9483 	},
9484 	{
9485 		"check deducing bounds from const, 4",
9486 		.insns = {
9487 			BPF_MOV64_IMM(BPF_REG_0, 0),
9488 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
9489 			BPF_EXIT_INSN(),
9490 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9491 			BPF_EXIT_INSN(),
9492 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9493 			BPF_EXIT_INSN(),
9494 		},
9495 		.result = ACCEPT,
9496 	},
9497 	{
9498 		"check deducing bounds from const, 5",
9499 		.insns = {
9500 			BPF_MOV64_IMM(BPF_REG_0, 0),
9501 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9502 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9503 			BPF_EXIT_INSN(),
9504 		},
9505 		.result = REJECT,
9506 		.errstr = "R0 tried to subtract pointer from scalar",
9507 	},
9508 	{
9509 		"check deducing bounds from const, 6",
9510 		.insns = {
9511 			BPF_MOV64_IMM(BPF_REG_0, 0),
9512 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9513 			BPF_EXIT_INSN(),
9514 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9515 			BPF_EXIT_INSN(),
9516 		},
9517 		.result = REJECT,
9518 		.errstr = "R0 tried to subtract pointer from scalar",
9519 	},
9520 	{
9521 		"check deducing bounds from const, 7",
9522 		.insns = {
9523 			BPF_MOV64_IMM(BPF_REG_0, ~0),
9524 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9525 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9526 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9527 				    offsetof(struct __sk_buff, mark)),
9528 			BPF_EXIT_INSN(),
9529 		},
9530 		.result = REJECT,
9531 		.errstr = "dereference of modified ctx ptr",
9532 	},
9533 	{
9534 		"check deducing bounds from const, 8",
9535 		.insns = {
9536 			BPF_MOV64_IMM(BPF_REG_0, ~0),
9537 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9538 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
9539 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9540 				    offsetof(struct __sk_buff, mark)),
9541 			BPF_EXIT_INSN(),
9542 		},
9543 		.result = REJECT,
9544 		.errstr = "dereference of modified ctx ptr",
9545 	},
9546 	{
9547 		"check deducing bounds from const, 9",
9548 		.insns = {
9549 			BPF_MOV64_IMM(BPF_REG_0, 0),
9550 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9551 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9552 			BPF_EXIT_INSN(),
9553 		},
9554 		.result = REJECT,
9555 		.errstr = "R0 tried to subtract pointer from scalar",
9556 	},
9557 	{
9558 		"check deducing bounds from const, 10",
9559 		.insns = {
9560 			BPF_MOV64_IMM(BPF_REG_0, 0),
9561 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9562 			/* Marks reg as unknown. */
9563 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
9564 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9565 			BPF_EXIT_INSN(),
9566 		},
9567 		.result = REJECT,
9568 		.errstr = "math between ctx pointer and register with unbounded min value is not allowed",
9569 	},
9570 	{
9571 		"bpf_exit with invalid return code. test1",
9572 		.insns = {
9573 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9574 			BPF_EXIT_INSN(),
9575 		},
9576 		.errstr = "R0 has value (0x0; 0xffffffff)",
9577 		.result = REJECT,
9578 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9579 	},
9580 	{
9581 		"bpf_exit with invalid return code. test2",
9582 		.insns = {
9583 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9584 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
9585 			BPF_EXIT_INSN(),
9586 		},
9587 		.result = ACCEPT,
9588 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9589 	},
9590 	{
9591 		"bpf_exit with invalid return code. test3",
9592 		.insns = {
9593 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9594 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
9595 			BPF_EXIT_INSN(),
9596 		},
9597 		.errstr = "R0 has value (0x0; 0x3)",
9598 		.result = REJECT,
9599 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9600 	},
9601 	{
9602 		"bpf_exit with invalid return code. test4",
9603 		.insns = {
9604 			BPF_MOV64_IMM(BPF_REG_0, 1),
9605 			BPF_EXIT_INSN(),
9606 		},
9607 		.result = ACCEPT,
9608 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9609 	},
9610 	{
9611 		"bpf_exit with invalid return code. test5",
9612 		.insns = {
9613 			BPF_MOV64_IMM(BPF_REG_0, 2),
9614 			BPF_EXIT_INSN(),
9615 		},
9616 		.errstr = "R0 has value (0x2; 0x0)",
9617 		.result = REJECT,
9618 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9619 	},
9620 	{
9621 		"bpf_exit with invalid return code. test6",
9622 		.insns = {
9623 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9624 			BPF_EXIT_INSN(),
9625 		},
9626 		.errstr = "R0 is not a known value (ctx)",
9627 		.result = REJECT,
9628 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9629 	},
9630 	{
9631 		"bpf_exit with invalid return code. test7",
9632 		.insns = {
9633 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9634 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
9635 			BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
9636 			BPF_EXIT_INSN(),
9637 		},
9638 		.errstr = "R0 has unknown scalar value",
9639 		.result = REJECT,
9640 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9641 	},
9642 	{
9643 		"calls: basic sanity",
9644 		.insns = {
9645 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9646 			BPF_MOV64_IMM(BPF_REG_0, 1),
9647 			BPF_EXIT_INSN(),
9648 			BPF_MOV64_IMM(BPF_REG_0, 2),
9649 			BPF_EXIT_INSN(),
9650 		},
9651 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9652 		.result = ACCEPT,
9653 	},
9654 	{
9655 		"calls: not on unpriviledged",
9656 		.insns = {
9657 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9658 			BPF_MOV64_IMM(BPF_REG_0, 1),
9659 			BPF_EXIT_INSN(),
9660 			BPF_MOV64_IMM(BPF_REG_0, 2),
9661 			BPF_EXIT_INSN(),
9662 		},
9663 		.errstr_unpriv = "function calls to other bpf functions are allowed for root only",
9664 		.result_unpriv = REJECT,
9665 		.result = ACCEPT,
9666 		.retval = 1,
9667 	},
9668 	{
9669 		"calls: div by 0 in subprog",
9670 		.insns = {
9671 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9672 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9673 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9674 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9675 				    offsetof(struct __sk_buff, data_end)),
9676 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9677 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9678 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9679 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9680 			BPF_MOV64_IMM(BPF_REG_0, 1),
9681 			BPF_EXIT_INSN(),
9682 			BPF_MOV32_IMM(BPF_REG_2, 0),
9683 			BPF_MOV32_IMM(BPF_REG_3, 1),
9684 			BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
9685 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9686 				    offsetof(struct __sk_buff, data)),
9687 			BPF_EXIT_INSN(),
9688 		},
9689 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9690 		.result = ACCEPT,
9691 		.retval = 1,
9692 	},
9693 	{
9694 		"calls: multiple ret types in subprog 1",
9695 		.insns = {
9696 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9697 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9698 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9699 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9700 				    offsetof(struct __sk_buff, data_end)),
9701 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9702 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9703 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9704 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9705 			BPF_MOV64_IMM(BPF_REG_0, 1),
9706 			BPF_EXIT_INSN(),
9707 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9708 				    offsetof(struct __sk_buff, data)),
9709 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9710 			BPF_MOV32_IMM(BPF_REG_0, 42),
9711 			BPF_EXIT_INSN(),
9712 		},
9713 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9714 		.result = REJECT,
9715 		.errstr = "R0 invalid mem access 'inv'",
9716 	},
9717 	{
9718 		"calls: multiple ret types in subprog 2",
9719 		.insns = {
9720 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9721 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9722 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9723 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9724 				    offsetof(struct __sk_buff, data_end)),
9725 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9726 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9727 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9728 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9729 			BPF_MOV64_IMM(BPF_REG_0, 1),
9730 			BPF_EXIT_INSN(),
9731 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9732 				    offsetof(struct __sk_buff, data)),
9733 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9734 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
9735 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9736 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9737 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9738 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9739 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9740 				     BPF_FUNC_map_lookup_elem),
9741 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9742 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
9743 				    offsetof(struct __sk_buff, data)),
9744 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
9745 			BPF_EXIT_INSN(),
9746 		},
9747 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9748 		.fixup_map1 = { 16 },
9749 		.result = REJECT,
9750 		.errstr = "R0 min value is outside of the array range",
9751 	},
9752 	{
9753 		"calls: overlapping caller/callee",
9754 		.insns = {
9755 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
9756 			BPF_MOV64_IMM(BPF_REG_0, 1),
9757 			BPF_EXIT_INSN(),
9758 		},
9759 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9760 		.errstr = "last insn is not an exit or jmp",
9761 		.result = REJECT,
9762 	},
9763 	{
9764 		"calls: wrong recursive calls",
9765 		.insns = {
9766 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9767 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9768 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9769 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9770 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9771 			BPF_MOV64_IMM(BPF_REG_0, 1),
9772 			BPF_EXIT_INSN(),
9773 		},
9774 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9775 		.errstr = "jump out of range",
9776 		.result = REJECT,
9777 	},
9778 	{
9779 		"calls: wrong src reg",
9780 		.insns = {
9781 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
9782 			BPF_MOV64_IMM(BPF_REG_0, 1),
9783 			BPF_EXIT_INSN(),
9784 		},
9785 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9786 		.errstr = "BPF_CALL uses reserved fields",
9787 		.result = REJECT,
9788 	},
9789 	{
9790 		"calls: wrong off value",
9791 		.insns = {
9792 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
9793 			BPF_MOV64_IMM(BPF_REG_0, 1),
9794 			BPF_EXIT_INSN(),
9795 			BPF_MOV64_IMM(BPF_REG_0, 2),
9796 			BPF_EXIT_INSN(),
9797 		},
9798 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9799 		.errstr = "BPF_CALL uses reserved fields",
9800 		.result = REJECT,
9801 	},
9802 	{
9803 		"calls: jump back loop",
9804 		.insns = {
9805 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
9806 			BPF_MOV64_IMM(BPF_REG_0, 1),
9807 			BPF_EXIT_INSN(),
9808 		},
9809 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9810 		.errstr = "back-edge from insn 0 to 0",
9811 		.result = REJECT,
9812 	},
9813 	{
9814 		"calls: conditional call",
9815 		.insns = {
9816 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9817 				    offsetof(struct __sk_buff, mark)),
9818 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9819 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9820 			BPF_MOV64_IMM(BPF_REG_0, 1),
9821 			BPF_EXIT_INSN(),
9822 			BPF_MOV64_IMM(BPF_REG_0, 2),
9823 			BPF_EXIT_INSN(),
9824 		},
9825 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9826 		.errstr = "jump out of range",
9827 		.result = REJECT,
9828 	},
9829 	{
9830 		"calls: conditional call 2",
9831 		.insns = {
9832 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9833 				    offsetof(struct __sk_buff, mark)),
9834 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9835 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9836 			BPF_MOV64_IMM(BPF_REG_0, 1),
9837 			BPF_EXIT_INSN(),
9838 			BPF_MOV64_IMM(BPF_REG_0, 2),
9839 			BPF_EXIT_INSN(),
9840 			BPF_MOV64_IMM(BPF_REG_0, 3),
9841 			BPF_EXIT_INSN(),
9842 		},
9843 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9844 		.result = ACCEPT,
9845 	},
9846 	{
9847 		"calls: conditional call 3",
9848 		.insns = {
9849 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9850 				    offsetof(struct __sk_buff, mark)),
9851 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9852 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9853 			BPF_MOV64_IMM(BPF_REG_0, 1),
9854 			BPF_EXIT_INSN(),
9855 			BPF_MOV64_IMM(BPF_REG_0, 1),
9856 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9857 			BPF_MOV64_IMM(BPF_REG_0, 3),
9858 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9859 		},
9860 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9861 		.errstr = "back-edge from insn",
9862 		.result = REJECT,
9863 	},
9864 	{
9865 		"calls: conditional call 4",
9866 		.insns = {
9867 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9868 				    offsetof(struct __sk_buff, mark)),
9869 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9870 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9871 			BPF_MOV64_IMM(BPF_REG_0, 1),
9872 			BPF_EXIT_INSN(),
9873 			BPF_MOV64_IMM(BPF_REG_0, 1),
9874 			BPF_JMP_IMM(BPF_JA, 0, 0, -5),
9875 			BPF_MOV64_IMM(BPF_REG_0, 3),
9876 			BPF_EXIT_INSN(),
9877 		},
9878 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9879 		.result = ACCEPT,
9880 	},
9881 	{
9882 		"calls: conditional call 5",
9883 		.insns = {
9884 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9885 				    offsetof(struct __sk_buff, mark)),
9886 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9887 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9888 			BPF_MOV64_IMM(BPF_REG_0, 1),
9889 			BPF_EXIT_INSN(),
9890 			BPF_MOV64_IMM(BPF_REG_0, 1),
9891 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9892 			BPF_MOV64_IMM(BPF_REG_0, 3),
9893 			BPF_EXIT_INSN(),
9894 		},
9895 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9896 		.errstr = "back-edge from insn",
9897 		.result = REJECT,
9898 	},
9899 	{
9900 		"calls: conditional call 6",
9901 		.insns = {
9902 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9903 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
9904 			BPF_EXIT_INSN(),
9905 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9906 				    offsetof(struct __sk_buff, mark)),
9907 			BPF_EXIT_INSN(),
9908 		},
9909 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9910 		.errstr = "back-edge from insn",
9911 		.result = REJECT,
9912 	},
9913 	{
9914 		"calls: using r0 returned by callee",
9915 		.insns = {
9916 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9917 			BPF_EXIT_INSN(),
9918 			BPF_MOV64_IMM(BPF_REG_0, 2),
9919 			BPF_EXIT_INSN(),
9920 		},
9921 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9922 		.result = ACCEPT,
9923 	},
9924 	{
9925 		"calls: using uninit r0 from callee",
9926 		.insns = {
9927 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9928 			BPF_EXIT_INSN(),
9929 			BPF_EXIT_INSN(),
9930 		},
9931 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9932 		.errstr = "!read_ok",
9933 		.result = REJECT,
9934 	},
9935 	{
9936 		"calls: callee is using r1",
9937 		.insns = {
9938 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9939 			BPF_EXIT_INSN(),
9940 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9941 				    offsetof(struct __sk_buff, len)),
9942 			BPF_EXIT_INSN(),
9943 		},
9944 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
9945 		.result = ACCEPT,
9946 		.retval = TEST_DATA_LEN,
9947 	},
9948 	{
9949 		"calls: callee using args1",
9950 		.insns = {
9951 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9952 			BPF_EXIT_INSN(),
9953 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9954 			BPF_EXIT_INSN(),
9955 		},
9956 		.errstr_unpriv = "allowed for root only",
9957 		.result_unpriv = REJECT,
9958 		.result = ACCEPT,
9959 		.retval = POINTER_VALUE,
9960 	},
9961 	{
9962 		"calls: callee using wrong args2",
9963 		.insns = {
9964 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9965 			BPF_EXIT_INSN(),
9966 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9967 			BPF_EXIT_INSN(),
9968 		},
9969 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9970 		.errstr = "R2 !read_ok",
9971 		.result = REJECT,
9972 	},
9973 	{
9974 		"calls: callee using two args",
9975 		.insns = {
9976 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9977 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
9978 				    offsetof(struct __sk_buff, len)),
9979 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
9980 				    offsetof(struct __sk_buff, len)),
9981 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9982 			BPF_EXIT_INSN(),
9983 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9984 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
9985 			BPF_EXIT_INSN(),
9986 		},
9987 		.errstr_unpriv = "allowed for root only",
9988 		.result_unpriv = REJECT,
9989 		.result = ACCEPT,
9990 		.retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
9991 	},
9992 	{
9993 		"calls: callee changing pkt pointers",
9994 		.insns = {
9995 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
9996 				    offsetof(struct xdp_md, data)),
9997 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
9998 				    offsetof(struct xdp_md, data_end)),
9999 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
10000 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
10001 			BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
10002 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10003 			/* clear_all_pkt_pointers() has to walk all frames
10004 			 * to make sure that pkt pointers in the caller
10005 			 * are cleared when callee is calling a helper that
10006 			 * adjusts packet size
10007 			 */
10008 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10009 			BPF_MOV32_IMM(BPF_REG_0, 0),
10010 			BPF_EXIT_INSN(),
10011 			BPF_MOV64_IMM(BPF_REG_2, 0),
10012 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10013 				     BPF_FUNC_xdp_adjust_head),
10014 			BPF_EXIT_INSN(),
10015 		},
10016 		.result = REJECT,
10017 		.errstr = "R6 invalid mem access 'inv'",
10018 		.prog_type = BPF_PROG_TYPE_XDP,
10019 	},
10020 	{
10021 		"calls: two calls with args",
10022 		.insns = {
10023 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10024 			BPF_EXIT_INSN(),
10025 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10026 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10027 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10028 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10029 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10030 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10031 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10032 			BPF_EXIT_INSN(),
10033 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10034 				    offsetof(struct __sk_buff, len)),
10035 			BPF_EXIT_INSN(),
10036 		},
10037 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10038 		.result = ACCEPT,
10039 		.retval = TEST_DATA_LEN + TEST_DATA_LEN,
10040 	},
10041 	{
10042 		"calls: calls with stack arith",
10043 		.insns = {
10044 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10045 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10046 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10047 			BPF_EXIT_INSN(),
10048 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10049 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10050 			BPF_EXIT_INSN(),
10051 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10052 			BPF_MOV64_IMM(BPF_REG_0, 42),
10053 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10054 			BPF_EXIT_INSN(),
10055 		},
10056 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10057 		.result = ACCEPT,
10058 		.retval = 42,
10059 	},
10060 	{
10061 		"calls: calls with misaligned stack access",
10062 		.insns = {
10063 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10064 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10065 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10066 			BPF_EXIT_INSN(),
10067 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
10068 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10069 			BPF_EXIT_INSN(),
10070 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10071 			BPF_MOV64_IMM(BPF_REG_0, 42),
10072 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10073 			BPF_EXIT_INSN(),
10074 		},
10075 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10076 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
10077 		.errstr = "misaligned stack access",
10078 		.result = REJECT,
10079 	},
10080 	{
10081 		"calls: calls control flow, jump test",
10082 		.insns = {
10083 			BPF_MOV64_IMM(BPF_REG_0, 42),
10084 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10085 			BPF_MOV64_IMM(BPF_REG_0, 43),
10086 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10087 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10088 			BPF_EXIT_INSN(),
10089 		},
10090 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10091 		.result = ACCEPT,
10092 		.retval = 43,
10093 	},
10094 	{
10095 		"calls: calls control flow, jump test 2",
10096 		.insns = {
10097 			BPF_MOV64_IMM(BPF_REG_0, 42),
10098 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10099 			BPF_MOV64_IMM(BPF_REG_0, 43),
10100 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10101 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10102 			BPF_EXIT_INSN(),
10103 		},
10104 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10105 		.errstr = "jump out of range from insn 1 to 4",
10106 		.result = REJECT,
10107 	},
10108 	{
10109 		"calls: two calls with bad jump",
10110 		.insns = {
10111 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10112 			BPF_EXIT_INSN(),
10113 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10114 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10115 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10116 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10117 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10118 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10119 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10120 			BPF_EXIT_INSN(),
10121 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10122 				    offsetof(struct __sk_buff, len)),
10123 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
10124 			BPF_EXIT_INSN(),
10125 		},
10126 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10127 		.errstr = "jump out of range from insn 11 to 9",
10128 		.result = REJECT,
10129 	},
10130 	{
10131 		"calls: recursive call. test1",
10132 		.insns = {
10133 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10134 			BPF_EXIT_INSN(),
10135 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10136 			BPF_EXIT_INSN(),
10137 		},
10138 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10139 		.errstr = "back-edge",
10140 		.result = REJECT,
10141 	},
10142 	{
10143 		"calls: recursive call. test2",
10144 		.insns = {
10145 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10146 			BPF_EXIT_INSN(),
10147 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10148 			BPF_EXIT_INSN(),
10149 		},
10150 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10151 		.errstr = "back-edge",
10152 		.result = REJECT,
10153 	},
10154 	{
10155 		"calls: unreachable code",
10156 		.insns = {
10157 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10158 			BPF_EXIT_INSN(),
10159 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10160 			BPF_EXIT_INSN(),
10161 			BPF_MOV64_IMM(BPF_REG_0, 0),
10162 			BPF_EXIT_INSN(),
10163 			BPF_MOV64_IMM(BPF_REG_0, 0),
10164 			BPF_EXIT_INSN(),
10165 		},
10166 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10167 		.errstr = "unreachable insn 6",
10168 		.result = REJECT,
10169 	},
10170 	{
10171 		"calls: invalid call",
10172 		.insns = {
10173 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10174 			BPF_EXIT_INSN(),
10175 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
10176 			BPF_EXIT_INSN(),
10177 		},
10178 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10179 		.errstr = "invalid destination",
10180 		.result = REJECT,
10181 	},
10182 	{
10183 		"calls: invalid call 2",
10184 		.insns = {
10185 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10186 			BPF_EXIT_INSN(),
10187 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
10188 			BPF_EXIT_INSN(),
10189 		},
10190 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10191 		.errstr = "invalid destination",
10192 		.result = REJECT,
10193 	},
10194 	{
10195 		"calls: jumping across function bodies. test1",
10196 		.insns = {
10197 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10198 			BPF_MOV64_IMM(BPF_REG_0, 0),
10199 			BPF_EXIT_INSN(),
10200 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
10201 			BPF_EXIT_INSN(),
10202 		},
10203 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10204 		.errstr = "jump out of range",
10205 		.result = REJECT,
10206 	},
10207 	{
10208 		"calls: jumping across function bodies. test2",
10209 		.insns = {
10210 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
10211 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10212 			BPF_MOV64_IMM(BPF_REG_0, 0),
10213 			BPF_EXIT_INSN(),
10214 			BPF_EXIT_INSN(),
10215 		},
10216 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10217 		.errstr = "jump out of range",
10218 		.result = REJECT,
10219 	},
10220 	{
10221 		"calls: call without exit",
10222 		.insns = {
10223 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10224 			BPF_EXIT_INSN(),
10225 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10226 			BPF_EXIT_INSN(),
10227 			BPF_MOV64_IMM(BPF_REG_0, 0),
10228 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
10229 		},
10230 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10231 		.errstr = "not an exit",
10232 		.result = REJECT,
10233 	},
10234 	{
10235 		"calls: call into middle of ld_imm64",
10236 		.insns = {
10237 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10238 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10239 			BPF_MOV64_IMM(BPF_REG_0, 0),
10240 			BPF_EXIT_INSN(),
10241 			BPF_LD_IMM64(BPF_REG_0, 0),
10242 			BPF_EXIT_INSN(),
10243 		},
10244 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10245 		.errstr = "last insn",
10246 		.result = REJECT,
10247 	},
10248 	{
10249 		"calls: call into middle of other call",
10250 		.insns = {
10251 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10252 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10253 			BPF_MOV64_IMM(BPF_REG_0, 0),
10254 			BPF_EXIT_INSN(),
10255 			BPF_MOV64_IMM(BPF_REG_0, 0),
10256 			BPF_MOV64_IMM(BPF_REG_0, 0),
10257 			BPF_EXIT_INSN(),
10258 		},
10259 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10260 		.errstr = "last insn",
10261 		.result = REJECT,
10262 	},
10263 	{
10264 		"calls: ld_abs with changing ctx data in callee",
10265 		.insns = {
10266 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10267 			BPF_LD_ABS(BPF_B, 0),
10268 			BPF_LD_ABS(BPF_H, 0),
10269 			BPF_LD_ABS(BPF_W, 0),
10270 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
10271 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10272 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
10273 			BPF_LD_ABS(BPF_B, 0),
10274 			BPF_LD_ABS(BPF_H, 0),
10275 			BPF_LD_ABS(BPF_W, 0),
10276 			BPF_EXIT_INSN(),
10277 			BPF_MOV64_IMM(BPF_REG_2, 1),
10278 			BPF_MOV64_IMM(BPF_REG_3, 2),
10279 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10280 				     BPF_FUNC_skb_vlan_push),
10281 			BPF_EXIT_INSN(),
10282 		},
10283 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10284 		.errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
10285 		.result = REJECT,
10286 	},
10287 	{
10288 		"calls: two calls with bad fallthrough",
10289 		.insns = {
10290 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10291 			BPF_EXIT_INSN(),
10292 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10293 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10294 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10295 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10296 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10297 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10298 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10299 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
10300 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10301 				    offsetof(struct __sk_buff, len)),
10302 			BPF_EXIT_INSN(),
10303 		},
10304 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10305 		.errstr = "not an exit",
10306 		.result = REJECT,
10307 	},
10308 	{
10309 		"calls: two calls with stack read",
10310 		.insns = {
10311 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10312 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10313 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10314 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10315 			BPF_EXIT_INSN(),
10316 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10317 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10318 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10319 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10320 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10321 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10322 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10323 			BPF_EXIT_INSN(),
10324 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10325 			BPF_EXIT_INSN(),
10326 		},
10327 		.prog_type = BPF_PROG_TYPE_XDP,
10328 		.result = ACCEPT,
10329 	},
10330 	{
10331 		"calls: two calls with stack write",
10332 		.insns = {
10333 			/* main prog */
10334 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10335 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10336 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10337 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10338 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10339 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10340 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10341 			BPF_EXIT_INSN(),
10342 
10343 			/* subprog 1 */
10344 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10345 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10346 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
10347 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
10348 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10349 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10350 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
10351 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
10352 			/* write into stack frame of main prog */
10353 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10354 			BPF_EXIT_INSN(),
10355 
10356 			/* subprog 2 */
10357 			/* read from stack frame of main prog */
10358 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10359 			BPF_EXIT_INSN(),
10360 		},
10361 		.prog_type = BPF_PROG_TYPE_XDP,
10362 		.result = ACCEPT,
10363 	},
10364 	{
10365 		"calls: stack overflow using two frames (pre-call access)",
10366 		.insns = {
10367 			/* prog 1 */
10368 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10369 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
10370 			BPF_EXIT_INSN(),
10371 
10372 			/* prog 2 */
10373 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10374 			BPF_MOV64_IMM(BPF_REG_0, 0),
10375 			BPF_EXIT_INSN(),
10376 		},
10377 		.prog_type = BPF_PROG_TYPE_XDP,
10378 		.errstr = "combined stack size",
10379 		.result = REJECT,
10380 	},
10381 	{
10382 		"calls: stack overflow using two frames (post-call access)",
10383 		.insns = {
10384 			/* prog 1 */
10385 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
10386 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10387 			BPF_EXIT_INSN(),
10388 
10389 			/* prog 2 */
10390 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10391 			BPF_MOV64_IMM(BPF_REG_0, 0),
10392 			BPF_EXIT_INSN(),
10393 		},
10394 		.prog_type = BPF_PROG_TYPE_XDP,
10395 		.errstr = "combined stack size",
10396 		.result = REJECT,
10397 	},
10398 	{
10399 		"calls: stack depth check using three frames. test1",
10400 		.insns = {
10401 			/* main */
10402 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10403 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10404 			BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10405 			BPF_MOV64_IMM(BPF_REG_0, 0),
10406 			BPF_EXIT_INSN(),
10407 			/* A */
10408 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10409 			BPF_EXIT_INSN(),
10410 			/* B */
10411 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10412 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10413 			BPF_EXIT_INSN(),
10414 		},
10415 		.prog_type = BPF_PROG_TYPE_XDP,
10416 		/* stack_main=32, stack_A=256, stack_B=64
10417 		 * and max(main+A, main+A+B) < 512
10418 		 */
10419 		.result = ACCEPT,
10420 	},
10421 	{
10422 		"calls: stack depth check using three frames. test2",
10423 		.insns = {
10424 			/* main */
10425 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10426 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10427 			BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10428 			BPF_MOV64_IMM(BPF_REG_0, 0),
10429 			BPF_EXIT_INSN(),
10430 			/* A */
10431 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10432 			BPF_EXIT_INSN(),
10433 			/* B */
10434 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10435 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10436 			BPF_EXIT_INSN(),
10437 		},
10438 		.prog_type = BPF_PROG_TYPE_XDP,
10439 		/* stack_main=32, stack_A=64, stack_B=256
10440 		 * and max(main+A, main+A+B) < 512
10441 		 */
10442 		.result = ACCEPT,
10443 	},
10444 	{
10445 		"calls: stack depth check using three frames. test3",
10446 		.insns = {
10447 			/* main */
10448 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10449 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10450 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10451 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
10452 			BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
10453 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10454 			BPF_MOV64_IMM(BPF_REG_0, 0),
10455 			BPF_EXIT_INSN(),
10456 			/* A */
10457 			BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
10458 			BPF_EXIT_INSN(),
10459 			BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
10460 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10461 			/* B */
10462 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
10463 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
10464 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10465 			BPF_EXIT_INSN(),
10466 		},
10467 		.prog_type = BPF_PROG_TYPE_XDP,
10468 		/* stack_main=64, stack_A=224, stack_B=256
10469 		 * and max(main+A, main+A+B) > 512
10470 		 */
10471 		.errstr = "combined stack",
10472 		.result = REJECT,
10473 	},
10474 	{
10475 		"calls: stack depth check using three frames. test4",
10476 		/* void main(void) {
10477 		 *   func1(0);
10478 		 *   func1(1);
10479 		 *   func2(1);
10480 		 * }
10481 		 * void func1(int alloc_or_recurse) {
10482 		 *   if (alloc_or_recurse) {
10483 		 *     frame_pointer[-300] = 1;
10484 		 *   } else {
10485 		 *     func2(alloc_or_recurse);
10486 		 *   }
10487 		 * }
10488 		 * void func2(int alloc_or_recurse) {
10489 		 *   if (alloc_or_recurse) {
10490 		 *     frame_pointer[-300] = 1;
10491 		 *   }
10492 		 * }
10493 		 */
10494 		.insns = {
10495 			/* main */
10496 			BPF_MOV64_IMM(BPF_REG_1, 0),
10497 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10498 			BPF_MOV64_IMM(BPF_REG_1, 1),
10499 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10500 			BPF_MOV64_IMM(BPF_REG_1, 1),
10501 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
10502 			BPF_MOV64_IMM(BPF_REG_0, 0),
10503 			BPF_EXIT_INSN(),
10504 			/* A */
10505 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
10506 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10507 			BPF_EXIT_INSN(),
10508 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10509 			BPF_EXIT_INSN(),
10510 			/* B */
10511 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10512 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10513 			BPF_EXIT_INSN(),
10514 		},
10515 		.prog_type = BPF_PROG_TYPE_XDP,
10516 		.result = REJECT,
10517 		.errstr = "combined stack",
10518 	},
10519 	{
10520 		"calls: stack depth check using three frames. test5",
10521 		.insns = {
10522 			/* main */
10523 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
10524 			BPF_EXIT_INSN(),
10525 			/* A */
10526 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10527 			BPF_EXIT_INSN(),
10528 			/* B */
10529 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
10530 			BPF_EXIT_INSN(),
10531 			/* C */
10532 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
10533 			BPF_EXIT_INSN(),
10534 			/* D */
10535 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
10536 			BPF_EXIT_INSN(),
10537 			/* E */
10538 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
10539 			BPF_EXIT_INSN(),
10540 			/* F */
10541 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
10542 			BPF_EXIT_INSN(),
10543 			/* G */
10544 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
10545 			BPF_EXIT_INSN(),
10546 			/* H */
10547 			BPF_MOV64_IMM(BPF_REG_0, 0),
10548 			BPF_EXIT_INSN(),
10549 		},
10550 		.prog_type = BPF_PROG_TYPE_XDP,
10551 		.errstr = "call stack",
10552 		.result = REJECT,
10553 	},
10554 	{
10555 		"calls: spill into caller stack frame",
10556 		.insns = {
10557 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10558 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10559 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10560 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10561 			BPF_EXIT_INSN(),
10562 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
10563 			BPF_MOV64_IMM(BPF_REG_0, 0),
10564 			BPF_EXIT_INSN(),
10565 		},
10566 		.prog_type = BPF_PROG_TYPE_XDP,
10567 		.errstr = "cannot spill",
10568 		.result = REJECT,
10569 	},
10570 	{
10571 		"calls: write into caller stack frame",
10572 		.insns = {
10573 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10574 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10575 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10576 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10577 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10578 			BPF_EXIT_INSN(),
10579 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
10580 			BPF_MOV64_IMM(BPF_REG_0, 0),
10581 			BPF_EXIT_INSN(),
10582 		},
10583 		.prog_type = BPF_PROG_TYPE_XDP,
10584 		.result = ACCEPT,
10585 		.retval = 42,
10586 	},
10587 	{
10588 		"calls: write into callee stack frame",
10589 		.insns = {
10590 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10591 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
10592 			BPF_EXIT_INSN(),
10593 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10594 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
10595 			BPF_EXIT_INSN(),
10596 		},
10597 		.prog_type = BPF_PROG_TYPE_XDP,
10598 		.errstr = "cannot return stack pointer",
10599 		.result = REJECT,
10600 	},
10601 	{
10602 		"calls: two calls with stack write and void return",
10603 		.insns = {
10604 			/* main prog */
10605 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10606 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10607 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10608 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10609 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10610 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10611 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10612 			BPF_EXIT_INSN(),
10613 
10614 			/* subprog 1 */
10615 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10616 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10617 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10618 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10619 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10620 			BPF_EXIT_INSN(),
10621 
10622 			/* subprog 2 */
10623 			/* write into stack frame of main prog */
10624 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
10625 			BPF_EXIT_INSN(), /* void return */
10626 		},
10627 		.prog_type = BPF_PROG_TYPE_XDP,
10628 		.result = ACCEPT,
10629 	},
10630 	{
10631 		"calls: ambiguous return value",
10632 		.insns = {
10633 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10634 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10635 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10636 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10637 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10638 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10639 			BPF_EXIT_INSN(),
10640 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10641 			BPF_MOV64_IMM(BPF_REG_0, 0),
10642 			BPF_EXIT_INSN(),
10643 		},
10644 		.errstr_unpriv = "allowed for root only",
10645 		.result_unpriv = REJECT,
10646 		.errstr = "R0 !read_ok",
10647 		.result = REJECT,
10648 	},
10649 	{
10650 		"calls: two calls that return map_value",
10651 		.insns = {
10652 			/* main prog */
10653 			/* pass fp-16, fp-8 into a function */
10654 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10655 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10656 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10657 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10658 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10659 
10660 			/* fetch map_value_ptr from the stack of this function */
10661 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
10662 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10663 			/* write into map value */
10664 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10665 			/* fetch secound map_value_ptr from the stack */
10666 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10667 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10668 			/* write into map value */
10669 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10670 			BPF_MOV64_IMM(BPF_REG_0, 0),
10671 			BPF_EXIT_INSN(),
10672 
10673 			/* subprog 1 */
10674 			/* call 3rd function twice */
10675 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10676 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10677 			/* first time with fp-8 */
10678 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10679 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10680 			/* second time with fp-16 */
10681 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10682 			BPF_EXIT_INSN(),
10683 
10684 			/* subprog 2 */
10685 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10686 			/* lookup from map */
10687 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10688 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10689 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10690 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10691 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10692 				     BPF_FUNC_map_lookup_elem),
10693 			/* write map_value_ptr into stack frame of main prog */
10694 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10695 			BPF_MOV64_IMM(BPF_REG_0, 0),
10696 			BPF_EXIT_INSN(), /* return 0 */
10697 		},
10698 		.prog_type = BPF_PROG_TYPE_XDP,
10699 		.fixup_map1 = { 23 },
10700 		.result = ACCEPT,
10701 	},
10702 	{
10703 		"calls: two calls that return map_value with bool condition",
10704 		.insns = {
10705 			/* main prog */
10706 			/* pass fp-16, fp-8 into a function */
10707 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10708 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10709 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10710 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10711 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10712 			BPF_MOV64_IMM(BPF_REG_0, 0),
10713 			BPF_EXIT_INSN(),
10714 
10715 			/* subprog 1 */
10716 			/* call 3rd function twice */
10717 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10718 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10719 			/* first time with fp-8 */
10720 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10721 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10722 			/* fetch map_value_ptr from the stack of this function */
10723 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10724 			/* write into map value */
10725 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10726 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10727 			/* second time with fp-16 */
10728 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10729 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10730 			/* fetch secound map_value_ptr from the stack */
10731 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
10732 			/* write into map value */
10733 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10734 			BPF_EXIT_INSN(),
10735 
10736 			/* subprog 2 */
10737 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10738 			/* lookup from map */
10739 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10740 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10741 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10742 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10743 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10744 				     BPF_FUNC_map_lookup_elem),
10745 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10746 			BPF_MOV64_IMM(BPF_REG_0, 0),
10747 			BPF_EXIT_INSN(), /* return 0 */
10748 			/* write map_value_ptr into stack frame of main prog */
10749 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10750 			BPF_MOV64_IMM(BPF_REG_0, 1),
10751 			BPF_EXIT_INSN(), /* return 1 */
10752 		},
10753 		.prog_type = BPF_PROG_TYPE_XDP,
10754 		.fixup_map1 = { 23 },
10755 		.result = ACCEPT,
10756 	},
10757 	{
10758 		"calls: two calls that return map_value with incorrect bool check",
10759 		.insns = {
10760 			/* main prog */
10761 			/* pass fp-16, fp-8 into a function */
10762 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10763 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10764 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10765 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10766 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10767 			BPF_MOV64_IMM(BPF_REG_0, 0),
10768 			BPF_EXIT_INSN(),
10769 
10770 			/* subprog 1 */
10771 			/* call 3rd function twice */
10772 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10773 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10774 			/* first time with fp-8 */
10775 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10776 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10777 			/* fetch map_value_ptr from the stack of this function */
10778 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10779 			/* write into map value */
10780 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10781 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10782 			/* second time with fp-16 */
10783 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10784 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10785 			/* fetch secound map_value_ptr from the stack */
10786 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
10787 			/* write into map value */
10788 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10789 			BPF_EXIT_INSN(),
10790 
10791 			/* subprog 2 */
10792 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10793 			/* lookup from map */
10794 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10795 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10796 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10797 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10798 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10799 				     BPF_FUNC_map_lookup_elem),
10800 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10801 			BPF_MOV64_IMM(BPF_REG_0, 0),
10802 			BPF_EXIT_INSN(), /* return 0 */
10803 			/* write map_value_ptr into stack frame of main prog */
10804 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10805 			BPF_MOV64_IMM(BPF_REG_0, 1),
10806 			BPF_EXIT_INSN(), /* return 1 */
10807 		},
10808 		.prog_type = BPF_PROG_TYPE_XDP,
10809 		.fixup_map1 = { 23 },
10810 		.result = REJECT,
10811 		.errstr = "invalid read from stack off -16+0 size 8",
10812 	},
10813 	{
10814 		"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
10815 		.insns = {
10816 			/* main prog */
10817 			/* pass fp-16, fp-8 into a function */
10818 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10819 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10820 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10821 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10822 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10823 			BPF_MOV64_IMM(BPF_REG_0, 0),
10824 			BPF_EXIT_INSN(),
10825 
10826 			/* subprog 1 */
10827 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10828 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10829 			/* 1st lookup from map */
10830 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10831 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10832 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10833 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10834 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10835 				     BPF_FUNC_map_lookup_elem),
10836 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10837 			BPF_MOV64_IMM(BPF_REG_8, 0),
10838 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10839 			/* write map_value_ptr into stack frame of main prog at fp-8 */
10840 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10841 			BPF_MOV64_IMM(BPF_REG_8, 1),
10842 
10843 			/* 2nd lookup from map */
10844 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
10845 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10846 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10847 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
10848 				     BPF_FUNC_map_lookup_elem),
10849 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10850 			BPF_MOV64_IMM(BPF_REG_9, 0),
10851 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10852 			/* write map_value_ptr into stack frame of main prog at fp-16 */
10853 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10854 			BPF_MOV64_IMM(BPF_REG_9, 1),
10855 
10856 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10857 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
10858 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10859 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10860 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10861 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
10862 			BPF_EXIT_INSN(),
10863 
10864 			/* subprog 2 */
10865 			/* if arg2 == 1 do *arg1 = 0 */
10866 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10867 			/* fetch map_value_ptr from the stack of this function */
10868 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10869 			/* write into map value */
10870 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10871 
10872 			/* if arg4 == 1 do *arg3 = 0 */
10873 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10874 			/* fetch map_value_ptr from the stack of this function */
10875 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10876 			/* write into map value */
10877 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
10878 			BPF_EXIT_INSN(),
10879 		},
10880 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10881 		.fixup_map1 = { 12, 22 },
10882 		.result = REJECT,
10883 		.errstr = "invalid access to map value, value_size=8 off=2 size=8",
10884 	},
10885 	{
10886 		"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
10887 		.insns = {
10888 			/* main prog */
10889 			/* pass fp-16, fp-8 into a function */
10890 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10891 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10892 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10893 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10894 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10895 			BPF_MOV64_IMM(BPF_REG_0, 0),
10896 			BPF_EXIT_INSN(),
10897 
10898 			/* subprog 1 */
10899 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10900 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10901 			/* 1st lookup from map */
10902 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10903 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10904 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10905 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10906 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10907 				     BPF_FUNC_map_lookup_elem),
10908 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10909 			BPF_MOV64_IMM(BPF_REG_8, 0),
10910 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10911 			/* write map_value_ptr into stack frame of main prog at fp-8 */
10912 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10913 			BPF_MOV64_IMM(BPF_REG_8, 1),
10914 
10915 			/* 2nd lookup from map */
10916 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
10917 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10918 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10919 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
10920 				     BPF_FUNC_map_lookup_elem),
10921 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10922 			BPF_MOV64_IMM(BPF_REG_9, 0),
10923 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10924 			/* write map_value_ptr into stack frame of main prog at fp-16 */
10925 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10926 			BPF_MOV64_IMM(BPF_REG_9, 1),
10927 
10928 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10929 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
10930 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10931 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10932 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10933 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
10934 			BPF_EXIT_INSN(),
10935 
10936 			/* subprog 2 */
10937 			/* if arg2 == 1 do *arg1 = 0 */
10938 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10939 			/* fetch map_value_ptr from the stack of this function */
10940 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10941 			/* write into map value */
10942 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10943 
10944 			/* if arg4 == 1 do *arg3 = 0 */
10945 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10946 			/* fetch map_value_ptr from the stack of this function */
10947 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10948 			/* write into map value */
10949 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10950 			BPF_EXIT_INSN(),
10951 		},
10952 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10953 		.fixup_map1 = { 12, 22 },
10954 		.result = ACCEPT,
10955 	},
10956 	{
10957 		"calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
10958 		.insns = {
10959 			/* main prog */
10960 			/* pass fp-16, fp-8 into a function */
10961 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10962 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10963 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10964 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10965 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
10966 			BPF_MOV64_IMM(BPF_REG_0, 0),
10967 			BPF_EXIT_INSN(),
10968 
10969 			/* subprog 1 */
10970 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10971 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10972 			/* 1st lookup from map */
10973 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
10974 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10975 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
10976 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10977 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10978 				     BPF_FUNC_map_lookup_elem),
10979 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10980 			BPF_MOV64_IMM(BPF_REG_8, 0),
10981 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10982 			/* write map_value_ptr into stack frame of main prog at fp-8 */
10983 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10984 			BPF_MOV64_IMM(BPF_REG_8, 1),
10985 
10986 			/* 2nd lookup from map */
10987 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10988 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
10989 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10990 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10991 				     BPF_FUNC_map_lookup_elem),
10992 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10993 			BPF_MOV64_IMM(BPF_REG_9, 0),  // 26
10994 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10995 			/* write map_value_ptr into stack frame of main prog at fp-16 */
10996 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10997 			BPF_MOV64_IMM(BPF_REG_9, 1),
10998 
10999 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11000 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
11001 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11002 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11003 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11004 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
11005 			BPF_JMP_IMM(BPF_JA, 0, 0, -30),
11006 
11007 			/* subprog 2 */
11008 			/* if arg2 == 1 do *arg1 = 0 */
11009 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11010 			/* fetch map_value_ptr from the stack of this function */
11011 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11012 			/* write into map value */
11013 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11014 
11015 			/* if arg4 == 1 do *arg3 = 0 */
11016 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11017 			/* fetch map_value_ptr from the stack of this function */
11018 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11019 			/* write into map value */
11020 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11021 			BPF_JMP_IMM(BPF_JA, 0, 0, -8),
11022 		},
11023 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11024 		.fixup_map1 = { 12, 22 },
11025 		.result = REJECT,
11026 		.errstr = "invalid access to map value, value_size=8 off=2 size=8",
11027 	},
11028 	{
11029 		"calls: two calls that receive map_value_ptr_or_null via arg. test1",
11030 		.insns = {
11031 			/* main prog */
11032 			/* pass fp-16, fp-8 into a function */
11033 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11034 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11035 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11036 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11037 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11038 			BPF_MOV64_IMM(BPF_REG_0, 0),
11039 			BPF_EXIT_INSN(),
11040 
11041 			/* subprog 1 */
11042 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11043 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11044 			/* 1st lookup from map */
11045 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11046 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11047 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11048 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11049 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11050 				     BPF_FUNC_map_lookup_elem),
11051 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11052 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11053 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11054 			BPF_MOV64_IMM(BPF_REG_8, 0),
11055 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11056 			BPF_MOV64_IMM(BPF_REG_8, 1),
11057 
11058 			/* 2nd lookup from map */
11059 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11060 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11061 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11062 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11063 				     BPF_FUNC_map_lookup_elem),
11064 			/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11065 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11066 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11067 			BPF_MOV64_IMM(BPF_REG_9, 0),
11068 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11069 			BPF_MOV64_IMM(BPF_REG_9, 1),
11070 
11071 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11072 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11073 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11074 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11075 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11076 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11077 			BPF_EXIT_INSN(),
11078 
11079 			/* subprog 2 */
11080 			/* if arg2 == 1 do *arg1 = 0 */
11081 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11082 			/* fetch map_value_ptr from the stack of this function */
11083 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11084 			/* write into map value */
11085 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11086 
11087 			/* if arg4 == 1 do *arg3 = 0 */
11088 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11089 			/* fetch map_value_ptr from the stack of this function */
11090 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11091 			/* write into map value */
11092 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11093 			BPF_EXIT_INSN(),
11094 		},
11095 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11096 		.fixup_map1 = { 12, 22 },
11097 		.result = ACCEPT,
11098 	},
11099 	{
11100 		"calls: two calls that receive map_value_ptr_or_null via arg. test2",
11101 		.insns = {
11102 			/* main prog */
11103 			/* pass fp-16, fp-8 into a function */
11104 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11105 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11106 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11107 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11108 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11109 			BPF_MOV64_IMM(BPF_REG_0, 0),
11110 			BPF_EXIT_INSN(),
11111 
11112 			/* subprog 1 */
11113 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11114 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11115 			/* 1st lookup from map */
11116 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11117 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11118 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11119 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11120 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11121 				     BPF_FUNC_map_lookup_elem),
11122 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11123 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11124 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11125 			BPF_MOV64_IMM(BPF_REG_8, 0),
11126 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11127 			BPF_MOV64_IMM(BPF_REG_8, 1),
11128 
11129 			/* 2nd lookup from map */
11130 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11131 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11132 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11133 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11134 				     BPF_FUNC_map_lookup_elem),
11135 			/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11136 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11137 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11138 			BPF_MOV64_IMM(BPF_REG_9, 0),
11139 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11140 			BPF_MOV64_IMM(BPF_REG_9, 1),
11141 
11142 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11143 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11144 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11145 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11146 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11147 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11148 			BPF_EXIT_INSN(),
11149 
11150 			/* subprog 2 */
11151 			/* if arg2 == 1 do *arg1 = 0 */
11152 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11153 			/* fetch map_value_ptr from the stack of this function */
11154 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11155 			/* write into map value */
11156 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11157 
11158 			/* if arg4 == 0 do *arg3 = 0 */
11159 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
11160 			/* fetch map_value_ptr from the stack of this function */
11161 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11162 			/* write into map value */
11163 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11164 			BPF_EXIT_INSN(),
11165 		},
11166 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11167 		.fixup_map1 = { 12, 22 },
11168 		.result = REJECT,
11169 		.errstr = "R0 invalid mem access 'inv'",
11170 	},
11171 	{
11172 		"calls: pkt_ptr spill into caller stack",
11173 		.insns = {
11174 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11175 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11176 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11177 			BPF_EXIT_INSN(),
11178 
11179 			/* subprog 1 */
11180 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11181 				    offsetof(struct __sk_buff, data)),
11182 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11183 				    offsetof(struct __sk_buff, data_end)),
11184 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11185 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11186 			/* spill unchecked pkt_ptr into stack of caller */
11187 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11188 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11189 			/* now the pkt range is verified, read pkt_ptr from stack */
11190 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11191 			/* write 4 bytes into packet */
11192 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11193 			BPF_EXIT_INSN(),
11194 		},
11195 		.result = ACCEPT,
11196 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11197 		.retval = POINTER_VALUE,
11198 	},
11199 	{
11200 		"calls: pkt_ptr spill into caller stack 2",
11201 		.insns = {
11202 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11203 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11204 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11205 			/* Marking is still kept, but not in all cases safe. */
11206 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11207 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11208 			BPF_EXIT_INSN(),
11209 
11210 			/* subprog 1 */
11211 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11212 				    offsetof(struct __sk_buff, data)),
11213 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11214 				    offsetof(struct __sk_buff, data_end)),
11215 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11216 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11217 			/* spill unchecked pkt_ptr into stack of caller */
11218 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11219 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11220 			/* now the pkt range is verified, read pkt_ptr from stack */
11221 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11222 			/* write 4 bytes into packet */
11223 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11224 			BPF_EXIT_INSN(),
11225 		},
11226 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11227 		.errstr = "invalid access to packet",
11228 		.result = REJECT,
11229 	},
11230 	{
11231 		"calls: pkt_ptr spill into caller stack 3",
11232 		.insns = {
11233 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11234 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11235 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11236 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11237 			/* Marking is still kept and safe here. */
11238 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11239 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11240 			BPF_EXIT_INSN(),
11241 
11242 			/* subprog 1 */
11243 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11244 				    offsetof(struct __sk_buff, data)),
11245 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11246 				    offsetof(struct __sk_buff, data_end)),
11247 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11248 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11249 			/* spill unchecked pkt_ptr into stack of caller */
11250 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11251 			BPF_MOV64_IMM(BPF_REG_5, 0),
11252 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11253 			BPF_MOV64_IMM(BPF_REG_5, 1),
11254 			/* now the pkt range is verified, read pkt_ptr from stack */
11255 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11256 			/* write 4 bytes into packet */
11257 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11258 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11259 			BPF_EXIT_INSN(),
11260 		},
11261 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11262 		.result = ACCEPT,
11263 		.retval = 1,
11264 	},
11265 	{
11266 		"calls: pkt_ptr spill into caller stack 4",
11267 		.insns = {
11268 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11269 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11270 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11271 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11272 			/* Check marking propagated. */
11273 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11274 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11275 			BPF_EXIT_INSN(),
11276 
11277 			/* subprog 1 */
11278 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11279 				    offsetof(struct __sk_buff, data)),
11280 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11281 				    offsetof(struct __sk_buff, data_end)),
11282 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11283 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11284 			/* spill unchecked pkt_ptr into stack of caller */
11285 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11286 			BPF_MOV64_IMM(BPF_REG_5, 0),
11287 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11288 			BPF_MOV64_IMM(BPF_REG_5, 1),
11289 			/* don't read back pkt_ptr from stack here */
11290 			/* write 4 bytes into packet */
11291 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11292 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11293 			BPF_EXIT_INSN(),
11294 		},
11295 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11296 		.result = ACCEPT,
11297 		.retval = 1,
11298 	},
11299 	{
11300 		"calls: pkt_ptr spill into caller stack 5",
11301 		.insns = {
11302 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11303 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11304 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
11305 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11306 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11307 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11308 			BPF_EXIT_INSN(),
11309 
11310 			/* subprog 1 */
11311 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11312 				    offsetof(struct __sk_buff, data)),
11313 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11314 				    offsetof(struct __sk_buff, data_end)),
11315 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11316 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11317 			BPF_MOV64_IMM(BPF_REG_5, 0),
11318 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11319 			/* spill checked pkt_ptr into stack of caller */
11320 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11321 			BPF_MOV64_IMM(BPF_REG_5, 1),
11322 			/* don't read back pkt_ptr from stack here */
11323 			/* write 4 bytes into packet */
11324 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11325 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11326 			BPF_EXIT_INSN(),
11327 		},
11328 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11329 		.errstr = "same insn cannot be used with different",
11330 		.result = REJECT,
11331 	},
11332 	{
11333 		"calls: pkt_ptr spill into caller stack 6",
11334 		.insns = {
11335 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11336 				    offsetof(struct __sk_buff, data_end)),
11337 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11338 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11339 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11340 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11341 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11342 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11343 			BPF_EXIT_INSN(),
11344 
11345 			/* subprog 1 */
11346 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11347 				    offsetof(struct __sk_buff, data)),
11348 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11349 				    offsetof(struct __sk_buff, data_end)),
11350 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11351 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11352 			BPF_MOV64_IMM(BPF_REG_5, 0),
11353 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11354 			/* spill checked pkt_ptr into stack of caller */
11355 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11356 			BPF_MOV64_IMM(BPF_REG_5, 1),
11357 			/* don't read back pkt_ptr from stack here */
11358 			/* write 4 bytes into packet */
11359 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11360 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11361 			BPF_EXIT_INSN(),
11362 		},
11363 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11364 		.errstr = "R4 invalid mem access",
11365 		.result = REJECT,
11366 	},
11367 	{
11368 		"calls: pkt_ptr spill into caller stack 7",
11369 		.insns = {
11370 			BPF_MOV64_IMM(BPF_REG_2, 0),
11371 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11372 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11373 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11374 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11375 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11376 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11377 			BPF_EXIT_INSN(),
11378 
11379 			/* subprog 1 */
11380 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11381 				    offsetof(struct __sk_buff, data)),
11382 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11383 				    offsetof(struct __sk_buff, data_end)),
11384 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11385 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11386 			BPF_MOV64_IMM(BPF_REG_5, 0),
11387 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11388 			/* spill checked pkt_ptr into stack of caller */
11389 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11390 			BPF_MOV64_IMM(BPF_REG_5, 1),
11391 			/* don't read back pkt_ptr from stack here */
11392 			/* write 4 bytes into packet */
11393 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11394 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11395 			BPF_EXIT_INSN(),
11396 		},
11397 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11398 		.errstr = "R4 invalid mem access",
11399 		.result = REJECT,
11400 	},
11401 	{
11402 		"calls: pkt_ptr spill into caller stack 8",
11403 		.insns = {
11404 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11405 				    offsetof(struct __sk_buff, data)),
11406 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11407 				    offsetof(struct __sk_buff, data_end)),
11408 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11409 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11410 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11411 			BPF_EXIT_INSN(),
11412 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11413 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11414 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11415 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11416 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11417 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11418 			BPF_EXIT_INSN(),
11419 
11420 			/* subprog 1 */
11421 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11422 				    offsetof(struct __sk_buff, data)),
11423 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11424 				    offsetof(struct __sk_buff, data_end)),
11425 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11426 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11427 			BPF_MOV64_IMM(BPF_REG_5, 0),
11428 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11429 			/* spill checked pkt_ptr into stack of caller */
11430 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11431 			BPF_MOV64_IMM(BPF_REG_5, 1),
11432 			/* don't read back pkt_ptr from stack here */
11433 			/* write 4 bytes into packet */
11434 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11435 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11436 			BPF_EXIT_INSN(),
11437 		},
11438 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11439 		.result = ACCEPT,
11440 	},
11441 	{
11442 		"calls: pkt_ptr spill into caller stack 9",
11443 		.insns = {
11444 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11445 				    offsetof(struct __sk_buff, data)),
11446 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11447 				    offsetof(struct __sk_buff, data_end)),
11448 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11449 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11450 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11451 			BPF_EXIT_INSN(),
11452 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11453 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11454 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11455 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11456 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11457 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11458 			BPF_EXIT_INSN(),
11459 
11460 			/* subprog 1 */
11461 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11462 				    offsetof(struct __sk_buff, data)),
11463 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11464 				    offsetof(struct __sk_buff, data_end)),
11465 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11466 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11467 			BPF_MOV64_IMM(BPF_REG_5, 0),
11468 			/* spill unchecked pkt_ptr into stack of caller */
11469 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11470 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11471 			BPF_MOV64_IMM(BPF_REG_5, 1),
11472 			/* don't read back pkt_ptr from stack here */
11473 			/* write 4 bytes into packet */
11474 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11475 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11476 			BPF_EXIT_INSN(),
11477 		},
11478 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11479 		.errstr = "invalid access to packet",
11480 		.result = REJECT,
11481 	},
11482 	{
11483 		"calls: caller stack init to zero or map_value_or_null",
11484 		.insns = {
11485 			BPF_MOV64_IMM(BPF_REG_0, 0),
11486 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11487 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11488 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11489 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11490 			/* fetch map_value_or_null or const_zero from stack */
11491 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11492 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11493 			/* store into map_value */
11494 			BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
11495 			BPF_EXIT_INSN(),
11496 
11497 			/* subprog 1 */
11498 			/* if (ctx == 0) return; */
11499 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
11500 			/* else bpf_map_lookup() and *(fp - 8) = r0 */
11501 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
11502 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11503 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11504 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11505 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11506 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11507 				     BPF_FUNC_map_lookup_elem),
11508 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11509 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11510 			BPF_EXIT_INSN(),
11511 		},
11512 		.fixup_map1 = { 13 },
11513 		.result = ACCEPT,
11514 		.prog_type = BPF_PROG_TYPE_XDP,
11515 	},
11516 	{
11517 		"calls: stack init to zero and pruning",
11518 		.insns = {
11519 			/* first make allocated_stack 16 byte */
11520 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
11521 			/* now fork the execution such that the false branch
11522 			 * of JGT insn will be verified second and it skisp zero
11523 			 * init of fp-8 stack slot. If stack liveness marking
11524 			 * is missing live_read marks from call map_lookup
11525 			 * processing then pruning will incorrectly assume
11526 			 * that fp-8 stack slot was unused in the fall-through
11527 			 * branch and will accept the program incorrectly
11528 			 */
11529 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
11530 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11531 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
11532 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11533 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11534 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11535 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11536 				     BPF_FUNC_map_lookup_elem),
11537 			BPF_EXIT_INSN(),
11538 		},
11539 		.fixup_map2 = { 6 },
11540 		.errstr = "invalid indirect read from stack off -8+0 size 8",
11541 		.result = REJECT,
11542 		.prog_type = BPF_PROG_TYPE_XDP,
11543 	},
11544 	{
11545 		"search pruning: all branches should be verified (nop operation)",
11546 		.insns = {
11547 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11548 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11549 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11550 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11551 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11552 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
11553 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11554 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11555 			BPF_MOV64_IMM(BPF_REG_4, 0),
11556 			BPF_JMP_A(1),
11557 			BPF_MOV64_IMM(BPF_REG_4, 1),
11558 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11559 			BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11560 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11561 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
11562 			BPF_MOV64_IMM(BPF_REG_6, 0),
11563 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
11564 			BPF_EXIT_INSN(),
11565 		},
11566 		.fixup_map1 = { 3 },
11567 		.errstr = "R6 invalid mem access 'inv'",
11568 		.result = REJECT,
11569 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11570 	},
11571 	{
11572 		"search pruning: all branches should be verified (invalid stack access)",
11573 		.insns = {
11574 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11575 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11576 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11577 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11578 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11579 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
11580 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11581 			BPF_MOV64_IMM(BPF_REG_4, 0),
11582 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11583 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11584 			BPF_JMP_A(1),
11585 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
11586 			BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11587 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11588 			BPF_EXIT_INSN(),
11589 		},
11590 		.fixup_map1 = { 3 },
11591 		.errstr = "invalid read from stack off -16+0 size 8",
11592 		.result = REJECT,
11593 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11594 	},
11595 	{
11596 		"jit: lsh, rsh, arsh by 1",
11597 		.insns = {
11598 			BPF_MOV64_IMM(BPF_REG_0, 1),
11599 			BPF_MOV64_IMM(BPF_REG_1, 0xff),
11600 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
11601 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
11602 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
11603 			BPF_EXIT_INSN(),
11604 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
11605 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
11606 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
11607 			BPF_EXIT_INSN(),
11608 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
11609 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
11610 			BPF_EXIT_INSN(),
11611 			BPF_MOV64_IMM(BPF_REG_0, 2),
11612 			BPF_EXIT_INSN(),
11613 		},
11614 		.result = ACCEPT,
11615 		.retval = 2,
11616 	},
11617 	{
11618 		"jit: mov32 for ldimm64, 1",
11619 		.insns = {
11620 			BPF_MOV64_IMM(BPF_REG_0, 2),
11621 			BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
11622 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
11623 			BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
11624 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
11625 			BPF_MOV64_IMM(BPF_REG_0, 1),
11626 			BPF_EXIT_INSN(),
11627 		},
11628 		.result = ACCEPT,
11629 		.retval = 2,
11630 	},
11631 	{
11632 		"jit: mov32 for ldimm64, 2",
11633 		.insns = {
11634 			BPF_MOV64_IMM(BPF_REG_0, 1),
11635 			BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
11636 			BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
11637 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
11638 			BPF_MOV64_IMM(BPF_REG_0, 2),
11639 			BPF_EXIT_INSN(),
11640 		},
11641 		.result = ACCEPT,
11642 		.retval = 2,
11643 	},
11644 	{
11645 		"jit: various mul tests",
11646 		.insns = {
11647 			BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
11648 			BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
11649 			BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
11650 			BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
11651 			BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
11652 			BPF_MOV64_IMM(BPF_REG_0, 1),
11653 			BPF_EXIT_INSN(),
11654 			BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
11655 			BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
11656 			BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
11657 			BPF_MOV64_IMM(BPF_REG_0, 1),
11658 			BPF_EXIT_INSN(),
11659 			BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
11660 			BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
11661 			BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
11662 			BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
11663 			BPF_MOV64_IMM(BPF_REG_0, 1),
11664 			BPF_EXIT_INSN(),
11665 			BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
11666 			BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
11667 			BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
11668 			BPF_MOV64_IMM(BPF_REG_0, 1),
11669 			BPF_EXIT_INSN(),
11670 			BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
11671 			BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
11672 			BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
11673 			BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
11674 			BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
11675 			BPF_MOV64_IMM(BPF_REG_0, 1),
11676 			BPF_EXIT_INSN(),
11677 			BPF_MOV64_IMM(BPF_REG_0, 2),
11678 			BPF_EXIT_INSN(),
11679 		},
11680 		.result = ACCEPT,
11681 		.retval = 2,
11682 	},
11683 	{
11684 		"xadd/w check unaligned stack",
11685 		.insns = {
11686 			BPF_MOV64_IMM(BPF_REG_0, 1),
11687 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11688 			BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
11689 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11690 			BPF_EXIT_INSN(),
11691 		},
11692 		.result = REJECT,
11693 		.errstr = "misaligned stack access off",
11694 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11695 	},
11696 	{
11697 		"xadd/w check unaligned map",
11698 		.insns = {
11699 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11700 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11701 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11702 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11703 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11704 				     BPF_FUNC_map_lookup_elem),
11705 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
11706 			BPF_EXIT_INSN(),
11707 			BPF_MOV64_IMM(BPF_REG_1, 1),
11708 			BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
11709 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
11710 			BPF_EXIT_INSN(),
11711 		},
11712 		.fixup_map1 = { 3 },
11713 		.result = REJECT,
11714 		.errstr = "misaligned value access off",
11715 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11716 	},
11717 	{
11718 		"xadd/w check unaligned pkt",
11719 		.insns = {
11720 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11721 				    offsetof(struct xdp_md, data)),
11722 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11723 				    offsetof(struct xdp_md, data_end)),
11724 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11725 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11726 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
11727 			BPF_MOV64_IMM(BPF_REG_0, 99),
11728 			BPF_JMP_IMM(BPF_JA, 0, 0, 6),
11729 			BPF_MOV64_IMM(BPF_REG_0, 1),
11730 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11731 			BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
11732 			BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
11733 			BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
11734 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
11735 			BPF_EXIT_INSN(),
11736 		},
11737 		.result = REJECT,
11738 		.errstr = "BPF_XADD stores into R2 packet",
11739 		.prog_type = BPF_PROG_TYPE_XDP,
11740 	},
11741 	{
11742 		"bpf_get_stack return R0 within range",
11743 		.insns = {
11744 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11745 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11746 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11747 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11748 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11749 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11750 				     BPF_FUNC_map_lookup_elem),
11751 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
11752 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11753 			BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
11754 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11755 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
11756 			BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
11757 			BPF_MOV64_IMM(BPF_REG_4, 256),
11758 			BPF_EMIT_CALL(BPF_FUNC_get_stack),
11759 			BPF_MOV64_IMM(BPF_REG_1, 0),
11760 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
11761 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
11762 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
11763 			BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
11764 			BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
11765 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
11766 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
11767 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
11768 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
11769 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
11770 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
11771 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
11772 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11773 			BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
11774 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
11775 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
11776 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11777 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
11778 			BPF_MOV64_IMM(BPF_REG_4, 0),
11779 			BPF_EMIT_CALL(BPF_FUNC_get_stack),
11780 			BPF_EXIT_INSN(),
11781 		},
11782 		.fixup_map2 = { 4 },
11783 		.result = ACCEPT,
11784 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11785 	},
11786 	{
11787 		"ld_abs: invalid op 1",
11788 		.insns = {
11789 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11790 			BPF_LD_ABS(BPF_DW, 0),
11791 			BPF_EXIT_INSN(),
11792 		},
11793 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11794 		.result = REJECT,
11795 		.errstr = "unknown opcode",
11796 	},
11797 	{
11798 		"ld_abs: invalid op 2",
11799 		.insns = {
11800 			BPF_MOV32_IMM(BPF_REG_0, 256),
11801 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11802 			BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
11803 			BPF_EXIT_INSN(),
11804 		},
11805 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11806 		.result = REJECT,
11807 		.errstr = "unknown opcode",
11808 	},
11809 	{
11810 		"ld_abs: nmap reduced",
11811 		.insns = {
11812 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11813 			BPF_LD_ABS(BPF_H, 12),
11814 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
11815 			BPF_LD_ABS(BPF_H, 12),
11816 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
11817 			BPF_MOV32_IMM(BPF_REG_0, 18),
11818 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
11819 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
11820 			BPF_LD_IND(BPF_W, BPF_REG_7, 14),
11821 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
11822 			BPF_MOV32_IMM(BPF_REG_0, 280971478),
11823 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
11824 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
11825 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
11826 			BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
11827 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
11828 			BPF_LD_ABS(BPF_H, 12),
11829 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
11830 			BPF_MOV32_IMM(BPF_REG_0, 22),
11831 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
11832 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
11833 			BPF_LD_IND(BPF_H, BPF_REG_7, 14),
11834 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
11835 			BPF_MOV32_IMM(BPF_REG_0, 17366),
11836 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
11837 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
11838 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
11839 			BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
11840 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11841 			BPF_MOV32_IMM(BPF_REG_0, 256),
11842 			BPF_EXIT_INSN(),
11843 			BPF_MOV32_IMM(BPF_REG_0, 0),
11844 			BPF_EXIT_INSN(),
11845 		},
11846 		.data = {
11847 			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
11848 			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
11849 			0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
11850 		},
11851 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11852 		.result = ACCEPT,
11853 		.retval = 256,
11854 	},
11855 	{
11856 		"ld_abs: div + abs, test 1",
11857 		.insns = {
11858 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
11859 			BPF_LD_ABS(BPF_B, 3),
11860 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
11861 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
11862 			BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
11863 			BPF_LD_ABS(BPF_B, 4),
11864 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
11865 			BPF_LD_IND(BPF_B, BPF_REG_8, -70),
11866 			BPF_EXIT_INSN(),
11867 		},
11868 		.data = {
11869 			10, 20, 30, 40, 50,
11870 		},
11871 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11872 		.result = ACCEPT,
11873 		.retval = 10,
11874 	},
11875 	{
11876 		"ld_abs: div + abs, test 2",
11877 		.insns = {
11878 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
11879 			BPF_LD_ABS(BPF_B, 3),
11880 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
11881 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
11882 			BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
11883 			BPF_LD_ABS(BPF_B, 128),
11884 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
11885 			BPF_LD_IND(BPF_B, BPF_REG_8, -70),
11886 			BPF_EXIT_INSN(),
11887 		},
11888 		.data = {
11889 			10, 20, 30, 40, 50,
11890 		},
11891 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11892 		.result = ACCEPT,
11893 		.retval = 0,
11894 	},
11895 	{
11896 		"ld_abs: div + abs, test 3",
11897 		.insns = {
11898 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
11899 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
11900 			BPF_LD_ABS(BPF_B, 3),
11901 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
11902 			BPF_EXIT_INSN(),
11903 		},
11904 		.data = {
11905 			10, 20, 30, 40, 50,
11906 		},
11907 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11908 		.result = ACCEPT,
11909 		.retval = 0,
11910 	},
11911 	{
11912 		"ld_abs: div + abs, test 4",
11913 		.insns = {
11914 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
11915 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
11916 			BPF_LD_ABS(BPF_B, 256),
11917 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
11918 			BPF_EXIT_INSN(),
11919 		},
11920 		.data = {
11921 			10, 20, 30, 40, 50,
11922 		},
11923 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11924 		.result = ACCEPT,
11925 		.retval = 0,
11926 	},
11927 	{
11928 		"ld_abs: vlan + abs, test 1",
11929 		.insns = { },
11930 		.data = {
11931 			0x34,
11932 		},
11933 		.fill_helper = bpf_fill_ld_abs_vlan_push_pop,
11934 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11935 		.result = ACCEPT,
11936 		.retval = 0xbef,
11937 	},
11938 	{
11939 		"ld_abs: vlan + abs, test 2",
11940 		.insns = {
11941 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11942 			BPF_LD_ABS(BPF_B, 0),
11943 			BPF_LD_ABS(BPF_H, 0),
11944 			BPF_LD_ABS(BPF_W, 0),
11945 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
11946 			BPF_MOV64_IMM(BPF_REG_6, 0),
11947 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11948 			BPF_MOV64_IMM(BPF_REG_2, 1),
11949 			BPF_MOV64_IMM(BPF_REG_3, 2),
11950 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11951 				     BPF_FUNC_skb_vlan_push),
11952 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
11953 			BPF_LD_ABS(BPF_B, 0),
11954 			BPF_LD_ABS(BPF_H, 0),
11955 			BPF_LD_ABS(BPF_W, 0),
11956 			BPF_MOV64_IMM(BPF_REG_0, 42),
11957 			BPF_EXIT_INSN(),
11958 		},
11959 		.data = {
11960 			0x34,
11961 		},
11962 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11963 		.result = ACCEPT,
11964 		.retval = 42,
11965 	},
11966 	{
11967 		"ld_abs: jump around ld_abs",
11968 		.insns = { },
11969 		.data = {
11970 			10, 11,
11971 		},
11972 		.fill_helper = bpf_fill_jump_around_ld_abs,
11973 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11974 		.result = ACCEPT,
11975 		.retval = 10,
11976 	},
11977 };
11978 
11979 static int probe_filter_length(const struct bpf_insn *fp)
11980 {
11981 	int len;
11982 
11983 	for (len = MAX_INSNS - 1; len > 0; --len)
11984 		if (fp[len].code != 0 || fp[len].imm != 0)
11985 			break;
11986 	return len + 1;
11987 }
11988 
11989 static int create_map(uint32_t size_value, uint32_t max_elem)
11990 {
11991 	int fd;
11992 
11993 	fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
11994 			    size_value, max_elem, BPF_F_NO_PREALLOC);
11995 	if (fd < 0)
11996 		printf("Failed to create hash map '%s'!\n", strerror(errno));
11997 
11998 	return fd;
11999 }
12000 
12001 static int create_prog_dummy1(void)
12002 {
12003 	struct bpf_insn prog[] = {
12004 		BPF_MOV64_IMM(BPF_REG_0, 42),
12005 		BPF_EXIT_INSN(),
12006 	};
12007 
12008 	return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12009 				ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12010 }
12011 
12012 static int create_prog_dummy2(int mfd, int idx)
12013 {
12014 	struct bpf_insn prog[] = {
12015 		BPF_MOV64_IMM(BPF_REG_3, idx),
12016 		BPF_LD_MAP_FD(BPF_REG_2, mfd),
12017 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12018 			     BPF_FUNC_tail_call),
12019 		BPF_MOV64_IMM(BPF_REG_0, 41),
12020 		BPF_EXIT_INSN(),
12021 	};
12022 
12023 	return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12024 				ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12025 }
12026 
12027 static int create_prog_array(void)
12028 {
12029 	int p1key = 0, p2key = 1;
12030 	int mfd, p1fd, p2fd;
12031 
12032 	mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
12033 			     sizeof(int), 4, 0);
12034 	if (mfd < 0) {
12035 		printf("Failed to create prog array '%s'!\n", strerror(errno));
12036 		return -1;
12037 	}
12038 
12039 	p1fd = create_prog_dummy1();
12040 	p2fd = create_prog_dummy2(mfd, p2key);
12041 	if (p1fd < 0 || p2fd < 0)
12042 		goto out;
12043 	if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
12044 		goto out;
12045 	if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
12046 		goto out;
12047 	close(p2fd);
12048 	close(p1fd);
12049 
12050 	return mfd;
12051 out:
12052 	close(p2fd);
12053 	close(p1fd);
12054 	close(mfd);
12055 	return -1;
12056 }
12057 
12058 static int create_map_in_map(void)
12059 {
12060 	int inner_map_fd, outer_map_fd;
12061 
12062 	inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12063 				      sizeof(int), 1, 0);
12064 	if (inner_map_fd < 0) {
12065 		printf("Failed to create array '%s'!\n", strerror(errno));
12066 		return inner_map_fd;
12067 	}
12068 
12069 	outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
12070 					     sizeof(int), inner_map_fd, 1, 0);
12071 	if (outer_map_fd < 0)
12072 		printf("Failed to create array of maps '%s'!\n",
12073 		       strerror(errno));
12074 
12075 	close(inner_map_fd);
12076 
12077 	return outer_map_fd;
12078 }
12079 
12080 static char bpf_vlog[UINT_MAX >> 8];
12081 
12082 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
12083 			  int *map_fds)
12084 {
12085 	int *fixup_map1 = test->fixup_map1;
12086 	int *fixup_map2 = test->fixup_map2;
12087 	int *fixup_map3 = test->fixup_map3;
12088 	int *fixup_prog = test->fixup_prog;
12089 	int *fixup_map_in_map = test->fixup_map_in_map;
12090 
12091 	if (test->fill_helper)
12092 		test->fill_helper(test);
12093 
12094 	/* Allocating HTs with 1 elem is fine here, since we only test
12095 	 * for verifier and not do a runtime lookup, so the only thing
12096 	 * that really matters is value size in this case.
12097 	 */
12098 	if (*fixup_map1) {
12099 		map_fds[0] = create_map(sizeof(long long), 1);
12100 		do {
12101 			prog[*fixup_map1].imm = map_fds[0];
12102 			fixup_map1++;
12103 		} while (*fixup_map1);
12104 	}
12105 
12106 	if (*fixup_map2) {
12107 		map_fds[1] = create_map(sizeof(struct test_val), 1);
12108 		do {
12109 			prog[*fixup_map2].imm = map_fds[1];
12110 			fixup_map2++;
12111 		} while (*fixup_map2);
12112 	}
12113 
12114 	if (*fixup_map3) {
12115 		map_fds[1] = create_map(sizeof(struct other_val), 1);
12116 		do {
12117 			prog[*fixup_map3].imm = map_fds[1];
12118 			fixup_map3++;
12119 		} while (*fixup_map3);
12120 	}
12121 
12122 	if (*fixup_prog) {
12123 		map_fds[2] = create_prog_array();
12124 		do {
12125 			prog[*fixup_prog].imm = map_fds[2];
12126 			fixup_prog++;
12127 		} while (*fixup_prog);
12128 	}
12129 
12130 	if (*fixup_map_in_map) {
12131 		map_fds[3] = create_map_in_map();
12132 		do {
12133 			prog[*fixup_map_in_map].imm = map_fds[3];
12134 			fixup_map_in_map++;
12135 		} while (*fixup_map_in_map);
12136 	}
12137 }
12138 
12139 static void do_test_single(struct bpf_test *test, bool unpriv,
12140 			   int *passes, int *errors)
12141 {
12142 	int fd_prog, expected_ret, reject_from_alignment;
12143 	int prog_len, prog_type = test->prog_type;
12144 	struct bpf_insn *prog = test->insns;
12145 	int map_fds[MAX_NR_MAPS];
12146 	const char *expected_err;
12147 	uint32_t retval;
12148 	int i, err;
12149 
12150 	for (i = 0; i < MAX_NR_MAPS; i++)
12151 		map_fds[i] = -1;
12152 
12153 	do_test_fixup(test, prog, map_fds);
12154 	prog_len = probe_filter_length(prog);
12155 
12156 	fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
12157 				     prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
12158 				     "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
12159 
12160 	expected_ret = unpriv && test->result_unpriv != UNDEF ?
12161 		       test->result_unpriv : test->result;
12162 	expected_err = unpriv && test->errstr_unpriv ?
12163 		       test->errstr_unpriv : test->errstr;
12164 
12165 	reject_from_alignment = fd_prog < 0 &&
12166 				(test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
12167 				strstr(bpf_vlog, "Unknown alignment.");
12168 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
12169 	if (reject_from_alignment) {
12170 		printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
12171 		       strerror(errno));
12172 		goto fail_log;
12173 	}
12174 #endif
12175 	if (expected_ret == ACCEPT) {
12176 		if (fd_prog < 0 && !reject_from_alignment) {
12177 			printf("FAIL\nFailed to load prog '%s'!\n",
12178 			       strerror(errno));
12179 			goto fail_log;
12180 		}
12181 	} else {
12182 		if (fd_prog >= 0) {
12183 			printf("FAIL\nUnexpected success to load!\n");
12184 			goto fail_log;
12185 		}
12186 		if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
12187 			printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
12188 			      expected_err, bpf_vlog);
12189 			goto fail_log;
12190 		}
12191 	}
12192 
12193 	if (fd_prog >= 0) {
12194 		err = bpf_prog_test_run(fd_prog, 1, test->data,
12195 					sizeof(test->data), NULL, NULL,
12196 					&retval, NULL);
12197 		if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
12198 			printf("Unexpected bpf_prog_test_run error\n");
12199 			goto fail_log;
12200 		}
12201 		if (!err && retval != test->retval &&
12202 		    test->retval != POINTER_VALUE) {
12203 			printf("FAIL retval %d != %d\n", retval, test->retval);
12204 			goto fail_log;
12205 		}
12206 	}
12207 	(*passes)++;
12208 	printf("OK%s\n", reject_from_alignment ?
12209 	       " (NOTE: reject due to unknown alignment)" : "");
12210 close_fds:
12211 	close(fd_prog);
12212 	for (i = 0; i < MAX_NR_MAPS; i++)
12213 		close(map_fds[i]);
12214 	sched_yield();
12215 	return;
12216 fail_log:
12217 	(*errors)++;
12218 	printf("%s", bpf_vlog);
12219 	goto close_fds;
12220 }
12221 
12222 static bool is_admin(void)
12223 {
12224 	cap_t caps;
12225 	cap_flag_value_t sysadmin = CAP_CLEAR;
12226 	const cap_value_t cap_val = CAP_SYS_ADMIN;
12227 
12228 #ifdef CAP_IS_SUPPORTED
12229 	if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
12230 		perror("cap_get_flag");
12231 		return false;
12232 	}
12233 #endif
12234 	caps = cap_get_proc();
12235 	if (!caps) {
12236 		perror("cap_get_proc");
12237 		return false;
12238 	}
12239 	if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
12240 		perror("cap_get_flag");
12241 	if (cap_free(caps))
12242 		perror("cap_free");
12243 	return (sysadmin == CAP_SET);
12244 }
12245 
12246 static int set_admin(bool admin)
12247 {
12248 	cap_t caps;
12249 	const cap_value_t cap_val = CAP_SYS_ADMIN;
12250 	int ret = -1;
12251 
12252 	caps = cap_get_proc();
12253 	if (!caps) {
12254 		perror("cap_get_proc");
12255 		return -1;
12256 	}
12257 	if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
12258 				admin ? CAP_SET : CAP_CLEAR)) {
12259 		perror("cap_set_flag");
12260 		goto out;
12261 	}
12262 	if (cap_set_proc(caps)) {
12263 		perror("cap_set_proc");
12264 		goto out;
12265 	}
12266 	ret = 0;
12267 out:
12268 	if (cap_free(caps))
12269 		perror("cap_free");
12270 	return ret;
12271 }
12272 
12273 static void get_unpriv_disabled()
12274 {
12275 	char buf[2];
12276 	FILE *fd;
12277 
12278 	fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
12279 	if (fgets(buf, 2, fd) == buf && atoi(buf))
12280 		unpriv_disabled = true;
12281 	fclose(fd);
12282 }
12283 
12284 static int do_test(bool unpriv, unsigned int from, unsigned int to)
12285 {
12286 	int i, passes = 0, errors = 0, skips = 0;
12287 
12288 	for (i = from; i < to; i++) {
12289 		struct bpf_test *test = &tests[i];
12290 
12291 		/* Program types that are not supported by non-root we
12292 		 * skip right away.
12293 		 */
12294 		if (!test->prog_type && unpriv_disabled) {
12295 			printf("#%d/u %s SKIP\n", i, test->descr);
12296 			skips++;
12297 		} else if (!test->prog_type) {
12298 			if (!unpriv)
12299 				set_admin(false);
12300 			printf("#%d/u %s ", i, test->descr);
12301 			do_test_single(test, true, &passes, &errors);
12302 			if (!unpriv)
12303 				set_admin(true);
12304 		}
12305 
12306 		if (unpriv) {
12307 			printf("#%d/p %s SKIP\n", i, test->descr);
12308 			skips++;
12309 		} else {
12310 			printf("#%d/p %s ", i, test->descr);
12311 			do_test_single(test, false, &passes, &errors);
12312 		}
12313 	}
12314 
12315 	printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
12316 	       skips, errors);
12317 	return errors ? EXIT_FAILURE : EXIT_SUCCESS;
12318 }
12319 
12320 int main(int argc, char **argv)
12321 {
12322 	unsigned int from = 0, to = ARRAY_SIZE(tests);
12323 	bool unpriv = !is_admin();
12324 
12325 	if (argc == 3) {
12326 		unsigned int l = atoi(argv[argc - 2]);
12327 		unsigned int u = atoi(argv[argc - 1]);
12328 
12329 		if (l < to && u < to) {
12330 			from = l;
12331 			to   = u + 1;
12332 		}
12333 	} else if (argc == 2) {
12334 		unsigned int t = atoi(argv[argc - 1]);
12335 
12336 		if (t < to) {
12337 			from = t;
12338 			to   = t + 1;
12339 		}
12340 	}
12341 
12342 	get_unpriv_disabled();
12343 	if (unpriv && unpriv_disabled) {
12344 		printf("Cannot run as unprivileged user with sysctl %s.\n",
12345 		       UNPRIV_SYSCTL);
12346 		return EXIT_FAILURE;
12347 	}
12348 
12349 	return do_test(unpriv, from, to);
12350 }
12351