xref: /linux/tools/testing/selftests/bpf/test_verifier.c (revision fe8ecccc10b3adc071de05ca7af728ca1a4ac9aa) 
1 /*
2  * Testsuite for eBPF verifier
3  *
4  * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5  * Copyright (c) 2017 Facebook
6  * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
7  *
8  * This program is free software; you can redistribute it and/or
9  * modify it under the terms of version 2 of the GNU General Public
10  * License as published by the Free Software Foundation.
11  */
12 
13 #include <endian.h>
14 #include <asm/types.h>
15 #include <linux/types.h>
16 #include <stdint.h>
17 #include <stdio.h>
18 #include <stdlib.h>
19 #include <unistd.h>
20 #include <errno.h>
21 #include <string.h>
22 #include <stddef.h>
23 #include <stdbool.h>
24 #include <sched.h>
25 #include <limits.h>
26 
27 #include <sys/capability.h>
28 
29 #include <linux/unistd.h>
30 #include <linux/filter.h>
31 #include <linux/bpf_perf_event.h>
32 #include <linux/bpf.h>
33 #include <linux/if_ether.h>
34 
35 #include <bpf/bpf.h>
36 
37 #ifdef HAVE_GENHDR
38 # include "autoconf.h"
39 #else
40 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
41 #  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
42 # endif
43 #endif
44 #include "bpf_rlimit.h"
45 #include "bpf_rand.h"
46 #include "bpf_util.h"
47 #include "../../../include/linux/filter.h"
48 
49 #define MAX_INSNS	BPF_MAXINSNS
50 #define MAX_FIXUPS	8
51 #define MAX_NR_MAPS	13
52 #define POINTER_VALUE	0xcafe4all
53 #define TEST_DATA_LEN	64
54 
55 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS	(1 << 0)
56 #define F_LOAD_WITH_STRICT_ALIGNMENT		(1 << 1)
57 
58 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
59 static bool unpriv_disabled = false;
60 
61 struct bpf_test {
62 	const char *descr;
63 	struct bpf_insn	insns[MAX_INSNS];
64 	int fixup_map_hash_8b[MAX_FIXUPS];
65 	int fixup_map_hash_48b[MAX_FIXUPS];
66 	int fixup_map_hash_16b[MAX_FIXUPS];
67 	int fixup_map_array_48b[MAX_FIXUPS];
68 	int fixup_map_sockmap[MAX_FIXUPS];
69 	int fixup_map_sockhash[MAX_FIXUPS];
70 	int fixup_map_xskmap[MAX_FIXUPS];
71 	int fixup_map_stacktrace[MAX_FIXUPS];
72 	int fixup_prog1[MAX_FIXUPS];
73 	int fixup_prog2[MAX_FIXUPS];
74 	int fixup_map_in_map[MAX_FIXUPS];
75 	int fixup_cgroup_storage[MAX_FIXUPS];
76 	int fixup_percpu_cgroup_storage[MAX_FIXUPS];
77 	const char *errstr;
78 	const char *errstr_unpriv;
79 	uint32_t retval;
80 	enum {
81 		UNDEF,
82 		ACCEPT,
83 		REJECT
84 	} result, result_unpriv;
85 	enum bpf_prog_type prog_type;
86 	uint8_t flags;
87 	__u8 data[TEST_DATA_LEN];
88 	void (*fill_helper)(struct bpf_test *self);
89 };
90 
91 /* Note we want this to be 64 bit aligned so that the end of our array is
92  * actually the end of the structure.
93  */
94 #define MAX_ENTRIES 11
95 
96 struct test_val {
97 	unsigned int index;
98 	int foo[MAX_ENTRIES];
99 };
100 
101 struct other_val {
102 	long long foo;
103 	long long bar;
104 };
105 
106 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
107 {
108 	/* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
109 #define PUSH_CNT 51
110 	unsigned int len = BPF_MAXINSNS;
111 	struct bpf_insn *insn = self->insns;
112 	int i = 0, j, k = 0;
113 
114 	insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
115 loop:
116 	for (j = 0; j < PUSH_CNT; j++) {
117 		insn[i++] = BPF_LD_ABS(BPF_B, 0);
118 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
119 		i++;
120 		insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
121 		insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
122 		insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
123 		insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
124 					 BPF_FUNC_skb_vlan_push),
125 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
126 		i++;
127 	}
128 
129 	for (j = 0; j < PUSH_CNT; j++) {
130 		insn[i++] = BPF_LD_ABS(BPF_B, 0);
131 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
132 		i++;
133 		insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
134 		insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
135 					 BPF_FUNC_skb_vlan_pop),
136 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
137 		i++;
138 	}
139 	if (++k < 5)
140 		goto loop;
141 
142 	for (; i < len - 1; i++)
143 		insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
144 	insn[len - 1] = BPF_EXIT_INSN();
145 }
146 
147 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
148 {
149 	struct bpf_insn *insn = self->insns;
150 	unsigned int len = BPF_MAXINSNS;
151 	int i = 0;
152 
153 	insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
154 	insn[i++] = BPF_LD_ABS(BPF_B, 0);
155 	insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
156 	i++;
157 	while (i < len - 1)
158 		insn[i++] = BPF_LD_ABS(BPF_B, 1);
159 	insn[i] = BPF_EXIT_INSN();
160 }
161 
162 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
163 {
164 	struct bpf_insn *insn = self->insns;
165 	uint64_t res = 0;
166 	int i = 0;
167 
168 	insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
169 	while (i < self->retval) {
170 		uint64_t val = bpf_semi_rand_get();
171 		struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
172 
173 		res ^= val;
174 		insn[i++] = tmp[0];
175 		insn[i++] = tmp[1];
176 		insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
177 	}
178 	insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
179 	insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
180 	insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
181 	insn[i] = BPF_EXIT_INSN();
182 	res ^= (res >> 32);
183 	self->retval = (uint32_t)res;
184 }
185 
186 /* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */
187 #define BPF_SK_LOOKUP							\
188 	/* struct bpf_sock_tuple tuple = {} */				\
189 	BPF_MOV64_IMM(BPF_REG_2, 0),					\
190 	BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8),			\
191 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -16),		\
192 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -24),		\
193 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -32),		\
194 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -40),		\
195 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -48),		\
196 	/* sk = sk_lookup_tcp(ctx, &tuple, sizeof tuple, 0, 0) */	\
197 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),				\
198 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),				\
199 	BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)),	\
200 	BPF_MOV64_IMM(BPF_REG_4, 0),					\
201 	BPF_MOV64_IMM(BPF_REG_5, 0),					\
202 	BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp)
203 
204 static struct bpf_test tests[] = {
205 	{
206 		"add+sub+mul",
207 		.insns = {
208 			BPF_MOV64_IMM(BPF_REG_1, 1),
209 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
210 			BPF_MOV64_IMM(BPF_REG_2, 3),
211 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
212 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
213 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
214 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
215 			BPF_EXIT_INSN(),
216 		},
217 		.result = ACCEPT,
218 		.retval = -3,
219 	},
220 	{
221 		"DIV32 by 0, zero check 1",
222 		.insns = {
223 			BPF_MOV32_IMM(BPF_REG_0, 42),
224 			BPF_MOV32_IMM(BPF_REG_1, 0),
225 			BPF_MOV32_IMM(BPF_REG_2, 1),
226 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
227 			BPF_EXIT_INSN(),
228 		},
229 		.result = ACCEPT,
230 		.retval = 42,
231 	},
232 	{
233 		"DIV32 by 0, zero check 2",
234 		.insns = {
235 			BPF_MOV32_IMM(BPF_REG_0, 42),
236 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
237 			BPF_MOV32_IMM(BPF_REG_2, 1),
238 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
239 			BPF_EXIT_INSN(),
240 		},
241 		.result = ACCEPT,
242 		.retval = 42,
243 	},
244 	{
245 		"DIV64 by 0, zero check",
246 		.insns = {
247 			BPF_MOV32_IMM(BPF_REG_0, 42),
248 			BPF_MOV32_IMM(BPF_REG_1, 0),
249 			BPF_MOV32_IMM(BPF_REG_2, 1),
250 			BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
251 			BPF_EXIT_INSN(),
252 		},
253 		.result = ACCEPT,
254 		.retval = 42,
255 	},
256 	{
257 		"MOD32 by 0, zero check 1",
258 		.insns = {
259 			BPF_MOV32_IMM(BPF_REG_0, 42),
260 			BPF_MOV32_IMM(BPF_REG_1, 0),
261 			BPF_MOV32_IMM(BPF_REG_2, 1),
262 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
263 			BPF_EXIT_INSN(),
264 		},
265 		.result = ACCEPT,
266 		.retval = 42,
267 	},
268 	{
269 		"MOD32 by 0, zero check 2",
270 		.insns = {
271 			BPF_MOV32_IMM(BPF_REG_0, 42),
272 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
273 			BPF_MOV32_IMM(BPF_REG_2, 1),
274 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
275 			BPF_EXIT_INSN(),
276 		},
277 		.result = ACCEPT,
278 		.retval = 42,
279 	},
280 	{
281 		"MOD64 by 0, zero check",
282 		.insns = {
283 			BPF_MOV32_IMM(BPF_REG_0, 42),
284 			BPF_MOV32_IMM(BPF_REG_1, 0),
285 			BPF_MOV32_IMM(BPF_REG_2, 1),
286 			BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
287 			BPF_EXIT_INSN(),
288 		},
289 		.result = ACCEPT,
290 		.retval = 42,
291 	},
292 	{
293 		"DIV32 by 0, zero check ok, cls",
294 		.insns = {
295 			BPF_MOV32_IMM(BPF_REG_0, 42),
296 			BPF_MOV32_IMM(BPF_REG_1, 2),
297 			BPF_MOV32_IMM(BPF_REG_2, 16),
298 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
299 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
300 			BPF_EXIT_INSN(),
301 		},
302 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
303 		.result = ACCEPT,
304 		.retval = 8,
305 	},
306 	{
307 		"DIV32 by 0, zero check 1, cls",
308 		.insns = {
309 			BPF_MOV32_IMM(BPF_REG_1, 0),
310 			BPF_MOV32_IMM(BPF_REG_0, 1),
311 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
312 			BPF_EXIT_INSN(),
313 		},
314 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
315 		.result = ACCEPT,
316 		.retval = 0,
317 	},
318 	{
319 		"DIV32 by 0, zero check 2, cls",
320 		.insns = {
321 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
322 			BPF_MOV32_IMM(BPF_REG_0, 1),
323 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
324 			BPF_EXIT_INSN(),
325 		},
326 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
327 		.result = ACCEPT,
328 		.retval = 0,
329 	},
330 	{
331 		"DIV64 by 0, zero check, cls",
332 		.insns = {
333 			BPF_MOV32_IMM(BPF_REG_1, 0),
334 			BPF_MOV32_IMM(BPF_REG_0, 1),
335 			BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
336 			BPF_EXIT_INSN(),
337 		},
338 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
339 		.result = ACCEPT,
340 		.retval = 0,
341 	},
342 	{
343 		"MOD32 by 0, zero check ok, cls",
344 		.insns = {
345 			BPF_MOV32_IMM(BPF_REG_0, 42),
346 			BPF_MOV32_IMM(BPF_REG_1, 3),
347 			BPF_MOV32_IMM(BPF_REG_2, 5),
348 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
349 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
350 			BPF_EXIT_INSN(),
351 		},
352 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
353 		.result = ACCEPT,
354 		.retval = 2,
355 	},
356 	{
357 		"MOD32 by 0, zero check 1, cls",
358 		.insns = {
359 			BPF_MOV32_IMM(BPF_REG_1, 0),
360 			BPF_MOV32_IMM(BPF_REG_0, 1),
361 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
362 			BPF_EXIT_INSN(),
363 		},
364 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
365 		.result = ACCEPT,
366 		.retval = 1,
367 	},
368 	{
369 		"MOD32 by 0, zero check 2, cls",
370 		.insns = {
371 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
372 			BPF_MOV32_IMM(BPF_REG_0, 1),
373 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
374 			BPF_EXIT_INSN(),
375 		},
376 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
377 		.result = ACCEPT,
378 		.retval = 1,
379 	},
380 	{
381 		"MOD64 by 0, zero check 1, cls",
382 		.insns = {
383 			BPF_MOV32_IMM(BPF_REG_1, 0),
384 			BPF_MOV32_IMM(BPF_REG_0, 2),
385 			BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
386 			BPF_EXIT_INSN(),
387 		},
388 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
389 		.result = ACCEPT,
390 		.retval = 2,
391 	},
392 	{
393 		"MOD64 by 0, zero check 2, cls",
394 		.insns = {
395 			BPF_MOV32_IMM(BPF_REG_1, 0),
396 			BPF_MOV32_IMM(BPF_REG_0, -1),
397 			BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
398 			BPF_EXIT_INSN(),
399 		},
400 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
401 		.result = ACCEPT,
402 		.retval = -1,
403 	},
404 	/* Just make sure that JITs used udiv/umod as otherwise we get
405 	 * an exception from INT_MIN/-1 overflow similarly as with div
406 	 * by zero.
407 	 */
408 	{
409 		"DIV32 overflow, check 1",
410 		.insns = {
411 			BPF_MOV32_IMM(BPF_REG_1, -1),
412 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
413 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
414 			BPF_EXIT_INSN(),
415 		},
416 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
417 		.result = ACCEPT,
418 		.retval = 0,
419 	},
420 	{
421 		"DIV32 overflow, check 2",
422 		.insns = {
423 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
424 			BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
425 			BPF_EXIT_INSN(),
426 		},
427 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
428 		.result = ACCEPT,
429 		.retval = 0,
430 	},
431 	{
432 		"DIV64 overflow, check 1",
433 		.insns = {
434 			BPF_MOV64_IMM(BPF_REG_1, -1),
435 			BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
436 			BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
437 			BPF_EXIT_INSN(),
438 		},
439 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
440 		.result = ACCEPT,
441 		.retval = 0,
442 	},
443 	{
444 		"DIV64 overflow, check 2",
445 		.insns = {
446 			BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
447 			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
448 			BPF_EXIT_INSN(),
449 		},
450 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
451 		.result = ACCEPT,
452 		.retval = 0,
453 	},
454 	{
455 		"MOD32 overflow, check 1",
456 		.insns = {
457 			BPF_MOV32_IMM(BPF_REG_1, -1),
458 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
459 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
460 			BPF_EXIT_INSN(),
461 		},
462 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
463 		.result = ACCEPT,
464 		.retval = INT_MIN,
465 	},
466 	{
467 		"MOD32 overflow, check 2",
468 		.insns = {
469 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
470 			BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
471 			BPF_EXIT_INSN(),
472 		},
473 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
474 		.result = ACCEPT,
475 		.retval = INT_MIN,
476 	},
477 	{
478 		"MOD64 overflow, check 1",
479 		.insns = {
480 			BPF_MOV64_IMM(BPF_REG_1, -1),
481 			BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
482 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
483 			BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
484 			BPF_MOV32_IMM(BPF_REG_0, 0),
485 			BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
486 			BPF_MOV32_IMM(BPF_REG_0, 1),
487 			BPF_EXIT_INSN(),
488 		},
489 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
490 		.result = ACCEPT,
491 		.retval = 1,
492 	},
493 	{
494 		"MOD64 overflow, check 2",
495 		.insns = {
496 			BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
497 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
498 			BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
499 			BPF_MOV32_IMM(BPF_REG_0, 0),
500 			BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
501 			BPF_MOV32_IMM(BPF_REG_0, 1),
502 			BPF_EXIT_INSN(),
503 		},
504 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
505 		.result = ACCEPT,
506 		.retval = 1,
507 	},
508 	{
509 		"xor32 zero extend check",
510 		.insns = {
511 			BPF_MOV32_IMM(BPF_REG_2, -1),
512 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
513 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
514 			BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
515 			BPF_MOV32_IMM(BPF_REG_0, 2),
516 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
517 			BPF_MOV32_IMM(BPF_REG_0, 1),
518 			BPF_EXIT_INSN(),
519 		},
520 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
521 		.result = ACCEPT,
522 		.retval = 1,
523 	},
524 	{
525 		"empty prog",
526 		.insns = {
527 		},
528 		.errstr = "unknown opcode 00",
529 		.result = REJECT,
530 	},
531 	{
532 		"only exit insn",
533 		.insns = {
534 			BPF_EXIT_INSN(),
535 		},
536 		.errstr = "R0 !read_ok",
537 		.result = REJECT,
538 	},
539 	{
540 		"unreachable",
541 		.insns = {
542 			BPF_EXIT_INSN(),
543 			BPF_EXIT_INSN(),
544 		},
545 		.errstr = "unreachable",
546 		.result = REJECT,
547 	},
548 	{
549 		"unreachable2",
550 		.insns = {
551 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
552 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
553 			BPF_EXIT_INSN(),
554 		},
555 		.errstr = "unreachable",
556 		.result = REJECT,
557 	},
558 	{
559 		"out of range jump",
560 		.insns = {
561 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
562 			BPF_EXIT_INSN(),
563 		},
564 		.errstr = "jump out of range",
565 		.result = REJECT,
566 	},
567 	{
568 		"out of range jump2",
569 		.insns = {
570 			BPF_JMP_IMM(BPF_JA, 0, 0, -2),
571 			BPF_EXIT_INSN(),
572 		},
573 		.errstr = "jump out of range",
574 		.result = REJECT,
575 	},
576 	{
577 		"test1 ld_imm64",
578 		.insns = {
579 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
580 			BPF_LD_IMM64(BPF_REG_0, 0),
581 			BPF_LD_IMM64(BPF_REG_0, 0),
582 			BPF_LD_IMM64(BPF_REG_0, 1),
583 			BPF_LD_IMM64(BPF_REG_0, 1),
584 			BPF_MOV64_IMM(BPF_REG_0, 2),
585 			BPF_EXIT_INSN(),
586 		},
587 		.errstr = "invalid BPF_LD_IMM insn",
588 		.errstr_unpriv = "R1 pointer comparison",
589 		.result = REJECT,
590 	},
591 	{
592 		"test2 ld_imm64",
593 		.insns = {
594 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
595 			BPF_LD_IMM64(BPF_REG_0, 0),
596 			BPF_LD_IMM64(BPF_REG_0, 0),
597 			BPF_LD_IMM64(BPF_REG_0, 1),
598 			BPF_LD_IMM64(BPF_REG_0, 1),
599 			BPF_EXIT_INSN(),
600 		},
601 		.errstr = "invalid BPF_LD_IMM insn",
602 		.errstr_unpriv = "R1 pointer comparison",
603 		.result = REJECT,
604 	},
605 	{
606 		"test3 ld_imm64",
607 		.insns = {
608 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
609 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
610 			BPF_LD_IMM64(BPF_REG_0, 0),
611 			BPF_LD_IMM64(BPF_REG_0, 0),
612 			BPF_LD_IMM64(BPF_REG_0, 1),
613 			BPF_LD_IMM64(BPF_REG_0, 1),
614 			BPF_EXIT_INSN(),
615 		},
616 		.errstr = "invalid bpf_ld_imm64 insn",
617 		.result = REJECT,
618 	},
619 	{
620 		"test4 ld_imm64",
621 		.insns = {
622 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
623 			BPF_EXIT_INSN(),
624 		},
625 		.errstr = "invalid bpf_ld_imm64 insn",
626 		.result = REJECT,
627 	},
628 	{
629 		"test5 ld_imm64",
630 		.insns = {
631 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
632 		},
633 		.errstr = "invalid bpf_ld_imm64 insn",
634 		.result = REJECT,
635 	},
636 	{
637 		"test6 ld_imm64",
638 		.insns = {
639 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
640 			BPF_RAW_INSN(0, 0, 0, 0, 0),
641 			BPF_EXIT_INSN(),
642 		},
643 		.result = ACCEPT,
644 	},
645 	{
646 		"test7 ld_imm64",
647 		.insns = {
648 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
649 			BPF_RAW_INSN(0, 0, 0, 0, 1),
650 			BPF_EXIT_INSN(),
651 		},
652 		.result = ACCEPT,
653 		.retval = 1,
654 	},
655 	{
656 		"test8 ld_imm64",
657 		.insns = {
658 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
659 			BPF_RAW_INSN(0, 0, 0, 0, 1),
660 			BPF_EXIT_INSN(),
661 		},
662 		.errstr = "uses reserved fields",
663 		.result = REJECT,
664 	},
665 	{
666 		"test9 ld_imm64",
667 		.insns = {
668 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
669 			BPF_RAW_INSN(0, 0, 0, 1, 1),
670 			BPF_EXIT_INSN(),
671 		},
672 		.errstr = "invalid bpf_ld_imm64 insn",
673 		.result = REJECT,
674 	},
675 	{
676 		"test10 ld_imm64",
677 		.insns = {
678 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
679 			BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
680 			BPF_EXIT_INSN(),
681 		},
682 		.errstr = "invalid bpf_ld_imm64 insn",
683 		.result = REJECT,
684 	},
685 	{
686 		"test11 ld_imm64",
687 		.insns = {
688 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
689 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
690 			BPF_EXIT_INSN(),
691 		},
692 		.errstr = "invalid bpf_ld_imm64 insn",
693 		.result = REJECT,
694 	},
695 	{
696 		"test12 ld_imm64",
697 		.insns = {
698 			BPF_MOV64_IMM(BPF_REG_1, 0),
699 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
700 			BPF_RAW_INSN(0, 0, 0, 0, 1),
701 			BPF_EXIT_INSN(),
702 		},
703 		.errstr = "not pointing to valid bpf_map",
704 		.result = REJECT,
705 	},
706 	{
707 		"test13 ld_imm64",
708 		.insns = {
709 			BPF_MOV64_IMM(BPF_REG_1, 0),
710 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
711 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
712 			BPF_EXIT_INSN(),
713 		},
714 		.errstr = "invalid bpf_ld_imm64 insn",
715 		.result = REJECT,
716 	},
717 	{
718 		"arsh32 on imm",
719 		.insns = {
720 			BPF_MOV64_IMM(BPF_REG_0, 1),
721 			BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
722 			BPF_EXIT_INSN(),
723 		},
724 		.result = REJECT,
725 		.errstr = "unknown opcode c4",
726 	},
727 	{
728 		"arsh32 on reg",
729 		.insns = {
730 			BPF_MOV64_IMM(BPF_REG_0, 1),
731 			BPF_MOV64_IMM(BPF_REG_1, 5),
732 			BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
733 			BPF_EXIT_INSN(),
734 		},
735 		.result = REJECT,
736 		.errstr = "unknown opcode cc",
737 	},
738 	{
739 		"arsh64 on imm",
740 		.insns = {
741 			BPF_MOV64_IMM(BPF_REG_0, 1),
742 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
743 			BPF_EXIT_INSN(),
744 		},
745 		.result = ACCEPT,
746 	},
747 	{
748 		"arsh64 on reg",
749 		.insns = {
750 			BPF_MOV64_IMM(BPF_REG_0, 1),
751 			BPF_MOV64_IMM(BPF_REG_1, 5),
752 			BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
753 			BPF_EXIT_INSN(),
754 		},
755 		.result = ACCEPT,
756 	},
757 	{
758 		"no bpf_exit",
759 		.insns = {
760 			BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
761 		},
762 		.errstr = "not an exit",
763 		.result = REJECT,
764 	},
765 	{
766 		"loop (back-edge)",
767 		.insns = {
768 			BPF_JMP_IMM(BPF_JA, 0, 0, -1),
769 			BPF_EXIT_INSN(),
770 		},
771 		.errstr = "back-edge",
772 		.result = REJECT,
773 	},
774 	{
775 		"loop2 (back-edge)",
776 		.insns = {
777 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
778 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
779 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
780 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
781 			BPF_EXIT_INSN(),
782 		},
783 		.errstr = "back-edge",
784 		.result = REJECT,
785 	},
786 	{
787 		"conditional loop",
788 		.insns = {
789 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
790 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
791 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
792 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
793 			BPF_EXIT_INSN(),
794 		},
795 		.errstr = "back-edge",
796 		.result = REJECT,
797 	},
798 	{
799 		"read uninitialized register",
800 		.insns = {
801 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
802 			BPF_EXIT_INSN(),
803 		},
804 		.errstr = "R2 !read_ok",
805 		.result = REJECT,
806 	},
807 	{
808 		"read invalid register",
809 		.insns = {
810 			BPF_MOV64_REG(BPF_REG_0, -1),
811 			BPF_EXIT_INSN(),
812 		},
813 		.errstr = "R15 is invalid",
814 		.result = REJECT,
815 	},
816 	{
817 		"program doesn't init R0 before exit",
818 		.insns = {
819 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
820 			BPF_EXIT_INSN(),
821 		},
822 		.errstr = "R0 !read_ok",
823 		.result = REJECT,
824 	},
825 	{
826 		"program doesn't init R0 before exit in all branches",
827 		.insns = {
828 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
829 			BPF_MOV64_IMM(BPF_REG_0, 1),
830 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
831 			BPF_EXIT_INSN(),
832 		},
833 		.errstr = "R0 !read_ok",
834 		.errstr_unpriv = "R1 pointer comparison",
835 		.result = REJECT,
836 	},
837 	{
838 		"stack out of bounds",
839 		.insns = {
840 			BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
841 			BPF_EXIT_INSN(),
842 		},
843 		.errstr = "invalid stack",
844 		.result = REJECT,
845 	},
846 	{
847 		"invalid call insn1",
848 		.insns = {
849 			BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
850 			BPF_EXIT_INSN(),
851 		},
852 		.errstr = "unknown opcode 8d",
853 		.result = REJECT,
854 	},
855 	{
856 		"invalid call insn2",
857 		.insns = {
858 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
859 			BPF_EXIT_INSN(),
860 		},
861 		.errstr = "BPF_CALL uses reserved",
862 		.result = REJECT,
863 	},
864 	{
865 		"invalid function call",
866 		.insns = {
867 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
868 			BPF_EXIT_INSN(),
869 		},
870 		.errstr = "invalid func unknown#1234567",
871 		.result = REJECT,
872 	},
873 	{
874 		"uninitialized stack1",
875 		.insns = {
876 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
877 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
878 			BPF_LD_MAP_FD(BPF_REG_1, 0),
879 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
880 				     BPF_FUNC_map_lookup_elem),
881 			BPF_EXIT_INSN(),
882 		},
883 		.fixup_map_hash_8b = { 2 },
884 		.errstr = "invalid indirect read from stack",
885 		.result = REJECT,
886 	},
887 	{
888 		"uninitialized stack2",
889 		.insns = {
890 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
891 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
892 			BPF_EXIT_INSN(),
893 		},
894 		.errstr = "invalid read from stack",
895 		.result = REJECT,
896 	},
897 	{
898 		"invalid fp arithmetic",
899 		/* If this gets ever changed, make sure JITs can deal with it. */
900 		.insns = {
901 			BPF_MOV64_IMM(BPF_REG_0, 0),
902 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
903 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
904 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
905 			BPF_EXIT_INSN(),
906 		},
907 		.errstr = "R1 subtraction from stack pointer",
908 		.result = REJECT,
909 	},
910 	{
911 		"non-invalid fp arithmetic",
912 		.insns = {
913 			BPF_MOV64_IMM(BPF_REG_0, 0),
914 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
915 			BPF_EXIT_INSN(),
916 		},
917 		.result = ACCEPT,
918 	},
919 	{
920 		"invalid argument register",
921 		.insns = {
922 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
923 				     BPF_FUNC_get_cgroup_classid),
924 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
925 				     BPF_FUNC_get_cgroup_classid),
926 			BPF_EXIT_INSN(),
927 		},
928 		.errstr = "R1 !read_ok",
929 		.result = REJECT,
930 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
931 	},
932 	{
933 		"non-invalid argument register",
934 		.insns = {
935 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
936 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
937 				     BPF_FUNC_get_cgroup_classid),
938 			BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
939 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
940 				     BPF_FUNC_get_cgroup_classid),
941 			BPF_EXIT_INSN(),
942 		},
943 		.result = ACCEPT,
944 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
945 	},
946 	{
947 		"check valid spill/fill",
948 		.insns = {
949 			/* spill R1(ctx) into stack */
950 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
951 			/* fill it back into R2 */
952 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
953 			/* should be able to access R0 = *(R2 + 8) */
954 			/* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
955 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
956 			BPF_EXIT_INSN(),
957 		},
958 		.errstr_unpriv = "R0 leaks addr",
959 		.result = ACCEPT,
960 		.result_unpriv = REJECT,
961 		.retval = POINTER_VALUE,
962 	},
963 	{
964 		"check valid spill/fill, skb mark",
965 		.insns = {
966 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
967 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
968 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
969 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
970 				    offsetof(struct __sk_buff, mark)),
971 			BPF_EXIT_INSN(),
972 		},
973 		.result = ACCEPT,
974 		.result_unpriv = ACCEPT,
975 	},
976 	{
977 		"check corrupted spill/fill",
978 		.insns = {
979 			/* spill R1(ctx) into stack */
980 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
981 			/* mess up with R1 pointer on stack */
982 			BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
983 			/* fill back into R0 should fail */
984 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
985 			BPF_EXIT_INSN(),
986 		},
987 		.errstr_unpriv = "attempt to corrupt spilled",
988 		.errstr = "corrupted spill",
989 		.result = REJECT,
990 	},
991 	{
992 		"invalid src register in STX",
993 		.insns = {
994 			BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
995 			BPF_EXIT_INSN(),
996 		},
997 		.errstr = "R15 is invalid",
998 		.result = REJECT,
999 	},
1000 	{
1001 		"invalid dst register in STX",
1002 		.insns = {
1003 			BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
1004 			BPF_EXIT_INSN(),
1005 		},
1006 		.errstr = "R14 is invalid",
1007 		.result = REJECT,
1008 	},
1009 	{
1010 		"invalid dst register in ST",
1011 		.insns = {
1012 			BPF_ST_MEM(BPF_B, 14, -1, -1),
1013 			BPF_EXIT_INSN(),
1014 		},
1015 		.errstr = "R14 is invalid",
1016 		.result = REJECT,
1017 	},
1018 	{
1019 		"invalid src register in LDX",
1020 		.insns = {
1021 			BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1022 			BPF_EXIT_INSN(),
1023 		},
1024 		.errstr = "R12 is invalid",
1025 		.result = REJECT,
1026 	},
1027 	{
1028 		"invalid dst register in LDX",
1029 		.insns = {
1030 			BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1031 			BPF_EXIT_INSN(),
1032 		},
1033 		.errstr = "R11 is invalid",
1034 		.result = REJECT,
1035 	},
1036 	{
1037 		"junk insn",
1038 		.insns = {
1039 			BPF_RAW_INSN(0, 0, 0, 0, 0),
1040 			BPF_EXIT_INSN(),
1041 		},
1042 		.errstr = "unknown opcode 00",
1043 		.result = REJECT,
1044 	},
1045 	{
1046 		"junk insn2",
1047 		.insns = {
1048 			BPF_RAW_INSN(1, 0, 0, 0, 0),
1049 			BPF_EXIT_INSN(),
1050 		},
1051 		.errstr = "BPF_LDX uses reserved fields",
1052 		.result = REJECT,
1053 	},
1054 	{
1055 		"junk insn3",
1056 		.insns = {
1057 			BPF_RAW_INSN(-1, 0, 0, 0, 0),
1058 			BPF_EXIT_INSN(),
1059 		},
1060 		.errstr = "unknown opcode ff",
1061 		.result = REJECT,
1062 	},
1063 	{
1064 		"junk insn4",
1065 		.insns = {
1066 			BPF_RAW_INSN(-1, -1, -1, -1, -1),
1067 			BPF_EXIT_INSN(),
1068 		},
1069 		.errstr = "unknown opcode ff",
1070 		.result = REJECT,
1071 	},
1072 	{
1073 		"junk insn5",
1074 		.insns = {
1075 			BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1076 			BPF_EXIT_INSN(),
1077 		},
1078 		.errstr = "BPF_ALU uses reserved fields",
1079 		.result = REJECT,
1080 	},
1081 	{
1082 		"misaligned read from stack",
1083 		.insns = {
1084 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1085 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1086 			BPF_EXIT_INSN(),
1087 		},
1088 		.errstr = "misaligned stack access",
1089 		.result = REJECT,
1090 	},
1091 	{
1092 		"invalid map_fd for function call",
1093 		.insns = {
1094 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1095 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1096 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1097 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1098 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1099 				     BPF_FUNC_map_delete_elem),
1100 			BPF_EXIT_INSN(),
1101 		},
1102 		.errstr = "fd 0 is not pointing to valid bpf_map",
1103 		.result = REJECT,
1104 	},
1105 	{
1106 		"don't check return value before access",
1107 		.insns = {
1108 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1109 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1110 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1111 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1112 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1113 				     BPF_FUNC_map_lookup_elem),
1114 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1115 			BPF_EXIT_INSN(),
1116 		},
1117 		.fixup_map_hash_8b = { 3 },
1118 		.errstr = "R0 invalid mem access 'map_value_or_null'",
1119 		.result = REJECT,
1120 	},
1121 	{
1122 		"access memory with incorrect alignment",
1123 		.insns = {
1124 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1125 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1126 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1127 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1128 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1129 				     BPF_FUNC_map_lookup_elem),
1130 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1131 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1132 			BPF_EXIT_INSN(),
1133 		},
1134 		.fixup_map_hash_8b = { 3 },
1135 		.errstr = "misaligned value access",
1136 		.result = REJECT,
1137 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1138 	},
1139 	{
1140 		"sometimes access memory with incorrect alignment",
1141 		.insns = {
1142 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1143 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1144 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1145 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1146 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1147 				     BPF_FUNC_map_lookup_elem),
1148 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1149 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1150 			BPF_EXIT_INSN(),
1151 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1152 			BPF_EXIT_INSN(),
1153 		},
1154 		.fixup_map_hash_8b = { 3 },
1155 		.errstr = "R0 invalid mem access",
1156 		.errstr_unpriv = "R0 leaks addr",
1157 		.result = REJECT,
1158 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1159 	},
1160 	{
1161 		"jump test 1",
1162 		.insns = {
1163 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1164 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1165 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1166 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1167 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1168 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1169 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1170 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1171 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1172 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1173 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1174 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1175 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1176 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1177 			BPF_MOV64_IMM(BPF_REG_0, 0),
1178 			BPF_EXIT_INSN(),
1179 		},
1180 		.errstr_unpriv = "R1 pointer comparison",
1181 		.result_unpriv = REJECT,
1182 		.result = ACCEPT,
1183 	},
1184 	{
1185 		"jump test 2",
1186 		.insns = {
1187 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1188 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1189 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1190 			BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1191 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1192 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1193 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1194 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1195 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1196 			BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1197 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1198 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1199 			BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1200 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1201 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1202 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1203 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1204 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1205 			BPF_MOV64_IMM(BPF_REG_0, 0),
1206 			BPF_EXIT_INSN(),
1207 		},
1208 		.errstr_unpriv = "R1 pointer comparison",
1209 		.result_unpriv = REJECT,
1210 		.result = ACCEPT,
1211 	},
1212 	{
1213 		"jump test 3",
1214 		.insns = {
1215 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1216 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1217 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1218 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1219 			BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1220 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1221 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1222 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1223 			BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1224 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1225 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1226 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1227 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1228 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1229 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1230 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1231 			BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1232 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1233 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1234 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1235 			BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1236 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1237 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1238 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1239 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1240 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1241 				     BPF_FUNC_map_delete_elem),
1242 			BPF_EXIT_INSN(),
1243 		},
1244 		.fixup_map_hash_8b = { 24 },
1245 		.errstr_unpriv = "R1 pointer comparison",
1246 		.result_unpriv = REJECT,
1247 		.result = ACCEPT,
1248 		.retval = -ENOENT,
1249 	},
1250 	{
1251 		"jump test 4",
1252 		.insns = {
1253 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1254 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1255 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1256 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1257 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1258 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1259 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1260 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1261 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1262 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1263 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1264 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1265 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1266 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1267 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1268 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1269 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1270 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1271 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1272 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1273 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1274 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1275 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1276 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1277 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1278 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1279 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1280 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1281 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1282 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1283 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1284 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1285 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1286 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1287 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1288 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1289 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1290 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1291 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1292 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1293 			BPF_MOV64_IMM(BPF_REG_0, 0),
1294 			BPF_EXIT_INSN(),
1295 		},
1296 		.errstr_unpriv = "R1 pointer comparison",
1297 		.result_unpriv = REJECT,
1298 		.result = ACCEPT,
1299 	},
1300 	{
1301 		"jump test 5",
1302 		.insns = {
1303 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1304 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1305 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1306 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1307 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1308 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1309 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1310 			BPF_MOV64_IMM(BPF_REG_0, 0),
1311 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1312 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1313 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1314 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1315 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1316 			BPF_MOV64_IMM(BPF_REG_0, 0),
1317 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1318 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1319 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1320 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1321 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1322 			BPF_MOV64_IMM(BPF_REG_0, 0),
1323 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1324 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1325 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1326 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1327 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1328 			BPF_MOV64_IMM(BPF_REG_0, 0),
1329 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1330 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1331 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1332 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1333 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1334 			BPF_MOV64_IMM(BPF_REG_0, 0),
1335 			BPF_EXIT_INSN(),
1336 		},
1337 		.errstr_unpriv = "R1 pointer comparison",
1338 		.result_unpriv = REJECT,
1339 		.result = ACCEPT,
1340 	},
1341 	{
1342 		"access skb fields ok",
1343 		.insns = {
1344 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1345 				    offsetof(struct __sk_buff, len)),
1346 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1347 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1348 				    offsetof(struct __sk_buff, mark)),
1349 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1350 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1351 				    offsetof(struct __sk_buff, pkt_type)),
1352 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1353 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1354 				    offsetof(struct __sk_buff, queue_mapping)),
1355 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1356 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1357 				    offsetof(struct __sk_buff, protocol)),
1358 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1359 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1360 				    offsetof(struct __sk_buff, vlan_present)),
1361 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1362 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1363 				    offsetof(struct __sk_buff, vlan_tci)),
1364 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1365 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1366 				    offsetof(struct __sk_buff, napi_id)),
1367 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1368 			BPF_EXIT_INSN(),
1369 		},
1370 		.result = ACCEPT,
1371 	},
1372 	{
1373 		"access skb fields bad1",
1374 		.insns = {
1375 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1376 			BPF_EXIT_INSN(),
1377 		},
1378 		.errstr = "invalid bpf_context access",
1379 		.result = REJECT,
1380 	},
1381 	{
1382 		"access skb fields bad2",
1383 		.insns = {
1384 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1385 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1386 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1387 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1388 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1389 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1390 				     BPF_FUNC_map_lookup_elem),
1391 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1392 			BPF_EXIT_INSN(),
1393 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1394 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1395 				    offsetof(struct __sk_buff, pkt_type)),
1396 			BPF_EXIT_INSN(),
1397 		},
1398 		.fixup_map_hash_8b = { 4 },
1399 		.errstr = "different pointers",
1400 		.errstr_unpriv = "R1 pointer comparison",
1401 		.result = REJECT,
1402 	},
1403 	{
1404 		"access skb fields bad3",
1405 		.insns = {
1406 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1407 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1408 				    offsetof(struct __sk_buff, pkt_type)),
1409 			BPF_EXIT_INSN(),
1410 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1411 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1412 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1413 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1414 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1415 				     BPF_FUNC_map_lookup_elem),
1416 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1417 			BPF_EXIT_INSN(),
1418 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1419 			BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1420 		},
1421 		.fixup_map_hash_8b = { 6 },
1422 		.errstr = "different pointers",
1423 		.errstr_unpriv = "R1 pointer comparison",
1424 		.result = REJECT,
1425 	},
1426 	{
1427 		"access skb fields bad4",
1428 		.insns = {
1429 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1430 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1431 				    offsetof(struct __sk_buff, len)),
1432 			BPF_MOV64_IMM(BPF_REG_0, 0),
1433 			BPF_EXIT_INSN(),
1434 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1435 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1436 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1437 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1438 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1439 				     BPF_FUNC_map_lookup_elem),
1440 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1441 			BPF_EXIT_INSN(),
1442 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1443 			BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1444 		},
1445 		.fixup_map_hash_8b = { 7 },
1446 		.errstr = "different pointers",
1447 		.errstr_unpriv = "R1 pointer comparison",
1448 		.result = REJECT,
1449 	},
1450 	{
1451 		"invalid access __sk_buff family",
1452 		.insns = {
1453 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1454 				    offsetof(struct __sk_buff, family)),
1455 			BPF_EXIT_INSN(),
1456 		},
1457 		.errstr = "invalid bpf_context access",
1458 		.result = REJECT,
1459 	},
1460 	{
1461 		"invalid access __sk_buff remote_ip4",
1462 		.insns = {
1463 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1464 				    offsetof(struct __sk_buff, remote_ip4)),
1465 			BPF_EXIT_INSN(),
1466 		},
1467 		.errstr = "invalid bpf_context access",
1468 		.result = REJECT,
1469 	},
1470 	{
1471 		"invalid access __sk_buff local_ip4",
1472 		.insns = {
1473 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1474 				    offsetof(struct __sk_buff, local_ip4)),
1475 			BPF_EXIT_INSN(),
1476 		},
1477 		.errstr = "invalid bpf_context access",
1478 		.result = REJECT,
1479 	},
1480 	{
1481 		"invalid access __sk_buff remote_ip6",
1482 		.insns = {
1483 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1484 				    offsetof(struct __sk_buff, remote_ip6)),
1485 			BPF_EXIT_INSN(),
1486 		},
1487 		.errstr = "invalid bpf_context access",
1488 		.result = REJECT,
1489 	},
1490 	{
1491 		"invalid access __sk_buff local_ip6",
1492 		.insns = {
1493 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1494 				    offsetof(struct __sk_buff, local_ip6)),
1495 			BPF_EXIT_INSN(),
1496 		},
1497 		.errstr = "invalid bpf_context access",
1498 		.result = REJECT,
1499 	},
1500 	{
1501 		"invalid access __sk_buff remote_port",
1502 		.insns = {
1503 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1504 				    offsetof(struct __sk_buff, remote_port)),
1505 			BPF_EXIT_INSN(),
1506 		},
1507 		.errstr = "invalid bpf_context access",
1508 		.result = REJECT,
1509 	},
1510 	{
1511 		"invalid access __sk_buff remote_port",
1512 		.insns = {
1513 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1514 				    offsetof(struct __sk_buff, local_port)),
1515 			BPF_EXIT_INSN(),
1516 		},
1517 		.errstr = "invalid bpf_context access",
1518 		.result = REJECT,
1519 	},
1520 	{
1521 		"valid access __sk_buff family",
1522 		.insns = {
1523 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1524 				    offsetof(struct __sk_buff, family)),
1525 			BPF_EXIT_INSN(),
1526 		},
1527 		.result = ACCEPT,
1528 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1529 	},
1530 	{
1531 		"valid access __sk_buff remote_ip4",
1532 		.insns = {
1533 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1534 				    offsetof(struct __sk_buff, remote_ip4)),
1535 			BPF_EXIT_INSN(),
1536 		},
1537 		.result = ACCEPT,
1538 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1539 	},
1540 	{
1541 		"valid access __sk_buff local_ip4",
1542 		.insns = {
1543 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1544 				    offsetof(struct __sk_buff, local_ip4)),
1545 			BPF_EXIT_INSN(),
1546 		},
1547 		.result = ACCEPT,
1548 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1549 	},
1550 	{
1551 		"valid access __sk_buff remote_ip6",
1552 		.insns = {
1553 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1554 				    offsetof(struct __sk_buff, remote_ip6[0])),
1555 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1556 				    offsetof(struct __sk_buff, remote_ip6[1])),
1557 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1558 				    offsetof(struct __sk_buff, remote_ip6[2])),
1559 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1560 				    offsetof(struct __sk_buff, remote_ip6[3])),
1561 			BPF_EXIT_INSN(),
1562 		},
1563 		.result = ACCEPT,
1564 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1565 	},
1566 	{
1567 		"valid access __sk_buff local_ip6",
1568 		.insns = {
1569 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1570 				    offsetof(struct __sk_buff, local_ip6[0])),
1571 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572 				    offsetof(struct __sk_buff, local_ip6[1])),
1573 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1574 				    offsetof(struct __sk_buff, local_ip6[2])),
1575 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1576 				    offsetof(struct __sk_buff, local_ip6[3])),
1577 			BPF_EXIT_INSN(),
1578 		},
1579 		.result = ACCEPT,
1580 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1581 	},
1582 	{
1583 		"valid access __sk_buff remote_port",
1584 		.insns = {
1585 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1586 				    offsetof(struct __sk_buff, remote_port)),
1587 			BPF_EXIT_INSN(),
1588 		},
1589 		.result = ACCEPT,
1590 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1591 	},
1592 	{
1593 		"valid access __sk_buff remote_port",
1594 		.insns = {
1595 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1596 				    offsetof(struct __sk_buff, local_port)),
1597 			BPF_EXIT_INSN(),
1598 		},
1599 		.result = ACCEPT,
1600 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1601 	},
1602 	{
1603 		"invalid access of tc_classid for SK_SKB",
1604 		.insns = {
1605 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1606 				    offsetof(struct __sk_buff, tc_classid)),
1607 			BPF_EXIT_INSN(),
1608 		},
1609 		.result = REJECT,
1610 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1611 		.errstr = "invalid bpf_context access",
1612 	},
1613 	{
1614 		"invalid access of skb->mark for SK_SKB",
1615 		.insns = {
1616 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1617 				    offsetof(struct __sk_buff, mark)),
1618 			BPF_EXIT_INSN(),
1619 		},
1620 		.result =  REJECT,
1621 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1622 		.errstr = "invalid bpf_context access",
1623 	},
1624 	{
1625 		"check skb->mark is not writeable by SK_SKB",
1626 		.insns = {
1627 			BPF_MOV64_IMM(BPF_REG_0, 0),
1628 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1629 				    offsetof(struct __sk_buff, mark)),
1630 			BPF_EXIT_INSN(),
1631 		},
1632 		.result =  REJECT,
1633 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1634 		.errstr = "invalid bpf_context access",
1635 	},
1636 	{
1637 		"check skb->tc_index is writeable by SK_SKB",
1638 		.insns = {
1639 			BPF_MOV64_IMM(BPF_REG_0, 0),
1640 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1641 				    offsetof(struct __sk_buff, tc_index)),
1642 			BPF_EXIT_INSN(),
1643 		},
1644 		.result = ACCEPT,
1645 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1646 	},
1647 	{
1648 		"check skb->priority is writeable by SK_SKB",
1649 		.insns = {
1650 			BPF_MOV64_IMM(BPF_REG_0, 0),
1651 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1652 				    offsetof(struct __sk_buff, priority)),
1653 			BPF_EXIT_INSN(),
1654 		},
1655 		.result = ACCEPT,
1656 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1657 	},
1658 	{
1659 		"direct packet read for SK_SKB",
1660 		.insns = {
1661 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1662 				    offsetof(struct __sk_buff, data)),
1663 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1664 				    offsetof(struct __sk_buff, data_end)),
1665 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1666 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1667 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1668 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1669 			BPF_MOV64_IMM(BPF_REG_0, 0),
1670 			BPF_EXIT_INSN(),
1671 		},
1672 		.result = ACCEPT,
1673 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1674 	},
1675 	{
1676 		"direct packet write for SK_SKB",
1677 		.insns = {
1678 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1679 				    offsetof(struct __sk_buff, data)),
1680 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1681 				    offsetof(struct __sk_buff, data_end)),
1682 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1683 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1684 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1685 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1686 			BPF_MOV64_IMM(BPF_REG_0, 0),
1687 			BPF_EXIT_INSN(),
1688 		},
1689 		.result = ACCEPT,
1690 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1691 	},
1692 	{
1693 		"overlapping checks for direct packet access SK_SKB",
1694 		.insns = {
1695 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1696 				    offsetof(struct __sk_buff, data)),
1697 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1698 				    offsetof(struct __sk_buff, data_end)),
1699 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1700 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1701 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1702 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1703 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1704 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1705 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1706 			BPF_MOV64_IMM(BPF_REG_0, 0),
1707 			BPF_EXIT_INSN(),
1708 		},
1709 		.result = ACCEPT,
1710 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1711 	},
1712 	{
1713 		"valid access family in SK_MSG",
1714 		.insns = {
1715 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1716 				    offsetof(struct sk_msg_md, family)),
1717 			BPF_EXIT_INSN(),
1718 		},
1719 		.result = ACCEPT,
1720 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1721 	},
1722 	{
1723 		"valid access remote_ip4 in SK_MSG",
1724 		.insns = {
1725 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1726 				    offsetof(struct sk_msg_md, remote_ip4)),
1727 			BPF_EXIT_INSN(),
1728 		},
1729 		.result = ACCEPT,
1730 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1731 	},
1732 	{
1733 		"valid access local_ip4 in SK_MSG",
1734 		.insns = {
1735 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1736 				    offsetof(struct sk_msg_md, local_ip4)),
1737 			BPF_EXIT_INSN(),
1738 		},
1739 		.result = ACCEPT,
1740 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1741 	},
1742 	{
1743 		"valid access remote_port in SK_MSG",
1744 		.insns = {
1745 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746 				    offsetof(struct sk_msg_md, remote_port)),
1747 			BPF_EXIT_INSN(),
1748 		},
1749 		.result = ACCEPT,
1750 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1751 	},
1752 	{
1753 		"valid access local_port in SK_MSG",
1754 		.insns = {
1755 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1756 				    offsetof(struct sk_msg_md, local_port)),
1757 			BPF_EXIT_INSN(),
1758 		},
1759 		.result = ACCEPT,
1760 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1761 	},
1762 	{
1763 		"valid access remote_ip6 in SK_MSG",
1764 		.insns = {
1765 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1766 				    offsetof(struct sk_msg_md, remote_ip6[0])),
1767 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1768 				    offsetof(struct sk_msg_md, remote_ip6[1])),
1769 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1770 				    offsetof(struct sk_msg_md, remote_ip6[2])),
1771 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1772 				    offsetof(struct sk_msg_md, remote_ip6[3])),
1773 			BPF_EXIT_INSN(),
1774 		},
1775 		.result = ACCEPT,
1776 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1777 	},
1778 	{
1779 		"valid access local_ip6 in SK_MSG",
1780 		.insns = {
1781 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1782 				    offsetof(struct sk_msg_md, local_ip6[0])),
1783 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1784 				    offsetof(struct sk_msg_md, local_ip6[1])),
1785 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1786 				    offsetof(struct sk_msg_md, local_ip6[2])),
1787 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1788 				    offsetof(struct sk_msg_md, local_ip6[3])),
1789 			BPF_EXIT_INSN(),
1790 		},
1791 		.result = ACCEPT,
1792 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1793 	},
1794 	{
1795 		"invalid 64B read of family in SK_MSG",
1796 		.insns = {
1797 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1798 				    offsetof(struct sk_msg_md, family)),
1799 			BPF_EXIT_INSN(),
1800 		},
1801 		.errstr = "invalid bpf_context access",
1802 		.result = REJECT,
1803 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1804 	},
1805 	{
1806 		"invalid read past end of SK_MSG",
1807 		.insns = {
1808 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1809 				    offsetof(struct sk_msg_md, local_port) + 4),
1810 			BPF_EXIT_INSN(),
1811 		},
1812 		.errstr = "R0 !read_ok",
1813 		.result = REJECT,
1814 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1815 	},
1816 	{
1817 		"invalid read offset in SK_MSG",
1818 		.insns = {
1819 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1820 				    offsetof(struct sk_msg_md, family) + 1),
1821 			BPF_EXIT_INSN(),
1822 		},
1823 		.errstr = "invalid bpf_context access",
1824 		.result = REJECT,
1825 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1826 	},
1827 	{
1828 		"direct packet read for SK_MSG",
1829 		.insns = {
1830 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1831 				    offsetof(struct sk_msg_md, data)),
1832 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1833 				    offsetof(struct sk_msg_md, data_end)),
1834 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1835 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1836 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1837 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1838 			BPF_MOV64_IMM(BPF_REG_0, 0),
1839 			BPF_EXIT_INSN(),
1840 		},
1841 		.result = ACCEPT,
1842 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1843 	},
1844 	{
1845 		"direct packet write for SK_MSG",
1846 		.insns = {
1847 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1848 				    offsetof(struct sk_msg_md, data)),
1849 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1850 				    offsetof(struct sk_msg_md, data_end)),
1851 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1852 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1853 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1854 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1855 			BPF_MOV64_IMM(BPF_REG_0, 0),
1856 			BPF_EXIT_INSN(),
1857 		},
1858 		.result = ACCEPT,
1859 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1860 	},
1861 	{
1862 		"overlapping checks for direct packet access SK_MSG",
1863 		.insns = {
1864 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1865 				    offsetof(struct sk_msg_md, data)),
1866 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1867 				    offsetof(struct sk_msg_md, data_end)),
1868 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1869 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1870 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1871 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1872 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1873 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1874 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1875 			BPF_MOV64_IMM(BPF_REG_0, 0),
1876 			BPF_EXIT_INSN(),
1877 		},
1878 		.result = ACCEPT,
1879 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1880 	},
1881 	{
1882 		"check skb->mark is not writeable by sockets",
1883 		.insns = {
1884 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1885 				    offsetof(struct __sk_buff, mark)),
1886 			BPF_EXIT_INSN(),
1887 		},
1888 		.errstr = "invalid bpf_context access",
1889 		.errstr_unpriv = "R1 leaks addr",
1890 		.result = REJECT,
1891 	},
1892 	{
1893 		"check skb->tc_index is not writeable by sockets",
1894 		.insns = {
1895 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1896 				    offsetof(struct __sk_buff, tc_index)),
1897 			BPF_EXIT_INSN(),
1898 		},
1899 		.errstr = "invalid bpf_context access",
1900 		.errstr_unpriv = "R1 leaks addr",
1901 		.result = REJECT,
1902 	},
1903 	{
1904 		"check cb access: byte",
1905 		.insns = {
1906 			BPF_MOV64_IMM(BPF_REG_0, 0),
1907 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1908 				    offsetof(struct __sk_buff, cb[0])),
1909 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1910 				    offsetof(struct __sk_buff, cb[0]) + 1),
1911 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1912 				    offsetof(struct __sk_buff, cb[0]) + 2),
1913 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1914 				    offsetof(struct __sk_buff, cb[0]) + 3),
1915 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1916 				    offsetof(struct __sk_buff, cb[1])),
1917 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1918 				    offsetof(struct __sk_buff, cb[1]) + 1),
1919 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1920 				    offsetof(struct __sk_buff, cb[1]) + 2),
1921 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1922 				    offsetof(struct __sk_buff, cb[1]) + 3),
1923 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1924 				    offsetof(struct __sk_buff, cb[2])),
1925 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1926 				    offsetof(struct __sk_buff, cb[2]) + 1),
1927 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1928 				    offsetof(struct __sk_buff, cb[2]) + 2),
1929 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1930 				    offsetof(struct __sk_buff, cb[2]) + 3),
1931 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1932 				    offsetof(struct __sk_buff, cb[3])),
1933 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1934 				    offsetof(struct __sk_buff, cb[3]) + 1),
1935 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1936 				    offsetof(struct __sk_buff, cb[3]) + 2),
1937 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1938 				    offsetof(struct __sk_buff, cb[3]) + 3),
1939 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1940 				    offsetof(struct __sk_buff, cb[4])),
1941 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1942 				    offsetof(struct __sk_buff, cb[4]) + 1),
1943 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1944 				    offsetof(struct __sk_buff, cb[4]) + 2),
1945 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1946 				    offsetof(struct __sk_buff, cb[4]) + 3),
1947 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1948 				    offsetof(struct __sk_buff, cb[0])),
1949 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1950 				    offsetof(struct __sk_buff, cb[0]) + 1),
1951 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1952 				    offsetof(struct __sk_buff, cb[0]) + 2),
1953 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1954 				    offsetof(struct __sk_buff, cb[0]) + 3),
1955 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1956 				    offsetof(struct __sk_buff, cb[1])),
1957 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1958 				    offsetof(struct __sk_buff, cb[1]) + 1),
1959 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1960 				    offsetof(struct __sk_buff, cb[1]) + 2),
1961 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1962 				    offsetof(struct __sk_buff, cb[1]) + 3),
1963 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1964 				    offsetof(struct __sk_buff, cb[2])),
1965 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1966 				    offsetof(struct __sk_buff, cb[2]) + 1),
1967 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1968 				    offsetof(struct __sk_buff, cb[2]) + 2),
1969 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1970 				    offsetof(struct __sk_buff, cb[2]) + 3),
1971 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1972 				    offsetof(struct __sk_buff, cb[3])),
1973 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1974 				    offsetof(struct __sk_buff, cb[3]) + 1),
1975 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1976 				    offsetof(struct __sk_buff, cb[3]) + 2),
1977 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1978 				    offsetof(struct __sk_buff, cb[3]) + 3),
1979 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1980 				    offsetof(struct __sk_buff, cb[4])),
1981 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1982 				    offsetof(struct __sk_buff, cb[4]) + 1),
1983 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1984 				    offsetof(struct __sk_buff, cb[4]) + 2),
1985 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1986 				    offsetof(struct __sk_buff, cb[4]) + 3),
1987 			BPF_EXIT_INSN(),
1988 		},
1989 		.result = ACCEPT,
1990 	},
1991 	{
1992 		"__sk_buff->hash, offset 0, byte store not permitted",
1993 		.insns = {
1994 			BPF_MOV64_IMM(BPF_REG_0, 0),
1995 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1996 				    offsetof(struct __sk_buff, hash)),
1997 			BPF_EXIT_INSN(),
1998 		},
1999 		.errstr = "invalid bpf_context access",
2000 		.result = REJECT,
2001 	},
2002 	{
2003 		"__sk_buff->tc_index, offset 3, byte store not permitted",
2004 		.insns = {
2005 			BPF_MOV64_IMM(BPF_REG_0, 0),
2006 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2007 				    offsetof(struct __sk_buff, tc_index) + 3),
2008 			BPF_EXIT_INSN(),
2009 		},
2010 		.errstr = "invalid bpf_context access",
2011 		.result = REJECT,
2012 	},
2013 	{
2014 		"check skb->hash byte load permitted",
2015 		.insns = {
2016 			BPF_MOV64_IMM(BPF_REG_0, 0),
2017 #if __BYTE_ORDER == __LITTLE_ENDIAN
2018 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2019 				    offsetof(struct __sk_buff, hash)),
2020 #else
2021 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2022 				    offsetof(struct __sk_buff, hash) + 3),
2023 #endif
2024 			BPF_EXIT_INSN(),
2025 		},
2026 		.result = ACCEPT,
2027 	},
2028 	{
2029 		"check skb->hash byte load not permitted 1",
2030 		.insns = {
2031 			BPF_MOV64_IMM(BPF_REG_0, 0),
2032 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2033 				    offsetof(struct __sk_buff, hash) + 1),
2034 			BPF_EXIT_INSN(),
2035 		},
2036 		.errstr = "invalid bpf_context access",
2037 		.result = REJECT,
2038 	},
2039 	{
2040 		"check skb->hash byte load not permitted 2",
2041 		.insns = {
2042 			BPF_MOV64_IMM(BPF_REG_0, 0),
2043 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2044 				    offsetof(struct __sk_buff, hash) + 2),
2045 			BPF_EXIT_INSN(),
2046 		},
2047 		.errstr = "invalid bpf_context access",
2048 		.result = REJECT,
2049 	},
2050 	{
2051 		"check skb->hash byte load not permitted 3",
2052 		.insns = {
2053 			BPF_MOV64_IMM(BPF_REG_0, 0),
2054 #if __BYTE_ORDER == __LITTLE_ENDIAN
2055 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2056 				    offsetof(struct __sk_buff, hash) + 3),
2057 #else
2058 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2059 				    offsetof(struct __sk_buff, hash)),
2060 #endif
2061 			BPF_EXIT_INSN(),
2062 		},
2063 		.errstr = "invalid bpf_context access",
2064 		.result = REJECT,
2065 	},
2066 	{
2067 		"check cb access: byte, wrong type",
2068 		.insns = {
2069 			BPF_MOV64_IMM(BPF_REG_0, 0),
2070 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2071 				    offsetof(struct __sk_buff, cb[0])),
2072 			BPF_EXIT_INSN(),
2073 		},
2074 		.errstr = "invalid bpf_context access",
2075 		.result = REJECT,
2076 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2077 	},
2078 	{
2079 		"check cb access: half",
2080 		.insns = {
2081 			BPF_MOV64_IMM(BPF_REG_0, 0),
2082 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2083 				    offsetof(struct __sk_buff, cb[0])),
2084 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2085 				    offsetof(struct __sk_buff, cb[0]) + 2),
2086 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2087 				    offsetof(struct __sk_buff, cb[1])),
2088 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2089 				    offsetof(struct __sk_buff, cb[1]) + 2),
2090 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2091 				    offsetof(struct __sk_buff, cb[2])),
2092 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2093 				    offsetof(struct __sk_buff, cb[2]) + 2),
2094 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2095 				    offsetof(struct __sk_buff, cb[3])),
2096 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2097 				    offsetof(struct __sk_buff, cb[3]) + 2),
2098 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2099 				    offsetof(struct __sk_buff, cb[4])),
2100 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2101 				    offsetof(struct __sk_buff, cb[4]) + 2),
2102 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2103 				    offsetof(struct __sk_buff, cb[0])),
2104 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2105 				    offsetof(struct __sk_buff, cb[0]) + 2),
2106 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2107 				    offsetof(struct __sk_buff, cb[1])),
2108 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2109 				    offsetof(struct __sk_buff, cb[1]) + 2),
2110 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2111 				    offsetof(struct __sk_buff, cb[2])),
2112 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2113 				    offsetof(struct __sk_buff, cb[2]) + 2),
2114 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2115 				    offsetof(struct __sk_buff, cb[3])),
2116 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2117 				    offsetof(struct __sk_buff, cb[3]) + 2),
2118 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2119 				    offsetof(struct __sk_buff, cb[4])),
2120 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2121 				    offsetof(struct __sk_buff, cb[4]) + 2),
2122 			BPF_EXIT_INSN(),
2123 		},
2124 		.result = ACCEPT,
2125 	},
2126 	{
2127 		"check cb access: half, unaligned",
2128 		.insns = {
2129 			BPF_MOV64_IMM(BPF_REG_0, 0),
2130 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2131 				    offsetof(struct __sk_buff, cb[0]) + 1),
2132 			BPF_EXIT_INSN(),
2133 		},
2134 		.errstr = "misaligned context access",
2135 		.result = REJECT,
2136 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2137 	},
2138 	{
2139 		"check __sk_buff->hash, offset 0, half store not permitted",
2140 		.insns = {
2141 			BPF_MOV64_IMM(BPF_REG_0, 0),
2142 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2143 				    offsetof(struct __sk_buff, hash)),
2144 			BPF_EXIT_INSN(),
2145 		},
2146 		.errstr = "invalid bpf_context access",
2147 		.result = REJECT,
2148 	},
2149 	{
2150 		"check __sk_buff->tc_index, offset 2, half store not permitted",
2151 		.insns = {
2152 			BPF_MOV64_IMM(BPF_REG_0, 0),
2153 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2154 				    offsetof(struct __sk_buff, tc_index) + 2),
2155 			BPF_EXIT_INSN(),
2156 		},
2157 		.errstr = "invalid bpf_context access",
2158 		.result = REJECT,
2159 	},
2160 	{
2161 		"check skb->hash half load permitted",
2162 		.insns = {
2163 			BPF_MOV64_IMM(BPF_REG_0, 0),
2164 #if __BYTE_ORDER == __LITTLE_ENDIAN
2165 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2166 				    offsetof(struct __sk_buff, hash)),
2167 #else
2168 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2169 				    offsetof(struct __sk_buff, hash) + 2),
2170 #endif
2171 			BPF_EXIT_INSN(),
2172 		},
2173 		.result = ACCEPT,
2174 	},
2175 	{
2176 		"check skb->hash half load not permitted",
2177 		.insns = {
2178 			BPF_MOV64_IMM(BPF_REG_0, 0),
2179 #if __BYTE_ORDER == __LITTLE_ENDIAN
2180 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2181 				    offsetof(struct __sk_buff, hash) + 2),
2182 #else
2183 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2184 				    offsetof(struct __sk_buff, hash)),
2185 #endif
2186 			BPF_EXIT_INSN(),
2187 		},
2188 		.errstr = "invalid bpf_context access",
2189 		.result = REJECT,
2190 	},
2191 	{
2192 		"check cb access: half, wrong type",
2193 		.insns = {
2194 			BPF_MOV64_IMM(BPF_REG_0, 0),
2195 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2196 				    offsetof(struct __sk_buff, cb[0])),
2197 			BPF_EXIT_INSN(),
2198 		},
2199 		.errstr = "invalid bpf_context access",
2200 		.result = REJECT,
2201 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2202 	},
2203 	{
2204 		"check cb access: word",
2205 		.insns = {
2206 			BPF_MOV64_IMM(BPF_REG_0, 0),
2207 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2208 				    offsetof(struct __sk_buff, cb[0])),
2209 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2210 				    offsetof(struct __sk_buff, cb[1])),
2211 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2212 				    offsetof(struct __sk_buff, cb[2])),
2213 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2214 				    offsetof(struct __sk_buff, cb[3])),
2215 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2216 				    offsetof(struct __sk_buff, cb[4])),
2217 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2218 				    offsetof(struct __sk_buff, cb[0])),
2219 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2220 				    offsetof(struct __sk_buff, cb[1])),
2221 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2222 				    offsetof(struct __sk_buff, cb[2])),
2223 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2224 				    offsetof(struct __sk_buff, cb[3])),
2225 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2226 				    offsetof(struct __sk_buff, cb[4])),
2227 			BPF_EXIT_INSN(),
2228 		},
2229 		.result = ACCEPT,
2230 	},
2231 	{
2232 		"check cb access: word, unaligned 1",
2233 		.insns = {
2234 			BPF_MOV64_IMM(BPF_REG_0, 0),
2235 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2236 				    offsetof(struct __sk_buff, cb[0]) + 2),
2237 			BPF_EXIT_INSN(),
2238 		},
2239 		.errstr = "misaligned context access",
2240 		.result = REJECT,
2241 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2242 	},
2243 	{
2244 		"check cb access: word, unaligned 2",
2245 		.insns = {
2246 			BPF_MOV64_IMM(BPF_REG_0, 0),
2247 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2248 				    offsetof(struct __sk_buff, cb[4]) + 1),
2249 			BPF_EXIT_INSN(),
2250 		},
2251 		.errstr = "misaligned context access",
2252 		.result = REJECT,
2253 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2254 	},
2255 	{
2256 		"check cb access: word, unaligned 3",
2257 		.insns = {
2258 			BPF_MOV64_IMM(BPF_REG_0, 0),
2259 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2260 				    offsetof(struct __sk_buff, cb[4]) + 2),
2261 			BPF_EXIT_INSN(),
2262 		},
2263 		.errstr = "misaligned context access",
2264 		.result = REJECT,
2265 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2266 	},
2267 	{
2268 		"check cb access: word, unaligned 4",
2269 		.insns = {
2270 			BPF_MOV64_IMM(BPF_REG_0, 0),
2271 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2272 				    offsetof(struct __sk_buff, cb[4]) + 3),
2273 			BPF_EXIT_INSN(),
2274 		},
2275 		.errstr = "misaligned context access",
2276 		.result = REJECT,
2277 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2278 	},
2279 	{
2280 		"check cb access: double",
2281 		.insns = {
2282 			BPF_MOV64_IMM(BPF_REG_0, 0),
2283 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2284 				    offsetof(struct __sk_buff, cb[0])),
2285 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2286 				    offsetof(struct __sk_buff, cb[2])),
2287 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2288 				    offsetof(struct __sk_buff, cb[0])),
2289 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2290 				    offsetof(struct __sk_buff, cb[2])),
2291 			BPF_EXIT_INSN(),
2292 		},
2293 		.result = ACCEPT,
2294 	},
2295 	{
2296 		"check cb access: double, unaligned 1",
2297 		.insns = {
2298 			BPF_MOV64_IMM(BPF_REG_0, 0),
2299 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2300 				    offsetof(struct __sk_buff, cb[1])),
2301 			BPF_EXIT_INSN(),
2302 		},
2303 		.errstr = "misaligned context access",
2304 		.result = REJECT,
2305 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2306 	},
2307 	{
2308 		"check cb access: double, unaligned 2",
2309 		.insns = {
2310 			BPF_MOV64_IMM(BPF_REG_0, 0),
2311 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2312 				    offsetof(struct __sk_buff, cb[3])),
2313 			BPF_EXIT_INSN(),
2314 		},
2315 		.errstr = "misaligned context access",
2316 		.result = REJECT,
2317 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2318 	},
2319 	{
2320 		"check cb access: double, oob 1",
2321 		.insns = {
2322 			BPF_MOV64_IMM(BPF_REG_0, 0),
2323 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2324 				    offsetof(struct __sk_buff, cb[4])),
2325 			BPF_EXIT_INSN(),
2326 		},
2327 		.errstr = "invalid bpf_context access",
2328 		.result = REJECT,
2329 	},
2330 	{
2331 		"check cb access: double, oob 2",
2332 		.insns = {
2333 			BPF_MOV64_IMM(BPF_REG_0, 0),
2334 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2335 				    offsetof(struct __sk_buff, cb[4])),
2336 			BPF_EXIT_INSN(),
2337 		},
2338 		.errstr = "invalid bpf_context access",
2339 		.result = REJECT,
2340 	},
2341 	{
2342 		"check __sk_buff->ifindex dw store not permitted",
2343 		.insns = {
2344 			BPF_MOV64_IMM(BPF_REG_0, 0),
2345 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2346 				    offsetof(struct __sk_buff, ifindex)),
2347 			BPF_EXIT_INSN(),
2348 		},
2349 		.errstr = "invalid bpf_context access",
2350 		.result = REJECT,
2351 	},
2352 	{
2353 		"check __sk_buff->ifindex dw load not permitted",
2354 		.insns = {
2355 			BPF_MOV64_IMM(BPF_REG_0, 0),
2356 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2357 				    offsetof(struct __sk_buff, ifindex)),
2358 			BPF_EXIT_INSN(),
2359 		},
2360 		.errstr = "invalid bpf_context access",
2361 		.result = REJECT,
2362 	},
2363 	{
2364 		"check cb access: double, wrong type",
2365 		.insns = {
2366 			BPF_MOV64_IMM(BPF_REG_0, 0),
2367 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2368 				    offsetof(struct __sk_buff, cb[0])),
2369 			BPF_EXIT_INSN(),
2370 		},
2371 		.errstr = "invalid bpf_context access",
2372 		.result = REJECT,
2373 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2374 	},
2375 	{
2376 		"check out of range skb->cb access",
2377 		.insns = {
2378 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2379 				    offsetof(struct __sk_buff, cb[0]) + 256),
2380 			BPF_EXIT_INSN(),
2381 		},
2382 		.errstr = "invalid bpf_context access",
2383 		.errstr_unpriv = "",
2384 		.result = REJECT,
2385 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
2386 	},
2387 	{
2388 		"write skb fields from socket prog",
2389 		.insns = {
2390 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2391 				    offsetof(struct __sk_buff, cb[4])),
2392 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2393 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2394 				    offsetof(struct __sk_buff, mark)),
2395 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2396 				    offsetof(struct __sk_buff, tc_index)),
2397 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2398 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2399 				    offsetof(struct __sk_buff, cb[0])),
2400 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2401 				    offsetof(struct __sk_buff, cb[2])),
2402 			BPF_EXIT_INSN(),
2403 		},
2404 		.result = ACCEPT,
2405 		.errstr_unpriv = "R1 leaks addr",
2406 		.result_unpriv = REJECT,
2407 	},
2408 	{
2409 		"write skb fields from tc_cls_act prog",
2410 		.insns = {
2411 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2412 				    offsetof(struct __sk_buff, cb[0])),
2413 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2414 				    offsetof(struct __sk_buff, mark)),
2415 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2416 				    offsetof(struct __sk_buff, tc_index)),
2417 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2418 				    offsetof(struct __sk_buff, tc_index)),
2419 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2420 				    offsetof(struct __sk_buff, cb[3])),
2421 			BPF_EXIT_INSN(),
2422 		},
2423 		.errstr_unpriv = "",
2424 		.result_unpriv = REJECT,
2425 		.result = ACCEPT,
2426 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2427 	},
2428 	{
2429 		"PTR_TO_STACK store/load",
2430 		.insns = {
2431 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2432 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2433 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2434 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2435 			BPF_EXIT_INSN(),
2436 		},
2437 		.result = ACCEPT,
2438 		.retval = 0xfaceb00c,
2439 	},
2440 	{
2441 		"PTR_TO_STACK store/load - bad alignment on off",
2442 		.insns = {
2443 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2444 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2445 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2446 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2447 			BPF_EXIT_INSN(),
2448 		},
2449 		.result = REJECT,
2450 		.errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2451 	},
2452 	{
2453 		"PTR_TO_STACK store/load - bad alignment on reg",
2454 		.insns = {
2455 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2456 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2457 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2458 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2459 			BPF_EXIT_INSN(),
2460 		},
2461 		.result = REJECT,
2462 		.errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2463 	},
2464 	{
2465 		"PTR_TO_STACK store/load - out of bounds low",
2466 		.insns = {
2467 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2468 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2469 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2470 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2471 			BPF_EXIT_INSN(),
2472 		},
2473 		.result = REJECT,
2474 		.errstr = "invalid stack off=-79992 size=8",
2475 	},
2476 	{
2477 		"PTR_TO_STACK store/load - out of bounds high",
2478 		.insns = {
2479 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2480 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2481 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2482 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2483 			BPF_EXIT_INSN(),
2484 		},
2485 		.result = REJECT,
2486 		.errstr = "invalid stack off=0 size=8",
2487 	},
2488 	{
2489 		"unpriv: return pointer",
2490 		.insns = {
2491 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2492 			BPF_EXIT_INSN(),
2493 		},
2494 		.result = ACCEPT,
2495 		.result_unpriv = REJECT,
2496 		.errstr_unpriv = "R0 leaks addr",
2497 		.retval = POINTER_VALUE,
2498 	},
2499 	{
2500 		"unpriv: add const to pointer",
2501 		.insns = {
2502 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2503 			BPF_MOV64_IMM(BPF_REG_0, 0),
2504 			BPF_EXIT_INSN(),
2505 		},
2506 		.result = ACCEPT,
2507 	},
2508 	{
2509 		"unpriv: add pointer to pointer",
2510 		.insns = {
2511 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2512 			BPF_MOV64_IMM(BPF_REG_0, 0),
2513 			BPF_EXIT_INSN(),
2514 		},
2515 		.result = REJECT,
2516 		.errstr = "R1 pointer += pointer",
2517 	},
2518 	{
2519 		"unpriv: neg pointer",
2520 		.insns = {
2521 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2522 			BPF_MOV64_IMM(BPF_REG_0, 0),
2523 			BPF_EXIT_INSN(),
2524 		},
2525 		.result = ACCEPT,
2526 		.result_unpriv = REJECT,
2527 		.errstr_unpriv = "R1 pointer arithmetic",
2528 	},
2529 	{
2530 		"unpriv: cmp pointer with const",
2531 		.insns = {
2532 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2533 			BPF_MOV64_IMM(BPF_REG_0, 0),
2534 			BPF_EXIT_INSN(),
2535 		},
2536 		.result = ACCEPT,
2537 		.result_unpriv = REJECT,
2538 		.errstr_unpriv = "R1 pointer comparison",
2539 	},
2540 	{
2541 		"unpriv: cmp pointer with pointer",
2542 		.insns = {
2543 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2544 			BPF_MOV64_IMM(BPF_REG_0, 0),
2545 			BPF_EXIT_INSN(),
2546 		},
2547 		.result = ACCEPT,
2548 		.result_unpriv = REJECT,
2549 		.errstr_unpriv = "R10 pointer comparison",
2550 	},
2551 	{
2552 		"unpriv: check that printk is disallowed",
2553 		.insns = {
2554 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2555 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2556 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2557 			BPF_MOV64_IMM(BPF_REG_2, 8),
2558 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2559 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2560 				     BPF_FUNC_trace_printk),
2561 			BPF_MOV64_IMM(BPF_REG_0, 0),
2562 			BPF_EXIT_INSN(),
2563 		},
2564 		.errstr_unpriv = "unknown func bpf_trace_printk#6",
2565 		.result_unpriv = REJECT,
2566 		.result = ACCEPT,
2567 	},
2568 	{
2569 		"unpriv: pass pointer to helper function",
2570 		.insns = {
2571 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2572 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2573 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2574 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2575 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2576 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2577 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2578 				     BPF_FUNC_map_update_elem),
2579 			BPF_MOV64_IMM(BPF_REG_0, 0),
2580 			BPF_EXIT_INSN(),
2581 		},
2582 		.fixup_map_hash_8b = { 3 },
2583 		.errstr_unpriv = "R4 leaks addr",
2584 		.result_unpriv = REJECT,
2585 		.result = ACCEPT,
2586 	},
2587 	{
2588 		"unpriv: indirectly pass pointer on stack to helper function",
2589 		.insns = {
2590 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2591 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2592 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2593 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2594 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2595 				     BPF_FUNC_map_lookup_elem),
2596 			BPF_MOV64_IMM(BPF_REG_0, 0),
2597 			BPF_EXIT_INSN(),
2598 		},
2599 		.fixup_map_hash_8b = { 3 },
2600 		.errstr = "invalid indirect read from stack off -8+0 size 8",
2601 		.result = REJECT,
2602 	},
2603 	{
2604 		"unpriv: mangle pointer on stack 1",
2605 		.insns = {
2606 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2607 			BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2608 			BPF_MOV64_IMM(BPF_REG_0, 0),
2609 			BPF_EXIT_INSN(),
2610 		},
2611 		.errstr_unpriv = "attempt to corrupt spilled",
2612 		.result_unpriv = REJECT,
2613 		.result = ACCEPT,
2614 	},
2615 	{
2616 		"unpriv: mangle pointer on stack 2",
2617 		.insns = {
2618 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2619 			BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2620 			BPF_MOV64_IMM(BPF_REG_0, 0),
2621 			BPF_EXIT_INSN(),
2622 		},
2623 		.errstr_unpriv = "attempt to corrupt spilled",
2624 		.result_unpriv = REJECT,
2625 		.result = ACCEPT,
2626 	},
2627 	{
2628 		"unpriv: read pointer from stack in small chunks",
2629 		.insns = {
2630 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2631 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2632 			BPF_MOV64_IMM(BPF_REG_0, 0),
2633 			BPF_EXIT_INSN(),
2634 		},
2635 		.errstr = "invalid size",
2636 		.result = REJECT,
2637 	},
2638 	{
2639 		"unpriv: write pointer into ctx",
2640 		.insns = {
2641 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2642 			BPF_MOV64_IMM(BPF_REG_0, 0),
2643 			BPF_EXIT_INSN(),
2644 		},
2645 		.errstr_unpriv = "R1 leaks addr",
2646 		.result_unpriv = REJECT,
2647 		.errstr = "invalid bpf_context access",
2648 		.result = REJECT,
2649 	},
2650 	{
2651 		"unpriv: spill/fill of ctx",
2652 		.insns = {
2653 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2654 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2655 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2656 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2657 			BPF_MOV64_IMM(BPF_REG_0, 0),
2658 			BPF_EXIT_INSN(),
2659 		},
2660 		.result = ACCEPT,
2661 	},
2662 	{
2663 		"unpriv: spill/fill of ctx 2",
2664 		.insns = {
2665 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2666 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2667 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2668 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2669 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2670 				     BPF_FUNC_get_hash_recalc),
2671 			BPF_MOV64_IMM(BPF_REG_0, 0),
2672 			BPF_EXIT_INSN(),
2673 		},
2674 		.result = ACCEPT,
2675 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2676 	},
2677 	{
2678 		"unpriv: spill/fill of ctx 3",
2679 		.insns = {
2680 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2681 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2682 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2683 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2684 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2685 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2686 				     BPF_FUNC_get_hash_recalc),
2687 			BPF_EXIT_INSN(),
2688 		},
2689 		.result = REJECT,
2690 		.errstr = "R1 type=fp expected=ctx",
2691 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2692 	},
2693 	{
2694 		"unpriv: spill/fill of ctx 4",
2695 		.insns = {
2696 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2697 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2698 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2699 			BPF_MOV64_IMM(BPF_REG_0, 1),
2700 			BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2701 				     BPF_REG_0, -8, 0),
2702 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2703 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2704 				     BPF_FUNC_get_hash_recalc),
2705 			BPF_EXIT_INSN(),
2706 		},
2707 		.result = REJECT,
2708 		.errstr = "R1 type=inv expected=ctx",
2709 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2710 	},
2711 	{
2712 		"unpriv: spill/fill of different pointers stx",
2713 		.insns = {
2714 			BPF_MOV64_IMM(BPF_REG_3, 42),
2715 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2716 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2717 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2718 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2719 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2720 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2721 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2722 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2723 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2724 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2725 				    offsetof(struct __sk_buff, mark)),
2726 			BPF_MOV64_IMM(BPF_REG_0, 0),
2727 			BPF_EXIT_INSN(),
2728 		},
2729 		.result = REJECT,
2730 		.errstr = "same insn cannot be used with different pointers",
2731 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2732 	},
2733 	{
2734 		"unpriv: spill/fill of different pointers stx - ctx and sock",
2735 		.insns = {
2736 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2737 			/* struct bpf_sock *sock = bpf_sock_lookup(...); */
2738 			BPF_SK_LOOKUP,
2739 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2740 			/* u64 foo; */
2741 			/* void *target = &foo; */
2742 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2743 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2744 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2745 			/* if (skb == NULL) *target = sock; */
2746 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2747 				BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2748 			/* else *target = skb; */
2749 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2750 				BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2751 			/* struct __sk_buff *skb = *target; */
2752 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2753 			/* skb->mark = 42; */
2754 			BPF_MOV64_IMM(BPF_REG_3, 42),
2755 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2756 				    offsetof(struct __sk_buff, mark)),
2757 			/* if (sk) bpf_sk_release(sk) */
2758 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2759 				BPF_EMIT_CALL(BPF_FUNC_sk_release),
2760 			BPF_MOV64_IMM(BPF_REG_0, 0),
2761 			BPF_EXIT_INSN(),
2762 		},
2763 		.result = REJECT,
2764 		.errstr = "type=ctx expected=sock",
2765 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2766 	},
2767 	{
2768 		"unpriv: spill/fill of different pointers stx - leak sock",
2769 		.insns = {
2770 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2771 			/* struct bpf_sock *sock = bpf_sock_lookup(...); */
2772 			BPF_SK_LOOKUP,
2773 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2774 			/* u64 foo; */
2775 			/* void *target = &foo; */
2776 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2777 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2778 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2779 			/* if (skb == NULL) *target = sock; */
2780 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2781 				BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2782 			/* else *target = skb; */
2783 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2784 				BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2785 			/* struct __sk_buff *skb = *target; */
2786 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2787 			/* skb->mark = 42; */
2788 			BPF_MOV64_IMM(BPF_REG_3, 42),
2789 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2790 				    offsetof(struct __sk_buff, mark)),
2791 			BPF_EXIT_INSN(),
2792 		},
2793 		.result = REJECT,
2794 		//.errstr = "same insn cannot be used with different pointers",
2795 		.errstr = "Unreleased reference",
2796 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2797 	},
2798 	{
2799 		"unpriv: spill/fill of different pointers stx - sock and ctx (read)",
2800 		.insns = {
2801 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2802 			/* struct bpf_sock *sock = bpf_sock_lookup(...); */
2803 			BPF_SK_LOOKUP,
2804 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2805 			/* u64 foo; */
2806 			/* void *target = &foo; */
2807 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2808 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2809 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2810 			/* if (skb) *target = skb */
2811 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2812 				BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2813 			/* else *target = sock */
2814 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2815 				BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2816 			/* struct bpf_sock *sk = *target; */
2817 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2818 			/* if (sk) u32 foo = sk->mark; bpf_sk_release(sk); */
2819 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
2820 				BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2821 					    offsetof(struct bpf_sock, mark)),
2822 				BPF_EMIT_CALL(BPF_FUNC_sk_release),
2823 			BPF_MOV64_IMM(BPF_REG_0, 0),
2824 			BPF_EXIT_INSN(),
2825 		},
2826 		.result = REJECT,
2827 		.errstr = "same insn cannot be used with different pointers",
2828 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2829 	},
2830 	{
2831 		"unpriv: spill/fill of different pointers stx - sock and ctx (write)",
2832 		.insns = {
2833 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2834 			/* struct bpf_sock *sock = bpf_sock_lookup(...); */
2835 			BPF_SK_LOOKUP,
2836 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2837 			/* u64 foo; */
2838 			/* void *target = &foo; */
2839 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2840 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2841 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2842 			/* if (skb) *target = skb */
2843 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2844 				BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2845 			/* else *target = sock */
2846 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2847 				BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2848 			/* struct bpf_sock *sk = *target; */
2849 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2850 			/* if (sk) sk->mark = 42; bpf_sk_release(sk); */
2851 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2852 				BPF_MOV64_IMM(BPF_REG_3, 42),
2853 				BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2854 					    offsetof(struct bpf_sock, mark)),
2855 				BPF_EMIT_CALL(BPF_FUNC_sk_release),
2856 			BPF_MOV64_IMM(BPF_REG_0, 0),
2857 			BPF_EXIT_INSN(),
2858 		},
2859 		.result = REJECT,
2860 		//.errstr = "same insn cannot be used with different pointers",
2861 		.errstr = "cannot write into socket",
2862 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2863 	},
2864 	{
2865 		"unpriv: spill/fill of different pointers ldx",
2866 		.insns = {
2867 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2868 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2869 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2870 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2871 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2872 				      -(__s32)offsetof(struct bpf_perf_event_data,
2873 						       sample_period) - 8),
2874 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2875 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2876 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2877 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2878 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2879 				    offsetof(struct bpf_perf_event_data,
2880 					     sample_period)),
2881 			BPF_MOV64_IMM(BPF_REG_0, 0),
2882 			BPF_EXIT_INSN(),
2883 		},
2884 		.result = REJECT,
2885 		.errstr = "same insn cannot be used with different pointers",
2886 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
2887 	},
2888 	{
2889 		"unpriv: write pointer into map elem value",
2890 		.insns = {
2891 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2892 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2893 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2894 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2895 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2896 				     BPF_FUNC_map_lookup_elem),
2897 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2898 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2899 			BPF_EXIT_INSN(),
2900 		},
2901 		.fixup_map_hash_8b = { 3 },
2902 		.errstr_unpriv = "R0 leaks addr",
2903 		.result_unpriv = REJECT,
2904 		.result = ACCEPT,
2905 	},
2906 	{
2907 		"unpriv: partial copy of pointer",
2908 		.insns = {
2909 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2910 			BPF_MOV64_IMM(BPF_REG_0, 0),
2911 			BPF_EXIT_INSN(),
2912 		},
2913 		.errstr_unpriv = "R10 partial copy",
2914 		.result_unpriv = REJECT,
2915 		.result = ACCEPT,
2916 	},
2917 	{
2918 		"unpriv: pass pointer to tail_call",
2919 		.insns = {
2920 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2921 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2922 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2923 				     BPF_FUNC_tail_call),
2924 			BPF_MOV64_IMM(BPF_REG_0, 0),
2925 			BPF_EXIT_INSN(),
2926 		},
2927 		.fixup_prog1 = { 1 },
2928 		.errstr_unpriv = "R3 leaks addr into helper",
2929 		.result_unpriv = REJECT,
2930 		.result = ACCEPT,
2931 	},
2932 	{
2933 		"unpriv: cmp map pointer with zero",
2934 		.insns = {
2935 			BPF_MOV64_IMM(BPF_REG_1, 0),
2936 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2937 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2938 			BPF_MOV64_IMM(BPF_REG_0, 0),
2939 			BPF_EXIT_INSN(),
2940 		},
2941 		.fixup_map_hash_8b = { 1 },
2942 		.errstr_unpriv = "R1 pointer comparison",
2943 		.result_unpriv = REJECT,
2944 		.result = ACCEPT,
2945 	},
2946 	{
2947 		"unpriv: write into frame pointer",
2948 		.insns = {
2949 			BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2950 			BPF_MOV64_IMM(BPF_REG_0, 0),
2951 			BPF_EXIT_INSN(),
2952 		},
2953 		.errstr = "frame pointer is read only",
2954 		.result = REJECT,
2955 	},
2956 	{
2957 		"unpriv: spill/fill frame pointer",
2958 		.insns = {
2959 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2960 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2961 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2962 			BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2963 			BPF_MOV64_IMM(BPF_REG_0, 0),
2964 			BPF_EXIT_INSN(),
2965 		},
2966 		.errstr = "frame pointer is read only",
2967 		.result = REJECT,
2968 	},
2969 	{
2970 		"unpriv: cmp of frame pointer",
2971 		.insns = {
2972 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2973 			BPF_MOV64_IMM(BPF_REG_0, 0),
2974 			BPF_EXIT_INSN(),
2975 		},
2976 		.errstr_unpriv = "R10 pointer comparison",
2977 		.result_unpriv = REJECT,
2978 		.result = ACCEPT,
2979 	},
2980 	{
2981 		"unpriv: adding of fp",
2982 		.insns = {
2983 			BPF_MOV64_IMM(BPF_REG_0, 0),
2984 			BPF_MOV64_IMM(BPF_REG_1, 0),
2985 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2986 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2987 			BPF_EXIT_INSN(),
2988 		},
2989 		.result = ACCEPT,
2990 	},
2991 	{
2992 		"unpriv: cmp of stack pointer",
2993 		.insns = {
2994 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2995 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2996 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2997 			BPF_MOV64_IMM(BPF_REG_0, 0),
2998 			BPF_EXIT_INSN(),
2999 		},
3000 		.errstr_unpriv = "R2 pointer comparison",
3001 		.result_unpriv = REJECT,
3002 		.result = ACCEPT,
3003 	},
3004 	{
3005 		"runtime/jit: tail_call within bounds, prog once",
3006 		.insns = {
3007 			BPF_MOV64_IMM(BPF_REG_3, 0),
3008 			BPF_LD_MAP_FD(BPF_REG_2, 0),
3009 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3010 				     BPF_FUNC_tail_call),
3011 			BPF_MOV64_IMM(BPF_REG_0, 1),
3012 			BPF_EXIT_INSN(),
3013 		},
3014 		.fixup_prog1 = { 1 },
3015 		.result = ACCEPT,
3016 		.retval = 42,
3017 	},
3018 	{
3019 		"runtime/jit: tail_call within bounds, prog loop",
3020 		.insns = {
3021 			BPF_MOV64_IMM(BPF_REG_3, 1),
3022 			BPF_LD_MAP_FD(BPF_REG_2, 0),
3023 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3024 				     BPF_FUNC_tail_call),
3025 			BPF_MOV64_IMM(BPF_REG_0, 1),
3026 			BPF_EXIT_INSN(),
3027 		},
3028 		.fixup_prog1 = { 1 },
3029 		.result = ACCEPT,
3030 		.retval = 41,
3031 	},
3032 	{
3033 		"runtime/jit: tail_call within bounds, no prog",
3034 		.insns = {
3035 			BPF_MOV64_IMM(BPF_REG_3, 2),
3036 			BPF_LD_MAP_FD(BPF_REG_2, 0),
3037 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3038 				     BPF_FUNC_tail_call),
3039 			BPF_MOV64_IMM(BPF_REG_0, 1),
3040 			BPF_EXIT_INSN(),
3041 		},
3042 		.fixup_prog1 = { 1 },
3043 		.result = ACCEPT,
3044 		.retval = 1,
3045 	},
3046 	{
3047 		"runtime/jit: tail_call out of bounds",
3048 		.insns = {
3049 			BPF_MOV64_IMM(BPF_REG_3, 256),
3050 			BPF_LD_MAP_FD(BPF_REG_2, 0),
3051 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3052 				     BPF_FUNC_tail_call),
3053 			BPF_MOV64_IMM(BPF_REG_0, 2),
3054 			BPF_EXIT_INSN(),
3055 		},
3056 		.fixup_prog1 = { 1 },
3057 		.result = ACCEPT,
3058 		.retval = 2,
3059 	},
3060 	{
3061 		"runtime/jit: pass negative index to tail_call",
3062 		.insns = {
3063 			BPF_MOV64_IMM(BPF_REG_3, -1),
3064 			BPF_LD_MAP_FD(BPF_REG_2, 0),
3065 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3066 				     BPF_FUNC_tail_call),
3067 			BPF_MOV64_IMM(BPF_REG_0, 2),
3068 			BPF_EXIT_INSN(),
3069 		},
3070 		.fixup_prog1 = { 1 },
3071 		.result = ACCEPT,
3072 		.retval = 2,
3073 	},
3074 	{
3075 		"runtime/jit: pass > 32bit index to tail_call",
3076 		.insns = {
3077 			BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
3078 			BPF_LD_MAP_FD(BPF_REG_2, 0),
3079 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3080 				     BPF_FUNC_tail_call),
3081 			BPF_MOV64_IMM(BPF_REG_0, 2),
3082 			BPF_EXIT_INSN(),
3083 		},
3084 		.fixup_prog1 = { 2 },
3085 		.result = ACCEPT,
3086 		.retval = 42,
3087 	},
3088 	{
3089 		"stack pointer arithmetic",
3090 		.insns = {
3091 			BPF_MOV64_IMM(BPF_REG_1, 4),
3092 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
3093 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
3094 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3095 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3096 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3097 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
3098 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3099 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3100 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3101 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3102 			BPF_MOV64_IMM(BPF_REG_0, 0),
3103 			BPF_EXIT_INSN(),
3104 		},
3105 		.result = ACCEPT,
3106 	},
3107 	{
3108 		"raw_stack: no skb_load_bytes",
3109 		.insns = {
3110 			BPF_MOV64_IMM(BPF_REG_2, 4),
3111 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3112 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3113 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3114 			BPF_MOV64_IMM(BPF_REG_4, 8),
3115 			/* Call to skb_load_bytes() omitted. */
3116 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3117 			BPF_EXIT_INSN(),
3118 		},
3119 		.result = REJECT,
3120 		.errstr = "invalid read from stack off -8+0 size 8",
3121 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3122 	},
3123 	{
3124 		"raw_stack: skb_load_bytes, negative len",
3125 		.insns = {
3126 			BPF_MOV64_IMM(BPF_REG_2, 4),
3127 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3128 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3129 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3130 			BPF_MOV64_IMM(BPF_REG_4, -8),
3131 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3132 				     BPF_FUNC_skb_load_bytes),
3133 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3134 			BPF_EXIT_INSN(),
3135 		},
3136 		.result = REJECT,
3137 		.errstr = "R4 min value is negative",
3138 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3139 	},
3140 	{
3141 		"raw_stack: skb_load_bytes, negative len 2",
3142 		.insns = {
3143 			BPF_MOV64_IMM(BPF_REG_2, 4),
3144 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3145 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3146 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3147 			BPF_MOV64_IMM(BPF_REG_4, ~0),
3148 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3149 				     BPF_FUNC_skb_load_bytes),
3150 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3151 			BPF_EXIT_INSN(),
3152 		},
3153 		.result = REJECT,
3154 		.errstr = "R4 min value is negative",
3155 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3156 	},
3157 	{
3158 		"raw_stack: skb_load_bytes, zero len",
3159 		.insns = {
3160 			BPF_MOV64_IMM(BPF_REG_2, 4),
3161 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3162 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3163 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3164 			BPF_MOV64_IMM(BPF_REG_4, 0),
3165 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3166 				     BPF_FUNC_skb_load_bytes),
3167 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3168 			BPF_EXIT_INSN(),
3169 		},
3170 		.result = REJECT,
3171 		.errstr = "invalid stack type R3",
3172 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3173 	},
3174 	{
3175 		"raw_stack: skb_load_bytes, no init",
3176 		.insns = {
3177 			BPF_MOV64_IMM(BPF_REG_2, 4),
3178 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3179 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3180 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3181 			BPF_MOV64_IMM(BPF_REG_4, 8),
3182 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3183 				     BPF_FUNC_skb_load_bytes),
3184 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3185 			BPF_EXIT_INSN(),
3186 		},
3187 		.result = ACCEPT,
3188 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3189 	},
3190 	{
3191 		"raw_stack: skb_load_bytes, init",
3192 		.insns = {
3193 			BPF_MOV64_IMM(BPF_REG_2, 4),
3194 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3195 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3196 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3197 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3198 			BPF_MOV64_IMM(BPF_REG_4, 8),
3199 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3200 				     BPF_FUNC_skb_load_bytes),
3201 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3202 			BPF_EXIT_INSN(),
3203 		},
3204 		.result = ACCEPT,
3205 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3206 	},
3207 	{
3208 		"raw_stack: skb_load_bytes, spilled regs around bounds",
3209 		.insns = {
3210 			BPF_MOV64_IMM(BPF_REG_2, 4),
3211 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3212 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3213 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3214 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3215 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3216 			BPF_MOV64_IMM(BPF_REG_4, 8),
3217 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3218 				     BPF_FUNC_skb_load_bytes),
3219 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3220 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3221 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3222 				    offsetof(struct __sk_buff, mark)),
3223 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3224 				    offsetof(struct __sk_buff, priority)),
3225 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3226 			BPF_EXIT_INSN(),
3227 		},
3228 		.result = ACCEPT,
3229 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3230 	},
3231 	{
3232 		"raw_stack: skb_load_bytes, spilled regs corruption",
3233 		.insns = {
3234 			BPF_MOV64_IMM(BPF_REG_2, 4),
3235 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3236 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3237 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3238 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3239 			BPF_MOV64_IMM(BPF_REG_4, 8),
3240 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3241 				     BPF_FUNC_skb_load_bytes),
3242 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3243 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3244 				    offsetof(struct __sk_buff, mark)),
3245 			BPF_EXIT_INSN(),
3246 		},
3247 		.result = REJECT,
3248 		.errstr = "R0 invalid mem access 'inv'",
3249 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3250 	},
3251 	{
3252 		"raw_stack: skb_load_bytes, spilled regs corruption 2",
3253 		.insns = {
3254 			BPF_MOV64_IMM(BPF_REG_2, 4),
3255 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3256 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3257 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3258 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
3259 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3260 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3261 			BPF_MOV64_IMM(BPF_REG_4, 8),
3262 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3263 				     BPF_FUNC_skb_load_bytes),
3264 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3265 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3266 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
3267 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3268 				    offsetof(struct __sk_buff, mark)),
3269 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3270 				    offsetof(struct __sk_buff, priority)),
3271 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3272 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3273 				    offsetof(struct __sk_buff, pkt_type)),
3274 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3275 			BPF_EXIT_INSN(),
3276 		},
3277 		.result = REJECT,
3278 		.errstr = "R3 invalid mem access 'inv'",
3279 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3280 	},
3281 	{
3282 		"raw_stack: skb_load_bytes, spilled regs + data",
3283 		.insns = {
3284 			BPF_MOV64_IMM(BPF_REG_2, 4),
3285 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3286 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3287 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3288 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
3289 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3290 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3291 			BPF_MOV64_IMM(BPF_REG_4, 8),
3292 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3293 				     BPF_FUNC_skb_load_bytes),
3294 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3295 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3296 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
3297 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3298 				    offsetof(struct __sk_buff, mark)),
3299 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3300 				    offsetof(struct __sk_buff, priority)),
3301 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3302 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3303 			BPF_EXIT_INSN(),
3304 		},
3305 		.result = ACCEPT,
3306 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3307 	},
3308 	{
3309 		"raw_stack: skb_load_bytes, invalid access 1",
3310 		.insns = {
3311 			BPF_MOV64_IMM(BPF_REG_2, 4),
3312 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3313 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3314 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3315 			BPF_MOV64_IMM(BPF_REG_4, 8),
3316 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3317 				     BPF_FUNC_skb_load_bytes),
3318 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3319 			BPF_EXIT_INSN(),
3320 		},
3321 		.result = REJECT,
3322 		.errstr = "invalid stack type R3 off=-513 access_size=8",
3323 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3324 	},
3325 	{
3326 		"raw_stack: skb_load_bytes, invalid access 2",
3327 		.insns = {
3328 			BPF_MOV64_IMM(BPF_REG_2, 4),
3329 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3330 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3331 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3332 			BPF_MOV64_IMM(BPF_REG_4, 8),
3333 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3334 				     BPF_FUNC_skb_load_bytes),
3335 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3336 			BPF_EXIT_INSN(),
3337 		},
3338 		.result = REJECT,
3339 		.errstr = "invalid stack type R3 off=-1 access_size=8",
3340 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3341 	},
3342 	{
3343 		"raw_stack: skb_load_bytes, invalid access 3",
3344 		.insns = {
3345 			BPF_MOV64_IMM(BPF_REG_2, 4),
3346 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3347 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3348 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3349 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3350 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3351 				     BPF_FUNC_skb_load_bytes),
3352 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3353 			BPF_EXIT_INSN(),
3354 		},
3355 		.result = REJECT,
3356 		.errstr = "R4 min value is negative",
3357 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3358 	},
3359 	{
3360 		"raw_stack: skb_load_bytes, invalid access 4",
3361 		.insns = {
3362 			BPF_MOV64_IMM(BPF_REG_2, 4),
3363 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3364 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3365 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3366 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3367 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3368 				     BPF_FUNC_skb_load_bytes),
3369 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3370 			BPF_EXIT_INSN(),
3371 		},
3372 		.result = REJECT,
3373 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3374 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3375 	},
3376 	{
3377 		"raw_stack: skb_load_bytes, invalid access 5",
3378 		.insns = {
3379 			BPF_MOV64_IMM(BPF_REG_2, 4),
3380 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3381 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3382 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3383 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3384 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3385 				     BPF_FUNC_skb_load_bytes),
3386 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3387 			BPF_EXIT_INSN(),
3388 		},
3389 		.result = REJECT,
3390 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3391 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3392 	},
3393 	{
3394 		"raw_stack: skb_load_bytes, invalid access 6",
3395 		.insns = {
3396 			BPF_MOV64_IMM(BPF_REG_2, 4),
3397 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3398 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3399 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3400 			BPF_MOV64_IMM(BPF_REG_4, 0),
3401 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3402 				     BPF_FUNC_skb_load_bytes),
3403 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3404 			BPF_EXIT_INSN(),
3405 		},
3406 		.result = REJECT,
3407 		.errstr = "invalid stack type R3 off=-512 access_size=0",
3408 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3409 	},
3410 	{
3411 		"raw_stack: skb_load_bytes, large access",
3412 		.insns = {
3413 			BPF_MOV64_IMM(BPF_REG_2, 4),
3414 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3415 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3416 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3417 			BPF_MOV64_IMM(BPF_REG_4, 512),
3418 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3419 				     BPF_FUNC_skb_load_bytes),
3420 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3421 			BPF_EXIT_INSN(),
3422 		},
3423 		.result = ACCEPT,
3424 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3425 	},
3426 	{
3427 		"context stores via ST",
3428 		.insns = {
3429 			BPF_MOV64_IMM(BPF_REG_0, 0),
3430 			BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3431 			BPF_EXIT_INSN(),
3432 		},
3433 		.errstr = "BPF_ST stores into R1 ctx is not allowed",
3434 		.result = REJECT,
3435 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3436 	},
3437 	{
3438 		"context stores via XADD",
3439 		.insns = {
3440 			BPF_MOV64_IMM(BPF_REG_0, 0),
3441 			BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3442 				     BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3443 			BPF_EXIT_INSN(),
3444 		},
3445 		.errstr = "BPF_XADD stores into R1 ctx is not allowed",
3446 		.result = REJECT,
3447 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3448 	},
3449 	{
3450 		"direct packet access: test1",
3451 		.insns = {
3452 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3453 				    offsetof(struct __sk_buff, data)),
3454 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3455 				    offsetof(struct __sk_buff, data_end)),
3456 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3457 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3458 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3459 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3460 			BPF_MOV64_IMM(BPF_REG_0, 0),
3461 			BPF_EXIT_INSN(),
3462 		},
3463 		.result = ACCEPT,
3464 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3465 	},
3466 	{
3467 		"direct packet access: test2",
3468 		.insns = {
3469 			BPF_MOV64_IMM(BPF_REG_0, 1),
3470 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3471 				    offsetof(struct __sk_buff, data_end)),
3472 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3473 				    offsetof(struct __sk_buff, data)),
3474 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3475 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3476 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3477 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3478 			BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3479 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3480 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3481 				    offsetof(struct __sk_buff, data)),
3482 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3483 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3484 				    offsetof(struct __sk_buff, len)),
3485 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3486 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3487 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3488 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3489 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3490 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3491 				    offsetof(struct __sk_buff, data_end)),
3492 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3493 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3494 			BPF_MOV64_IMM(BPF_REG_0, 0),
3495 			BPF_EXIT_INSN(),
3496 		},
3497 		.result = ACCEPT,
3498 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3499 	},
3500 	{
3501 		"direct packet access: test3",
3502 		.insns = {
3503 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3504 				    offsetof(struct __sk_buff, data)),
3505 			BPF_MOV64_IMM(BPF_REG_0, 0),
3506 			BPF_EXIT_INSN(),
3507 		},
3508 		.errstr = "invalid bpf_context access off=76",
3509 		.result = REJECT,
3510 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3511 	},
3512 	{
3513 		"direct packet access: test4 (write)",
3514 		.insns = {
3515 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3516 				    offsetof(struct __sk_buff, data)),
3517 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3518 				    offsetof(struct __sk_buff, data_end)),
3519 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3520 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3521 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3522 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3523 			BPF_MOV64_IMM(BPF_REG_0, 0),
3524 			BPF_EXIT_INSN(),
3525 		},
3526 		.result = ACCEPT,
3527 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3528 	},
3529 	{
3530 		"direct packet access: test5 (pkt_end >= reg, good access)",
3531 		.insns = {
3532 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3533 				    offsetof(struct __sk_buff, data)),
3534 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3535 				    offsetof(struct __sk_buff, data_end)),
3536 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3537 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3538 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3539 			BPF_MOV64_IMM(BPF_REG_0, 1),
3540 			BPF_EXIT_INSN(),
3541 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3542 			BPF_MOV64_IMM(BPF_REG_0, 0),
3543 			BPF_EXIT_INSN(),
3544 		},
3545 		.result = ACCEPT,
3546 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3547 	},
3548 	{
3549 		"direct packet access: test6 (pkt_end >= reg, bad access)",
3550 		.insns = {
3551 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3552 				    offsetof(struct __sk_buff, data)),
3553 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3554 				    offsetof(struct __sk_buff, data_end)),
3555 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3556 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3557 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3558 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3559 			BPF_MOV64_IMM(BPF_REG_0, 1),
3560 			BPF_EXIT_INSN(),
3561 			BPF_MOV64_IMM(BPF_REG_0, 0),
3562 			BPF_EXIT_INSN(),
3563 		},
3564 		.errstr = "invalid access to packet",
3565 		.result = REJECT,
3566 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3567 	},
3568 	{
3569 		"direct packet access: test7 (pkt_end >= reg, both accesses)",
3570 		.insns = {
3571 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3572 				    offsetof(struct __sk_buff, data)),
3573 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3574 				    offsetof(struct __sk_buff, data_end)),
3575 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3576 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3577 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3578 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3579 			BPF_MOV64_IMM(BPF_REG_0, 1),
3580 			BPF_EXIT_INSN(),
3581 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3582 			BPF_MOV64_IMM(BPF_REG_0, 0),
3583 			BPF_EXIT_INSN(),
3584 		},
3585 		.errstr = "invalid access to packet",
3586 		.result = REJECT,
3587 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3588 	},
3589 	{
3590 		"direct packet access: test8 (double test, variant 1)",
3591 		.insns = {
3592 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3593 				    offsetof(struct __sk_buff, data)),
3594 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3595 				    offsetof(struct __sk_buff, data_end)),
3596 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3597 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3598 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3599 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3600 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3601 			BPF_MOV64_IMM(BPF_REG_0, 1),
3602 			BPF_EXIT_INSN(),
3603 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3604 			BPF_MOV64_IMM(BPF_REG_0, 0),
3605 			BPF_EXIT_INSN(),
3606 		},
3607 		.result = ACCEPT,
3608 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3609 	},
3610 	{
3611 		"direct packet access: test9 (double test, variant 2)",
3612 		.insns = {
3613 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3614 				    offsetof(struct __sk_buff, data)),
3615 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3616 				    offsetof(struct __sk_buff, data_end)),
3617 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3618 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3619 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3620 			BPF_MOV64_IMM(BPF_REG_0, 1),
3621 			BPF_EXIT_INSN(),
3622 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3623 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3624 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3625 			BPF_MOV64_IMM(BPF_REG_0, 0),
3626 			BPF_EXIT_INSN(),
3627 		},
3628 		.result = ACCEPT,
3629 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3630 	},
3631 	{
3632 		"direct packet access: test10 (write invalid)",
3633 		.insns = {
3634 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3635 				    offsetof(struct __sk_buff, data)),
3636 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3637 				    offsetof(struct __sk_buff, data_end)),
3638 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3639 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3640 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3641 			BPF_MOV64_IMM(BPF_REG_0, 0),
3642 			BPF_EXIT_INSN(),
3643 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3644 			BPF_MOV64_IMM(BPF_REG_0, 0),
3645 			BPF_EXIT_INSN(),
3646 		},
3647 		.errstr = "invalid access to packet",
3648 		.result = REJECT,
3649 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3650 	},
3651 	{
3652 		"direct packet access: test11 (shift, good access)",
3653 		.insns = {
3654 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3655 				    offsetof(struct __sk_buff, data)),
3656 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3657 				    offsetof(struct __sk_buff, data_end)),
3658 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3659 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3660 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3661 			BPF_MOV64_IMM(BPF_REG_3, 144),
3662 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3663 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3664 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3665 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3666 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3667 			BPF_MOV64_IMM(BPF_REG_0, 1),
3668 			BPF_EXIT_INSN(),
3669 			BPF_MOV64_IMM(BPF_REG_0, 0),
3670 			BPF_EXIT_INSN(),
3671 		},
3672 		.result = ACCEPT,
3673 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3674 		.retval = 1,
3675 	},
3676 	{
3677 		"direct packet access: test12 (and, good access)",
3678 		.insns = {
3679 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3680 				    offsetof(struct __sk_buff, data)),
3681 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3682 				    offsetof(struct __sk_buff, data_end)),
3683 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3684 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3685 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3686 			BPF_MOV64_IMM(BPF_REG_3, 144),
3687 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3688 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3689 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3690 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3691 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3692 			BPF_MOV64_IMM(BPF_REG_0, 1),
3693 			BPF_EXIT_INSN(),
3694 			BPF_MOV64_IMM(BPF_REG_0, 0),
3695 			BPF_EXIT_INSN(),
3696 		},
3697 		.result = ACCEPT,
3698 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3699 		.retval = 1,
3700 	},
3701 	{
3702 		"direct packet access: test13 (branches, good access)",
3703 		.insns = {
3704 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3705 				    offsetof(struct __sk_buff, data)),
3706 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3707 				    offsetof(struct __sk_buff, data_end)),
3708 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3709 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3710 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3711 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3712 				    offsetof(struct __sk_buff, mark)),
3713 			BPF_MOV64_IMM(BPF_REG_4, 1),
3714 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3715 			BPF_MOV64_IMM(BPF_REG_3, 14),
3716 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3717 			BPF_MOV64_IMM(BPF_REG_3, 24),
3718 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3719 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3720 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3721 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3722 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3723 			BPF_MOV64_IMM(BPF_REG_0, 1),
3724 			BPF_EXIT_INSN(),
3725 			BPF_MOV64_IMM(BPF_REG_0, 0),
3726 			BPF_EXIT_INSN(),
3727 		},
3728 		.result = ACCEPT,
3729 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3730 		.retval = 1,
3731 	},
3732 	{
3733 		"direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3734 		.insns = {
3735 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3736 				    offsetof(struct __sk_buff, data)),
3737 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3738 				    offsetof(struct __sk_buff, data_end)),
3739 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3740 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3741 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3742 			BPF_MOV64_IMM(BPF_REG_5, 12),
3743 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3744 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3745 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3746 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3747 			BPF_MOV64_IMM(BPF_REG_0, 1),
3748 			BPF_EXIT_INSN(),
3749 			BPF_MOV64_IMM(BPF_REG_0, 0),
3750 			BPF_EXIT_INSN(),
3751 		},
3752 		.result = ACCEPT,
3753 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3754 		.retval = 1,
3755 	},
3756 	{
3757 		"direct packet access: test15 (spill with xadd)",
3758 		.insns = {
3759 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3760 				    offsetof(struct __sk_buff, data)),
3761 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3762 				    offsetof(struct __sk_buff, data_end)),
3763 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3764 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3765 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3766 			BPF_MOV64_IMM(BPF_REG_5, 4096),
3767 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3768 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3769 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3770 			BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3771 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3772 			BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3773 			BPF_MOV64_IMM(BPF_REG_0, 0),
3774 			BPF_EXIT_INSN(),
3775 		},
3776 		.errstr = "R2 invalid mem access 'inv'",
3777 		.result = REJECT,
3778 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3779 	},
3780 	{
3781 		"direct packet access: test16 (arith on data_end)",
3782 		.insns = {
3783 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3784 				    offsetof(struct __sk_buff, data)),
3785 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3786 				    offsetof(struct __sk_buff, data_end)),
3787 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3788 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3789 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3790 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3791 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3792 			BPF_MOV64_IMM(BPF_REG_0, 0),
3793 			BPF_EXIT_INSN(),
3794 		},
3795 		.errstr = "R3 pointer arithmetic on pkt_end",
3796 		.result = REJECT,
3797 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3798 	},
3799 	{
3800 		"direct packet access: test17 (pruning, alignment)",
3801 		.insns = {
3802 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3803 				    offsetof(struct __sk_buff, data)),
3804 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3805 				    offsetof(struct __sk_buff, data_end)),
3806 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3807 				    offsetof(struct __sk_buff, mark)),
3808 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3809 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3810 			BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3811 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3812 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3813 			BPF_MOV64_IMM(BPF_REG_0, 0),
3814 			BPF_EXIT_INSN(),
3815 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3816 			BPF_JMP_A(-6),
3817 		},
3818 		.errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3819 		.result = REJECT,
3820 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3821 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3822 	},
3823 	{
3824 		"direct packet access: test18 (imm += pkt_ptr, 1)",
3825 		.insns = {
3826 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3827 				    offsetof(struct __sk_buff, data)),
3828 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3829 				    offsetof(struct __sk_buff, data_end)),
3830 			BPF_MOV64_IMM(BPF_REG_0, 8),
3831 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3832 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3833 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3834 			BPF_MOV64_IMM(BPF_REG_0, 0),
3835 			BPF_EXIT_INSN(),
3836 		},
3837 		.result = ACCEPT,
3838 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3839 	},
3840 	{
3841 		"direct packet access: test19 (imm += pkt_ptr, 2)",
3842 		.insns = {
3843 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3844 				    offsetof(struct __sk_buff, data)),
3845 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3846 				    offsetof(struct __sk_buff, data_end)),
3847 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3848 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3849 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3850 			BPF_MOV64_IMM(BPF_REG_4, 4),
3851 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3852 			BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3853 			BPF_MOV64_IMM(BPF_REG_0, 0),
3854 			BPF_EXIT_INSN(),
3855 		},
3856 		.result = ACCEPT,
3857 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3858 	},
3859 	{
3860 		"direct packet access: test20 (x += pkt_ptr, 1)",
3861 		.insns = {
3862 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3863 				    offsetof(struct __sk_buff, data)),
3864 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3865 				    offsetof(struct __sk_buff, data_end)),
3866 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3867 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3868 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3869 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3870 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3871 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3872 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3873 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3874 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3875 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3876 			BPF_MOV64_IMM(BPF_REG_0, 0),
3877 			BPF_EXIT_INSN(),
3878 		},
3879 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3880 		.result = ACCEPT,
3881 	},
3882 	{
3883 		"direct packet access: test21 (x += pkt_ptr, 2)",
3884 		.insns = {
3885 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3886 				    offsetof(struct __sk_buff, data)),
3887 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3888 				    offsetof(struct __sk_buff, data_end)),
3889 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3890 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3891 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3892 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3893 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3894 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3895 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3896 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3897 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3898 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3899 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3900 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3901 			BPF_MOV64_IMM(BPF_REG_0, 0),
3902 			BPF_EXIT_INSN(),
3903 		},
3904 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3905 		.result = ACCEPT,
3906 	},
3907 	{
3908 		"direct packet access: test22 (x += pkt_ptr, 3)",
3909 		.insns = {
3910 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3911 				    offsetof(struct __sk_buff, data)),
3912 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3913 				    offsetof(struct __sk_buff, data_end)),
3914 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3915 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3916 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3917 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3918 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3919 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3920 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3921 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3922 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3923 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3924 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3925 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3926 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3927 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3928 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3929 			BPF_MOV64_IMM(BPF_REG_2, 1),
3930 			BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3931 			BPF_MOV64_IMM(BPF_REG_0, 0),
3932 			BPF_EXIT_INSN(),
3933 		},
3934 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3935 		.result = ACCEPT,
3936 	},
3937 	{
3938 		"direct packet access: test23 (x += pkt_ptr, 4)",
3939 		.insns = {
3940 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3941 				    offsetof(struct __sk_buff, data)),
3942 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3943 				    offsetof(struct __sk_buff, data_end)),
3944 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3945 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3946 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3947 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3948 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3949 			BPF_MOV64_IMM(BPF_REG_0, 31),
3950 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3951 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3952 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3953 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3954 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3955 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3956 			BPF_MOV64_IMM(BPF_REG_0, 0),
3957 			BPF_EXIT_INSN(),
3958 		},
3959 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3960 		.result = REJECT,
3961 		.errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3962 	},
3963 	{
3964 		"direct packet access: test24 (x += pkt_ptr, 5)",
3965 		.insns = {
3966 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3967 				    offsetof(struct __sk_buff, data)),
3968 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3969 				    offsetof(struct __sk_buff, data_end)),
3970 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3971 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3972 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3973 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3974 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3975 			BPF_MOV64_IMM(BPF_REG_0, 64),
3976 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3977 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3978 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3979 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3980 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3981 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3982 			BPF_MOV64_IMM(BPF_REG_0, 0),
3983 			BPF_EXIT_INSN(),
3984 		},
3985 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3986 		.result = ACCEPT,
3987 	},
3988 	{
3989 		"direct packet access: test25 (marking on <, good access)",
3990 		.insns = {
3991 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3992 				    offsetof(struct __sk_buff, data)),
3993 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3994 				    offsetof(struct __sk_buff, data_end)),
3995 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3996 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3997 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3998 			BPF_MOV64_IMM(BPF_REG_0, 0),
3999 			BPF_EXIT_INSN(),
4000 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4001 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4002 		},
4003 		.result = ACCEPT,
4004 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4005 	},
4006 	{
4007 		"direct packet access: test26 (marking on <, bad access)",
4008 		.insns = {
4009 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4010 				    offsetof(struct __sk_buff, data)),
4011 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4012 				    offsetof(struct __sk_buff, data_end)),
4013 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4014 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4015 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
4016 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4017 			BPF_MOV64_IMM(BPF_REG_0, 0),
4018 			BPF_EXIT_INSN(),
4019 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
4020 		},
4021 		.result = REJECT,
4022 		.errstr = "invalid access to packet",
4023 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4024 	},
4025 	{
4026 		"direct packet access: test27 (marking on <=, good access)",
4027 		.insns = {
4028 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4029 				    offsetof(struct __sk_buff, data)),
4030 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4031 				    offsetof(struct __sk_buff, data_end)),
4032 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4033 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4034 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
4035 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4036 			BPF_MOV64_IMM(BPF_REG_0, 1),
4037 			BPF_EXIT_INSN(),
4038 		},
4039 		.result = ACCEPT,
4040 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4041 		.retval = 1,
4042 	},
4043 	{
4044 		"direct packet access: test28 (marking on <=, bad access)",
4045 		.insns = {
4046 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4047 				    offsetof(struct __sk_buff, data)),
4048 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4049 				    offsetof(struct __sk_buff, data_end)),
4050 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4051 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4052 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
4053 			BPF_MOV64_IMM(BPF_REG_0, 1),
4054 			BPF_EXIT_INSN(),
4055 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4056 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4057 		},
4058 		.result = REJECT,
4059 		.errstr = "invalid access to packet",
4060 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4061 	},
4062 	{
4063 		"helper access to packet: test1, valid packet_ptr range",
4064 		.insns = {
4065 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4066 				    offsetof(struct xdp_md, data)),
4067 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4068 				    offsetof(struct xdp_md, data_end)),
4069 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4070 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4071 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4072 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4073 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4074 			BPF_MOV64_IMM(BPF_REG_4, 0),
4075 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4076 				     BPF_FUNC_map_update_elem),
4077 			BPF_MOV64_IMM(BPF_REG_0, 0),
4078 			BPF_EXIT_INSN(),
4079 		},
4080 		.fixup_map_hash_8b = { 5 },
4081 		.result_unpriv = ACCEPT,
4082 		.result = ACCEPT,
4083 		.prog_type = BPF_PROG_TYPE_XDP,
4084 	},
4085 	{
4086 		"helper access to packet: test2, unchecked packet_ptr",
4087 		.insns = {
4088 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4089 				    offsetof(struct xdp_md, data)),
4090 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4091 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4092 				     BPF_FUNC_map_lookup_elem),
4093 			BPF_MOV64_IMM(BPF_REG_0, 0),
4094 			BPF_EXIT_INSN(),
4095 		},
4096 		.fixup_map_hash_8b = { 1 },
4097 		.result = REJECT,
4098 		.errstr = "invalid access to packet",
4099 		.prog_type = BPF_PROG_TYPE_XDP,
4100 	},
4101 	{
4102 		"helper access to packet: test3, variable add",
4103 		.insns = {
4104 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4105 					offsetof(struct xdp_md, data)),
4106 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4107 					offsetof(struct xdp_md, data_end)),
4108 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4109 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4110 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4111 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4112 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4113 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4114 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4115 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4116 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4117 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4118 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4119 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4120 				     BPF_FUNC_map_lookup_elem),
4121 			BPF_MOV64_IMM(BPF_REG_0, 0),
4122 			BPF_EXIT_INSN(),
4123 		},
4124 		.fixup_map_hash_8b = { 11 },
4125 		.result = ACCEPT,
4126 		.prog_type = BPF_PROG_TYPE_XDP,
4127 	},
4128 	{
4129 		"helper access to packet: test4, packet_ptr with bad range",
4130 		.insns = {
4131 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4132 				    offsetof(struct xdp_md, data)),
4133 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4134 				    offsetof(struct xdp_md, data_end)),
4135 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4136 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4137 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4138 			BPF_MOV64_IMM(BPF_REG_0, 0),
4139 			BPF_EXIT_INSN(),
4140 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4141 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4142 				     BPF_FUNC_map_lookup_elem),
4143 			BPF_MOV64_IMM(BPF_REG_0, 0),
4144 			BPF_EXIT_INSN(),
4145 		},
4146 		.fixup_map_hash_8b = { 7 },
4147 		.result = REJECT,
4148 		.errstr = "invalid access to packet",
4149 		.prog_type = BPF_PROG_TYPE_XDP,
4150 	},
4151 	{
4152 		"helper access to packet: test5, packet_ptr with too short range",
4153 		.insns = {
4154 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4155 				    offsetof(struct xdp_md, data)),
4156 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4157 				    offsetof(struct xdp_md, data_end)),
4158 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4159 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4160 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4161 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4162 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4163 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4164 				     BPF_FUNC_map_lookup_elem),
4165 			BPF_MOV64_IMM(BPF_REG_0, 0),
4166 			BPF_EXIT_INSN(),
4167 		},
4168 		.fixup_map_hash_8b = { 6 },
4169 		.result = REJECT,
4170 		.errstr = "invalid access to packet",
4171 		.prog_type = BPF_PROG_TYPE_XDP,
4172 	},
4173 	{
4174 		"helper access to packet: test6, cls valid packet_ptr range",
4175 		.insns = {
4176 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4177 				    offsetof(struct __sk_buff, data)),
4178 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4179 				    offsetof(struct __sk_buff, data_end)),
4180 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4181 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4182 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4183 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4184 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4185 			BPF_MOV64_IMM(BPF_REG_4, 0),
4186 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4187 				     BPF_FUNC_map_update_elem),
4188 			BPF_MOV64_IMM(BPF_REG_0, 0),
4189 			BPF_EXIT_INSN(),
4190 		},
4191 		.fixup_map_hash_8b = { 5 },
4192 		.result = ACCEPT,
4193 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4194 	},
4195 	{
4196 		"helper access to packet: test7, cls unchecked packet_ptr",
4197 		.insns = {
4198 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4199 				    offsetof(struct __sk_buff, data)),
4200 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4201 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4202 				     BPF_FUNC_map_lookup_elem),
4203 			BPF_MOV64_IMM(BPF_REG_0, 0),
4204 			BPF_EXIT_INSN(),
4205 		},
4206 		.fixup_map_hash_8b = { 1 },
4207 		.result = REJECT,
4208 		.errstr = "invalid access to packet",
4209 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4210 	},
4211 	{
4212 		"helper access to packet: test8, cls variable add",
4213 		.insns = {
4214 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4215 					offsetof(struct __sk_buff, data)),
4216 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4217 					offsetof(struct __sk_buff, data_end)),
4218 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4219 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4220 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4221 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4222 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4223 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4224 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4225 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4226 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4227 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4228 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4229 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4230 				     BPF_FUNC_map_lookup_elem),
4231 			BPF_MOV64_IMM(BPF_REG_0, 0),
4232 			BPF_EXIT_INSN(),
4233 		},
4234 		.fixup_map_hash_8b = { 11 },
4235 		.result = ACCEPT,
4236 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4237 	},
4238 	{
4239 		"helper access to packet: test9, cls packet_ptr with bad range",
4240 		.insns = {
4241 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4242 				    offsetof(struct __sk_buff, data)),
4243 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4244 				    offsetof(struct __sk_buff, data_end)),
4245 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4246 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4247 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4248 			BPF_MOV64_IMM(BPF_REG_0, 0),
4249 			BPF_EXIT_INSN(),
4250 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4251 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4252 				     BPF_FUNC_map_lookup_elem),
4253 			BPF_MOV64_IMM(BPF_REG_0, 0),
4254 			BPF_EXIT_INSN(),
4255 		},
4256 		.fixup_map_hash_8b = { 7 },
4257 		.result = REJECT,
4258 		.errstr = "invalid access to packet",
4259 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4260 	},
4261 	{
4262 		"helper access to packet: test10, cls packet_ptr with too short range",
4263 		.insns = {
4264 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4265 				    offsetof(struct __sk_buff, data)),
4266 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4267 				    offsetof(struct __sk_buff, data_end)),
4268 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4269 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4270 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4271 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4272 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4273 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4274 				     BPF_FUNC_map_lookup_elem),
4275 			BPF_MOV64_IMM(BPF_REG_0, 0),
4276 			BPF_EXIT_INSN(),
4277 		},
4278 		.fixup_map_hash_8b = { 6 },
4279 		.result = REJECT,
4280 		.errstr = "invalid access to packet",
4281 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4282 	},
4283 	{
4284 		"helper access to packet: test11, cls unsuitable helper 1",
4285 		.insns = {
4286 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4287 				    offsetof(struct __sk_buff, data)),
4288 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4289 				    offsetof(struct __sk_buff, data_end)),
4290 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4291 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4292 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4293 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4294 			BPF_MOV64_IMM(BPF_REG_2, 0),
4295 			BPF_MOV64_IMM(BPF_REG_4, 42),
4296 			BPF_MOV64_IMM(BPF_REG_5, 0),
4297 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4298 				     BPF_FUNC_skb_store_bytes),
4299 			BPF_MOV64_IMM(BPF_REG_0, 0),
4300 			BPF_EXIT_INSN(),
4301 		},
4302 		.result = REJECT,
4303 		.errstr = "helper access to the packet",
4304 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4305 	},
4306 	{
4307 		"helper access to packet: test12, cls unsuitable helper 2",
4308 		.insns = {
4309 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4310 				    offsetof(struct __sk_buff, data)),
4311 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4312 				    offsetof(struct __sk_buff, data_end)),
4313 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4314 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4315 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4316 			BPF_MOV64_IMM(BPF_REG_2, 0),
4317 			BPF_MOV64_IMM(BPF_REG_4, 4),
4318 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4319 				     BPF_FUNC_skb_load_bytes),
4320 			BPF_MOV64_IMM(BPF_REG_0, 0),
4321 			BPF_EXIT_INSN(),
4322 		},
4323 		.result = REJECT,
4324 		.errstr = "helper access to the packet",
4325 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4326 	},
4327 	{
4328 		"helper access to packet: test13, cls helper ok",
4329 		.insns = {
4330 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4331 				    offsetof(struct __sk_buff, data)),
4332 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4333 				    offsetof(struct __sk_buff, data_end)),
4334 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4335 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4336 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4337 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4338 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4339 			BPF_MOV64_IMM(BPF_REG_2, 4),
4340 			BPF_MOV64_IMM(BPF_REG_3, 0),
4341 			BPF_MOV64_IMM(BPF_REG_4, 0),
4342 			BPF_MOV64_IMM(BPF_REG_5, 0),
4343 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4344 				     BPF_FUNC_csum_diff),
4345 			BPF_MOV64_IMM(BPF_REG_0, 0),
4346 			BPF_EXIT_INSN(),
4347 		},
4348 		.result = ACCEPT,
4349 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4350 	},
4351 	{
4352 		"helper access to packet: test14, cls helper ok sub",
4353 		.insns = {
4354 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4355 				    offsetof(struct __sk_buff, data)),
4356 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4357 				    offsetof(struct __sk_buff, data_end)),
4358 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4359 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4360 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4361 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4362 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4363 			BPF_MOV64_IMM(BPF_REG_2, 4),
4364 			BPF_MOV64_IMM(BPF_REG_3, 0),
4365 			BPF_MOV64_IMM(BPF_REG_4, 0),
4366 			BPF_MOV64_IMM(BPF_REG_5, 0),
4367 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4368 				     BPF_FUNC_csum_diff),
4369 			BPF_MOV64_IMM(BPF_REG_0, 0),
4370 			BPF_EXIT_INSN(),
4371 		},
4372 		.result = ACCEPT,
4373 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4374 	},
4375 	{
4376 		"helper access to packet: test15, cls helper fail sub",
4377 		.insns = {
4378 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4379 				    offsetof(struct __sk_buff, data)),
4380 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4381 				    offsetof(struct __sk_buff, data_end)),
4382 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4383 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4384 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4385 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4386 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4387 			BPF_MOV64_IMM(BPF_REG_2, 4),
4388 			BPF_MOV64_IMM(BPF_REG_3, 0),
4389 			BPF_MOV64_IMM(BPF_REG_4, 0),
4390 			BPF_MOV64_IMM(BPF_REG_5, 0),
4391 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4392 				     BPF_FUNC_csum_diff),
4393 			BPF_MOV64_IMM(BPF_REG_0, 0),
4394 			BPF_EXIT_INSN(),
4395 		},
4396 		.result = REJECT,
4397 		.errstr = "invalid access to packet",
4398 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4399 	},
4400 	{
4401 		"helper access to packet: test16, cls helper fail range 1",
4402 		.insns = {
4403 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4404 				    offsetof(struct __sk_buff, data)),
4405 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4406 				    offsetof(struct __sk_buff, data_end)),
4407 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4408 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4409 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4410 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4411 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4412 			BPF_MOV64_IMM(BPF_REG_2, 8),
4413 			BPF_MOV64_IMM(BPF_REG_3, 0),
4414 			BPF_MOV64_IMM(BPF_REG_4, 0),
4415 			BPF_MOV64_IMM(BPF_REG_5, 0),
4416 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4417 				     BPF_FUNC_csum_diff),
4418 			BPF_MOV64_IMM(BPF_REG_0, 0),
4419 			BPF_EXIT_INSN(),
4420 		},
4421 		.result = REJECT,
4422 		.errstr = "invalid access to packet",
4423 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4424 	},
4425 	{
4426 		"helper access to packet: test17, cls helper fail range 2",
4427 		.insns = {
4428 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4429 				    offsetof(struct __sk_buff, data)),
4430 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4431 				    offsetof(struct __sk_buff, data_end)),
4432 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4433 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4434 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4435 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4436 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4437 			BPF_MOV64_IMM(BPF_REG_2, -9),
4438 			BPF_MOV64_IMM(BPF_REG_3, 0),
4439 			BPF_MOV64_IMM(BPF_REG_4, 0),
4440 			BPF_MOV64_IMM(BPF_REG_5, 0),
4441 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4442 				     BPF_FUNC_csum_diff),
4443 			BPF_MOV64_IMM(BPF_REG_0, 0),
4444 			BPF_EXIT_INSN(),
4445 		},
4446 		.result = REJECT,
4447 		.errstr = "R2 min value is negative",
4448 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4449 	},
4450 	{
4451 		"helper access to packet: test18, cls helper fail range 3",
4452 		.insns = {
4453 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4454 				    offsetof(struct __sk_buff, data)),
4455 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4456 				    offsetof(struct __sk_buff, data_end)),
4457 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4458 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4459 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4460 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4461 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4462 			BPF_MOV64_IMM(BPF_REG_2, ~0),
4463 			BPF_MOV64_IMM(BPF_REG_3, 0),
4464 			BPF_MOV64_IMM(BPF_REG_4, 0),
4465 			BPF_MOV64_IMM(BPF_REG_5, 0),
4466 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4467 				     BPF_FUNC_csum_diff),
4468 			BPF_MOV64_IMM(BPF_REG_0, 0),
4469 			BPF_EXIT_INSN(),
4470 		},
4471 		.result = REJECT,
4472 		.errstr = "R2 min value is negative",
4473 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4474 	},
4475 	{
4476 		"helper access to packet: test19, cls helper range zero",
4477 		.insns = {
4478 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4479 				    offsetof(struct __sk_buff, data)),
4480 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4481 				    offsetof(struct __sk_buff, data_end)),
4482 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4483 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4484 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4485 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4486 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4487 			BPF_MOV64_IMM(BPF_REG_2, 0),
4488 			BPF_MOV64_IMM(BPF_REG_3, 0),
4489 			BPF_MOV64_IMM(BPF_REG_4, 0),
4490 			BPF_MOV64_IMM(BPF_REG_5, 0),
4491 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4492 				     BPF_FUNC_csum_diff),
4493 			BPF_MOV64_IMM(BPF_REG_0, 0),
4494 			BPF_EXIT_INSN(),
4495 		},
4496 		.result = ACCEPT,
4497 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4498 	},
4499 	{
4500 		"helper access to packet: test20, pkt end as input",
4501 		.insns = {
4502 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4503 				    offsetof(struct __sk_buff, data)),
4504 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4505 				    offsetof(struct __sk_buff, data_end)),
4506 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4507 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4508 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4509 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4510 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4511 			BPF_MOV64_IMM(BPF_REG_2, 4),
4512 			BPF_MOV64_IMM(BPF_REG_3, 0),
4513 			BPF_MOV64_IMM(BPF_REG_4, 0),
4514 			BPF_MOV64_IMM(BPF_REG_5, 0),
4515 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4516 				     BPF_FUNC_csum_diff),
4517 			BPF_MOV64_IMM(BPF_REG_0, 0),
4518 			BPF_EXIT_INSN(),
4519 		},
4520 		.result = REJECT,
4521 		.errstr = "R1 type=pkt_end expected=fp",
4522 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4523 	},
4524 	{
4525 		"helper access to packet: test21, wrong reg",
4526 		.insns = {
4527 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4528 				    offsetof(struct __sk_buff, data)),
4529 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4530 				    offsetof(struct __sk_buff, data_end)),
4531 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4532 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4533 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4534 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4535 			BPF_MOV64_IMM(BPF_REG_2, 4),
4536 			BPF_MOV64_IMM(BPF_REG_3, 0),
4537 			BPF_MOV64_IMM(BPF_REG_4, 0),
4538 			BPF_MOV64_IMM(BPF_REG_5, 0),
4539 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4540 				     BPF_FUNC_csum_diff),
4541 			BPF_MOV64_IMM(BPF_REG_0, 0),
4542 			BPF_EXIT_INSN(),
4543 		},
4544 		.result = REJECT,
4545 		.errstr = "invalid access to packet",
4546 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4547 	},
4548 	{
4549 		"prevent map lookup in sockmap",
4550 		.insns = {
4551 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4552 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4553 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4554 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4555 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4556 				     BPF_FUNC_map_lookup_elem),
4557 			BPF_EXIT_INSN(),
4558 		},
4559 		.fixup_map_sockmap = { 3 },
4560 		.result = REJECT,
4561 		.errstr = "cannot pass map_type 15 into func bpf_map_lookup_elem",
4562 		.prog_type = BPF_PROG_TYPE_SOCK_OPS,
4563 	},
4564 	{
4565 		"prevent map lookup in sockhash",
4566 		.insns = {
4567 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4568 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4569 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4570 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4571 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4572 				     BPF_FUNC_map_lookup_elem),
4573 			BPF_EXIT_INSN(),
4574 		},
4575 		.fixup_map_sockhash = { 3 },
4576 		.result = REJECT,
4577 		.errstr = "cannot pass map_type 18 into func bpf_map_lookup_elem",
4578 		.prog_type = BPF_PROG_TYPE_SOCK_OPS,
4579 	},
4580 	{
4581 		"prevent map lookup in xskmap",
4582 		.insns = {
4583 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4584 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4585 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4586 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4587 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4588 				     BPF_FUNC_map_lookup_elem),
4589 			BPF_EXIT_INSN(),
4590 		},
4591 		.fixup_map_xskmap = { 3 },
4592 		.result = REJECT,
4593 		.errstr = "cannot pass map_type 17 into func bpf_map_lookup_elem",
4594 		.prog_type = BPF_PROG_TYPE_XDP,
4595 	},
4596 	{
4597 		"prevent map lookup in stack trace",
4598 		.insns = {
4599 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4600 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4601 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4602 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4603 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4604 				     BPF_FUNC_map_lookup_elem),
4605 			BPF_EXIT_INSN(),
4606 		},
4607 		.fixup_map_stacktrace = { 3 },
4608 		.result = REJECT,
4609 		.errstr = "cannot pass map_type 7 into func bpf_map_lookup_elem",
4610 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
4611 	},
4612 	{
4613 		"prevent map lookup in prog array",
4614 		.insns = {
4615 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4616 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4617 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4618 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4619 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4620 				     BPF_FUNC_map_lookup_elem),
4621 			BPF_EXIT_INSN(),
4622 		},
4623 		.fixup_prog2 = { 3 },
4624 		.result = REJECT,
4625 		.errstr = "cannot pass map_type 3 into func bpf_map_lookup_elem",
4626 	},
4627 	{
4628 		"valid map access into an array with a constant",
4629 		.insns = {
4630 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4631 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4632 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4633 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4634 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4635 				     BPF_FUNC_map_lookup_elem),
4636 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4637 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4638 				   offsetof(struct test_val, foo)),
4639 			BPF_EXIT_INSN(),
4640 		},
4641 		.fixup_map_hash_48b = { 3 },
4642 		.errstr_unpriv = "R0 leaks addr",
4643 		.result_unpriv = REJECT,
4644 		.result = ACCEPT,
4645 	},
4646 	{
4647 		"valid map access into an array with a register",
4648 		.insns = {
4649 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4650 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4651 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4652 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4653 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4654 				     BPF_FUNC_map_lookup_elem),
4655 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4656 			BPF_MOV64_IMM(BPF_REG_1, 4),
4657 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4658 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4659 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4660 				   offsetof(struct test_val, foo)),
4661 			BPF_EXIT_INSN(),
4662 		},
4663 		.fixup_map_hash_48b = { 3 },
4664 		.errstr_unpriv = "R0 leaks addr",
4665 		.result_unpriv = REJECT,
4666 		.result = ACCEPT,
4667 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4668 	},
4669 	{
4670 		"valid map access into an array with a variable",
4671 		.insns = {
4672 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4673 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4674 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4675 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4676 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4677 				     BPF_FUNC_map_lookup_elem),
4678 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4679 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4680 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4681 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4682 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4683 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4684 				   offsetof(struct test_val, foo)),
4685 			BPF_EXIT_INSN(),
4686 		},
4687 		.fixup_map_hash_48b = { 3 },
4688 		.errstr_unpriv = "R0 leaks addr",
4689 		.result_unpriv = REJECT,
4690 		.result = ACCEPT,
4691 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4692 	},
4693 	{
4694 		"valid map access into an array with a signed variable",
4695 		.insns = {
4696 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4697 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4698 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4699 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4700 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4701 				     BPF_FUNC_map_lookup_elem),
4702 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4703 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4704 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4705 			BPF_MOV32_IMM(BPF_REG_1, 0),
4706 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4707 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4708 			BPF_MOV32_IMM(BPF_REG_1, 0),
4709 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4710 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4711 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4712 				   offsetof(struct test_val, foo)),
4713 			BPF_EXIT_INSN(),
4714 		},
4715 		.fixup_map_hash_48b = { 3 },
4716 		.errstr_unpriv = "R0 leaks addr",
4717 		.result_unpriv = REJECT,
4718 		.result = ACCEPT,
4719 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4720 	},
4721 	{
4722 		"invalid map access into an array with a constant",
4723 		.insns = {
4724 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4725 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4726 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4727 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4728 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4729 				     BPF_FUNC_map_lookup_elem),
4730 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4731 			BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4732 				   offsetof(struct test_val, foo)),
4733 			BPF_EXIT_INSN(),
4734 		},
4735 		.fixup_map_hash_48b = { 3 },
4736 		.errstr = "invalid access to map value, value_size=48 off=48 size=8",
4737 		.result = REJECT,
4738 	},
4739 	{
4740 		"invalid map access into an array with a register",
4741 		.insns = {
4742 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4743 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4744 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4745 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4746 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4747 				     BPF_FUNC_map_lookup_elem),
4748 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4749 			BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4750 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4751 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4752 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4753 				   offsetof(struct test_val, foo)),
4754 			BPF_EXIT_INSN(),
4755 		},
4756 		.fixup_map_hash_48b = { 3 },
4757 		.errstr = "R0 min value is outside of the array range",
4758 		.result = REJECT,
4759 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4760 	},
4761 	{
4762 		"invalid map access into an array with a variable",
4763 		.insns = {
4764 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4765 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4766 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4767 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4768 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4769 				     BPF_FUNC_map_lookup_elem),
4770 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4771 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4772 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4773 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4774 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4775 				   offsetof(struct test_val, foo)),
4776 			BPF_EXIT_INSN(),
4777 		},
4778 		.fixup_map_hash_48b = { 3 },
4779 		.errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4780 		.result = REJECT,
4781 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4782 	},
4783 	{
4784 		"invalid map access into an array with no floor check",
4785 		.insns = {
4786 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4787 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4788 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4789 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4790 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4791 				     BPF_FUNC_map_lookup_elem),
4792 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4793 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4794 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4795 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4796 			BPF_MOV32_IMM(BPF_REG_1, 0),
4797 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4798 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4799 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4800 				   offsetof(struct test_val, foo)),
4801 			BPF_EXIT_INSN(),
4802 		},
4803 		.fixup_map_hash_48b = { 3 },
4804 		.errstr_unpriv = "R0 leaks addr",
4805 		.errstr = "R0 unbounded memory access",
4806 		.result_unpriv = REJECT,
4807 		.result = REJECT,
4808 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4809 	},
4810 	{
4811 		"invalid map access into an array with a invalid max check",
4812 		.insns = {
4813 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4814 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4815 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4816 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4817 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4818 				     BPF_FUNC_map_lookup_elem),
4819 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4820 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4821 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4822 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4823 			BPF_MOV32_IMM(BPF_REG_1, 0),
4824 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4825 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4826 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4827 				   offsetof(struct test_val, foo)),
4828 			BPF_EXIT_INSN(),
4829 		},
4830 		.fixup_map_hash_48b = { 3 },
4831 		.errstr_unpriv = "R0 leaks addr",
4832 		.errstr = "invalid access to map value, value_size=48 off=44 size=8",
4833 		.result_unpriv = REJECT,
4834 		.result = REJECT,
4835 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4836 	},
4837 	{
4838 		"invalid map access into an array with a invalid max check",
4839 		.insns = {
4840 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4841 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4842 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4843 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4844 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4845 				     BPF_FUNC_map_lookup_elem),
4846 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4847 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4848 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4849 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4850 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4851 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4852 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4853 				     BPF_FUNC_map_lookup_elem),
4854 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4855 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4856 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4857 				    offsetof(struct test_val, foo)),
4858 			BPF_EXIT_INSN(),
4859 		},
4860 		.fixup_map_hash_48b = { 3, 11 },
4861 		.errstr = "R0 pointer += pointer",
4862 		.result = REJECT,
4863 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4864 	},
4865 	{
4866 		"direct packet read test#1 for CGROUP_SKB",
4867 		.insns = {
4868 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4869 				    offsetof(struct __sk_buff, data)),
4870 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4871 				    offsetof(struct __sk_buff, data_end)),
4872 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4873 				    offsetof(struct __sk_buff, len)),
4874 			BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4875 				    offsetof(struct __sk_buff, pkt_type)),
4876 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4877 				    offsetof(struct __sk_buff, mark)),
4878 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4879 				    offsetof(struct __sk_buff, mark)),
4880 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4881 				    offsetof(struct __sk_buff, queue_mapping)),
4882 			BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4883 				    offsetof(struct __sk_buff, protocol)),
4884 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4885 				    offsetof(struct __sk_buff, vlan_present)),
4886 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4887 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4888 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4889 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4890 			BPF_MOV64_IMM(BPF_REG_0, 0),
4891 			BPF_EXIT_INSN(),
4892 		},
4893 		.result = ACCEPT,
4894 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4895 	},
4896 	{
4897 		"direct packet read test#2 for CGROUP_SKB",
4898 		.insns = {
4899 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4900 				    offsetof(struct __sk_buff, vlan_tci)),
4901 			BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4902 				    offsetof(struct __sk_buff, vlan_proto)),
4903 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4904 				    offsetof(struct __sk_buff, priority)),
4905 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4906 				    offsetof(struct __sk_buff, priority)),
4907 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4908 				    offsetof(struct __sk_buff,
4909 					     ingress_ifindex)),
4910 			BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4911 				    offsetof(struct __sk_buff, tc_index)),
4912 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4913 				    offsetof(struct __sk_buff, hash)),
4914 			BPF_MOV64_IMM(BPF_REG_0, 0),
4915 			BPF_EXIT_INSN(),
4916 		},
4917 		.result = ACCEPT,
4918 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4919 	},
4920 	{
4921 		"direct packet read test#3 for CGROUP_SKB",
4922 		.insns = {
4923 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4924 				    offsetof(struct __sk_buff, cb[0])),
4925 			BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4926 				    offsetof(struct __sk_buff, cb[1])),
4927 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4928 				    offsetof(struct __sk_buff, cb[2])),
4929 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4930 				    offsetof(struct __sk_buff, cb[3])),
4931 			BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4932 				    offsetof(struct __sk_buff, cb[4])),
4933 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
4934 				    offsetof(struct __sk_buff, napi_id)),
4935 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_4,
4936 				    offsetof(struct __sk_buff, cb[0])),
4937 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_5,
4938 				    offsetof(struct __sk_buff, cb[1])),
4939 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
4940 				    offsetof(struct __sk_buff, cb[2])),
4941 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_7,
4942 				    offsetof(struct __sk_buff, cb[3])),
4943 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_8,
4944 				    offsetof(struct __sk_buff, cb[4])),
4945 			BPF_MOV64_IMM(BPF_REG_0, 0),
4946 			BPF_EXIT_INSN(),
4947 		},
4948 		.result = ACCEPT,
4949 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4950 	},
4951 	{
4952 		"direct packet read test#4 for CGROUP_SKB",
4953 		.insns = {
4954 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4955 				    offsetof(struct __sk_buff, family)),
4956 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4957 				    offsetof(struct __sk_buff, remote_ip4)),
4958 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
4959 				    offsetof(struct __sk_buff, local_ip4)),
4960 			BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4961 				    offsetof(struct __sk_buff, remote_ip6[0])),
4962 			BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4963 				    offsetof(struct __sk_buff, remote_ip6[1])),
4964 			BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4965 				    offsetof(struct __sk_buff, remote_ip6[2])),
4966 			BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
4967 				    offsetof(struct __sk_buff, remote_ip6[3])),
4968 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4969 				    offsetof(struct __sk_buff, local_ip6[0])),
4970 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4971 				    offsetof(struct __sk_buff, local_ip6[1])),
4972 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4973 				    offsetof(struct __sk_buff, local_ip6[2])),
4974 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4975 				    offsetof(struct __sk_buff, local_ip6[3])),
4976 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4977 				    offsetof(struct __sk_buff, remote_port)),
4978 			BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
4979 				    offsetof(struct __sk_buff, local_port)),
4980 			BPF_MOV64_IMM(BPF_REG_0, 0),
4981 			BPF_EXIT_INSN(),
4982 		},
4983 		.result = ACCEPT,
4984 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4985 	},
4986 	{
4987 		"invalid access of tc_classid for CGROUP_SKB",
4988 		.insns = {
4989 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4990 				    offsetof(struct __sk_buff, tc_classid)),
4991 			BPF_MOV64_IMM(BPF_REG_0, 0),
4992 			BPF_EXIT_INSN(),
4993 		},
4994 		.result = REJECT,
4995 		.errstr = "invalid bpf_context access",
4996 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4997 	},
4998 	{
4999 		"invalid access of data_meta for CGROUP_SKB",
5000 		.insns = {
5001 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5002 				    offsetof(struct __sk_buff, data_meta)),
5003 			BPF_MOV64_IMM(BPF_REG_0, 0),
5004 			BPF_EXIT_INSN(),
5005 		},
5006 		.result = REJECT,
5007 		.errstr = "invalid bpf_context access",
5008 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5009 	},
5010 	{
5011 		"invalid access of flow_keys for CGROUP_SKB",
5012 		.insns = {
5013 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5014 				    offsetof(struct __sk_buff, flow_keys)),
5015 			BPF_MOV64_IMM(BPF_REG_0, 0),
5016 			BPF_EXIT_INSN(),
5017 		},
5018 		.result = REJECT,
5019 		.errstr = "invalid bpf_context access",
5020 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5021 	},
5022 	{
5023 		"invalid write access to napi_id for CGROUP_SKB",
5024 		.insns = {
5025 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5026 				    offsetof(struct __sk_buff, napi_id)),
5027 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_9,
5028 				    offsetof(struct __sk_buff, napi_id)),
5029 			BPF_MOV64_IMM(BPF_REG_0, 0),
5030 			BPF_EXIT_INSN(),
5031 		},
5032 		.result = REJECT,
5033 		.errstr = "invalid bpf_context access",
5034 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5035 	},
5036 	{
5037 		"valid cgroup storage access",
5038 		.insns = {
5039 			BPF_MOV64_IMM(BPF_REG_2, 0),
5040 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5041 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5042 				     BPF_FUNC_get_local_storage),
5043 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5044 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5045 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5046 			BPF_EXIT_INSN(),
5047 		},
5048 		.fixup_cgroup_storage = { 1 },
5049 		.result = ACCEPT,
5050 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5051 	},
5052 	{
5053 		"invalid cgroup storage access 1",
5054 		.insns = {
5055 			BPF_MOV64_IMM(BPF_REG_2, 0),
5056 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5057 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5058 				     BPF_FUNC_get_local_storage),
5059 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5060 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5061 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5062 			BPF_EXIT_INSN(),
5063 		},
5064 		.fixup_map_hash_8b = { 1 },
5065 		.result = REJECT,
5066 		.errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5067 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5068 	},
5069 	{
5070 		"invalid cgroup storage access 2",
5071 		.insns = {
5072 			BPF_MOV64_IMM(BPF_REG_2, 0),
5073 			BPF_LD_MAP_FD(BPF_REG_1, 1),
5074 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5075 				     BPF_FUNC_get_local_storage),
5076 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5077 			BPF_EXIT_INSN(),
5078 		},
5079 		.result = REJECT,
5080 		.errstr = "fd 1 is not pointing to valid bpf_map",
5081 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5082 	},
5083 	{
5084 		"invalid cgroup storage access 3",
5085 		.insns = {
5086 			BPF_MOV64_IMM(BPF_REG_2, 0),
5087 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5088 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5089 				     BPF_FUNC_get_local_storage),
5090 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5091 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5092 			BPF_MOV64_IMM(BPF_REG_0, 0),
5093 			BPF_EXIT_INSN(),
5094 		},
5095 		.fixup_cgroup_storage = { 1 },
5096 		.result = REJECT,
5097 		.errstr = "invalid access to map value, value_size=64 off=256 size=4",
5098 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5099 	},
5100 	{
5101 		"invalid cgroup storage access 4",
5102 		.insns = {
5103 			BPF_MOV64_IMM(BPF_REG_2, 0),
5104 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5105 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5106 				     BPF_FUNC_get_local_storage),
5107 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5108 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5109 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5110 			BPF_EXIT_INSN(),
5111 		},
5112 		.fixup_cgroup_storage = { 1 },
5113 		.result = REJECT,
5114 		.errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5115 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5116 	},
5117 	{
5118 		"invalid cgroup storage access 5",
5119 		.insns = {
5120 			BPF_MOV64_IMM(BPF_REG_2, 7),
5121 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5122 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5123 				     BPF_FUNC_get_local_storage),
5124 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5125 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5126 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5127 			BPF_EXIT_INSN(),
5128 		},
5129 		.fixup_cgroup_storage = { 1 },
5130 		.result = REJECT,
5131 		.errstr = "get_local_storage() doesn't support non-zero flags",
5132 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5133 	},
5134 	{
5135 		"invalid cgroup storage access 6",
5136 		.insns = {
5137 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5138 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5139 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5140 				     BPF_FUNC_get_local_storage),
5141 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5142 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5143 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5144 			BPF_EXIT_INSN(),
5145 		},
5146 		.fixup_cgroup_storage = { 1 },
5147 		.result = REJECT,
5148 		.errstr = "get_local_storage() doesn't support non-zero flags",
5149 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5150 	},
5151 	{
5152 		"valid per-cpu cgroup storage access",
5153 		.insns = {
5154 			BPF_MOV64_IMM(BPF_REG_2, 0),
5155 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5156 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5157 				     BPF_FUNC_get_local_storage),
5158 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5159 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5160 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5161 			BPF_EXIT_INSN(),
5162 		},
5163 		.fixup_percpu_cgroup_storage = { 1 },
5164 		.result = ACCEPT,
5165 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5166 	},
5167 	{
5168 		"invalid per-cpu cgroup storage access 1",
5169 		.insns = {
5170 			BPF_MOV64_IMM(BPF_REG_2, 0),
5171 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5172 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5173 				     BPF_FUNC_get_local_storage),
5174 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5175 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5176 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5177 			BPF_EXIT_INSN(),
5178 		},
5179 		.fixup_map_hash_8b = { 1 },
5180 		.result = REJECT,
5181 		.errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5182 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5183 	},
5184 	{
5185 		"invalid per-cpu cgroup storage access 2",
5186 		.insns = {
5187 			BPF_MOV64_IMM(BPF_REG_2, 0),
5188 			BPF_LD_MAP_FD(BPF_REG_1, 1),
5189 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5190 				     BPF_FUNC_get_local_storage),
5191 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5192 			BPF_EXIT_INSN(),
5193 		},
5194 		.result = REJECT,
5195 		.errstr = "fd 1 is not pointing to valid bpf_map",
5196 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5197 	},
5198 	{
5199 		"invalid per-cpu cgroup storage access 3",
5200 		.insns = {
5201 			BPF_MOV64_IMM(BPF_REG_2, 0),
5202 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5203 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5204 				     BPF_FUNC_get_local_storage),
5205 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5206 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5207 			BPF_MOV64_IMM(BPF_REG_0, 0),
5208 			BPF_EXIT_INSN(),
5209 		},
5210 		.fixup_percpu_cgroup_storage = { 1 },
5211 		.result = REJECT,
5212 		.errstr = "invalid access to map value, value_size=64 off=256 size=4",
5213 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5214 	},
5215 	{
5216 		"invalid per-cpu cgroup storage access 4",
5217 		.insns = {
5218 			BPF_MOV64_IMM(BPF_REG_2, 0),
5219 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5220 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5221 				     BPF_FUNC_get_local_storage),
5222 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5223 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5224 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5225 			BPF_EXIT_INSN(),
5226 		},
5227 		.fixup_cgroup_storage = { 1 },
5228 		.result = REJECT,
5229 		.errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5230 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5231 	},
5232 	{
5233 		"invalid per-cpu cgroup storage access 5",
5234 		.insns = {
5235 			BPF_MOV64_IMM(BPF_REG_2, 7),
5236 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5237 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5238 				     BPF_FUNC_get_local_storage),
5239 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5240 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5241 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5242 			BPF_EXIT_INSN(),
5243 		},
5244 		.fixup_percpu_cgroup_storage = { 1 },
5245 		.result = REJECT,
5246 		.errstr = "get_local_storage() doesn't support non-zero flags",
5247 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5248 	},
5249 	{
5250 		"invalid per-cpu cgroup storage access 6",
5251 		.insns = {
5252 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5253 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5254 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5255 				     BPF_FUNC_get_local_storage),
5256 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5257 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5258 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5259 			BPF_EXIT_INSN(),
5260 		},
5261 		.fixup_percpu_cgroup_storage = { 1 },
5262 		.result = REJECT,
5263 		.errstr = "get_local_storage() doesn't support non-zero flags",
5264 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5265 	},
5266 	{
5267 		"multiple registers share map_lookup_elem result",
5268 		.insns = {
5269 			BPF_MOV64_IMM(BPF_REG_1, 10),
5270 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5271 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5272 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5273 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5274 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5275 				     BPF_FUNC_map_lookup_elem),
5276 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5277 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5278 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5279 			BPF_EXIT_INSN(),
5280 		},
5281 		.fixup_map_hash_8b = { 4 },
5282 		.result = ACCEPT,
5283 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
5284 	},
5285 	{
5286 		"alu ops on ptr_to_map_value_or_null, 1",
5287 		.insns = {
5288 			BPF_MOV64_IMM(BPF_REG_1, 10),
5289 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5290 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5291 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5292 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5293 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5294 				     BPF_FUNC_map_lookup_elem),
5295 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5296 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
5297 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
5298 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5299 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5300 			BPF_EXIT_INSN(),
5301 		},
5302 		.fixup_map_hash_8b = { 4 },
5303 		.errstr = "R4 pointer arithmetic on map_value_or_null",
5304 		.result = REJECT,
5305 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
5306 	},
5307 	{
5308 		"alu ops on ptr_to_map_value_or_null, 2",
5309 		.insns = {
5310 			BPF_MOV64_IMM(BPF_REG_1, 10),
5311 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5312 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5313 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5314 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5315 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5316 				     BPF_FUNC_map_lookup_elem),
5317 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5318 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
5319 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5320 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5321 			BPF_EXIT_INSN(),
5322 		},
5323 		.fixup_map_hash_8b = { 4 },
5324 		.errstr = "R4 pointer arithmetic on map_value_or_null",
5325 		.result = REJECT,
5326 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
5327 	},
5328 	{
5329 		"alu ops on ptr_to_map_value_or_null, 3",
5330 		.insns = {
5331 			BPF_MOV64_IMM(BPF_REG_1, 10),
5332 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5333 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5334 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5335 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5336 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5337 				     BPF_FUNC_map_lookup_elem),
5338 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5339 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
5340 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5341 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5342 			BPF_EXIT_INSN(),
5343 		},
5344 		.fixup_map_hash_8b = { 4 },
5345 		.errstr = "R4 pointer arithmetic on map_value_or_null",
5346 		.result = REJECT,
5347 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
5348 	},
5349 	{
5350 		"invalid memory access with multiple map_lookup_elem calls",
5351 		.insns = {
5352 			BPF_MOV64_IMM(BPF_REG_1, 10),
5353 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5354 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5355 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5356 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5357 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5358 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5359 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5360 				     BPF_FUNC_map_lookup_elem),
5361 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5362 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5363 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5364 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5365 				     BPF_FUNC_map_lookup_elem),
5366 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5367 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5368 			BPF_EXIT_INSN(),
5369 		},
5370 		.fixup_map_hash_8b = { 4 },
5371 		.result = REJECT,
5372 		.errstr = "R4 !read_ok",
5373 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
5374 	},
5375 	{
5376 		"valid indirect map_lookup_elem access with 2nd lookup in branch",
5377 		.insns = {
5378 			BPF_MOV64_IMM(BPF_REG_1, 10),
5379 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5380 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5381 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5382 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5383 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5384 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5385 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5386 				     BPF_FUNC_map_lookup_elem),
5387 			BPF_MOV64_IMM(BPF_REG_2, 10),
5388 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
5389 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5390 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5391 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5392 				     BPF_FUNC_map_lookup_elem),
5393 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5394 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5395 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5396 			BPF_EXIT_INSN(),
5397 		},
5398 		.fixup_map_hash_8b = { 4 },
5399 		.result = ACCEPT,
5400 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
5401 	},
5402 	{
5403 		"invalid map access from else condition",
5404 		.insns = {
5405 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5406 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5407 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5408 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5409 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
5410 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5411 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5412 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
5413 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5414 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5415 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5416 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
5417 			BPF_EXIT_INSN(),
5418 		},
5419 		.fixup_map_hash_48b = { 3 },
5420 		.errstr = "R0 unbounded memory access",
5421 		.result = REJECT,
5422 		.errstr_unpriv = "R0 leaks addr",
5423 		.result_unpriv = REJECT,
5424 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5425 	},
5426 	{
5427 		"constant register |= constant should keep constant type",
5428 		.insns = {
5429 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5430 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5431 			BPF_MOV64_IMM(BPF_REG_2, 34),
5432 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
5433 			BPF_MOV64_IMM(BPF_REG_3, 0),
5434 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5435 			BPF_EXIT_INSN(),
5436 		},
5437 		.result = ACCEPT,
5438 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5439 	},
5440 	{
5441 		"constant register |= constant should not bypass stack boundary checks",
5442 		.insns = {
5443 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5444 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5445 			BPF_MOV64_IMM(BPF_REG_2, 34),
5446 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
5447 			BPF_MOV64_IMM(BPF_REG_3, 0),
5448 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5449 			BPF_EXIT_INSN(),
5450 		},
5451 		.errstr = "invalid stack type R1 off=-48 access_size=58",
5452 		.result = REJECT,
5453 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5454 	},
5455 	{
5456 		"constant register |= constant register should keep constant type",
5457 		.insns = {
5458 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5459 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5460 			BPF_MOV64_IMM(BPF_REG_2, 34),
5461 			BPF_MOV64_IMM(BPF_REG_4, 13),
5462 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5463 			BPF_MOV64_IMM(BPF_REG_3, 0),
5464 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5465 			BPF_EXIT_INSN(),
5466 		},
5467 		.result = ACCEPT,
5468 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5469 	},
5470 	{
5471 		"constant register |= constant register should not bypass stack boundary checks",
5472 		.insns = {
5473 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5474 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5475 			BPF_MOV64_IMM(BPF_REG_2, 34),
5476 			BPF_MOV64_IMM(BPF_REG_4, 24),
5477 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5478 			BPF_MOV64_IMM(BPF_REG_3, 0),
5479 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5480 			BPF_EXIT_INSN(),
5481 		},
5482 		.errstr = "invalid stack type R1 off=-48 access_size=58",
5483 		.result = REJECT,
5484 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5485 	},
5486 	{
5487 		"invalid direct packet write for LWT_IN",
5488 		.insns = {
5489 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5490 				    offsetof(struct __sk_buff, data)),
5491 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5492 				    offsetof(struct __sk_buff, data_end)),
5493 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5494 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5495 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5496 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5497 			BPF_MOV64_IMM(BPF_REG_0, 0),
5498 			BPF_EXIT_INSN(),
5499 		},
5500 		.errstr = "cannot write into packet",
5501 		.result = REJECT,
5502 		.prog_type = BPF_PROG_TYPE_LWT_IN,
5503 	},
5504 	{
5505 		"invalid direct packet write for LWT_OUT",
5506 		.insns = {
5507 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5508 				    offsetof(struct __sk_buff, data)),
5509 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5510 				    offsetof(struct __sk_buff, data_end)),
5511 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5512 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5513 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5514 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5515 			BPF_MOV64_IMM(BPF_REG_0, 0),
5516 			BPF_EXIT_INSN(),
5517 		},
5518 		.errstr = "cannot write into packet",
5519 		.result = REJECT,
5520 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
5521 	},
5522 	{
5523 		"direct packet write for LWT_XMIT",
5524 		.insns = {
5525 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5526 				    offsetof(struct __sk_buff, data)),
5527 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5528 				    offsetof(struct __sk_buff, data_end)),
5529 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5530 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5531 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5532 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5533 			BPF_MOV64_IMM(BPF_REG_0, 0),
5534 			BPF_EXIT_INSN(),
5535 		},
5536 		.result = ACCEPT,
5537 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
5538 	},
5539 	{
5540 		"direct packet read for LWT_IN",
5541 		.insns = {
5542 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5543 				    offsetof(struct __sk_buff, data)),
5544 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5545 				    offsetof(struct __sk_buff, data_end)),
5546 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5547 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5548 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5549 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5550 			BPF_MOV64_IMM(BPF_REG_0, 0),
5551 			BPF_EXIT_INSN(),
5552 		},
5553 		.result = ACCEPT,
5554 		.prog_type = BPF_PROG_TYPE_LWT_IN,
5555 	},
5556 	{
5557 		"direct packet read for LWT_OUT",
5558 		.insns = {
5559 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5560 				    offsetof(struct __sk_buff, data)),
5561 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5562 				    offsetof(struct __sk_buff, data_end)),
5563 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5564 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5565 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5566 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5567 			BPF_MOV64_IMM(BPF_REG_0, 0),
5568 			BPF_EXIT_INSN(),
5569 		},
5570 		.result = ACCEPT,
5571 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
5572 	},
5573 	{
5574 		"direct packet read for LWT_XMIT",
5575 		.insns = {
5576 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5577 				    offsetof(struct __sk_buff, data)),
5578 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5579 				    offsetof(struct __sk_buff, data_end)),
5580 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5581 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5582 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5583 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5584 			BPF_MOV64_IMM(BPF_REG_0, 0),
5585 			BPF_EXIT_INSN(),
5586 		},
5587 		.result = ACCEPT,
5588 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
5589 	},
5590 	{
5591 		"overlapping checks for direct packet access",
5592 		.insns = {
5593 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5594 				    offsetof(struct __sk_buff, data)),
5595 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5596 				    offsetof(struct __sk_buff, data_end)),
5597 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5598 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5599 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
5600 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
5601 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
5602 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
5603 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
5604 			BPF_MOV64_IMM(BPF_REG_0, 0),
5605 			BPF_EXIT_INSN(),
5606 		},
5607 		.result = ACCEPT,
5608 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
5609 	},
5610 	{
5611 		"make headroom for LWT_XMIT",
5612 		.insns = {
5613 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5614 			BPF_MOV64_IMM(BPF_REG_2, 34),
5615 			BPF_MOV64_IMM(BPF_REG_3, 0),
5616 			BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5617 			/* split for s390 to succeed */
5618 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5619 			BPF_MOV64_IMM(BPF_REG_2, 42),
5620 			BPF_MOV64_IMM(BPF_REG_3, 0),
5621 			BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5622 			BPF_MOV64_IMM(BPF_REG_0, 0),
5623 			BPF_EXIT_INSN(),
5624 		},
5625 		.result = ACCEPT,
5626 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
5627 	},
5628 	{
5629 		"invalid access of tc_classid for LWT_IN",
5630 		.insns = {
5631 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5632 				    offsetof(struct __sk_buff, tc_classid)),
5633 			BPF_EXIT_INSN(),
5634 		},
5635 		.result = REJECT,
5636 		.errstr = "invalid bpf_context access",
5637 	},
5638 	{
5639 		"invalid access of tc_classid for LWT_OUT",
5640 		.insns = {
5641 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5642 				    offsetof(struct __sk_buff, tc_classid)),
5643 			BPF_EXIT_INSN(),
5644 		},
5645 		.result = REJECT,
5646 		.errstr = "invalid bpf_context access",
5647 	},
5648 	{
5649 		"invalid access of tc_classid for LWT_XMIT",
5650 		.insns = {
5651 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5652 				    offsetof(struct __sk_buff, tc_classid)),
5653 			BPF_EXIT_INSN(),
5654 		},
5655 		.result = REJECT,
5656 		.errstr = "invalid bpf_context access",
5657 	},
5658 	{
5659 		"leak pointer into ctx 1",
5660 		.insns = {
5661 			BPF_MOV64_IMM(BPF_REG_0, 0),
5662 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5663 				    offsetof(struct __sk_buff, cb[0])),
5664 			BPF_LD_MAP_FD(BPF_REG_2, 0),
5665 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
5666 				      offsetof(struct __sk_buff, cb[0])),
5667 			BPF_EXIT_INSN(),
5668 		},
5669 		.fixup_map_hash_8b = { 2 },
5670 		.errstr_unpriv = "R2 leaks addr into mem",
5671 		.result_unpriv = REJECT,
5672 		.result = REJECT,
5673 		.errstr = "BPF_XADD stores into R1 ctx is not allowed",
5674 	},
5675 	{
5676 		"leak pointer into ctx 2",
5677 		.insns = {
5678 			BPF_MOV64_IMM(BPF_REG_0, 0),
5679 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5680 				    offsetof(struct __sk_buff, cb[0])),
5681 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
5682 				      offsetof(struct __sk_buff, cb[0])),
5683 			BPF_EXIT_INSN(),
5684 		},
5685 		.errstr_unpriv = "R10 leaks addr into mem",
5686 		.result_unpriv = REJECT,
5687 		.result = REJECT,
5688 		.errstr = "BPF_XADD stores into R1 ctx is not allowed",
5689 	},
5690 	{
5691 		"leak pointer into ctx 3",
5692 		.insns = {
5693 			BPF_MOV64_IMM(BPF_REG_0, 0),
5694 			BPF_LD_MAP_FD(BPF_REG_2, 0),
5695 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
5696 				      offsetof(struct __sk_buff, cb[0])),
5697 			BPF_EXIT_INSN(),
5698 		},
5699 		.fixup_map_hash_8b = { 1 },
5700 		.errstr_unpriv = "R2 leaks addr into ctx",
5701 		.result_unpriv = REJECT,
5702 		.result = ACCEPT,
5703 	},
5704 	{
5705 		"leak pointer into map val",
5706 		.insns = {
5707 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5708 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5709 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5710 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5711 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5712 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5713 				     BPF_FUNC_map_lookup_elem),
5714 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5715 			BPF_MOV64_IMM(BPF_REG_3, 0),
5716 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
5717 			BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
5718 			BPF_MOV64_IMM(BPF_REG_0, 0),
5719 			BPF_EXIT_INSN(),
5720 		},
5721 		.fixup_map_hash_8b = { 4 },
5722 		.errstr_unpriv = "R6 leaks addr into mem",
5723 		.result_unpriv = REJECT,
5724 		.result = ACCEPT,
5725 	},
5726 	{
5727 		"helper access to map: full range",
5728 		.insns = {
5729 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5730 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5731 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5732 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5733 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5734 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5735 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5736 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5737 			BPF_MOV64_IMM(BPF_REG_3, 0),
5738 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5739 			BPF_EXIT_INSN(),
5740 		},
5741 		.fixup_map_hash_48b = { 3 },
5742 		.result = ACCEPT,
5743 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5744 	},
5745 	{
5746 		"helper access to map: partial range",
5747 		.insns = {
5748 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5749 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5750 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5751 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5752 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5753 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5754 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5755 			BPF_MOV64_IMM(BPF_REG_2, 8),
5756 			BPF_MOV64_IMM(BPF_REG_3, 0),
5757 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5758 			BPF_EXIT_INSN(),
5759 		},
5760 		.fixup_map_hash_48b = { 3 },
5761 		.result = ACCEPT,
5762 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5763 	},
5764 	{
5765 		"helper access to map: empty range",
5766 		.insns = {
5767 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5768 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5769 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5770 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5771 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5772 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5773 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5774 			BPF_MOV64_IMM(BPF_REG_2, 0),
5775 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5776 			BPF_EXIT_INSN(),
5777 		},
5778 		.fixup_map_hash_48b = { 3 },
5779 		.errstr = "invalid access to map value, value_size=48 off=0 size=0",
5780 		.result = REJECT,
5781 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5782 	},
5783 	{
5784 		"helper access to map: out-of-bound range",
5785 		.insns = {
5786 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5787 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5788 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5789 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5790 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5791 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5792 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5793 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5794 			BPF_MOV64_IMM(BPF_REG_3, 0),
5795 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5796 			BPF_EXIT_INSN(),
5797 		},
5798 		.fixup_map_hash_48b = { 3 },
5799 		.errstr = "invalid access to map value, value_size=48 off=0 size=56",
5800 		.result = REJECT,
5801 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5802 	},
5803 	{
5804 		"helper access to map: negative range",
5805 		.insns = {
5806 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5807 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5808 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5809 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5810 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5811 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5812 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5813 			BPF_MOV64_IMM(BPF_REG_2, -8),
5814 			BPF_MOV64_IMM(BPF_REG_3, 0),
5815 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5816 			BPF_EXIT_INSN(),
5817 		},
5818 		.fixup_map_hash_48b = { 3 },
5819 		.errstr = "R2 min value is negative",
5820 		.result = REJECT,
5821 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5822 	},
5823 	{
5824 		"helper access to adjusted map (via const imm): full range",
5825 		.insns = {
5826 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5827 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5828 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5829 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5830 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5831 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5832 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5833 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5834 				offsetof(struct test_val, foo)),
5835 			BPF_MOV64_IMM(BPF_REG_2,
5836 				sizeof(struct test_val) -
5837 				offsetof(struct test_val, foo)),
5838 			BPF_MOV64_IMM(BPF_REG_3, 0),
5839 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5840 			BPF_EXIT_INSN(),
5841 		},
5842 		.fixup_map_hash_48b = { 3 },
5843 		.result = ACCEPT,
5844 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5845 	},
5846 	{
5847 		"helper access to adjusted map (via const imm): partial range",
5848 		.insns = {
5849 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5850 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5851 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5852 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5853 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5854 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5855 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5856 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5857 				offsetof(struct test_val, foo)),
5858 			BPF_MOV64_IMM(BPF_REG_2, 8),
5859 			BPF_MOV64_IMM(BPF_REG_3, 0),
5860 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5861 			BPF_EXIT_INSN(),
5862 		},
5863 		.fixup_map_hash_48b = { 3 },
5864 		.result = ACCEPT,
5865 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5866 	},
5867 	{
5868 		"helper access to adjusted map (via const imm): empty range",
5869 		.insns = {
5870 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5871 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5872 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5873 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5874 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5875 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5876 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5877 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5878 				offsetof(struct test_val, foo)),
5879 			BPF_MOV64_IMM(BPF_REG_2, 0),
5880 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5881 			BPF_EXIT_INSN(),
5882 		},
5883 		.fixup_map_hash_48b = { 3 },
5884 		.errstr = "invalid access to map value, value_size=48 off=4 size=0",
5885 		.result = REJECT,
5886 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5887 	},
5888 	{
5889 		"helper access to adjusted map (via const imm): out-of-bound range",
5890 		.insns = {
5891 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5892 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5893 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5894 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5895 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5896 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5897 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5898 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5899 				offsetof(struct test_val, foo)),
5900 			BPF_MOV64_IMM(BPF_REG_2,
5901 				sizeof(struct test_val) -
5902 				offsetof(struct test_val, foo) + 8),
5903 			BPF_MOV64_IMM(BPF_REG_3, 0),
5904 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5905 			BPF_EXIT_INSN(),
5906 		},
5907 		.fixup_map_hash_48b = { 3 },
5908 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
5909 		.result = REJECT,
5910 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5911 	},
5912 	{
5913 		"helper access to adjusted map (via const imm): negative range (> adjustment)",
5914 		.insns = {
5915 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5916 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5917 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5918 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5919 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5920 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5921 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5922 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5923 				offsetof(struct test_val, foo)),
5924 			BPF_MOV64_IMM(BPF_REG_2, -8),
5925 			BPF_MOV64_IMM(BPF_REG_3, 0),
5926 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5927 			BPF_EXIT_INSN(),
5928 		},
5929 		.fixup_map_hash_48b = { 3 },
5930 		.errstr = "R2 min value is negative",
5931 		.result = REJECT,
5932 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5933 	},
5934 	{
5935 		"helper access to adjusted map (via const imm): negative range (< adjustment)",
5936 		.insns = {
5937 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5938 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5939 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5940 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5941 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5942 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5943 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5944 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5945 				offsetof(struct test_val, foo)),
5946 			BPF_MOV64_IMM(BPF_REG_2, -1),
5947 			BPF_MOV64_IMM(BPF_REG_3, 0),
5948 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5949 			BPF_EXIT_INSN(),
5950 		},
5951 		.fixup_map_hash_48b = { 3 },
5952 		.errstr = "R2 min value is negative",
5953 		.result = REJECT,
5954 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5955 	},
5956 	{
5957 		"helper access to adjusted map (via const reg): full range",
5958 		.insns = {
5959 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5960 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5961 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5962 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5963 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5964 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5965 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5966 			BPF_MOV64_IMM(BPF_REG_3,
5967 				offsetof(struct test_val, foo)),
5968 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5969 			BPF_MOV64_IMM(BPF_REG_2,
5970 				sizeof(struct test_val) -
5971 				offsetof(struct test_val, foo)),
5972 			BPF_MOV64_IMM(BPF_REG_3, 0),
5973 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5974 			BPF_EXIT_INSN(),
5975 		},
5976 		.fixup_map_hash_48b = { 3 },
5977 		.result = ACCEPT,
5978 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5979 	},
5980 	{
5981 		"helper access to adjusted map (via const reg): partial range",
5982 		.insns = {
5983 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5984 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5985 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5986 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5987 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5988 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5989 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5990 			BPF_MOV64_IMM(BPF_REG_3,
5991 				offsetof(struct test_val, foo)),
5992 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5993 			BPF_MOV64_IMM(BPF_REG_2, 8),
5994 			BPF_MOV64_IMM(BPF_REG_3, 0),
5995 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5996 			BPF_EXIT_INSN(),
5997 		},
5998 		.fixup_map_hash_48b = { 3 },
5999 		.result = ACCEPT,
6000 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6001 	},
6002 	{
6003 		"helper access to adjusted map (via const reg): empty range",
6004 		.insns = {
6005 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6006 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6007 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6008 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6009 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6010 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6011 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6012 			BPF_MOV64_IMM(BPF_REG_3, 0),
6013 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6014 			BPF_MOV64_IMM(BPF_REG_2, 0),
6015 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6016 			BPF_EXIT_INSN(),
6017 		},
6018 		.fixup_map_hash_48b = { 3 },
6019 		.errstr = "R1 min value is outside of the array range",
6020 		.result = REJECT,
6021 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6022 	},
6023 	{
6024 		"helper access to adjusted map (via const reg): out-of-bound range",
6025 		.insns = {
6026 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6027 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6028 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6029 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6030 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6031 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6032 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6033 			BPF_MOV64_IMM(BPF_REG_3,
6034 				offsetof(struct test_val, foo)),
6035 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6036 			BPF_MOV64_IMM(BPF_REG_2,
6037 				sizeof(struct test_val) -
6038 				offsetof(struct test_val, foo) + 8),
6039 			BPF_MOV64_IMM(BPF_REG_3, 0),
6040 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6041 			BPF_EXIT_INSN(),
6042 		},
6043 		.fixup_map_hash_48b = { 3 },
6044 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
6045 		.result = REJECT,
6046 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6047 	},
6048 	{
6049 		"helper access to adjusted map (via const reg): negative range (> adjustment)",
6050 		.insns = {
6051 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6052 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6053 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6054 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6055 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6056 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6057 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6058 			BPF_MOV64_IMM(BPF_REG_3,
6059 				offsetof(struct test_val, foo)),
6060 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6061 			BPF_MOV64_IMM(BPF_REG_2, -8),
6062 			BPF_MOV64_IMM(BPF_REG_3, 0),
6063 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6064 			BPF_EXIT_INSN(),
6065 		},
6066 		.fixup_map_hash_48b = { 3 },
6067 		.errstr = "R2 min value is negative",
6068 		.result = REJECT,
6069 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6070 	},
6071 	{
6072 		"helper access to adjusted map (via const reg): negative range (< adjustment)",
6073 		.insns = {
6074 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6075 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6076 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6077 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6078 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6079 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6080 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6081 			BPF_MOV64_IMM(BPF_REG_3,
6082 				offsetof(struct test_val, foo)),
6083 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6084 			BPF_MOV64_IMM(BPF_REG_2, -1),
6085 			BPF_MOV64_IMM(BPF_REG_3, 0),
6086 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6087 			BPF_EXIT_INSN(),
6088 		},
6089 		.fixup_map_hash_48b = { 3 },
6090 		.errstr = "R2 min value is negative",
6091 		.result = REJECT,
6092 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6093 	},
6094 	{
6095 		"helper access to adjusted map (via variable): full range",
6096 		.insns = {
6097 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6098 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6099 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6100 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6101 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6102 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6103 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6104 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6105 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6106 				offsetof(struct test_val, foo), 4),
6107 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6108 			BPF_MOV64_IMM(BPF_REG_2,
6109 				sizeof(struct test_val) -
6110 				offsetof(struct test_val, foo)),
6111 			BPF_MOV64_IMM(BPF_REG_3, 0),
6112 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6113 			BPF_EXIT_INSN(),
6114 		},
6115 		.fixup_map_hash_48b = { 3 },
6116 		.result = ACCEPT,
6117 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6118 	},
6119 	{
6120 		"helper access to adjusted map (via variable): partial range",
6121 		.insns = {
6122 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6123 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6124 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6125 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6126 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6127 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6128 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6129 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6130 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6131 				offsetof(struct test_val, foo), 4),
6132 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6133 			BPF_MOV64_IMM(BPF_REG_2, 8),
6134 			BPF_MOV64_IMM(BPF_REG_3, 0),
6135 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6136 			BPF_EXIT_INSN(),
6137 		},
6138 		.fixup_map_hash_48b = { 3 },
6139 		.result = ACCEPT,
6140 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6141 	},
6142 	{
6143 		"helper access to adjusted map (via variable): empty range",
6144 		.insns = {
6145 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6146 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6147 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6148 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6149 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6150 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6151 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6152 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6153 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6154 				offsetof(struct test_val, foo), 3),
6155 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6156 			BPF_MOV64_IMM(BPF_REG_2, 0),
6157 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6158 			BPF_EXIT_INSN(),
6159 		},
6160 		.fixup_map_hash_48b = { 3 },
6161 		.errstr = "R1 min value is outside of the array range",
6162 		.result = REJECT,
6163 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6164 	},
6165 	{
6166 		"helper access to adjusted map (via variable): no max check",
6167 		.insns = {
6168 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6169 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6170 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6171 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6172 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6173 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6174 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6175 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6176 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6177 			BPF_MOV64_IMM(BPF_REG_2, 1),
6178 			BPF_MOV64_IMM(BPF_REG_3, 0),
6179 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6180 			BPF_EXIT_INSN(),
6181 		},
6182 		.fixup_map_hash_48b = { 3 },
6183 		.errstr = "R1 unbounded memory access",
6184 		.result = REJECT,
6185 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6186 	},
6187 	{
6188 		"helper access to adjusted map (via variable): wrong max check",
6189 		.insns = {
6190 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6191 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6192 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6193 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6194 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6195 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6196 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6197 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6198 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6199 				offsetof(struct test_val, foo), 4),
6200 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6201 			BPF_MOV64_IMM(BPF_REG_2,
6202 				sizeof(struct test_val) -
6203 				offsetof(struct test_val, foo) + 1),
6204 			BPF_MOV64_IMM(BPF_REG_3, 0),
6205 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6206 			BPF_EXIT_INSN(),
6207 		},
6208 		.fixup_map_hash_48b = { 3 },
6209 		.errstr = "invalid access to map value, value_size=48 off=4 size=45",
6210 		.result = REJECT,
6211 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6212 	},
6213 	{
6214 		"helper access to map: bounds check using <, good access",
6215 		.insns = {
6216 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6217 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6218 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6219 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6220 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6221 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6222 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6223 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6224 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
6225 			BPF_MOV64_IMM(BPF_REG_0, 0),
6226 			BPF_EXIT_INSN(),
6227 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6228 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6229 			BPF_MOV64_IMM(BPF_REG_0, 0),
6230 			BPF_EXIT_INSN(),
6231 		},
6232 		.fixup_map_hash_48b = { 3 },
6233 		.result = ACCEPT,
6234 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6235 	},
6236 	{
6237 		"helper access to map: bounds check using <, bad access",
6238 		.insns = {
6239 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6240 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6241 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6242 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6243 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6244 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6245 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6246 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6247 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
6248 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6249 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6250 			BPF_MOV64_IMM(BPF_REG_0, 0),
6251 			BPF_EXIT_INSN(),
6252 			BPF_MOV64_IMM(BPF_REG_0, 0),
6253 			BPF_EXIT_INSN(),
6254 		},
6255 		.fixup_map_hash_48b = { 3 },
6256 		.result = REJECT,
6257 		.errstr = "R1 unbounded memory access",
6258 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6259 	},
6260 	{
6261 		"helper access to map: bounds check using <=, good access",
6262 		.insns = {
6263 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6264 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6265 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6266 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6267 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6268 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6269 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6270 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6271 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
6272 			BPF_MOV64_IMM(BPF_REG_0, 0),
6273 			BPF_EXIT_INSN(),
6274 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6275 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6276 			BPF_MOV64_IMM(BPF_REG_0, 0),
6277 			BPF_EXIT_INSN(),
6278 		},
6279 		.fixup_map_hash_48b = { 3 },
6280 		.result = ACCEPT,
6281 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6282 	},
6283 	{
6284 		"helper access to map: bounds check using <=, bad access",
6285 		.insns = {
6286 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6287 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6288 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6289 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6290 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6291 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6292 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6293 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6294 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
6295 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6296 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6297 			BPF_MOV64_IMM(BPF_REG_0, 0),
6298 			BPF_EXIT_INSN(),
6299 			BPF_MOV64_IMM(BPF_REG_0, 0),
6300 			BPF_EXIT_INSN(),
6301 		},
6302 		.fixup_map_hash_48b = { 3 },
6303 		.result = REJECT,
6304 		.errstr = "R1 unbounded memory access",
6305 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6306 	},
6307 	{
6308 		"helper access to map: bounds check using s<, good access",
6309 		.insns = {
6310 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6311 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6312 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6313 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6314 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6315 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6316 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6317 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6318 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6319 			BPF_MOV64_IMM(BPF_REG_0, 0),
6320 			BPF_EXIT_INSN(),
6321 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
6322 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6323 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6324 			BPF_MOV64_IMM(BPF_REG_0, 0),
6325 			BPF_EXIT_INSN(),
6326 		},
6327 		.fixup_map_hash_48b = { 3 },
6328 		.result = ACCEPT,
6329 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6330 	},
6331 	{
6332 		"helper access to map: bounds check using s<, good access 2",
6333 		.insns = {
6334 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6335 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6336 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6337 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6338 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6339 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6340 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6341 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6342 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6343 			BPF_MOV64_IMM(BPF_REG_0, 0),
6344 			BPF_EXIT_INSN(),
6345 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6346 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6347 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6348 			BPF_MOV64_IMM(BPF_REG_0, 0),
6349 			BPF_EXIT_INSN(),
6350 		},
6351 		.fixup_map_hash_48b = { 3 },
6352 		.result = ACCEPT,
6353 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6354 	},
6355 	{
6356 		"helper access to map: bounds check using s<, bad access",
6357 		.insns = {
6358 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6359 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6360 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6361 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6362 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6363 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6364 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6365 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6366 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6367 			BPF_MOV64_IMM(BPF_REG_0, 0),
6368 			BPF_EXIT_INSN(),
6369 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6370 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6371 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6372 			BPF_MOV64_IMM(BPF_REG_0, 0),
6373 			BPF_EXIT_INSN(),
6374 		},
6375 		.fixup_map_hash_48b = { 3 },
6376 		.result = REJECT,
6377 		.errstr = "R1 min value is negative",
6378 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6379 	},
6380 	{
6381 		"helper access to map: bounds check using s<=, good access",
6382 		.insns = {
6383 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6384 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6385 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6386 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6387 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6388 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6389 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6390 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6391 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6392 			BPF_MOV64_IMM(BPF_REG_0, 0),
6393 			BPF_EXIT_INSN(),
6394 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
6395 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6396 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6397 			BPF_MOV64_IMM(BPF_REG_0, 0),
6398 			BPF_EXIT_INSN(),
6399 		},
6400 		.fixup_map_hash_48b = { 3 },
6401 		.result = ACCEPT,
6402 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6403 	},
6404 	{
6405 		"helper access to map: bounds check using s<=, good access 2",
6406 		.insns = {
6407 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6408 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6409 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6410 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6411 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6412 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6413 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6414 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6415 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6416 			BPF_MOV64_IMM(BPF_REG_0, 0),
6417 			BPF_EXIT_INSN(),
6418 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6419 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6420 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6421 			BPF_MOV64_IMM(BPF_REG_0, 0),
6422 			BPF_EXIT_INSN(),
6423 		},
6424 		.fixup_map_hash_48b = { 3 },
6425 		.result = ACCEPT,
6426 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6427 	},
6428 	{
6429 		"helper access to map: bounds check using s<=, bad access",
6430 		.insns = {
6431 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6432 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6433 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6434 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6435 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6436 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6437 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6438 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6439 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6440 			BPF_MOV64_IMM(BPF_REG_0, 0),
6441 			BPF_EXIT_INSN(),
6442 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6443 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6444 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6445 			BPF_MOV64_IMM(BPF_REG_0, 0),
6446 			BPF_EXIT_INSN(),
6447 		},
6448 		.fixup_map_hash_48b = { 3 },
6449 		.result = REJECT,
6450 		.errstr = "R1 min value is negative",
6451 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6452 	},
6453 	{
6454 		"map lookup helper access to map",
6455 		.insns = {
6456 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6457 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6458 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6459 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6460 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6461 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6462 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6463 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6464 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6465 			BPF_EXIT_INSN(),
6466 		},
6467 		.fixup_map_hash_16b = { 3, 8 },
6468 		.result = ACCEPT,
6469 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6470 	},
6471 	{
6472 		"map update helper access to map",
6473 		.insns = {
6474 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6475 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6476 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6477 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6478 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6479 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6480 			BPF_MOV64_IMM(BPF_REG_4, 0),
6481 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
6482 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6483 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6484 			BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
6485 			BPF_EXIT_INSN(),
6486 		},
6487 		.fixup_map_hash_16b = { 3, 10 },
6488 		.result = ACCEPT,
6489 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6490 	},
6491 	{
6492 		"map update helper access to map: wrong size",
6493 		.insns = {
6494 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6495 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6496 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6497 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6498 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6499 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6500 			BPF_MOV64_IMM(BPF_REG_4, 0),
6501 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
6502 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6503 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6504 			BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
6505 			BPF_EXIT_INSN(),
6506 		},
6507 		.fixup_map_hash_8b = { 3 },
6508 		.fixup_map_hash_16b = { 10 },
6509 		.result = REJECT,
6510 		.errstr = "invalid access to map value, value_size=8 off=0 size=16",
6511 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6512 	},
6513 	{
6514 		"map helper access to adjusted map (via const imm)",
6515 		.insns = {
6516 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6517 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6518 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6519 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6520 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6521 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6522 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6523 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6524 				      offsetof(struct other_val, bar)),
6525 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6526 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6527 			BPF_EXIT_INSN(),
6528 		},
6529 		.fixup_map_hash_16b = { 3, 9 },
6530 		.result = ACCEPT,
6531 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6532 	},
6533 	{
6534 		"map helper access to adjusted map (via const imm): out-of-bound 1",
6535 		.insns = {
6536 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6537 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6538 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6539 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6540 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6541 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6542 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6543 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6544 				      sizeof(struct other_val) - 4),
6545 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6546 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6547 			BPF_EXIT_INSN(),
6548 		},
6549 		.fixup_map_hash_16b = { 3, 9 },
6550 		.result = REJECT,
6551 		.errstr = "invalid access to map value, value_size=16 off=12 size=8",
6552 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6553 	},
6554 	{
6555 		"map helper access to adjusted map (via const imm): out-of-bound 2",
6556 		.insns = {
6557 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6558 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6559 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6560 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6561 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6562 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6563 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6564 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6565 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6566 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6567 			BPF_EXIT_INSN(),
6568 		},
6569 		.fixup_map_hash_16b = { 3, 9 },
6570 		.result = REJECT,
6571 		.errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6572 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6573 	},
6574 	{
6575 		"map helper access to adjusted map (via const reg)",
6576 		.insns = {
6577 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6578 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6579 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6580 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6581 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6582 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6583 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6584 			BPF_MOV64_IMM(BPF_REG_3,
6585 				      offsetof(struct other_val, bar)),
6586 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6587 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6588 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6589 			BPF_EXIT_INSN(),
6590 		},
6591 		.fixup_map_hash_16b = { 3, 10 },
6592 		.result = ACCEPT,
6593 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6594 	},
6595 	{
6596 		"map helper access to adjusted map (via const reg): out-of-bound 1",
6597 		.insns = {
6598 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6599 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6600 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6601 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6602 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6603 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6604 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6605 			BPF_MOV64_IMM(BPF_REG_3,
6606 				      sizeof(struct other_val) - 4),
6607 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6608 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6609 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6610 			BPF_EXIT_INSN(),
6611 		},
6612 		.fixup_map_hash_16b = { 3, 10 },
6613 		.result = REJECT,
6614 		.errstr = "invalid access to map value, value_size=16 off=12 size=8",
6615 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6616 	},
6617 	{
6618 		"map helper access to adjusted map (via const reg): out-of-bound 2",
6619 		.insns = {
6620 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6621 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6622 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6623 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6624 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6625 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6626 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6627 			BPF_MOV64_IMM(BPF_REG_3, -4),
6628 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6629 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6630 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6631 			BPF_EXIT_INSN(),
6632 		},
6633 		.fixup_map_hash_16b = { 3, 10 },
6634 		.result = REJECT,
6635 		.errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6636 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6637 	},
6638 	{
6639 		"map helper access to adjusted map (via variable)",
6640 		.insns = {
6641 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6642 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6643 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6644 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6645 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6646 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6647 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6648 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6649 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6650 				    offsetof(struct other_val, bar), 4),
6651 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6652 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6653 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6654 			BPF_EXIT_INSN(),
6655 		},
6656 		.fixup_map_hash_16b = { 3, 11 },
6657 		.result = ACCEPT,
6658 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6659 	},
6660 	{
6661 		"map helper access to adjusted map (via variable): no max check",
6662 		.insns = {
6663 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6664 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6665 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6666 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6667 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6668 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6669 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6670 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6671 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6672 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6673 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6674 			BPF_EXIT_INSN(),
6675 		},
6676 		.fixup_map_hash_16b = { 3, 10 },
6677 		.result = REJECT,
6678 		.errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
6679 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6680 	},
6681 	{
6682 		"map helper access to adjusted map (via variable): wrong max check",
6683 		.insns = {
6684 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6685 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6686 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6687 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6688 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6689 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6690 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6691 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6692 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6693 				    offsetof(struct other_val, bar) + 1, 4),
6694 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6695 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6696 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6697 			BPF_EXIT_INSN(),
6698 		},
6699 		.fixup_map_hash_16b = { 3, 11 },
6700 		.result = REJECT,
6701 		.errstr = "invalid access to map value, value_size=16 off=9 size=8",
6702 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6703 	},
6704 	{
6705 		"map element value is preserved across register spilling",
6706 		.insns = {
6707 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6708 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6709 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6710 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6711 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6712 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6713 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6714 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6715 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6716 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6717 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6718 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6719 			BPF_EXIT_INSN(),
6720 		},
6721 		.fixup_map_hash_48b = { 3 },
6722 		.errstr_unpriv = "R0 leaks addr",
6723 		.result = ACCEPT,
6724 		.result_unpriv = REJECT,
6725 	},
6726 	{
6727 		"map element value or null is marked on register spilling",
6728 		.insns = {
6729 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6730 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6731 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6732 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6733 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6734 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6735 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
6736 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6737 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6738 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6739 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6740 			BPF_EXIT_INSN(),
6741 		},
6742 		.fixup_map_hash_48b = { 3 },
6743 		.errstr_unpriv = "R0 leaks addr",
6744 		.result = ACCEPT,
6745 		.result_unpriv = REJECT,
6746 	},
6747 	{
6748 		"map element value store of cleared call register",
6749 		.insns = {
6750 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6751 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6752 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6753 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6754 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6755 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
6756 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
6757 			BPF_EXIT_INSN(),
6758 		},
6759 		.fixup_map_hash_48b = { 3 },
6760 		.errstr_unpriv = "R1 !read_ok",
6761 		.errstr = "R1 !read_ok",
6762 		.result = REJECT,
6763 		.result_unpriv = REJECT,
6764 	},
6765 	{
6766 		"map element value with unaligned store",
6767 		.insns = {
6768 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6769 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6770 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6771 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6772 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6773 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
6774 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6775 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6776 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
6777 			BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
6778 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6779 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
6780 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
6781 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
6782 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
6783 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
6784 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
6785 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
6786 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
6787 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
6788 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
6789 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
6790 			BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
6791 			BPF_EXIT_INSN(),
6792 		},
6793 		.fixup_map_hash_48b = { 3 },
6794 		.errstr_unpriv = "R0 leaks addr",
6795 		.result = ACCEPT,
6796 		.result_unpriv = REJECT,
6797 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6798 	},
6799 	{
6800 		"map element value with unaligned load",
6801 		.insns = {
6802 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6803 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6804 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6805 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6806 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6807 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6808 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6809 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
6810 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6811 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6812 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
6813 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6814 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
6815 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
6816 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
6817 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6818 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
6819 			BPF_EXIT_INSN(),
6820 		},
6821 		.fixup_map_hash_48b = { 3 },
6822 		.errstr_unpriv = "R0 leaks addr",
6823 		.result = ACCEPT,
6824 		.result_unpriv = REJECT,
6825 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6826 	},
6827 	{
6828 		"map element value illegal alu op, 1",
6829 		.insns = {
6830 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6831 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6832 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6833 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6834 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6835 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6836 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
6837 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6838 			BPF_EXIT_INSN(),
6839 		},
6840 		.fixup_map_hash_48b = { 3 },
6841 		.errstr = "R0 bitwise operator &= on pointer",
6842 		.result = REJECT,
6843 	},
6844 	{
6845 		"map element value illegal alu op, 2",
6846 		.insns = {
6847 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6848 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6849 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6850 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6851 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6852 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6853 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
6854 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6855 			BPF_EXIT_INSN(),
6856 		},
6857 		.fixup_map_hash_48b = { 3 },
6858 		.errstr = "R0 32-bit pointer arithmetic prohibited",
6859 		.result = REJECT,
6860 	},
6861 	{
6862 		"map element value illegal alu op, 3",
6863 		.insns = {
6864 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6865 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6866 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6867 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6868 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6869 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6870 			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
6871 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6872 			BPF_EXIT_INSN(),
6873 		},
6874 		.fixup_map_hash_48b = { 3 },
6875 		.errstr = "R0 pointer arithmetic with /= operator",
6876 		.result = REJECT,
6877 	},
6878 	{
6879 		"map element value illegal alu op, 4",
6880 		.insns = {
6881 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6882 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6883 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6884 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6885 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6886 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6887 			BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
6888 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6889 			BPF_EXIT_INSN(),
6890 		},
6891 		.fixup_map_hash_48b = { 3 },
6892 		.errstr_unpriv = "R0 pointer arithmetic prohibited",
6893 		.errstr = "invalid mem access 'inv'",
6894 		.result = REJECT,
6895 		.result_unpriv = REJECT,
6896 	},
6897 	{
6898 		"map element value illegal alu op, 5",
6899 		.insns = {
6900 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6901 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6902 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6903 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6904 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6905 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6906 			BPF_MOV64_IMM(BPF_REG_3, 4096),
6907 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6908 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6909 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6910 			BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
6911 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
6912 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6913 			BPF_EXIT_INSN(),
6914 		},
6915 		.fixup_map_hash_48b = { 3 },
6916 		.errstr = "R0 invalid mem access 'inv'",
6917 		.result = REJECT,
6918 	},
6919 	{
6920 		"map element value is preserved across register spilling",
6921 		.insns = {
6922 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6923 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6924 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6925 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6926 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6927 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6928 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
6929 				offsetof(struct test_val, foo)),
6930 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6931 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6932 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6933 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6934 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6935 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6936 			BPF_EXIT_INSN(),
6937 		},
6938 		.fixup_map_hash_48b = { 3 },
6939 		.errstr_unpriv = "R0 leaks addr",
6940 		.result = ACCEPT,
6941 		.result_unpriv = REJECT,
6942 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6943 	},
6944 	{
6945 		"helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
6946 		.insns = {
6947 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6948 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6949 			BPF_MOV64_IMM(BPF_REG_0, 0),
6950 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6951 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6952 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6953 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6954 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6955 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6956 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6957 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6958 			BPF_MOV64_IMM(BPF_REG_2, 16),
6959 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6960 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6961 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6962 			BPF_MOV64_IMM(BPF_REG_4, 0),
6963 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6964 			BPF_MOV64_IMM(BPF_REG_3, 0),
6965 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6966 			BPF_MOV64_IMM(BPF_REG_0, 0),
6967 			BPF_EXIT_INSN(),
6968 		},
6969 		.result = ACCEPT,
6970 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6971 	},
6972 	{
6973 		"helper access to variable memory: stack, bitwise AND, zero included",
6974 		.insns = {
6975 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6976 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6977 			BPF_MOV64_IMM(BPF_REG_2, 16),
6978 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6979 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6980 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6981 			BPF_MOV64_IMM(BPF_REG_3, 0),
6982 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6983 			BPF_EXIT_INSN(),
6984 		},
6985 		.errstr = "invalid indirect read from stack off -64+0 size 64",
6986 		.result = REJECT,
6987 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6988 	},
6989 	{
6990 		"helper access to variable memory: stack, bitwise AND + JMP, wrong max",
6991 		.insns = {
6992 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6993 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6994 			BPF_MOV64_IMM(BPF_REG_2, 16),
6995 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6996 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6997 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
6998 			BPF_MOV64_IMM(BPF_REG_4, 0),
6999 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7000 			BPF_MOV64_IMM(BPF_REG_3, 0),
7001 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7002 			BPF_MOV64_IMM(BPF_REG_0, 0),
7003 			BPF_EXIT_INSN(),
7004 		},
7005 		.errstr = "invalid stack type R1 off=-64 access_size=65",
7006 		.result = REJECT,
7007 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7008 	},
7009 	{
7010 		"helper access to variable memory: stack, JMP, correct bounds",
7011 		.insns = {
7012 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7013 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7014 			BPF_MOV64_IMM(BPF_REG_0, 0),
7015 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7016 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7017 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7018 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7019 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7020 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7021 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7022 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7023 			BPF_MOV64_IMM(BPF_REG_2, 16),
7024 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7025 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7026 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
7027 			BPF_MOV64_IMM(BPF_REG_4, 0),
7028 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7029 			BPF_MOV64_IMM(BPF_REG_3, 0),
7030 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7031 			BPF_MOV64_IMM(BPF_REG_0, 0),
7032 			BPF_EXIT_INSN(),
7033 		},
7034 		.result = ACCEPT,
7035 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7036 	},
7037 	{
7038 		"helper access to variable memory: stack, JMP (signed), correct bounds",
7039 		.insns = {
7040 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7041 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7042 			BPF_MOV64_IMM(BPF_REG_0, 0),
7043 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7044 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7045 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7046 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7047 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7048 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7049 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7050 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7051 			BPF_MOV64_IMM(BPF_REG_2, 16),
7052 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7053 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7054 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
7055 			BPF_MOV64_IMM(BPF_REG_4, 0),
7056 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7057 			BPF_MOV64_IMM(BPF_REG_3, 0),
7058 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7059 			BPF_MOV64_IMM(BPF_REG_0, 0),
7060 			BPF_EXIT_INSN(),
7061 		},
7062 		.result = ACCEPT,
7063 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7064 	},
7065 	{
7066 		"helper access to variable memory: stack, JMP, bounds + offset",
7067 		.insns = {
7068 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7069 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7070 			BPF_MOV64_IMM(BPF_REG_2, 16),
7071 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7072 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7073 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
7074 			BPF_MOV64_IMM(BPF_REG_4, 0),
7075 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
7076 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7077 			BPF_MOV64_IMM(BPF_REG_3, 0),
7078 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7079 			BPF_MOV64_IMM(BPF_REG_0, 0),
7080 			BPF_EXIT_INSN(),
7081 		},
7082 		.errstr = "invalid stack type R1 off=-64 access_size=65",
7083 		.result = REJECT,
7084 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7085 	},
7086 	{
7087 		"helper access to variable memory: stack, JMP, wrong max",
7088 		.insns = {
7089 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7090 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7091 			BPF_MOV64_IMM(BPF_REG_2, 16),
7092 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7093 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7094 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
7095 			BPF_MOV64_IMM(BPF_REG_4, 0),
7096 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7097 			BPF_MOV64_IMM(BPF_REG_3, 0),
7098 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7099 			BPF_MOV64_IMM(BPF_REG_0, 0),
7100 			BPF_EXIT_INSN(),
7101 		},
7102 		.errstr = "invalid stack type R1 off=-64 access_size=65",
7103 		.result = REJECT,
7104 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7105 	},
7106 	{
7107 		"helper access to variable memory: stack, JMP, no max check",
7108 		.insns = {
7109 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7110 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7111 			BPF_MOV64_IMM(BPF_REG_2, 16),
7112 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7113 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7114 			BPF_MOV64_IMM(BPF_REG_4, 0),
7115 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
7116 			BPF_MOV64_IMM(BPF_REG_3, 0),
7117 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7118 			BPF_MOV64_IMM(BPF_REG_0, 0),
7119 			BPF_EXIT_INSN(),
7120 		},
7121 		/* because max wasn't checked, signed min is negative */
7122 		.errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
7123 		.result = REJECT,
7124 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7125 	},
7126 	{
7127 		"helper access to variable memory: stack, JMP, no min check",
7128 		.insns = {
7129 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7130 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7131 			BPF_MOV64_IMM(BPF_REG_2, 16),
7132 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7133 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7134 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
7135 			BPF_MOV64_IMM(BPF_REG_3, 0),
7136 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7137 			BPF_MOV64_IMM(BPF_REG_0, 0),
7138 			BPF_EXIT_INSN(),
7139 		},
7140 		.errstr = "invalid indirect read from stack off -64+0 size 64",
7141 		.result = REJECT,
7142 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7143 	},
7144 	{
7145 		"helper access to variable memory: stack, JMP (signed), no min check",
7146 		.insns = {
7147 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7148 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7149 			BPF_MOV64_IMM(BPF_REG_2, 16),
7150 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
7151 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
7152 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
7153 			BPF_MOV64_IMM(BPF_REG_3, 0),
7154 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7155 			BPF_MOV64_IMM(BPF_REG_0, 0),
7156 			BPF_EXIT_INSN(),
7157 		},
7158 		.errstr = "R2 min value is negative",
7159 		.result = REJECT,
7160 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7161 	},
7162 	{
7163 		"helper access to variable memory: map, JMP, correct bounds",
7164 		.insns = {
7165 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7166 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7167 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7168 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7169 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7170 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7171 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7172 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7173 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7174 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7175 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7176 				sizeof(struct test_val), 4),
7177 			BPF_MOV64_IMM(BPF_REG_4, 0),
7178 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7179 			BPF_MOV64_IMM(BPF_REG_3, 0),
7180 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7181 			BPF_MOV64_IMM(BPF_REG_0, 0),
7182 			BPF_EXIT_INSN(),
7183 		},
7184 		.fixup_map_hash_48b = { 3 },
7185 		.result = ACCEPT,
7186 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7187 	},
7188 	{
7189 		"helper access to variable memory: map, JMP, wrong max",
7190 		.insns = {
7191 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7192 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7193 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7194 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7195 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7196 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7197 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7198 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7199 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7200 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7201 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7202 				sizeof(struct test_val) + 1, 4),
7203 			BPF_MOV64_IMM(BPF_REG_4, 0),
7204 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7205 			BPF_MOV64_IMM(BPF_REG_3, 0),
7206 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7207 			BPF_MOV64_IMM(BPF_REG_0, 0),
7208 			BPF_EXIT_INSN(),
7209 		},
7210 		.fixup_map_hash_48b = { 3 },
7211 		.errstr = "invalid access to map value, value_size=48 off=0 size=49",
7212 		.result = REJECT,
7213 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7214 	},
7215 	{
7216 		"helper access to variable memory: map adjusted, JMP, correct bounds",
7217 		.insns = {
7218 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7219 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7220 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7221 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7222 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7223 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7224 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7225 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
7226 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7227 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7228 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7229 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7230 				sizeof(struct test_val) - 20, 4),
7231 			BPF_MOV64_IMM(BPF_REG_4, 0),
7232 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7233 			BPF_MOV64_IMM(BPF_REG_3, 0),
7234 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7235 			BPF_MOV64_IMM(BPF_REG_0, 0),
7236 			BPF_EXIT_INSN(),
7237 		},
7238 		.fixup_map_hash_48b = { 3 },
7239 		.result = ACCEPT,
7240 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7241 	},
7242 	{
7243 		"helper access to variable memory: map adjusted, JMP, wrong max",
7244 		.insns = {
7245 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7246 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7247 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7248 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7249 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7250 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7251 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7252 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
7253 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
7254 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7255 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7256 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
7257 				sizeof(struct test_val) - 19, 4),
7258 			BPF_MOV64_IMM(BPF_REG_4, 0),
7259 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
7260 			BPF_MOV64_IMM(BPF_REG_3, 0),
7261 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7262 			BPF_MOV64_IMM(BPF_REG_0, 0),
7263 			BPF_EXIT_INSN(),
7264 		},
7265 		.fixup_map_hash_48b = { 3 },
7266 		.errstr = "R1 min value is outside of the array range",
7267 		.result = REJECT,
7268 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7269 	},
7270 	{
7271 		"helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
7272 		.insns = {
7273 			BPF_MOV64_IMM(BPF_REG_1, 0),
7274 			BPF_MOV64_IMM(BPF_REG_2, 0),
7275 			BPF_MOV64_IMM(BPF_REG_3, 0),
7276 			BPF_MOV64_IMM(BPF_REG_4, 0),
7277 			BPF_MOV64_IMM(BPF_REG_5, 0),
7278 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7279 			BPF_EXIT_INSN(),
7280 		},
7281 		.result = ACCEPT,
7282 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7283 	},
7284 	{
7285 		"helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
7286 		.insns = {
7287 			BPF_MOV64_IMM(BPF_REG_1, 0),
7288 			BPF_MOV64_IMM(BPF_REG_2, 1),
7289 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7290 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7291 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
7292 			BPF_MOV64_IMM(BPF_REG_3, 0),
7293 			BPF_MOV64_IMM(BPF_REG_4, 0),
7294 			BPF_MOV64_IMM(BPF_REG_5, 0),
7295 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7296 			BPF_EXIT_INSN(),
7297 		},
7298 		.errstr = "R1 type=inv expected=fp",
7299 		.result = REJECT,
7300 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7301 	},
7302 	{
7303 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
7304 		.insns = {
7305 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7306 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7307 			BPF_MOV64_IMM(BPF_REG_2, 0),
7308 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
7309 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
7310 			BPF_MOV64_IMM(BPF_REG_3, 0),
7311 			BPF_MOV64_IMM(BPF_REG_4, 0),
7312 			BPF_MOV64_IMM(BPF_REG_5, 0),
7313 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7314 			BPF_EXIT_INSN(),
7315 		},
7316 		.result = ACCEPT,
7317 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7318 	},
7319 	{
7320 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
7321 		.insns = {
7322 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7323 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7324 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7325 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7326 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7327 				     BPF_FUNC_map_lookup_elem),
7328 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7329 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7330 			BPF_MOV64_IMM(BPF_REG_2, 0),
7331 			BPF_MOV64_IMM(BPF_REG_3, 0),
7332 			BPF_MOV64_IMM(BPF_REG_4, 0),
7333 			BPF_MOV64_IMM(BPF_REG_5, 0),
7334 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7335 			BPF_EXIT_INSN(),
7336 		},
7337 		.fixup_map_hash_8b = { 3 },
7338 		.result = ACCEPT,
7339 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7340 	},
7341 	{
7342 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
7343 		.insns = {
7344 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7345 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7346 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7347 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7348 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7349 				     BPF_FUNC_map_lookup_elem),
7350 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7351 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7352 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
7353 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7354 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7355 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
7356 			BPF_MOV64_IMM(BPF_REG_3, 0),
7357 			BPF_MOV64_IMM(BPF_REG_4, 0),
7358 			BPF_MOV64_IMM(BPF_REG_5, 0),
7359 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7360 			BPF_EXIT_INSN(),
7361 		},
7362 		.fixup_map_hash_8b = { 3 },
7363 		.result = ACCEPT,
7364 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7365 	},
7366 	{
7367 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
7368 		.insns = {
7369 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7370 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7371 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7372 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7373 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7374 				     BPF_FUNC_map_lookup_elem),
7375 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7376 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7377 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7378 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7379 			BPF_MOV64_IMM(BPF_REG_3, 0),
7380 			BPF_MOV64_IMM(BPF_REG_4, 0),
7381 			BPF_MOV64_IMM(BPF_REG_5, 0),
7382 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7383 			BPF_EXIT_INSN(),
7384 		},
7385 		.fixup_map_hash_8b = { 3 },
7386 		.result = ACCEPT,
7387 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7388 	},
7389 	{
7390 		"helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
7391 		.insns = {
7392 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7393 				    offsetof(struct __sk_buff, data)),
7394 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7395 				    offsetof(struct __sk_buff, data_end)),
7396 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
7397 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7398 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
7399 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
7400 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
7401 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7402 			BPF_MOV64_IMM(BPF_REG_3, 0),
7403 			BPF_MOV64_IMM(BPF_REG_4, 0),
7404 			BPF_MOV64_IMM(BPF_REG_5, 0),
7405 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
7406 			BPF_EXIT_INSN(),
7407 		},
7408 		.result = ACCEPT,
7409 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7410 		.retval = 0 /* csum_diff of 64-byte packet */,
7411 	},
7412 	{
7413 		"helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
7414 		.insns = {
7415 			BPF_MOV64_IMM(BPF_REG_1, 0),
7416 			BPF_MOV64_IMM(BPF_REG_2, 0),
7417 			BPF_MOV64_IMM(BPF_REG_3, 0),
7418 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7419 			BPF_EXIT_INSN(),
7420 		},
7421 		.errstr = "R1 type=inv expected=fp",
7422 		.result = REJECT,
7423 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7424 	},
7425 	{
7426 		"helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
7427 		.insns = {
7428 			BPF_MOV64_IMM(BPF_REG_1, 0),
7429 			BPF_MOV64_IMM(BPF_REG_2, 1),
7430 			BPF_MOV64_IMM(BPF_REG_3, 0),
7431 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7432 			BPF_EXIT_INSN(),
7433 		},
7434 		.errstr = "R1 type=inv expected=fp",
7435 		.result = REJECT,
7436 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7437 	},
7438 	{
7439 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7440 		.insns = {
7441 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7442 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7443 			BPF_MOV64_IMM(BPF_REG_2, 0),
7444 			BPF_MOV64_IMM(BPF_REG_3, 0),
7445 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7446 			BPF_EXIT_INSN(),
7447 		},
7448 		.result = ACCEPT,
7449 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7450 	},
7451 	{
7452 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7453 		.insns = {
7454 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7455 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7456 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7457 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7458 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7459 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7460 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7461 			BPF_MOV64_IMM(BPF_REG_2, 0),
7462 			BPF_MOV64_IMM(BPF_REG_3, 0),
7463 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7464 			BPF_EXIT_INSN(),
7465 		},
7466 		.fixup_map_hash_8b = { 3 },
7467 		.result = ACCEPT,
7468 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7469 	},
7470 	{
7471 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7472 		.insns = {
7473 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7474 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7475 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7476 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7477 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7478 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7479 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7480 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
7481 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7482 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
7483 			BPF_MOV64_IMM(BPF_REG_3, 0),
7484 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7485 			BPF_EXIT_INSN(),
7486 		},
7487 		.fixup_map_hash_8b = { 3 },
7488 		.result = ACCEPT,
7489 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7490 	},
7491 	{
7492 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
7493 		.insns = {
7494 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7495 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7496 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7497 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7498 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7499 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7500 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7501 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
7502 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
7503 			BPF_MOV64_IMM(BPF_REG_3, 0),
7504 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7505 			BPF_EXIT_INSN(),
7506 		},
7507 		.fixup_map_hash_8b = { 3 },
7508 		.result = ACCEPT,
7509 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7510 	},
7511 	{
7512 		"helper access to variable memory: 8 bytes leak",
7513 		.insns = {
7514 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7515 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7516 			BPF_MOV64_IMM(BPF_REG_0, 0),
7517 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7518 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7519 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7520 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7521 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7522 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7523 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7524 			BPF_MOV64_IMM(BPF_REG_2, 1),
7525 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7526 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7527 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
7528 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7529 			BPF_MOV64_IMM(BPF_REG_3, 0),
7530 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7531 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7532 			BPF_EXIT_INSN(),
7533 		},
7534 		.errstr = "invalid indirect read from stack off -64+32 size 64",
7535 		.result = REJECT,
7536 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7537 	},
7538 	{
7539 		"helper access to variable memory: 8 bytes no leak (init memory)",
7540 		.insns = {
7541 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7542 			BPF_MOV64_IMM(BPF_REG_0, 0),
7543 			BPF_MOV64_IMM(BPF_REG_0, 0),
7544 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7545 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7546 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7547 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7548 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7549 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7550 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7551 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7552 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7553 			BPF_MOV64_IMM(BPF_REG_2, 0),
7554 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
7555 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
7556 			BPF_MOV64_IMM(BPF_REG_3, 0),
7557 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7558 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7559 			BPF_EXIT_INSN(),
7560 		},
7561 		.result = ACCEPT,
7562 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7563 	},
7564 	{
7565 		"invalid and of negative number",
7566 		.insns = {
7567 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7568 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7569 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7570 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7571 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7572 				     BPF_FUNC_map_lookup_elem),
7573 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7574 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7575 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
7576 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
7577 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7578 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7579 				   offsetof(struct test_val, foo)),
7580 			BPF_EXIT_INSN(),
7581 		},
7582 		.fixup_map_hash_48b = { 3 },
7583 		.errstr = "R0 max value is outside of the array range",
7584 		.result = REJECT,
7585 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7586 	},
7587 	{
7588 		"invalid range check",
7589 		.insns = {
7590 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7591 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7592 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7593 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7594 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7595 				     BPF_FUNC_map_lookup_elem),
7596 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
7597 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7598 			BPF_MOV64_IMM(BPF_REG_9, 1),
7599 			BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
7600 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
7601 			BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
7602 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
7603 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
7604 			BPF_MOV32_IMM(BPF_REG_3, 1),
7605 			BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
7606 			BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
7607 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
7608 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
7609 			BPF_MOV64_REG(BPF_REG_0, 0),
7610 			BPF_EXIT_INSN(),
7611 		},
7612 		.fixup_map_hash_48b = { 3 },
7613 		.errstr = "R0 max value is outside of the array range",
7614 		.result = REJECT,
7615 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7616 	},
7617 	{
7618 		"map in map access",
7619 		.insns = {
7620 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7621 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7622 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7623 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7624 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7625 				     BPF_FUNC_map_lookup_elem),
7626 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7627 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7628 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7629 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7630 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7631 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7632 				     BPF_FUNC_map_lookup_elem),
7633 			BPF_MOV64_IMM(BPF_REG_0, 0),
7634 			BPF_EXIT_INSN(),
7635 		},
7636 		.fixup_map_in_map = { 3 },
7637 		.result = ACCEPT,
7638 	},
7639 	{
7640 		"invalid inner map pointer",
7641 		.insns = {
7642 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7643 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7644 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7645 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7646 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7647 				     BPF_FUNC_map_lookup_elem),
7648 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7649 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7650 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7651 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7652 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7653 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7654 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7655 				     BPF_FUNC_map_lookup_elem),
7656 			BPF_MOV64_IMM(BPF_REG_0, 0),
7657 			BPF_EXIT_INSN(),
7658 		},
7659 		.fixup_map_in_map = { 3 },
7660 		.errstr = "R1 pointer arithmetic on map_ptr prohibited",
7661 		.result = REJECT,
7662 	},
7663 	{
7664 		"forgot null checking on the inner map pointer",
7665 		.insns = {
7666 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7667 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7668 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7669 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7670 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7671 				     BPF_FUNC_map_lookup_elem),
7672 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7673 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7674 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7675 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7676 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7677 				     BPF_FUNC_map_lookup_elem),
7678 			BPF_MOV64_IMM(BPF_REG_0, 0),
7679 			BPF_EXIT_INSN(),
7680 		},
7681 		.fixup_map_in_map = { 3 },
7682 		.errstr = "R1 type=map_value_or_null expected=map_ptr",
7683 		.result = REJECT,
7684 	},
7685 	{
7686 		"ld_abs: check calling conv, r1",
7687 		.insns = {
7688 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7689 			BPF_MOV64_IMM(BPF_REG_1, 0),
7690 			BPF_LD_ABS(BPF_W, -0x200000),
7691 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7692 			BPF_EXIT_INSN(),
7693 		},
7694 		.errstr = "R1 !read_ok",
7695 		.result = REJECT,
7696 	},
7697 	{
7698 		"ld_abs: check calling conv, r2",
7699 		.insns = {
7700 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7701 			BPF_MOV64_IMM(BPF_REG_2, 0),
7702 			BPF_LD_ABS(BPF_W, -0x200000),
7703 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7704 			BPF_EXIT_INSN(),
7705 		},
7706 		.errstr = "R2 !read_ok",
7707 		.result = REJECT,
7708 	},
7709 	{
7710 		"ld_abs: check calling conv, r3",
7711 		.insns = {
7712 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7713 			BPF_MOV64_IMM(BPF_REG_3, 0),
7714 			BPF_LD_ABS(BPF_W, -0x200000),
7715 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7716 			BPF_EXIT_INSN(),
7717 		},
7718 		.errstr = "R3 !read_ok",
7719 		.result = REJECT,
7720 	},
7721 	{
7722 		"ld_abs: check calling conv, r4",
7723 		.insns = {
7724 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7725 			BPF_MOV64_IMM(BPF_REG_4, 0),
7726 			BPF_LD_ABS(BPF_W, -0x200000),
7727 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7728 			BPF_EXIT_INSN(),
7729 		},
7730 		.errstr = "R4 !read_ok",
7731 		.result = REJECT,
7732 	},
7733 	{
7734 		"ld_abs: check calling conv, r5",
7735 		.insns = {
7736 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7737 			BPF_MOV64_IMM(BPF_REG_5, 0),
7738 			BPF_LD_ABS(BPF_W, -0x200000),
7739 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7740 			BPF_EXIT_INSN(),
7741 		},
7742 		.errstr = "R5 !read_ok",
7743 		.result = REJECT,
7744 	},
7745 	{
7746 		"ld_abs: check calling conv, r7",
7747 		.insns = {
7748 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7749 			BPF_MOV64_IMM(BPF_REG_7, 0),
7750 			BPF_LD_ABS(BPF_W, -0x200000),
7751 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7752 			BPF_EXIT_INSN(),
7753 		},
7754 		.result = ACCEPT,
7755 	},
7756 	{
7757 		"ld_abs: tests on r6 and skb data reload helper",
7758 		.insns = {
7759 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7760 			BPF_LD_ABS(BPF_B, 0),
7761 			BPF_LD_ABS(BPF_H, 0),
7762 			BPF_LD_ABS(BPF_W, 0),
7763 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
7764 			BPF_MOV64_IMM(BPF_REG_6, 0),
7765 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
7766 			BPF_MOV64_IMM(BPF_REG_2, 1),
7767 			BPF_MOV64_IMM(BPF_REG_3, 2),
7768 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7769 				     BPF_FUNC_skb_vlan_push),
7770 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
7771 			BPF_LD_ABS(BPF_B, 0),
7772 			BPF_LD_ABS(BPF_H, 0),
7773 			BPF_LD_ABS(BPF_W, 0),
7774 			BPF_MOV64_IMM(BPF_REG_0, 42),
7775 			BPF_EXIT_INSN(),
7776 		},
7777 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7778 		.result = ACCEPT,
7779 		.retval = 42 /* ultimate return value */,
7780 	},
7781 	{
7782 		"ld_ind: check calling conv, r1",
7783 		.insns = {
7784 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7785 			BPF_MOV64_IMM(BPF_REG_1, 1),
7786 			BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
7787 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7788 			BPF_EXIT_INSN(),
7789 		},
7790 		.errstr = "R1 !read_ok",
7791 		.result = REJECT,
7792 	},
7793 	{
7794 		"ld_ind: check calling conv, r2",
7795 		.insns = {
7796 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7797 			BPF_MOV64_IMM(BPF_REG_2, 1),
7798 			BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
7799 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7800 			BPF_EXIT_INSN(),
7801 		},
7802 		.errstr = "R2 !read_ok",
7803 		.result = REJECT,
7804 	},
7805 	{
7806 		"ld_ind: check calling conv, r3",
7807 		.insns = {
7808 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7809 			BPF_MOV64_IMM(BPF_REG_3, 1),
7810 			BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
7811 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7812 			BPF_EXIT_INSN(),
7813 		},
7814 		.errstr = "R3 !read_ok",
7815 		.result = REJECT,
7816 	},
7817 	{
7818 		"ld_ind: check calling conv, r4",
7819 		.insns = {
7820 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7821 			BPF_MOV64_IMM(BPF_REG_4, 1),
7822 			BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
7823 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7824 			BPF_EXIT_INSN(),
7825 		},
7826 		.errstr = "R4 !read_ok",
7827 		.result = REJECT,
7828 	},
7829 	{
7830 		"ld_ind: check calling conv, r5",
7831 		.insns = {
7832 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7833 			BPF_MOV64_IMM(BPF_REG_5, 1),
7834 			BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
7835 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7836 			BPF_EXIT_INSN(),
7837 		},
7838 		.errstr = "R5 !read_ok",
7839 		.result = REJECT,
7840 	},
7841 	{
7842 		"ld_ind: check calling conv, r7",
7843 		.insns = {
7844 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7845 			BPF_MOV64_IMM(BPF_REG_7, 1),
7846 			BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
7847 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7848 			BPF_EXIT_INSN(),
7849 		},
7850 		.result = ACCEPT,
7851 		.retval = 1,
7852 	},
7853 	{
7854 		"check bpf_perf_event_data->sample_period byte load permitted",
7855 		.insns = {
7856 			BPF_MOV64_IMM(BPF_REG_0, 0),
7857 #if __BYTE_ORDER == __LITTLE_ENDIAN
7858 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7859 				    offsetof(struct bpf_perf_event_data, sample_period)),
7860 #else
7861 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7862 				    offsetof(struct bpf_perf_event_data, sample_period) + 7),
7863 #endif
7864 			BPF_EXIT_INSN(),
7865 		},
7866 		.result = ACCEPT,
7867 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7868 	},
7869 	{
7870 		"check bpf_perf_event_data->sample_period half load permitted",
7871 		.insns = {
7872 			BPF_MOV64_IMM(BPF_REG_0, 0),
7873 #if __BYTE_ORDER == __LITTLE_ENDIAN
7874 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7875 				    offsetof(struct bpf_perf_event_data, sample_period)),
7876 #else
7877 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7878 				    offsetof(struct bpf_perf_event_data, sample_period) + 6),
7879 #endif
7880 			BPF_EXIT_INSN(),
7881 		},
7882 		.result = ACCEPT,
7883 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7884 	},
7885 	{
7886 		"check bpf_perf_event_data->sample_period word load permitted",
7887 		.insns = {
7888 			BPF_MOV64_IMM(BPF_REG_0, 0),
7889 #if __BYTE_ORDER == __LITTLE_ENDIAN
7890 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7891 				    offsetof(struct bpf_perf_event_data, sample_period)),
7892 #else
7893 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7894 				    offsetof(struct bpf_perf_event_data, sample_period) + 4),
7895 #endif
7896 			BPF_EXIT_INSN(),
7897 		},
7898 		.result = ACCEPT,
7899 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7900 	},
7901 	{
7902 		"check bpf_perf_event_data->sample_period dword load permitted",
7903 		.insns = {
7904 			BPF_MOV64_IMM(BPF_REG_0, 0),
7905 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
7906 				    offsetof(struct bpf_perf_event_data, sample_period)),
7907 			BPF_EXIT_INSN(),
7908 		},
7909 		.result = ACCEPT,
7910 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7911 	},
7912 	{
7913 		"check skb->data half load not permitted",
7914 		.insns = {
7915 			BPF_MOV64_IMM(BPF_REG_0, 0),
7916 #if __BYTE_ORDER == __LITTLE_ENDIAN
7917 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7918 				    offsetof(struct __sk_buff, data)),
7919 #else
7920 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7921 				    offsetof(struct __sk_buff, data) + 2),
7922 #endif
7923 			BPF_EXIT_INSN(),
7924 		},
7925 		.result = REJECT,
7926 		.errstr = "invalid bpf_context access",
7927 	},
7928 	{
7929 		"check skb->tc_classid half load not permitted for lwt prog",
7930 		.insns = {
7931 			BPF_MOV64_IMM(BPF_REG_0, 0),
7932 #if __BYTE_ORDER == __LITTLE_ENDIAN
7933 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7934 				    offsetof(struct __sk_buff, tc_classid)),
7935 #else
7936 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7937 				    offsetof(struct __sk_buff, tc_classid) + 2),
7938 #endif
7939 			BPF_EXIT_INSN(),
7940 		},
7941 		.result = REJECT,
7942 		.errstr = "invalid bpf_context access",
7943 		.prog_type = BPF_PROG_TYPE_LWT_IN,
7944 	},
7945 	{
7946 		"bounds checks mixing signed and unsigned, positive bounds",
7947 		.insns = {
7948 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7949 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7950 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7951 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7952 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7953 				     BPF_FUNC_map_lookup_elem),
7954 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7955 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7956 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7957 			BPF_MOV64_IMM(BPF_REG_2, 2),
7958 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
7959 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
7960 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7961 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7962 			BPF_MOV64_IMM(BPF_REG_0, 0),
7963 			BPF_EXIT_INSN(),
7964 		},
7965 		.fixup_map_hash_8b = { 3 },
7966 		.errstr = "unbounded min value",
7967 		.result = REJECT,
7968 	},
7969 	{
7970 		"bounds checks mixing signed and unsigned",
7971 		.insns = {
7972 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7973 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7974 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7975 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7976 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7977 				     BPF_FUNC_map_lookup_elem),
7978 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7979 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7980 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7981 			BPF_MOV64_IMM(BPF_REG_2, -1),
7982 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7983 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7984 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7985 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7986 			BPF_MOV64_IMM(BPF_REG_0, 0),
7987 			BPF_EXIT_INSN(),
7988 		},
7989 		.fixup_map_hash_8b = { 3 },
7990 		.errstr = "unbounded min value",
7991 		.result = REJECT,
7992 	},
7993 	{
7994 		"bounds checks mixing signed and unsigned, variant 2",
7995 		.insns = {
7996 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7997 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7998 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7999 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8000 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8001 				     BPF_FUNC_map_lookup_elem),
8002 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8003 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8004 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8005 			BPF_MOV64_IMM(BPF_REG_2, -1),
8006 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
8007 			BPF_MOV64_IMM(BPF_REG_8, 0),
8008 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
8009 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
8010 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
8011 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
8012 			BPF_MOV64_IMM(BPF_REG_0, 0),
8013 			BPF_EXIT_INSN(),
8014 		},
8015 		.fixup_map_hash_8b = { 3 },
8016 		.errstr = "unbounded min value",
8017 		.result = REJECT,
8018 	},
8019 	{
8020 		"bounds checks mixing signed and unsigned, variant 3",
8021 		.insns = {
8022 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8023 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8024 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8025 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8026 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8027 				     BPF_FUNC_map_lookup_elem),
8028 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8029 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8030 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8031 			BPF_MOV64_IMM(BPF_REG_2, -1),
8032 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
8033 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
8034 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
8035 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
8036 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
8037 			BPF_MOV64_IMM(BPF_REG_0, 0),
8038 			BPF_EXIT_INSN(),
8039 		},
8040 		.fixup_map_hash_8b = { 3 },
8041 		.errstr = "unbounded min value",
8042 		.result = REJECT,
8043 	},
8044 	{
8045 		"bounds checks mixing signed and unsigned, variant 4",
8046 		.insns = {
8047 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8048 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8049 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8050 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8051 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8052 				     BPF_FUNC_map_lookup_elem),
8053 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8054 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8055 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8056 			BPF_MOV64_IMM(BPF_REG_2, 1),
8057 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
8058 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8059 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8060 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8061 			BPF_MOV64_IMM(BPF_REG_0, 0),
8062 			BPF_EXIT_INSN(),
8063 		},
8064 		.fixup_map_hash_8b = { 3 },
8065 		.result = ACCEPT,
8066 	},
8067 	{
8068 		"bounds checks mixing signed and unsigned, variant 5",
8069 		.insns = {
8070 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8071 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8072 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8073 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8074 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8075 				     BPF_FUNC_map_lookup_elem),
8076 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8077 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8078 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8079 			BPF_MOV64_IMM(BPF_REG_2, -1),
8080 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
8081 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
8082 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
8083 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
8084 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8085 			BPF_MOV64_IMM(BPF_REG_0, 0),
8086 			BPF_EXIT_INSN(),
8087 		},
8088 		.fixup_map_hash_8b = { 3 },
8089 		.errstr = "unbounded min value",
8090 		.result = REJECT,
8091 	},
8092 	{
8093 		"bounds checks mixing signed and unsigned, variant 6",
8094 		.insns = {
8095 			BPF_MOV64_IMM(BPF_REG_2, 0),
8096 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
8097 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
8098 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8099 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
8100 			BPF_MOV64_IMM(BPF_REG_6, -1),
8101 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
8102 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
8103 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8104 			BPF_MOV64_IMM(BPF_REG_5, 0),
8105 			BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
8106 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8107 				     BPF_FUNC_skb_load_bytes),
8108 			BPF_MOV64_IMM(BPF_REG_0, 0),
8109 			BPF_EXIT_INSN(),
8110 		},
8111 		.errstr = "R4 min value is negative, either use unsigned",
8112 		.result = REJECT,
8113 	},
8114 	{
8115 		"bounds checks mixing signed and unsigned, variant 7",
8116 		.insns = {
8117 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8118 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8119 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8120 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8121 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8122 				     BPF_FUNC_map_lookup_elem),
8123 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8124 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8125 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8126 			BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
8127 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
8128 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8129 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8130 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8131 			BPF_MOV64_IMM(BPF_REG_0, 0),
8132 			BPF_EXIT_INSN(),
8133 		},
8134 		.fixup_map_hash_8b = { 3 },
8135 		.result = ACCEPT,
8136 	},
8137 	{
8138 		"bounds checks mixing signed and unsigned, variant 8",
8139 		.insns = {
8140 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8141 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8142 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8143 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8144 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8145 				     BPF_FUNC_map_lookup_elem),
8146 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8147 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8148 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8149 			BPF_MOV64_IMM(BPF_REG_2, -1),
8150 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8151 			BPF_MOV64_IMM(BPF_REG_0, 0),
8152 			BPF_EXIT_INSN(),
8153 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8154 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8155 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8156 			BPF_MOV64_IMM(BPF_REG_0, 0),
8157 			BPF_EXIT_INSN(),
8158 		},
8159 		.fixup_map_hash_8b = { 3 },
8160 		.errstr = "unbounded min value",
8161 		.result = REJECT,
8162 	},
8163 	{
8164 		"bounds checks mixing signed and unsigned, variant 9",
8165 		.insns = {
8166 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8167 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8168 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8169 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8170 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8171 				     BPF_FUNC_map_lookup_elem),
8172 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
8173 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8174 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8175 			BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
8176 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8177 			BPF_MOV64_IMM(BPF_REG_0, 0),
8178 			BPF_EXIT_INSN(),
8179 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8180 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8181 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8182 			BPF_MOV64_IMM(BPF_REG_0, 0),
8183 			BPF_EXIT_INSN(),
8184 		},
8185 		.fixup_map_hash_8b = { 3 },
8186 		.result = ACCEPT,
8187 	},
8188 	{
8189 		"bounds checks mixing signed and unsigned, variant 10",
8190 		.insns = {
8191 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8192 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8193 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8194 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8195 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8196 				     BPF_FUNC_map_lookup_elem),
8197 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8198 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8199 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8200 			BPF_MOV64_IMM(BPF_REG_2, 0),
8201 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
8202 			BPF_MOV64_IMM(BPF_REG_0, 0),
8203 			BPF_EXIT_INSN(),
8204 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8205 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8206 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8207 			BPF_MOV64_IMM(BPF_REG_0, 0),
8208 			BPF_EXIT_INSN(),
8209 		},
8210 		.fixup_map_hash_8b = { 3 },
8211 		.errstr = "unbounded min value",
8212 		.result = REJECT,
8213 	},
8214 	{
8215 		"bounds checks mixing signed and unsigned, variant 11",
8216 		.insns = {
8217 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8218 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8219 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8220 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8221 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8222 				     BPF_FUNC_map_lookup_elem),
8223 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8224 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8225 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8226 			BPF_MOV64_IMM(BPF_REG_2, -1),
8227 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8228 			/* Dead branch. */
8229 			BPF_MOV64_IMM(BPF_REG_0, 0),
8230 			BPF_EXIT_INSN(),
8231 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8232 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8233 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8234 			BPF_MOV64_IMM(BPF_REG_0, 0),
8235 			BPF_EXIT_INSN(),
8236 		},
8237 		.fixup_map_hash_8b = { 3 },
8238 		.errstr = "unbounded min value",
8239 		.result = REJECT,
8240 	},
8241 	{
8242 		"bounds checks mixing signed and unsigned, variant 12",
8243 		.insns = {
8244 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8245 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8246 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8247 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8248 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8249 				     BPF_FUNC_map_lookup_elem),
8250 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8251 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8252 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8253 			BPF_MOV64_IMM(BPF_REG_2, -6),
8254 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8255 			BPF_MOV64_IMM(BPF_REG_0, 0),
8256 			BPF_EXIT_INSN(),
8257 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8258 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8259 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8260 			BPF_MOV64_IMM(BPF_REG_0, 0),
8261 			BPF_EXIT_INSN(),
8262 		},
8263 		.fixup_map_hash_8b = { 3 },
8264 		.errstr = "unbounded min value",
8265 		.result = REJECT,
8266 	},
8267 	{
8268 		"bounds checks mixing signed and unsigned, variant 13",
8269 		.insns = {
8270 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8271 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8272 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8273 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8274 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8275 				     BPF_FUNC_map_lookup_elem),
8276 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8277 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8278 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8279 			BPF_MOV64_IMM(BPF_REG_2, 2),
8280 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8281 			BPF_MOV64_IMM(BPF_REG_7, 1),
8282 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
8283 			BPF_MOV64_IMM(BPF_REG_0, 0),
8284 			BPF_EXIT_INSN(),
8285 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
8286 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
8287 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
8288 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8289 			BPF_MOV64_IMM(BPF_REG_0, 0),
8290 			BPF_EXIT_INSN(),
8291 		},
8292 		.fixup_map_hash_8b = { 3 },
8293 		.errstr = "unbounded min value",
8294 		.result = REJECT,
8295 	},
8296 	{
8297 		"bounds checks mixing signed and unsigned, variant 14",
8298 		.insns = {
8299 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
8300 				    offsetof(struct __sk_buff, mark)),
8301 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8302 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8303 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8304 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8305 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8306 				     BPF_FUNC_map_lookup_elem),
8307 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8308 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8309 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8310 			BPF_MOV64_IMM(BPF_REG_2, -1),
8311 			BPF_MOV64_IMM(BPF_REG_8, 2),
8312 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
8313 			BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
8314 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
8315 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8316 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8317 			BPF_MOV64_IMM(BPF_REG_0, 0),
8318 			BPF_EXIT_INSN(),
8319 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
8320 			BPF_JMP_IMM(BPF_JA, 0, 0, -7),
8321 		},
8322 		.fixup_map_hash_8b = { 4 },
8323 		.errstr = "R0 invalid mem access 'inv'",
8324 		.result = REJECT,
8325 	},
8326 	{
8327 		"bounds checks mixing signed and unsigned, variant 15",
8328 		.insns = {
8329 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8330 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8331 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8332 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8333 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8334 				     BPF_FUNC_map_lookup_elem),
8335 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8336 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
8337 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8338 			BPF_MOV64_IMM(BPF_REG_2, -6),
8339 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
8340 			BPF_MOV64_IMM(BPF_REG_0, 0),
8341 			BPF_EXIT_INSN(),
8342 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8343 			BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
8344 			BPF_MOV64_IMM(BPF_REG_0, 0),
8345 			BPF_EXIT_INSN(),
8346 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
8347 			BPF_MOV64_IMM(BPF_REG_0, 0),
8348 			BPF_EXIT_INSN(),
8349 		},
8350 		.fixup_map_hash_8b = { 3 },
8351 		.errstr = "unbounded min value",
8352 		.result = REJECT,
8353 		.result_unpriv = REJECT,
8354 	},
8355 	{
8356 		"subtraction bounds (map value) variant 1",
8357 		.insns = {
8358 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8359 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8360 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8361 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8362 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8363 				     BPF_FUNC_map_lookup_elem),
8364 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8365 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8366 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
8367 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
8368 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
8369 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
8370 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
8371 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8372 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8373 			BPF_EXIT_INSN(),
8374 			BPF_MOV64_IMM(BPF_REG_0, 0),
8375 			BPF_EXIT_INSN(),
8376 		},
8377 		.fixup_map_hash_8b = { 3 },
8378 		.errstr = "R0 max value is outside of the array range",
8379 		.result = REJECT,
8380 	},
8381 	{
8382 		"subtraction bounds (map value) variant 2",
8383 		.insns = {
8384 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8385 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8386 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8387 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8388 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8389 				     BPF_FUNC_map_lookup_elem),
8390 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8391 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8392 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
8393 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
8394 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
8395 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
8396 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8397 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8398 			BPF_EXIT_INSN(),
8399 			BPF_MOV64_IMM(BPF_REG_0, 0),
8400 			BPF_EXIT_INSN(),
8401 		},
8402 		.fixup_map_hash_8b = { 3 },
8403 		.errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
8404 		.result = REJECT,
8405 	},
8406 	{
8407 		"bounds check based on zero-extended MOV",
8408 		.insns = {
8409 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8410 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8411 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8412 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8413 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8414 				     BPF_FUNC_map_lookup_elem),
8415 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8416 			/* r2 = 0x0000'0000'ffff'ffff */
8417 			BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
8418 			/* r2 = 0 */
8419 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
8420 			/* no-op */
8421 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8422 			/* access at offset 0 */
8423 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8424 			/* exit */
8425 			BPF_MOV64_IMM(BPF_REG_0, 0),
8426 			BPF_EXIT_INSN(),
8427 		},
8428 		.fixup_map_hash_8b = { 3 },
8429 		.result = ACCEPT
8430 	},
8431 	{
8432 		"bounds check based on sign-extended MOV. test1",
8433 		.insns = {
8434 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8435 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8436 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8437 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8438 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8439 				     BPF_FUNC_map_lookup_elem),
8440 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8441 			/* r2 = 0xffff'ffff'ffff'ffff */
8442 			BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
8443 			/* r2 = 0xffff'ffff */
8444 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
8445 			/* r0 = <oob pointer> */
8446 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8447 			/* access to OOB pointer */
8448 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8449 			/* exit */
8450 			BPF_MOV64_IMM(BPF_REG_0, 0),
8451 			BPF_EXIT_INSN(),
8452 		},
8453 		.fixup_map_hash_8b = { 3 },
8454 		.errstr = "map_value pointer and 4294967295",
8455 		.result = REJECT
8456 	},
8457 	{
8458 		"bounds check based on sign-extended MOV. test2",
8459 		.insns = {
8460 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8461 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8462 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8463 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8464 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8465 				     BPF_FUNC_map_lookup_elem),
8466 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8467 			/* r2 = 0xffff'ffff'ffff'ffff */
8468 			BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
8469 			/* r2 = 0xfff'ffff */
8470 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
8471 			/* r0 = <oob pointer> */
8472 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8473 			/* access to OOB pointer */
8474 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8475 			/* exit */
8476 			BPF_MOV64_IMM(BPF_REG_0, 0),
8477 			BPF_EXIT_INSN(),
8478 		},
8479 		.fixup_map_hash_8b = { 3 },
8480 		.errstr = "R0 min value is outside of the array range",
8481 		.result = REJECT
8482 	},
8483 	{
8484 		"bounds check based on reg_off + var_off + insn_off. test1",
8485 		.insns = {
8486 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8487 				    offsetof(struct __sk_buff, mark)),
8488 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8489 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8490 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8491 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8492 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8493 				     BPF_FUNC_map_lookup_elem),
8494 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8495 			BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8496 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
8497 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8498 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8499 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8500 			BPF_MOV64_IMM(BPF_REG_0, 0),
8501 			BPF_EXIT_INSN(),
8502 		},
8503 		.fixup_map_hash_8b = { 4 },
8504 		.errstr = "value_size=8 off=1073741825",
8505 		.result = REJECT,
8506 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8507 	},
8508 	{
8509 		"bounds check based on reg_off + var_off + insn_off. test2",
8510 		.insns = {
8511 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8512 				    offsetof(struct __sk_buff, mark)),
8513 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8514 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8515 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8516 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8517 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8518 				     BPF_FUNC_map_lookup_elem),
8519 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8520 			BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8521 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
8522 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8523 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8524 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8525 			BPF_MOV64_IMM(BPF_REG_0, 0),
8526 			BPF_EXIT_INSN(),
8527 		},
8528 		.fixup_map_hash_8b = { 4 },
8529 		.errstr = "value 1073741823",
8530 		.result = REJECT,
8531 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8532 	},
8533 	{
8534 		"bounds check after truncation of non-boundary-crossing range",
8535 		.insns = {
8536 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8537 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8538 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8539 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8540 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8541 				     BPF_FUNC_map_lookup_elem),
8542 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8543 			/* r1 = [0x00, 0xff] */
8544 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8545 			BPF_MOV64_IMM(BPF_REG_2, 1),
8546 			/* r2 = 0x10'0000'0000 */
8547 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
8548 			/* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
8549 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8550 			/* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
8551 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8552 			/* r1 = [0x00, 0xff] */
8553 			BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
8554 			/* r1 = 0 */
8555 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8556 			/* no-op */
8557 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8558 			/* access at offset 0 */
8559 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8560 			/* exit */
8561 			BPF_MOV64_IMM(BPF_REG_0, 0),
8562 			BPF_EXIT_INSN(),
8563 		},
8564 		.fixup_map_hash_8b = { 3 },
8565 		.result = ACCEPT
8566 	},
8567 	{
8568 		"bounds check after truncation of boundary-crossing range (1)",
8569 		.insns = {
8570 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8571 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8572 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8573 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8574 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8575 				     BPF_FUNC_map_lookup_elem),
8576 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8577 			/* r1 = [0x00, 0xff] */
8578 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8579 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8580 			/* r1 = [0xffff'ff80, 0x1'0000'007f] */
8581 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8582 			/* r1 = [0xffff'ff80, 0xffff'ffff] or
8583 			 *      [0x0000'0000, 0x0000'007f]
8584 			 */
8585 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
8586 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8587 			/* r1 = [0x00, 0xff] or
8588 			 *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8589 			 */
8590 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8591 			/* r1 = 0 or
8592 			 *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8593 			 */
8594 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8595 			/* no-op or OOB pointer computation */
8596 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8597 			/* potentially OOB access */
8598 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8599 			/* exit */
8600 			BPF_MOV64_IMM(BPF_REG_0, 0),
8601 			BPF_EXIT_INSN(),
8602 		},
8603 		.fixup_map_hash_8b = { 3 },
8604 		/* not actually fully unbounded, but the bound is very high */
8605 		.errstr = "R0 unbounded memory access",
8606 		.result = REJECT
8607 	},
8608 	{
8609 		"bounds check after truncation of boundary-crossing range (2)",
8610 		.insns = {
8611 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8612 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8613 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8614 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8615 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8616 				     BPF_FUNC_map_lookup_elem),
8617 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8618 			/* r1 = [0x00, 0xff] */
8619 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8620 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8621 			/* r1 = [0xffff'ff80, 0x1'0000'007f] */
8622 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8623 			/* r1 = [0xffff'ff80, 0xffff'ffff] or
8624 			 *      [0x0000'0000, 0x0000'007f]
8625 			 * difference to previous test: truncation via MOV32
8626 			 * instead of ALU32.
8627 			 */
8628 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
8629 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8630 			/* r1 = [0x00, 0xff] or
8631 			 *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8632 			 */
8633 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8634 			/* r1 = 0 or
8635 			 *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8636 			 */
8637 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8638 			/* no-op or OOB pointer computation */
8639 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8640 			/* potentially OOB access */
8641 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8642 			/* exit */
8643 			BPF_MOV64_IMM(BPF_REG_0, 0),
8644 			BPF_EXIT_INSN(),
8645 		},
8646 		.fixup_map_hash_8b = { 3 },
8647 		/* not actually fully unbounded, but the bound is very high */
8648 		.errstr = "R0 unbounded memory access",
8649 		.result = REJECT
8650 	},
8651 	{
8652 		"bounds check after wrapping 32-bit addition",
8653 		.insns = {
8654 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8655 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8656 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8657 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8658 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8659 				     BPF_FUNC_map_lookup_elem),
8660 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8661 			/* r1 = 0x7fff'ffff */
8662 			BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
8663 			/* r1 = 0xffff'fffe */
8664 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8665 			/* r1 = 0 */
8666 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
8667 			/* no-op */
8668 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8669 			/* access at offset 0 */
8670 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8671 			/* exit */
8672 			BPF_MOV64_IMM(BPF_REG_0, 0),
8673 			BPF_EXIT_INSN(),
8674 		},
8675 		.fixup_map_hash_8b = { 3 },
8676 		.result = ACCEPT
8677 	},
8678 	{
8679 		"bounds check after shift with oversized count operand",
8680 		.insns = {
8681 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8682 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8683 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8684 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8685 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8686 				     BPF_FUNC_map_lookup_elem),
8687 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8688 			BPF_MOV64_IMM(BPF_REG_2, 32),
8689 			BPF_MOV64_IMM(BPF_REG_1, 1),
8690 			/* r1 = (u32)1 << (u32)32 = ? */
8691 			BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
8692 			/* r1 = [0x0000, 0xffff] */
8693 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
8694 			/* computes unknown pointer, potentially OOB */
8695 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8696 			/* potentially OOB access */
8697 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8698 			/* exit */
8699 			BPF_MOV64_IMM(BPF_REG_0, 0),
8700 			BPF_EXIT_INSN(),
8701 		},
8702 		.fixup_map_hash_8b = { 3 },
8703 		.errstr = "R0 max value is outside of the array range",
8704 		.result = REJECT
8705 	},
8706 	{
8707 		"bounds check after right shift of maybe-negative number",
8708 		.insns = {
8709 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8710 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8711 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8712 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8713 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8714 				     BPF_FUNC_map_lookup_elem),
8715 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8716 			/* r1 = [0x00, 0xff] */
8717 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8718 			/* r1 = [-0x01, 0xfe] */
8719 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
8720 			/* r1 = 0 or 0xff'ffff'ffff'ffff */
8721 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8722 			/* r1 = 0 or 0xffff'ffff'ffff */
8723 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8724 			/* computes unknown pointer, potentially OOB */
8725 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8726 			/* potentially OOB access */
8727 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8728 			/* exit */
8729 			BPF_MOV64_IMM(BPF_REG_0, 0),
8730 			BPF_EXIT_INSN(),
8731 		},
8732 		.fixup_map_hash_8b = { 3 },
8733 		.errstr = "R0 unbounded memory access",
8734 		.result = REJECT
8735 	},
8736 	{
8737 		"bounds check map access with off+size signed 32bit overflow. test1",
8738 		.insns = {
8739 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8740 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8741 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8742 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8743 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8744 				     BPF_FUNC_map_lookup_elem),
8745 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8746 			BPF_EXIT_INSN(),
8747 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
8748 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8749 			BPF_JMP_A(0),
8750 			BPF_EXIT_INSN(),
8751 		},
8752 		.fixup_map_hash_8b = { 3 },
8753 		.errstr = "map_value pointer and 2147483646",
8754 		.result = REJECT
8755 	},
8756 	{
8757 		"bounds check map access with off+size signed 32bit overflow. test2",
8758 		.insns = {
8759 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8760 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8761 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8762 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8763 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8764 				     BPF_FUNC_map_lookup_elem),
8765 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8766 			BPF_EXIT_INSN(),
8767 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8768 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8769 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8770 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8771 			BPF_JMP_A(0),
8772 			BPF_EXIT_INSN(),
8773 		},
8774 		.fixup_map_hash_8b = { 3 },
8775 		.errstr = "pointer offset 1073741822",
8776 		.result = REJECT
8777 	},
8778 	{
8779 		"bounds check map access with off+size signed 32bit overflow. test3",
8780 		.insns = {
8781 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8782 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8783 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8784 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8785 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8786 				     BPF_FUNC_map_lookup_elem),
8787 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8788 			BPF_EXIT_INSN(),
8789 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8790 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8791 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8792 			BPF_JMP_A(0),
8793 			BPF_EXIT_INSN(),
8794 		},
8795 		.fixup_map_hash_8b = { 3 },
8796 		.errstr = "pointer offset -1073741822",
8797 		.result = REJECT
8798 	},
8799 	{
8800 		"bounds check map access with off+size signed 32bit overflow. test4",
8801 		.insns = {
8802 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8803 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8804 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8805 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8806 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8807 				     BPF_FUNC_map_lookup_elem),
8808 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8809 			BPF_EXIT_INSN(),
8810 			BPF_MOV64_IMM(BPF_REG_1, 1000000),
8811 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
8812 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8813 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8814 			BPF_JMP_A(0),
8815 			BPF_EXIT_INSN(),
8816 		},
8817 		.fixup_map_hash_8b = { 3 },
8818 		.errstr = "map_value pointer and 1000000000000",
8819 		.result = REJECT
8820 	},
8821 	{
8822 		"pointer/scalar confusion in state equality check (way 1)",
8823 		.insns = {
8824 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8825 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8826 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8827 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8828 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8829 				     BPF_FUNC_map_lookup_elem),
8830 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8831 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8832 			BPF_JMP_A(1),
8833 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8834 			BPF_JMP_A(0),
8835 			BPF_EXIT_INSN(),
8836 		},
8837 		.fixup_map_hash_8b = { 3 },
8838 		.result = ACCEPT,
8839 		.retval = POINTER_VALUE,
8840 		.result_unpriv = REJECT,
8841 		.errstr_unpriv = "R0 leaks addr as return value"
8842 	},
8843 	{
8844 		"pointer/scalar confusion in state equality check (way 2)",
8845 		.insns = {
8846 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8847 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8848 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8849 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8850 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8851 				     BPF_FUNC_map_lookup_elem),
8852 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
8853 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8854 			BPF_JMP_A(1),
8855 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8856 			BPF_EXIT_INSN(),
8857 		},
8858 		.fixup_map_hash_8b = { 3 },
8859 		.result = ACCEPT,
8860 		.retval = POINTER_VALUE,
8861 		.result_unpriv = REJECT,
8862 		.errstr_unpriv = "R0 leaks addr as return value"
8863 	},
8864 	{
8865 		"variable-offset ctx access",
8866 		.insns = {
8867 			/* Get an unknown value */
8868 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8869 			/* Make it small and 4-byte aligned */
8870 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8871 			/* add it to skb.  We now have either &skb->len or
8872 			 * &skb->pkt_type, but we don't know which
8873 			 */
8874 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8875 			/* dereference it */
8876 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8877 			BPF_EXIT_INSN(),
8878 		},
8879 		.errstr = "variable ctx access var_off=(0x0; 0x4)",
8880 		.result = REJECT,
8881 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8882 	},
8883 	{
8884 		"variable-offset stack access",
8885 		.insns = {
8886 			/* Fill the top 8 bytes of the stack */
8887 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8888 			/* Get an unknown value */
8889 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8890 			/* Make it small and 4-byte aligned */
8891 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8892 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8893 			/* add it to fp.  We now have either fp-4 or fp-8, but
8894 			 * we don't know which
8895 			 */
8896 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8897 			/* dereference it */
8898 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
8899 			BPF_EXIT_INSN(),
8900 		},
8901 		.errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
8902 		.result = REJECT,
8903 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8904 	},
8905 	{
8906 		"indirect variable-offset stack access",
8907 		.insns = {
8908 			/* Fill the top 8 bytes of the stack */
8909 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8910 			/* Get an unknown value */
8911 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8912 			/* Make it small and 4-byte aligned */
8913 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8914 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8915 			/* add it to fp.  We now have either fp-4 or fp-8, but
8916 			 * we don't know which
8917 			 */
8918 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8919 			/* dereference it indirectly */
8920 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8921 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8922 				     BPF_FUNC_map_lookup_elem),
8923 			BPF_MOV64_IMM(BPF_REG_0, 0),
8924 			BPF_EXIT_INSN(),
8925 		},
8926 		.fixup_map_hash_8b = { 5 },
8927 		.errstr = "variable stack read R2",
8928 		.result = REJECT,
8929 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8930 	},
8931 	{
8932 		"direct stack access with 32-bit wraparound. test1",
8933 		.insns = {
8934 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8935 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8936 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8937 			BPF_MOV32_IMM(BPF_REG_0, 0),
8938 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8939 			BPF_EXIT_INSN()
8940 		},
8941 		.errstr = "fp pointer and 2147483647",
8942 		.result = REJECT
8943 	},
8944 	{
8945 		"direct stack access with 32-bit wraparound. test2",
8946 		.insns = {
8947 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8948 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8949 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8950 			BPF_MOV32_IMM(BPF_REG_0, 0),
8951 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8952 			BPF_EXIT_INSN()
8953 		},
8954 		.errstr = "fp pointer and 1073741823",
8955 		.result = REJECT
8956 	},
8957 	{
8958 		"direct stack access with 32-bit wraparound. test3",
8959 		.insns = {
8960 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8961 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8962 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8963 			BPF_MOV32_IMM(BPF_REG_0, 0),
8964 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8965 			BPF_EXIT_INSN()
8966 		},
8967 		.errstr = "fp pointer offset 1073741822",
8968 		.result = REJECT
8969 	},
8970 	{
8971 		"liveness pruning and write screening",
8972 		.insns = {
8973 			/* Get an unknown value */
8974 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8975 			/* branch conditions teach us nothing about R2 */
8976 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8977 			BPF_MOV64_IMM(BPF_REG_0, 0),
8978 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8979 			BPF_MOV64_IMM(BPF_REG_0, 0),
8980 			BPF_EXIT_INSN(),
8981 		},
8982 		.errstr = "R0 !read_ok",
8983 		.result = REJECT,
8984 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8985 	},
8986 	{
8987 		"varlen_map_value_access pruning",
8988 		.insns = {
8989 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8990 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8991 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8992 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8993 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8994 				     BPF_FUNC_map_lookup_elem),
8995 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8996 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
8997 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
8998 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
8999 			BPF_MOV32_IMM(BPF_REG_1, 0),
9000 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
9001 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9002 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
9003 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
9004 				   offsetof(struct test_val, foo)),
9005 			BPF_EXIT_INSN(),
9006 		},
9007 		.fixup_map_hash_48b = { 3 },
9008 		.errstr_unpriv = "R0 leaks addr",
9009 		.errstr = "R0 unbounded memory access",
9010 		.result_unpriv = REJECT,
9011 		.result = REJECT,
9012 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9013 	},
9014 	{
9015 		"invalid 64-bit BPF_END",
9016 		.insns = {
9017 			BPF_MOV32_IMM(BPF_REG_0, 0),
9018 			{
9019 				.code  = BPF_ALU64 | BPF_END | BPF_TO_LE,
9020 				.dst_reg = BPF_REG_0,
9021 				.src_reg = 0,
9022 				.off   = 0,
9023 				.imm   = 32,
9024 			},
9025 			BPF_EXIT_INSN(),
9026 		},
9027 		.errstr = "unknown opcode d7",
9028 		.result = REJECT,
9029 	},
9030 	{
9031 		"XDP, using ifindex from netdev",
9032 		.insns = {
9033 			BPF_MOV64_IMM(BPF_REG_0, 0),
9034 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9035 				    offsetof(struct xdp_md, ingress_ifindex)),
9036 			BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
9037 			BPF_MOV64_IMM(BPF_REG_0, 1),
9038 			BPF_EXIT_INSN(),
9039 		},
9040 		.result = ACCEPT,
9041 		.prog_type = BPF_PROG_TYPE_XDP,
9042 		.retval = 1,
9043 	},
9044 	{
9045 		"meta access, test1",
9046 		.insns = {
9047 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9048 				    offsetof(struct xdp_md, data_meta)),
9049 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9050 				    offsetof(struct xdp_md, data)),
9051 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9052 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9053 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9054 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9055 			BPF_MOV64_IMM(BPF_REG_0, 0),
9056 			BPF_EXIT_INSN(),
9057 		},
9058 		.result = ACCEPT,
9059 		.prog_type = BPF_PROG_TYPE_XDP,
9060 	},
9061 	{
9062 		"meta access, test2",
9063 		.insns = {
9064 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9065 				    offsetof(struct xdp_md, data_meta)),
9066 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9067 				    offsetof(struct xdp_md, data)),
9068 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9069 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
9070 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9071 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9072 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9073 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9074 			BPF_MOV64_IMM(BPF_REG_0, 0),
9075 			BPF_EXIT_INSN(),
9076 		},
9077 		.result = REJECT,
9078 		.errstr = "invalid access to packet, off=-8",
9079 		.prog_type = BPF_PROG_TYPE_XDP,
9080 	},
9081 	{
9082 		"meta access, test3",
9083 		.insns = {
9084 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9085 				    offsetof(struct xdp_md, data_meta)),
9086 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9087 				    offsetof(struct xdp_md, data_end)),
9088 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9089 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9090 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9091 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9092 			BPF_MOV64_IMM(BPF_REG_0, 0),
9093 			BPF_EXIT_INSN(),
9094 		},
9095 		.result = REJECT,
9096 		.errstr = "invalid access to packet",
9097 		.prog_type = BPF_PROG_TYPE_XDP,
9098 	},
9099 	{
9100 		"meta access, test4",
9101 		.insns = {
9102 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9103 				    offsetof(struct xdp_md, data_meta)),
9104 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9105 				    offsetof(struct xdp_md, data_end)),
9106 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9107 				    offsetof(struct xdp_md, data)),
9108 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
9109 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9110 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
9111 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9112 			BPF_MOV64_IMM(BPF_REG_0, 0),
9113 			BPF_EXIT_INSN(),
9114 		},
9115 		.result = REJECT,
9116 		.errstr = "invalid access to packet",
9117 		.prog_type = BPF_PROG_TYPE_XDP,
9118 	},
9119 	{
9120 		"meta access, test5",
9121 		.insns = {
9122 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9123 				    offsetof(struct xdp_md, data_meta)),
9124 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9125 				    offsetof(struct xdp_md, data)),
9126 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9127 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9128 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
9129 			BPF_MOV64_IMM(BPF_REG_2, -8),
9130 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9131 				     BPF_FUNC_xdp_adjust_meta),
9132 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
9133 			BPF_MOV64_IMM(BPF_REG_0, 0),
9134 			BPF_EXIT_INSN(),
9135 		},
9136 		.result = REJECT,
9137 		.errstr = "R3 !read_ok",
9138 		.prog_type = BPF_PROG_TYPE_XDP,
9139 	},
9140 	{
9141 		"meta access, test6",
9142 		.insns = {
9143 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9144 				    offsetof(struct xdp_md, data_meta)),
9145 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9146 				    offsetof(struct xdp_md, data)),
9147 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9148 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9149 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9150 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9151 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
9152 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9153 			BPF_MOV64_IMM(BPF_REG_0, 0),
9154 			BPF_EXIT_INSN(),
9155 		},
9156 		.result = REJECT,
9157 		.errstr = "invalid access to packet",
9158 		.prog_type = BPF_PROG_TYPE_XDP,
9159 	},
9160 	{
9161 		"meta access, test7",
9162 		.insns = {
9163 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9164 				    offsetof(struct xdp_md, data_meta)),
9165 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9166 				    offsetof(struct xdp_md, data)),
9167 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
9168 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
9169 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9170 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
9171 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9172 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9173 			BPF_MOV64_IMM(BPF_REG_0, 0),
9174 			BPF_EXIT_INSN(),
9175 		},
9176 		.result = ACCEPT,
9177 		.prog_type = BPF_PROG_TYPE_XDP,
9178 	},
9179 	{
9180 		"meta access, test8",
9181 		.insns = {
9182 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9183 				    offsetof(struct xdp_md, data_meta)),
9184 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9185 				    offsetof(struct xdp_md, data)),
9186 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9187 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
9188 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9189 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9190 			BPF_MOV64_IMM(BPF_REG_0, 0),
9191 			BPF_EXIT_INSN(),
9192 		},
9193 		.result = ACCEPT,
9194 		.prog_type = BPF_PROG_TYPE_XDP,
9195 	},
9196 	{
9197 		"meta access, test9",
9198 		.insns = {
9199 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9200 				    offsetof(struct xdp_md, data_meta)),
9201 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9202 				    offsetof(struct xdp_md, data)),
9203 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
9204 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
9205 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
9206 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
9207 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9208 			BPF_MOV64_IMM(BPF_REG_0, 0),
9209 			BPF_EXIT_INSN(),
9210 		},
9211 		.result = REJECT,
9212 		.errstr = "invalid access to packet",
9213 		.prog_type = BPF_PROG_TYPE_XDP,
9214 	},
9215 	{
9216 		"meta access, test10",
9217 		.insns = {
9218 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9219 				    offsetof(struct xdp_md, data_meta)),
9220 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9221 				    offsetof(struct xdp_md, data)),
9222 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9223 				    offsetof(struct xdp_md, data_end)),
9224 			BPF_MOV64_IMM(BPF_REG_5, 42),
9225 			BPF_MOV64_IMM(BPF_REG_6, 24),
9226 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
9227 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
9228 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
9229 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
9230 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
9231 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
9232 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
9233 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
9234 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
9235 			BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
9236 			BPF_MOV64_IMM(BPF_REG_0, 0),
9237 			BPF_EXIT_INSN(),
9238 		},
9239 		.result = REJECT,
9240 		.errstr = "invalid access to packet",
9241 		.prog_type = BPF_PROG_TYPE_XDP,
9242 	},
9243 	{
9244 		"meta access, test11",
9245 		.insns = {
9246 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9247 				    offsetof(struct xdp_md, data_meta)),
9248 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9249 				    offsetof(struct xdp_md, data)),
9250 			BPF_MOV64_IMM(BPF_REG_5, 42),
9251 			BPF_MOV64_IMM(BPF_REG_6, 24),
9252 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
9253 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
9254 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
9255 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
9256 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
9257 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
9258 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
9259 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
9260 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
9261 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
9262 			BPF_MOV64_IMM(BPF_REG_0, 0),
9263 			BPF_EXIT_INSN(),
9264 		},
9265 		.result = ACCEPT,
9266 		.prog_type = BPF_PROG_TYPE_XDP,
9267 	},
9268 	{
9269 		"meta access, test12",
9270 		.insns = {
9271 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9272 				    offsetof(struct xdp_md, data_meta)),
9273 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9274 				    offsetof(struct xdp_md, data)),
9275 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
9276 				    offsetof(struct xdp_md, data_end)),
9277 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
9278 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
9279 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
9280 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
9281 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
9282 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
9283 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
9284 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
9285 			BPF_MOV64_IMM(BPF_REG_0, 0),
9286 			BPF_EXIT_INSN(),
9287 		},
9288 		.result = ACCEPT,
9289 		.prog_type = BPF_PROG_TYPE_XDP,
9290 	},
9291 	{
9292 		"arithmetic ops make PTR_TO_CTX unusable",
9293 		.insns = {
9294 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
9295 				      offsetof(struct __sk_buff, data) -
9296 				      offsetof(struct __sk_buff, mark)),
9297 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9298 				    offsetof(struct __sk_buff, mark)),
9299 			BPF_EXIT_INSN(),
9300 		},
9301 		.errstr = "dereference of modified ctx ptr",
9302 		.result = REJECT,
9303 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9304 	},
9305 	{
9306 		"pkt_end - pkt_start is allowed",
9307 		.insns = {
9308 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9309 				    offsetof(struct __sk_buff, data_end)),
9310 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9311 				    offsetof(struct __sk_buff, data)),
9312 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
9313 			BPF_EXIT_INSN(),
9314 		},
9315 		.result = ACCEPT,
9316 		.retval = TEST_DATA_LEN,
9317 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9318 	},
9319 	{
9320 		"XDP pkt read, pkt_end mangling, bad access 1",
9321 		.insns = {
9322 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9323 				    offsetof(struct xdp_md, data)),
9324 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9325 				    offsetof(struct xdp_md, data_end)),
9326 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9327 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9328 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
9329 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9330 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9331 			BPF_MOV64_IMM(BPF_REG_0, 0),
9332 			BPF_EXIT_INSN(),
9333 		},
9334 		.errstr = "R3 pointer arithmetic on pkt_end",
9335 		.result = REJECT,
9336 		.prog_type = BPF_PROG_TYPE_XDP,
9337 	},
9338 	{
9339 		"XDP pkt read, pkt_end mangling, bad access 2",
9340 		.insns = {
9341 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9342 				    offsetof(struct xdp_md, data)),
9343 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9344 				    offsetof(struct xdp_md, data_end)),
9345 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9346 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9347 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
9348 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9349 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9350 			BPF_MOV64_IMM(BPF_REG_0, 0),
9351 			BPF_EXIT_INSN(),
9352 		},
9353 		.errstr = "R3 pointer arithmetic on pkt_end",
9354 		.result = REJECT,
9355 		.prog_type = BPF_PROG_TYPE_XDP,
9356 	},
9357 	{
9358 		"XDP pkt read, pkt_data' > pkt_end, good access",
9359 		.insns = {
9360 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9361 				    offsetof(struct xdp_md, data)),
9362 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9363 				    offsetof(struct xdp_md, data_end)),
9364 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9365 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9366 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9367 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9368 			BPF_MOV64_IMM(BPF_REG_0, 0),
9369 			BPF_EXIT_INSN(),
9370 		},
9371 		.result = ACCEPT,
9372 		.prog_type = BPF_PROG_TYPE_XDP,
9373 	},
9374 	{
9375 		"XDP pkt read, pkt_data' > pkt_end, bad access 1",
9376 		.insns = {
9377 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9378 				    offsetof(struct xdp_md, data)),
9379 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9380 				    offsetof(struct xdp_md, data_end)),
9381 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9382 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9383 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9384 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9385 			BPF_MOV64_IMM(BPF_REG_0, 0),
9386 			BPF_EXIT_INSN(),
9387 		},
9388 		.errstr = "R1 offset is outside of the packet",
9389 		.result = REJECT,
9390 		.prog_type = BPF_PROG_TYPE_XDP,
9391 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9392 	},
9393 	{
9394 		"XDP pkt read, pkt_data' > pkt_end, bad access 2",
9395 		.insns = {
9396 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9397 				    offsetof(struct xdp_md, data)),
9398 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9399 				    offsetof(struct xdp_md, data_end)),
9400 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9401 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9402 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9403 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9404 			BPF_MOV64_IMM(BPF_REG_0, 0),
9405 			BPF_EXIT_INSN(),
9406 		},
9407 		.errstr = "R1 offset is outside of the packet",
9408 		.result = REJECT,
9409 		.prog_type = BPF_PROG_TYPE_XDP,
9410 	},
9411 	{
9412 		"XDP pkt read, pkt_end > pkt_data', good access",
9413 		.insns = {
9414 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9415 				    offsetof(struct xdp_md, data)),
9416 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9417 				    offsetof(struct xdp_md, data_end)),
9418 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9419 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9420 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9421 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9422 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9423 			BPF_MOV64_IMM(BPF_REG_0, 0),
9424 			BPF_EXIT_INSN(),
9425 		},
9426 		.result = ACCEPT,
9427 		.prog_type = BPF_PROG_TYPE_XDP,
9428 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9429 	},
9430 	{
9431 		"XDP pkt read, pkt_end > pkt_data', bad access 1",
9432 		.insns = {
9433 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9434 				    offsetof(struct xdp_md, data)),
9435 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9436 				    offsetof(struct xdp_md, data_end)),
9437 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9438 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9439 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9440 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9441 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9442 			BPF_MOV64_IMM(BPF_REG_0, 0),
9443 			BPF_EXIT_INSN(),
9444 		},
9445 		.errstr = "R1 offset is outside of the packet",
9446 		.result = REJECT,
9447 		.prog_type = BPF_PROG_TYPE_XDP,
9448 	},
9449 	{
9450 		"XDP pkt read, pkt_end > pkt_data', bad access 2",
9451 		.insns = {
9452 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9453 				    offsetof(struct xdp_md, data)),
9454 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9455 				    offsetof(struct xdp_md, data_end)),
9456 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9457 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9458 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9459 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9460 			BPF_MOV64_IMM(BPF_REG_0, 0),
9461 			BPF_EXIT_INSN(),
9462 		},
9463 		.errstr = "R1 offset is outside of the packet",
9464 		.result = REJECT,
9465 		.prog_type = BPF_PROG_TYPE_XDP,
9466 	},
9467 	{
9468 		"XDP pkt read, pkt_data' < pkt_end, good access",
9469 		.insns = {
9470 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9471 				    offsetof(struct xdp_md, data)),
9472 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9473 				    offsetof(struct xdp_md, data_end)),
9474 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9475 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9476 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9477 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9478 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9479 			BPF_MOV64_IMM(BPF_REG_0, 0),
9480 			BPF_EXIT_INSN(),
9481 		},
9482 		.result = ACCEPT,
9483 		.prog_type = BPF_PROG_TYPE_XDP,
9484 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9485 	},
9486 	{
9487 		"XDP pkt read, pkt_data' < pkt_end, bad access 1",
9488 		.insns = {
9489 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9490 				    offsetof(struct xdp_md, data)),
9491 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9492 				    offsetof(struct xdp_md, data_end)),
9493 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9494 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9495 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9496 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9497 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9498 			BPF_MOV64_IMM(BPF_REG_0, 0),
9499 			BPF_EXIT_INSN(),
9500 		},
9501 		.errstr = "R1 offset is outside of the packet",
9502 		.result = REJECT,
9503 		.prog_type = BPF_PROG_TYPE_XDP,
9504 	},
9505 	{
9506 		"XDP pkt read, pkt_data' < pkt_end, bad access 2",
9507 		.insns = {
9508 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9509 				    offsetof(struct xdp_md, data)),
9510 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9511 				    offsetof(struct xdp_md, data_end)),
9512 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9513 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9514 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9515 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9516 			BPF_MOV64_IMM(BPF_REG_0, 0),
9517 			BPF_EXIT_INSN(),
9518 		},
9519 		.errstr = "R1 offset is outside of the packet",
9520 		.result = REJECT,
9521 		.prog_type = BPF_PROG_TYPE_XDP,
9522 	},
9523 	{
9524 		"XDP pkt read, pkt_end < pkt_data', good access",
9525 		.insns = {
9526 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9527 				    offsetof(struct xdp_md, data)),
9528 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9529 				    offsetof(struct xdp_md, data_end)),
9530 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9531 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9532 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9533 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9534 			BPF_MOV64_IMM(BPF_REG_0, 0),
9535 			BPF_EXIT_INSN(),
9536 		},
9537 		.result = ACCEPT,
9538 		.prog_type = BPF_PROG_TYPE_XDP,
9539 	},
9540 	{
9541 		"XDP pkt read, pkt_end < pkt_data', bad access 1",
9542 		.insns = {
9543 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9544 				    offsetof(struct xdp_md, data)),
9545 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9546 				    offsetof(struct xdp_md, data_end)),
9547 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9548 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9549 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9550 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9551 			BPF_MOV64_IMM(BPF_REG_0, 0),
9552 			BPF_EXIT_INSN(),
9553 		},
9554 		.errstr = "R1 offset is outside of the packet",
9555 		.result = REJECT,
9556 		.prog_type = BPF_PROG_TYPE_XDP,
9557 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9558 	},
9559 	{
9560 		"XDP pkt read, pkt_end < pkt_data', bad access 2",
9561 		.insns = {
9562 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9563 				    offsetof(struct xdp_md, data)),
9564 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9565 				    offsetof(struct xdp_md, data_end)),
9566 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9567 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9568 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9569 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9570 			BPF_MOV64_IMM(BPF_REG_0, 0),
9571 			BPF_EXIT_INSN(),
9572 		},
9573 		.errstr = "R1 offset is outside of the packet",
9574 		.result = REJECT,
9575 		.prog_type = BPF_PROG_TYPE_XDP,
9576 	},
9577 	{
9578 		"XDP pkt read, pkt_data' >= pkt_end, good access",
9579 		.insns = {
9580 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9581 				    offsetof(struct xdp_md, data)),
9582 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9583 				    offsetof(struct xdp_md, data_end)),
9584 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9585 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9586 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9587 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9588 			BPF_MOV64_IMM(BPF_REG_0, 0),
9589 			BPF_EXIT_INSN(),
9590 		},
9591 		.result = ACCEPT,
9592 		.prog_type = BPF_PROG_TYPE_XDP,
9593 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9594 	},
9595 	{
9596 		"XDP pkt read, pkt_data' >= pkt_end, bad access 1",
9597 		.insns = {
9598 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9599 				    offsetof(struct xdp_md, data)),
9600 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9601 				    offsetof(struct xdp_md, data_end)),
9602 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9603 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9604 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9605 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9606 			BPF_MOV64_IMM(BPF_REG_0, 0),
9607 			BPF_EXIT_INSN(),
9608 		},
9609 		.errstr = "R1 offset is outside of the packet",
9610 		.result = REJECT,
9611 		.prog_type = BPF_PROG_TYPE_XDP,
9612 	},
9613 	{
9614 		"XDP pkt read, pkt_data' >= pkt_end, bad access 2",
9615 		.insns = {
9616 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9617 				    offsetof(struct xdp_md, data)),
9618 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9619 				    offsetof(struct xdp_md, data_end)),
9620 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9621 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9622 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9623 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9624 			BPF_MOV64_IMM(BPF_REG_0, 0),
9625 			BPF_EXIT_INSN(),
9626 		},
9627 		.errstr = "R1 offset is outside of the packet",
9628 		.result = REJECT,
9629 		.prog_type = BPF_PROG_TYPE_XDP,
9630 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9631 	},
9632 	{
9633 		"XDP pkt read, pkt_end >= pkt_data', good access",
9634 		.insns = {
9635 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9636 				    offsetof(struct xdp_md, data)),
9637 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9638 				    offsetof(struct xdp_md, data_end)),
9639 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9640 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9641 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9642 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9643 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9644 			BPF_MOV64_IMM(BPF_REG_0, 0),
9645 			BPF_EXIT_INSN(),
9646 		},
9647 		.result = ACCEPT,
9648 		.prog_type = BPF_PROG_TYPE_XDP,
9649 	},
9650 	{
9651 		"XDP pkt read, pkt_end >= pkt_data', bad access 1",
9652 		.insns = {
9653 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9654 				    offsetof(struct xdp_md, data)),
9655 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9656 				    offsetof(struct xdp_md, data_end)),
9657 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9658 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9659 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9660 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9661 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9662 			BPF_MOV64_IMM(BPF_REG_0, 0),
9663 			BPF_EXIT_INSN(),
9664 		},
9665 		.errstr = "R1 offset is outside of the packet",
9666 		.result = REJECT,
9667 		.prog_type = BPF_PROG_TYPE_XDP,
9668 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9669 	},
9670 	{
9671 		"XDP pkt read, pkt_end >= pkt_data', bad access 2",
9672 		.insns = {
9673 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9674 				    offsetof(struct xdp_md, data)),
9675 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9676 				    offsetof(struct xdp_md, data_end)),
9677 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9678 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9679 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9680 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9681 			BPF_MOV64_IMM(BPF_REG_0, 0),
9682 			BPF_EXIT_INSN(),
9683 		},
9684 		.errstr = "R1 offset is outside of the packet",
9685 		.result = REJECT,
9686 		.prog_type = BPF_PROG_TYPE_XDP,
9687 	},
9688 	{
9689 		"XDP pkt read, pkt_data' <= pkt_end, good access",
9690 		.insns = {
9691 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9692 				    offsetof(struct xdp_md, data)),
9693 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9694 				    offsetof(struct xdp_md, data_end)),
9695 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9696 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9697 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9698 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9699 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9700 			BPF_MOV64_IMM(BPF_REG_0, 0),
9701 			BPF_EXIT_INSN(),
9702 		},
9703 		.result = ACCEPT,
9704 		.prog_type = BPF_PROG_TYPE_XDP,
9705 	},
9706 	{
9707 		"XDP pkt read, pkt_data' <= pkt_end, bad access 1",
9708 		.insns = {
9709 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9710 				    offsetof(struct xdp_md, data)),
9711 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9712 				    offsetof(struct xdp_md, data_end)),
9713 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9714 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9715 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9716 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9717 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9718 			BPF_MOV64_IMM(BPF_REG_0, 0),
9719 			BPF_EXIT_INSN(),
9720 		},
9721 		.errstr = "R1 offset is outside of the packet",
9722 		.result = REJECT,
9723 		.prog_type = BPF_PROG_TYPE_XDP,
9724 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9725 	},
9726 	{
9727 		"XDP pkt read, pkt_data' <= pkt_end, bad access 2",
9728 		.insns = {
9729 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9730 				    offsetof(struct xdp_md, data)),
9731 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9732 				    offsetof(struct xdp_md, data_end)),
9733 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9734 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9735 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9736 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9737 			BPF_MOV64_IMM(BPF_REG_0, 0),
9738 			BPF_EXIT_INSN(),
9739 		},
9740 		.errstr = "R1 offset is outside of the packet",
9741 		.result = REJECT,
9742 		.prog_type = BPF_PROG_TYPE_XDP,
9743 	},
9744 	{
9745 		"XDP pkt read, pkt_end <= pkt_data', good access",
9746 		.insns = {
9747 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9748 				    offsetof(struct xdp_md, data)),
9749 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9750 				    offsetof(struct xdp_md, data_end)),
9751 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9752 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9753 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9754 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9755 			BPF_MOV64_IMM(BPF_REG_0, 0),
9756 			BPF_EXIT_INSN(),
9757 		},
9758 		.result = ACCEPT,
9759 		.prog_type = BPF_PROG_TYPE_XDP,
9760 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9761 	},
9762 	{
9763 		"XDP pkt read, pkt_end <= pkt_data', bad access 1",
9764 		.insns = {
9765 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9766 				    offsetof(struct xdp_md, data)),
9767 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9768 				    offsetof(struct xdp_md, data_end)),
9769 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9770 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9771 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9772 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9773 			BPF_MOV64_IMM(BPF_REG_0, 0),
9774 			BPF_EXIT_INSN(),
9775 		},
9776 		.errstr = "R1 offset is outside of the packet",
9777 		.result = REJECT,
9778 		.prog_type = BPF_PROG_TYPE_XDP,
9779 	},
9780 	{
9781 		"XDP pkt read, pkt_end <= pkt_data', bad access 2",
9782 		.insns = {
9783 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9784 				    offsetof(struct xdp_md, data)),
9785 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9786 				    offsetof(struct xdp_md, data_end)),
9787 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9788 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9789 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9790 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9791 			BPF_MOV64_IMM(BPF_REG_0, 0),
9792 			BPF_EXIT_INSN(),
9793 		},
9794 		.errstr = "R1 offset is outside of the packet",
9795 		.result = REJECT,
9796 		.prog_type = BPF_PROG_TYPE_XDP,
9797 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9798 	},
9799 	{
9800 		"XDP pkt read, pkt_meta' > pkt_data, good access",
9801 		.insns = {
9802 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9803 				    offsetof(struct xdp_md, data_meta)),
9804 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9805 				    offsetof(struct xdp_md, data)),
9806 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9807 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9808 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9809 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9810 			BPF_MOV64_IMM(BPF_REG_0, 0),
9811 			BPF_EXIT_INSN(),
9812 		},
9813 		.result = ACCEPT,
9814 		.prog_type = BPF_PROG_TYPE_XDP,
9815 	},
9816 	{
9817 		"XDP pkt read, pkt_meta' > pkt_data, bad access 1",
9818 		.insns = {
9819 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9820 				    offsetof(struct xdp_md, data_meta)),
9821 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9822 				    offsetof(struct xdp_md, data)),
9823 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9824 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9825 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9826 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9827 			BPF_MOV64_IMM(BPF_REG_0, 0),
9828 			BPF_EXIT_INSN(),
9829 		},
9830 		.errstr = "R1 offset is outside of the packet",
9831 		.result = REJECT,
9832 		.prog_type = BPF_PROG_TYPE_XDP,
9833 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9834 	},
9835 	{
9836 		"XDP pkt read, pkt_meta' > pkt_data, bad access 2",
9837 		.insns = {
9838 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9839 				    offsetof(struct xdp_md, data_meta)),
9840 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9841 				    offsetof(struct xdp_md, data)),
9842 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9843 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9844 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9845 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9846 			BPF_MOV64_IMM(BPF_REG_0, 0),
9847 			BPF_EXIT_INSN(),
9848 		},
9849 		.errstr = "R1 offset is outside of the packet",
9850 		.result = REJECT,
9851 		.prog_type = BPF_PROG_TYPE_XDP,
9852 	},
9853 	{
9854 		"XDP pkt read, pkt_data > pkt_meta', good access",
9855 		.insns = {
9856 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9857 				    offsetof(struct xdp_md, data_meta)),
9858 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9859 				    offsetof(struct xdp_md, data)),
9860 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9861 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9862 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9863 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9864 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9865 			BPF_MOV64_IMM(BPF_REG_0, 0),
9866 			BPF_EXIT_INSN(),
9867 		},
9868 		.result = ACCEPT,
9869 		.prog_type = BPF_PROG_TYPE_XDP,
9870 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9871 	},
9872 	{
9873 		"XDP pkt read, pkt_data > pkt_meta', bad access 1",
9874 		.insns = {
9875 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9876 				    offsetof(struct xdp_md, data_meta)),
9877 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9878 				    offsetof(struct xdp_md, data)),
9879 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9880 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9881 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9882 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9883 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9884 			BPF_MOV64_IMM(BPF_REG_0, 0),
9885 			BPF_EXIT_INSN(),
9886 		},
9887 		.errstr = "R1 offset is outside of the packet",
9888 		.result = REJECT,
9889 		.prog_type = BPF_PROG_TYPE_XDP,
9890 	},
9891 	{
9892 		"XDP pkt read, pkt_data > pkt_meta', bad access 2",
9893 		.insns = {
9894 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9895 				    offsetof(struct xdp_md, data_meta)),
9896 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9897 				    offsetof(struct xdp_md, data)),
9898 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9899 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9900 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9901 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9902 			BPF_MOV64_IMM(BPF_REG_0, 0),
9903 			BPF_EXIT_INSN(),
9904 		},
9905 		.errstr = "R1 offset is outside of the packet",
9906 		.result = REJECT,
9907 		.prog_type = BPF_PROG_TYPE_XDP,
9908 	},
9909 	{
9910 		"XDP pkt read, pkt_meta' < pkt_data, good access",
9911 		.insns = {
9912 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9913 				    offsetof(struct xdp_md, data_meta)),
9914 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9915 				    offsetof(struct xdp_md, data)),
9916 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9917 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9918 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9919 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9920 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9921 			BPF_MOV64_IMM(BPF_REG_0, 0),
9922 			BPF_EXIT_INSN(),
9923 		},
9924 		.result = ACCEPT,
9925 		.prog_type = BPF_PROG_TYPE_XDP,
9926 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9927 	},
9928 	{
9929 		"XDP pkt read, pkt_meta' < pkt_data, bad access 1",
9930 		.insns = {
9931 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9932 				    offsetof(struct xdp_md, data_meta)),
9933 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9934 				    offsetof(struct xdp_md, data)),
9935 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9936 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9937 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9938 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9939 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9940 			BPF_MOV64_IMM(BPF_REG_0, 0),
9941 			BPF_EXIT_INSN(),
9942 		},
9943 		.errstr = "R1 offset is outside of the packet",
9944 		.result = REJECT,
9945 		.prog_type = BPF_PROG_TYPE_XDP,
9946 	},
9947 	{
9948 		"XDP pkt read, pkt_meta' < pkt_data, bad access 2",
9949 		.insns = {
9950 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9951 				    offsetof(struct xdp_md, data_meta)),
9952 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9953 				    offsetof(struct xdp_md, data)),
9954 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9955 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9956 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9957 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9958 			BPF_MOV64_IMM(BPF_REG_0, 0),
9959 			BPF_EXIT_INSN(),
9960 		},
9961 		.errstr = "R1 offset is outside of the packet",
9962 		.result = REJECT,
9963 		.prog_type = BPF_PROG_TYPE_XDP,
9964 	},
9965 	{
9966 		"XDP pkt read, pkt_data < pkt_meta', good access",
9967 		.insns = {
9968 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9969 				    offsetof(struct xdp_md, data_meta)),
9970 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9971 				    offsetof(struct xdp_md, data)),
9972 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9973 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9974 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9975 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9976 			BPF_MOV64_IMM(BPF_REG_0, 0),
9977 			BPF_EXIT_INSN(),
9978 		},
9979 		.result = ACCEPT,
9980 		.prog_type = BPF_PROG_TYPE_XDP,
9981 	},
9982 	{
9983 		"XDP pkt read, pkt_data < pkt_meta', bad access 1",
9984 		.insns = {
9985 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9986 				    offsetof(struct xdp_md, data_meta)),
9987 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9988 				    offsetof(struct xdp_md, data)),
9989 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9990 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9991 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9992 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9993 			BPF_MOV64_IMM(BPF_REG_0, 0),
9994 			BPF_EXIT_INSN(),
9995 		},
9996 		.errstr = "R1 offset is outside of the packet",
9997 		.result = REJECT,
9998 		.prog_type = BPF_PROG_TYPE_XDP,
9999 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10000 	},
10001 	{
10002 		"XDP pkt read, pkt_data < pkt_meta', bad access 2",
10003 		.insns = {
10004 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10005 				    offsetof(struct xdp_md, data_meta)),
10006 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10007 				    offsetof(struct xdp_md, data)),
10008 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10009 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10010 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
10011 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10012 			BPF_MOV64_IMM(BPF_REG_0, 0),
10013 			BPF_EXIT_INSN(),
10014 		},
10015 		.errstr = "R1 offset is outside of the packet",
10016 		.result = REJECT,
10017 		.prog_type = BPF_PROG_TYPE_XDP,
10018 	},
10019 	{
10020 		"XDP pkt read, pkt_meta' >= pkt_data, good access",
10021 		.insns = {
10022 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10023 				    offsetof(struct xdp_md, data_meta)),
10024 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10025 				    offsetof(struct xdp_md, data)),
10026 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10027 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10028 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10029 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10030 			BPF_MOV64_IMM(BPF_REG_0, 0),
10031 			BPF_EXIT_INSN(),
10032 		},
10033 		.result = ACCEPT,
10034 		.prog_type = BPF_PROG_TYPE_XDP,
10035 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10036 	},
10037 	{
10038 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
10039 		.insns = {
10040 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10041 				    offsetof(struct xdp_md, data_meta)),
10042 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10043 				    offsetof(struct xdp_md, data)),
10044 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10045 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10046 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10047 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10048 			BPF_MOV64_IMM(BPF_REG_0, 0),
10049 			BPF_EXIT_INSN(),
10050 		},
10051 		.errstr = "R1 offset is outside of the packet",
10052 		.result = REJECT,
10053 		.prog_type = BPF_PROG_TYPE_XDP,
10054 	},
10055 	{
10056 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
10057 		.insns = {
10058 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10059 				    offsetof(struct xdp_md, data_meta)),
10060 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10061 				    offsetof(struct xdp_md, data)),
10062 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10063 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10064 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
10065 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10066 			BPF_MOV64_IMM(BPF_REG_0, 0),
10067 			BPF_EXIT_INSN(),
10068 		},
10069 		.errstr = "R1 offset is outside of the packet",
10070 		.result = REJECT,
10071 		.prog_type = BPF_PROG_TYPE_XDP,
10072 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10073 	},
10074 	{
10075 		"XDP pkt read, pkt_data >= pkt_meta', good access",
10076 		.insns = {
10077 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10078 				    offsetof(struct xdp_md, data_meta)),
10079 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10080 				    offsetof(struct xdp_md, data)),
10081 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10082 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10083 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10084 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10085 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10086 			BPF_MOV64_IMM(BPF_REG_0, 0),
10087 			BPF_EXIT_INSN(),
10088 		},
10089 		.result = ACCEPT,
10090 		.prog_type = BPF_PROG_TYPE_XDP,
10091 	},
10092 	{
10093 		"XDP pkt read, pkt_data >= pkt_meta', bad access 1",
10094 		.insns = {
10095 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10096 				    offsetof(struct xdp_md, data_meta)),
10097 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10098 				    offsetof(struct xdp_md, data)),
10099 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10100 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10101 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10102 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10103 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10104 			BPF_MOV64_IMM(BPF_REG_0, 0),
10105 			BPF_EXIT_INSN(),
10106 		},
10107 		.errstr = "R1 offset is outside of the packet",
10108 		.result = REJECT,
10109 		.prog_type = BPF_PROG_TYPE_XDP,
10110 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10111 	},
10112 	{
10113 		"XDP pkt read, pkt_data >= pkt_meta', bad access 2",
10114 		.insns = {
10115 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10116 				    offsetof(struct xdp_md, data_meta)),
10117 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10118 				    offsetof(struct xdp_md, data)),
10119 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10120 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10121 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10122 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10123 			BPF_MOV64_IMM(BPF_REG_0, 0),
10124 			BPF_EXIT_INSN(),
10125 		},
10126 		.errstr = "R1 offset is outside of the packet",
10127 		.result = REJECT,
10128 		.prog_type = BPF_PROG_TYPE_XDP,
10129 	},
10130 	{
10131 		"XDP pkt read, pkt_meta' <= pkt_data, good access",
10132 		.insns = {
10133 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10134 				    offsetof(struct xdp_md, data_meta)),
10135 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10136 				    offsetof(struct xdp_md, data)),
10137 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10138 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10139 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10140 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10141 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10142 			BPF_MOV64_IMM(BPF_REG_0, 0),
10143 			BPF_EXIT_INSN(),
10144 		},
10145 		.result = ACCEPT,
10146 		.prog_type = BPF_PROG_TYPE_XDP,
10147 	},
10148 	{
10149 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
10150 		.insns = {
10151 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10152 				    offsetof(struct xdp_md, data_meta)),
10153 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10154 				    offsetof(struct xdp_md, data)),
10155 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10156 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10157 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10158 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10159 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10160 			BPF_MOV64_IMM(BPF_REG_0, 0),
10161 			BPF_EXIT_INSN(),
10162 		},
10163 		.errstr = "R1 offset is outside of the packet",
10164 		.result = REJECT,
10165 		.prog_type = BPF_PROG_TYPE_XDP,
10166 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10167 	},
10168 	{
10169 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
10170 		.insns = {
10171 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10172 				    offsetof(struct xdp_md, data_meta)),
10173 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10174 				    offsetof(struct xdp_md, data)),
10175 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10176 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10177 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10178 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10179 			BPF_MOV64_IMM(BPF_REG_0, 0),
10180 			BPF_EXIT_INSN(),
10181 		},
10182 		.errstr = "R1 offset is outside of the packet",
10183 		.result = REJECT,
10184 		.prog_type = BPF_PROG_TYPE_XDP,
10185 	},
10186 	{
10187 		"XDP pkt read, pkt_data <= pkt_meta', good access",
10188 		.insns = {
10189 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10190 				    offsetof(struct xdp_md, data_meta)),
10191 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10192 				    offsetof(struct xdp_md, data)),
10193 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10194 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10195 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10196 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10197 			BPF_MOV64_IMM(BPF_REG_0, 0),
10198 			BPF_EXIT_INSN(),
10199 		},
10200 		.result = ACCEPT,
10201 		.prog_type = BPF_PROG_TYPE_XDP,
10202 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10203 	},
10204 	{
10205 		"XDP pkt read, pkt_data <= pkt_meta', bad access 1",
10206 		.insns = {
10207 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10208 				    offsetof(struct xdp_md, data_meta)),
10209 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10210 				    offsetof(struct xdp_md, data)),
10211 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10212 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10213 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10214 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10215 			BPF_MOV64_IMM(BPF_REG_0, 0),
10216 			BPF_EXIT_INSN(),
10217 		},
10218 		.errstr = "R1 offset is outside of the packet",
10219 		.result = REJECT,
10220 		.prog_type = BPF_PROG_TYPE_XDP,
10221 	},
10222 	{
10223 		"XDP pkt read, pkt_data <= pkt_meta', bad access 2",
10224 		.insns = {
10225 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10226 				    offsetof(struct xdp_md, data_meta)),
10227 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10228 				    offsetof(struct xdp_md, data)),
10229 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10230 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10231 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
10232 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10233 			BPF_MOV64_IMM(BPF_REG_0, 0),
10234 			BPF_EXIT_INSN(),
10235 		},
10236 		.errstr = "R1 offset is outside of the packet",
10237 		.result = REJECT,
10238 		.prog_type = BPF_PROG_TYPE_XDP,
10239 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10240 	},
10241 	{
10242 		"check deducing bounds from const, 1",
10243 		.insns = {
10244 			BPF_MOV64_IMM(BPF_REG_0, 1),
10245 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
10246 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10247 			BPF_EXIT_INSN(),
10248 		},
10249 		.result = REJECT,
10250 		.errstr = "R0 tried to subtract pointer from scalar",
10251 	},
10252 	{
10253 		"check deducing bounds from const, 2",
10254 		.insns = {
10255 			BPF_MOV64_IMM(BPF_REG_0, 1),
10256 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
10257 			BPF_EXIT_INSN(),
10258 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
10259 			BPF_EXIT_INSN(),
10260 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10261 			BPF_EXIT_INSN(),
10262 		},
10263 		.result = ACCEPT,
10264 		.retval = 1,
10265 	},
10266 	{
10267 		"check deducing bounds from const, 3",
10268 		.insns = {
10269 			BPF_MOV64_IMM(BPF_REG_0, 0),
10270 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
10271 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10272 			BPF_EXIT_INSN(),
10273 		},
10274 		.result = REJECT,
10275 		.errstr = "R0 tried to subtract pointer from scalar",
10276 	},
10277 	{
10278 		"check deducing bounds from const, 4",
10279 		.insns = {
10280 			BPF_MOV64_IMM(BPF_REG_0, 0),
10281 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
10282 			BPF_EXIT_INSN(),
10283 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10284 			BPF_EXIT_INSN(),
10285 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10286 			BPF_EXIT_INSN(),
10287 		},
10288 		.result = ACCEPT,
10289 	},
10290 	{
10291 		"check deducing bounds from const, 5",
10292 		.insns = {
10293 			BPF_MOV64_IMM(BPF_REG_0, 0),
10294 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10295 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10296 			BPF_EXIT_INSN(),
10297 		},
10298 		.result = REJECT,
10299 		.errstr = "R0 tried to subtract pointer from scalar",
10300 	},
10301 	{
10302 		"check deducing bounds from const, 6",
10303 		.insns = {
10304 			BPF_MOV64_IMM(BPF_REG_0, 0),
10305 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10306 			BPF_EXIT_INSN(),
10307 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10308 			BPF_EXIT_INSN(),
10309 		},
10310 		.result = REJECT,
10311 		.errstr = "R0 tried to subtract pointer from scalar",
10312 	},
10313 	{
10314 		"check deducing bounds from const, 7",
10315 		.insns = {
10316 			BPF_MOV64_IMM(BPF_REG_0, ~0),
10317 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
10318 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
10319 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10320 				    offsetof(struct __sk_buff, mark)),
10321 			BPF_EXIT_INSN(),
10322 		},
10323 		.result = REJECT,
10324 		.errstr = "dereference of modified ctx ptr",
10325 	},
10326 	{
10327 		"check deducing bounds from const, 8",
10328 		.insns = {
10329 			BPF_MOV64_IMM(BPF_REG_0, ~0),
10330 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
10331 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
10332 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10333 				    offsetof(struct __sk_buff, mark)),
10334 			BPF_EXIT_INSN(),
10335 		},
10336 		.result = REJECT,
10337 		.errstr = "dereference of modified ctx ptr",
10338 	},
10339 	{
10340 		"check deducing bounds from const, 9",
10341 		.insns = {
10342 			BPF_MOV64_IMM(BPF_REG_0, 0),
10343 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
10344 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10345 			BPF_EXIT_INSN(),
10346 		},
10347 		.result = REJECT,
10348 		.errstr = "R0 tried to subtract pointer from scalar",
10349 	},
10350 	{
10351 		"check deducing bounds from const, 10",
10352 		.insns = {
10353 			BPF_MOV64_IMM(BPF_REG_0, 0),
10354 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
10355 			/* Marks reg as unknown. */
10356 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
10357 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
10358 			BPF_EXIT_INSN(),
10359 		},
10360 		.result = REJECT,
10361 		.errstr = "math between ctx pointer and register with unbounded min value is not allowed",
10362 	},
10363 	{
10364 		"bpf_exit with invalid return code. test1",
10365 		.insns = {
10366 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10367 			BPF_EXIT_INSN(),
10368 		},
10369 		.errstr = "R0 has value (0x0; 0xffffffff)",
10370 		.result = REJECT,
10371 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10372 	},
10373 	{
10374 		"bpf_exit with invalid return code. test2",
10375 		.insns = {
10376 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10377 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
10378 			BPF_EXIT_INSN(),
10379 		},
10380 		.result = ACCEPT,
10381 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10382 	},
10383 	{
10384 		"bpf_exit with invalid return code. test3",
10385 		.insns = {
10386 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10387 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
10388 			BPF_EXIT_INSN(),
10389 		},
10390 		.errstr = "R0 has value (0x0; 0x3)",
10391 		.result = REJECT,
10392 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10393 	},
10394 	{
10395 		"bpf_exit with invalid return code. test4",
10396 		.insns = {
10397 			BPF_MOV64_IMM(BPF_REG_0, 1),
10398 			BPF_EXIT_INSN(),
10399 		},
10400 		.result = ACCEPT,
10401 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10402 	},
10403 	{
10404 		"bpf_exit with invalid return code. test5",
10405 		.insns = {
10406 			BPF_MOV64_IMM(BPF_REG_0, 2),
10407 			BPF_EXIT_INSN(),
10408 		},
10409 		.errstr = "R0 has value (0x2; 0x0)",
10410 		.result = REJECT,
10411 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10412 	},
10413 	{
10414 		"bpf_exit with invalid return code. test6",
10415 		.insns = {
10416 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10417 			BPF_EXIT_INSN(),
10418 		},
10419 		.errstr = "R0 is not a known value (ctx)",
10420 		.result = REJECT,
10421 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10422 	},
10423 	{
10424 		"bpf_exit with invalid return code. test7",
10425 		.insns = {
10426 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10427 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
10428 			BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
10429 			BPF_EXIT_INSN(),
10430 		},
10431 		.errstr = "R0 has unknown scalar value",
10432 		.result = REJECT,
10433 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
10434 	},
10435 	{
10436 		"calls: basic sanity",
10437 		.insns = {
10438 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10439 			BPF_MOV64_IMM(BPF_REG_0, 1),
10440 			BPF_EXIT_INSN(),
10441 			BPF_MOV64_IMM(BPF_REG_0, 2),
10442 			BPF_EXIT_INSN(),
10443 		},
10444 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10445 		.result = ACCEPT,
10446 	},
10447 	{
10448 		"calls: not on unpriviledged",
10449 		.insns = {
10450 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10451 			BPF_MOV64_IMM(BPF_REG_0, 1),
10452 			BPF_EXIT_INSN(),
10453 			BPF_MOV64_IMM(BPF_REG_0, 2),
10454 			BPF_EXIT_INSN(),
10455 		},
10456 		.errstr_unpriv = "function calls to other bpf functions are allowed for root only",
10457 		.result_unpriv = REJECT,
10458 		.result = ACCEPT,
10459 		.retval = 1,
10460 	},
10461 	{
10462 		"calls: div by 0 in subprog",
10463 		.insns = {
10464 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10465 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10466 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10467 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10468 				    offsetof(struct __sk_buff, data_end)),
10469 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10470 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10471 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10472 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10473 			BPF_MOV64_IMM(BPF_REG_0, 1),
10474 			BPF_EXIT_INSN(),
10475 			BPF_MOV32_IMM(BPF_REG_2, 0),
10476 			BPF_MOV32_IMM(BPF_REG_3, 1),
10477 			BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
10478 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10479 				    offsetof(struct __sk_buff, data)),
10480 			BPF_EXIT_INSN(),
10481 		},
10482 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10483 		.result = ACCEPT,
10484 		.retval = 1,
10485 	},
10486 	{
10487 		"calls: multiple ret types in subprog 1",
10488 		.insns = {
10489 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10490 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10491 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10492 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10493 				    offsetof(struct __sk_buff, data_end)),
10494 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10495 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10496 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10497 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10498 			BPF_MOV64_IMM(BPF_REG_0, 1),
10499 			BPF_EXIT_INSN(),
10500 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10501 				    offsetof(struct __sk_buff, data)),
10502 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10503 			BPF_MOV32_IMM(BPF_REG_0, 42),
10504 			BPF_EXIT_INSN(),
10505 		},
10506 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10507 		.result = REJECT,
10508 		.errstr = "R0 invalid mem access 'inv'",
10509 	},
10510 	{
10511 		"calls: multiple ret types in subprog 2",
10512 		.insns = {
10513 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10514 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10515 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10516 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
10517 				    offsetof(struct __sk_buff, data_end)),
10518 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
10519 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10520 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10521 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10522 			BPF_MOV64_IMM(BPF_REG_0, 1),
10523 			BPF_EXIT_INSN(),
10524 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10525 				    offsetof(struct __sk_buff, data)),
10526 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10527 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
10528 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10529 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10530 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10531 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10532 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10533 				     BPF_FUNC_map_lookup_elem),
10534 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10535 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
10536 				    offsetof(struct __sk_buff, data)),
10537 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
10538 			BPF_EXIT_INSN(),
10539 		},
10540 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10541 		.fixup_map_hash_8b = { 16 },
10542 		.result = REJECT,
10543 		.errstr = "R0 min value is outside of the array range",
10544 	},
10545 	{
10546 		"calls: overlapping caller/callee",
10547 		.insns = {
10548 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
10549 			BPF_MOV64_IMM(BPF_REG_0, 1),
10550 			BPF_EXIT_INSN(),
10551 		},
10552 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10553 		.errstr = "last insn is not an exit or jmp",
10554 		.result = REJECT,
10555 	},
10556 	{
10557 		"calls: wrong recursive calls",
10558 		.insns = {
10559 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10560 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10561 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10562 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10563 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10564 			BPF_MOV64_IMM(BPF_REG_0, 1),
10565 			BPF_EXIT_INSN(),
10566 		},
10567 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10568 		.errstr = "jump out of range",
10569 		.result = REJECT,
10570 	},
10571 	{
10572 		"calls: wrong src reg",
10573 		.insns = {
10574 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
10575 			BPF_MOV64_IMM(BPF_REG_0, 1),
10576 			BPF_EXIT_INSN(),
10577 		},
10578 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10579 		.errstr = "BPF_CALL uses reserved fields",
10580 		.result = REJECT,
10581 	},
10582 	{
10583 		"calls: wrong off value",
10584 		.insns = {
10585 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
10586 			BPF_MOV64_IMM(BPF_REG_0, 1),
10587 			BPF_EXIT_INSN(),
10588 			BPF_MOV64_IMM(BPF_REG_0, 2),
10589 			BPF_EXIT_INSN(),
10590 		},
10591 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10592 		.errstr = "BPF_CALL uses reserved fields",
10593 		.result = REJECT,
10594 	},
10595 	{
10596 		"calls: jump back loop",
10597 		.insns = {
10598 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10599 			BPF_MOV64_IMM(BPF_REG_0, 1),
10600 			BPF_EXIT_INSN(),
10601 		},
10602 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10603 		.errstr = "back-edge from insn 0 to 0",
10604 		.result = REJECT,
10605 	},
10606 	{
10607 		"calls: conditional call",
10608 		.insns = {
10609 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10610 				    offsetof(struct __sk_buff, mark)),
10611 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10612 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10613 			BPF_MOV64_IMM(BPF_REG_0, 1),
10614 			BPF_EXIT_INSN(),
10615 			BPF_MOV64_IMM(BPF_REG_0, 2),
10616 			BPF_EXIT_INSN(),
10617 		},
10618 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10619 		.errstr = "jump out of range",
10620 		.result = REJECT,
10621 	},
10622 	{
10623 		"calls: conditional call 2",
10624 		.insns = {
10625 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10626 				    offsetof(struct __sk_buff, mark)),
10627 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10628 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10629 			BPF_MOV64_IMM(BPF_REG_0, 1),
10630 			BPF_EXIT_INSN(),
10631 			BPF_MOV64_IMM(BPF_REG_0, 2),
10632 			BPF_EXIT_INSN(),
10633 			BPF_MOV64_IMM(BPF_REG_0, 3),
10634 			BPF_EXIT_INSN(),
10635 		},
10636 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10637 		.result = ACCEPT,
10638 	},
10639 	{
10640 		"calls: conditional call 3",
10641 		.insns = {
10642 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10643 				    offsetof(struct __sk_buff, mark)),
10644 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10645 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10646 			BPF_MOV64_IMM(BPF_REG_0, 1),
10647 			BPF_EXIT_INSN(),
10648 			BPF_MOV64_IMM(BPF_REG_0, 1),
10649 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10650 			BPF_MOV64_IMM(BPF_REG_0, 3),
10651 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10652 		},
10653 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10654 		.errstr = "back-edge from insn",
10655 		.result = REJECT,
10656 	},
10657 	{
10658 		"calls: conditional call 4",
10659 		.insns = {
10660 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10661 				    offsetof(struct __sk_buff, mark)),
10662 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10663 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10664 			BPF_MOV64_IMM(BPF_REG_0, 1),
10665 			BPF_EXIT_INSN(),
10666 			BPF_MOV64_IMM(BPF_REG_0, 1),
10667 			BPF_JMP_IMM(BPF_JA, 0, 0, -5),
10668 			BPF_MOV64_IMM(BPF_REG_0, 3),
10669 			BPF_EXIT_INSN(),
10670 		},
10671 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10672 		.result = ACCEPT,
10673 	},
10674 	{
10675 		"calls: conditional call 5",
10676 		.insns = {
10677 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10678 				    offsetof(struct __sk_buff, mark)),
10679 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10680 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10681 			BPF_MOV64_IMM(BPF_REG_0, 1),
10682 			BPF_EXIT_INSN(),
10683 			BPF_MOV64_IMM(BPF_REG_0, 1),
10684 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10685 			BPF_MOV64_IMM(BPF_REG_0, 3),
10686 			BPF_EXIT_INSN(),
10687 		},
10688 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10689 		.errstr = "back-edge from insn",
10690 		.result = REJECT,
10691 	},
10692 	{
10693 		"calls: conditional call 6",
10694 		.insns = {
10695 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10696 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
10697 			BPF_EXIT_INSN(),
10698 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10699 				    offsetof(struct __sk_buff, mark)),
10700 			BPF_EXIT_INSN(),
10701 		},
10702 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10703 		.errstr = "back-edge from insn",
10704 		.result = REJECT,
10705 	},
10706 	{
10707 		"calls: using r0 returned by callee",
10708 		.insns = {
10709 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10710 			BPF_EXIT_INSN(),
10711 			BPF_MOV64_IMM(BPF_REG_0, 2),
10712 			BPF_EXIT_INSN(),
10713 		},
10714 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10715 		.result = ACCEPT,
10716 	},
10717 	{
10718 		"calls: using uninit r0 from callee",
10719 		.insns = {
10720 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10721 			BPF_EXIT_INSN(),
10722 			BPF_EXIT_INSN(),
10723 		},
10724 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10725 		.errstr = "!read_ok",
10726 		.result = REJECT,
10727 	},
10728 	{
10729 		"calls: callee is using r1",
10730 		.insns = {
10731 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10732 			BPF_EXIT_INSN(),
10733 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10734 				    offsetof(struct __sk_buff, len)),
10735 			BPF_EXIT_INSN(),
10736 		},
10737 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
10738 		.result = ACCEPT,
10739 		.retval = TEST_DATA_LEN,
10740 	},
10741 	{
10742 		"calls: callee using args1",
10743 		.insns = {
10744 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10745 			BPF_EXIT_INSN(),
10746 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10747 			BPF_EXIT_INSN(),
10748 		},
10749 		.errstr_unpriv = "allowed for root only",
10750 		.result_unpriv = REJECT,
10751 		.result = ACCEPT,
10752 		.retval = POINTER_VALUE,
10753 	},
10754 	{
10755 		"calls: callee using wrong args2",
10756 		.insns = {
10757 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10758 			BPF_EXIT_INSN(),
10759 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10760 			BPF_EXIT_INSN(),
10761 		},
10762 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10763 		.errstr = "R2 !read_ok",
10764 		.result = REJECT,
10765 	},
10766 	{
10767 		"calls: callee using two args",
10768 		.insns = {
10769 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10770 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
10771 				    offsetof(struct __sk_buff, len)),
10772 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
10773 				    offsetof(struct __sk_buff, len)),
10774 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10775 			BPF_EXIT_INSN(),
10776 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10777 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
10778 			BPF_EXIT_INSN(),
10779 		},
10780 		.errstr_unpriv = "allowed for root only",
10781 		.result_unpriv = REJECT,
10782 		.result = ACCEPT,
10783 		.retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
10784 	},
10785 	{
10786 		"calls: callee changing pkt pointers",
10787 		.insns = {
10788 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
10789 				    offsetof(struct xdp_md, data)),
10790 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
10791 				    offsetof(struct xdp_md, data_end)),
10792 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
10793 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
10794 			BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
10795 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10796 			/* clear_all_pkt_pointers() has to walk all frames
10797 			 * to make sure that pkt pointers in the caller
10798 			 * are cleared when callee is calling a helper that
10799 			 * adjusts packet size
10800 			 */
10801 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10802 			BPF_MOV32_IMM(BPF_REG_0, 0),
10803 			BPF_EXIT_INSN(),
10804 			BPF_MOV64_IMM(BPF_REG_2, 0),
10805 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10806 				     BPF_FUNC_xdp_adjust_head),
10807 			BPF_EXIT_INSN(),
10808 		},
10809 		.result = REJECT,
10810 		.errstr = "R6 invalid mem access 'inv'",
10811 		.prog_type = BPF_PROG_TYPE_XDP,
10812 	},
10813 	{
10814 		"calls: two calls with args",
10815 		.insns = {
10816 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10817 			BPF_EXIT_INSN(),
10818 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10819 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10820 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10821 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10822 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10823 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10824 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10825 			BPF_EXIT_INSN(),
10826 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10827 				    offsetof(struct __sk_buff, len)),
10828 			BPF_EXIT_INSN(),
10829 		},
10830 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10831 		.result = ACCEPT,
10832 		.retval = TEST_DATA_LEN + TEST_DATA_LEN,
10833 	},
10834 	{
10835 		"calls: calls with stack arith",
10836 		.insns = {
10837 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10838 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10839 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10840 			BPF_EXIT_INSN(),
10841 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10842 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10843 			BPF_EXIT_INSN(),
10844 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10845 			BPF_MOV64_IMM(BPF_REG_0, 42),
10846 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10847 			BPF_EXIT_INSN(),
10848 		},
10849 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10850 		.result = ACCEPT,
10851 		.retval = 42,
10852 	},
10853 	{
10854 		"calls: calls with misaligned stack access",
10855 		.insns = {
10856 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10857 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10858 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10859 			BPF_EXIT_INSN(),
10860 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
10861 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10862 			BPF_EXIT_INSN(),
10863 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10864 			BPF_MOV64_IMM(BPF_REG_0, 42),
10865 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10866 			BPF_EXIT_INSN(),
10867 		},
10868 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10869 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
10870 		.errstr = "misaligned stack access",
10871 		.result = REJECT,
10872 	},
10873 	{
10874 		"calls: calls control flow, jump test",
10875 		.insns = {
10876 			BPF_MOV64_IMM(BPF_REG_0, 42),
10877 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10878 			BPF_MOV64_IMM(BPF_REG_0, 43),
10879 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10880 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10881 			BPF_EXIT_INSN(),
10882 		},
10883 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10884 		.result = ACCEPT,
10885 		.retval = 43,
10886 	},
10887 	{
10888 		"calls: calls control flow, jump test 2",
10889 		.insns = {
10890 			BPF_MOV64_IMM(BPF_REG_0, 42),
10891 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10892 			BPF_MOV64_IMM(BPF_REG_0, 43),
10893 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10894 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10895 			BPF_EXIT_INSN(),
10896 		},
10897 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10898 		.errstr = "jump out of range from insn 1 to 4",
10899 		.result = REJECT,
10900 	},
10901 	{
10902 		"calls: two calls with bad jump",
10903 		.insns = {
10904 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10905 			BPF_EXIT_INSN(),
10906 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10907 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10908 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10909 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10910 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10911 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10912 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10913 			BPF_EXIT_INSN(),
10914 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10915 				    offsetof(struct __sk_buff, len)),
10916 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
10917 			BPF_EXIT_INSN(),
10918 		},
10919 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10920 		.errstr = "jump out of range from insn 11 to 9",
10921 		.result = REJECT,
10922 	},
10923 	{
10924 		"calls: recursive call. test1",
10925 		.insns = {
10926 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10927 			BPF_EXIT_INSN(),
10928 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10929 			BPF_EXIT_INSN(),
10930 		},
10931 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10932 		.errstr = "back-edge",
10933 		.result = REJECT,
10934 	},
10935 	{
10936 		"calls: recursive call. test2",
10937 		.insns = {
10938 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10939 			BPF_EXIT_INSN(),
10940 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10941 			BPF_EXIT_INSN(),
10942 		},
10943 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10944 		.errstr = "back-edge",
10945 		.result = REJECT,
10946 	},
10947 	{
10948 		"calls: unreachable code",
10949 		.insns = {
10950 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10951 			BPF_EXIT_INSN(),
10952 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10953 			BPF_EXIT_INSN(),
10954 			BPF_MOV64_IMM(BPF_REG_0, 0),
10955 			BPF_EXIT_INSN(),
10956 			BPF_MOV64_IMM(BPF_REG_0, 0),
10957 			BPF_EXIT_INSN(),
10958 		},
10959 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10960 		.errstr = "unreachable insn 6",
10961 		.result = REJECT,
10962 	},
10963 	{
10964 		"calls: invalid call",
10965 		.insns = {
10966 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10967 			BPF_EXIT_INSN(),
10968 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
10969 			BPF_EXIT_INSN(),
10970 		},
10971 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10972 		.errstr = "invalid destination",
10973 		.result = REJECT,
10974 	},
10975 	{
10976 		"calls: invalid call 2",
10977 		.insns = {
10978 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10979 			BPF_EXIT_INSN(),
10980 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
10981 			BPF_EXIT_INSN(),
10982 		},
10983 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10984 		.errstr = "invalid destination",
10985 		.result = REJECT,
10986 	},
10987 	{
10988 		"calls: jumping across function bodies. test1",
10989 		.insns = {
10990 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10991 			BPF_MOV64_IMM(BPF_REG_0, 0),
10992 			BPF_EXIT_INSN(),
10993 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
10994 			BPF_EXIT_INSN(),
10995 		},
10996 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10997 		.errstr = "jump out of range",
10998 		.result = REJECT,
10999 	},
11000 	{
11001 		"calls: jumping across function bodies. test2",
11002 		.insns = {
11003 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
11004 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11005 			BPF_MOV64_IMM(BPF_REG_0, 0),
11006 			BPF_EXIT_INSN(),
11007 			BPF_EXIT_INSN(),
11008 		},
11009 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11010 		.errstr = "jump out of range",
11011 		.result = REJECT,
11012 	},
11013 	{
11014 		"calls: call without exit",
11015 		.insns = {
11016 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11017 			BPF_EXIT_INSN(),
11018 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11019 			BPF_EXIT_INSN(),
11020 			BPF_MOV64_IMM(BPF_REG_0, 0),
11021 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
11022 		},
11023 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11024 		.errstr = "not an exit",
11025 		.result = REJECT,
11026 	},
11027 	{
11028 		"calls: call into middle of ld_imm64",
11029 		.insns = {
11030 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11031 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11032 			BPF_MOV64_IMM(BPF_REG_0, 0),
11033 			BPF_EXIT_INSN(),
11034 			BPF_LD_IMM64(BPF_REG_0, 0),
11035 			BPF_EXIT_INSN(),
11036 		},
11037 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11038 		.errstr = "last insn",
11039 		.result = REJECT,
11040 	},
11041 	{
11042 		"calls: call into middle of other call",
11043 		.insns = {
11044 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11045 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11046 			BPF_MOV64_IMM(BPF_REG_0, 0),
11047 			BPF_EXIT_INSN(),
11048 			BPF_MOV64_IMM(BPF_REG_0, 0),
11049 			BPF_MOV64_IMM(BPF_REG_0, 0),
11050 			BPF_EXIT_INSN(),
11051 		},
11052 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11053 		.errstr = "last insn",
11054 		.result = REJECT,
11055 	},
11056 	{
11057 		"calls: ld_abs with changing ctx data in callee",
11058 		.insns = {
11059 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11060 			BPF_LD_ABS(BPF_B, 0),
11061 			BPF_LD_ABS(BPF_H, 0),
11062 			BPF_LD_ABS(BPF_W, 0),
11063 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
11064 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
11065 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
11066 			BPF_LD_ABS(BPF_B, 0),
11067 			BPF_LD_ABS(BPF_H, 0),
11068 			BPF_LD_ABS(BPF_W, 0),
11069 			BPF_EXIT_INSN(),
11070 			BPF_MOV64_IMM(BPF_REG_2, 1),
11071 			BPF_MOV64_IMM(BPF_REG_3, 2),
11072 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11073 				     BPF_FUNC_skb_vlan_push),
11074 			BPF_EXIT_INSN(),
11075 		},
11076 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11077 		.errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
11078 		.result = REJECT,
11079 	},
11080 	{
11081 		"calls: two calls with bad fallthrough",
11082 		.insns = {
11083 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11084 			BPF_EXIT_INSN(),
11085 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11086 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11087 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11088 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11089 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11090 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11091 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11092 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
11093 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11094 				    offsetof(struct __sk_buff, len)),
11095 			BPF_EXIT_INSN(),
11096 		},
11097 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11098 		.errstr = "not an exit",
11099 		.result = REJECT,
11100 	},
11101 	{
11102 		"calls: two calls with stack read",
11103 		.insns = {
11104 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11105 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11106 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11107 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11108 			BPF_EXIT_INSN(),
11109 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11110 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
11111 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11112 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11113 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11114 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
11115 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
11116 			BPF_EXIT_INSN(),
11117 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11118 			BPF_EXIT_INSN(),
11119 		},
11120 		.prog_type = BPF_PROG_TYPE_XDP,
11121 		.result = ACCEPT,
11122 	},
11123 	{
11124 		"calls: two calls with stack write",
11125 		.insns = {
11126 			/* main prog */
11127 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11128 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11129 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11130 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11131 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11132 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11133 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11134 			BPF_EXIT_INSN(),
11135 
11136 			/* subprog 1 */
11137 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11138 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11139 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
11140 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
11141 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11142 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11143 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
11144 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
11145 			/* write into stack frame of main prog */
11146 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11147 			BPF_EXIT_INSN(),
11148 
11149 			/* subprog 2 */
11150 			/* read from stack frame of main prog */
11151 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11152 			BPF_EXIT_INSN(),
11153 		},
11154 		.prog_type = BPF_PROG_TYPE_XDP,
11155 		.result = ACCEPT,
11156 	},
11157 	{
11158 		"calls: stack overflow using two frames (pre-call access)",
11159 		.insns = {
11160 			/* prog 1 */
11161 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11162 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
11163 			BPF_EXIT_INSN(),
11164 
11165 			/* prog 2 */
11166 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11167 			BPF_MOV64_IMM(BPF_REG_0, 0),
11168 			BPF_EXIT_INSN(),
11169 		},
11170 		.prog_type = BPF_PROG_TYPE_XDP,
11171 		.errstr = "combined stack size",
11172 		.result = REJECT,
11173 	},
11174 	{
11175 		"calls: stack overflow using two frames (post-call access)",
11176 		.insns = {
11177 			/* prog 1 */
11178 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
11179 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11180 			BPF_EXIT_INSN(),
11181 
11182 			/* prog 2 */
11183 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11184 			BPF_MOV64_IMM(BPF_REG_0, 0),
11185 			BPF_EXIT_INSN(),
11186 		},
11187 		.prog_type = BPF_PROG_TYPE_XDP,
11188 		.errstr = "combined stack size",
11189 		.result = REJECT,
11190 	},
11191 	{
11192 		"calls: stack depth check using three frames. test1",
11193 		.insns = {
11194 			/* main */
11195 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11196 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
11197 			BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
11198 			BPF_MOV64_IMM(BPF_REG_0, 0),
11199 			BPF_EXIT_INSN(),
11200 			/* A */
11201 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11202 			BPF_EXIT_INSN(),
11203 			/* B */
11204 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
11205 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11206 			BPF_EXIT_INSN(),
11207 		},
11208 		.prog_type = BPF_PROG_TYPE_XDP,
11209 		/* stack_main=32, stack_A=256, stack_B=64
11210 		 * and max(main+A, main+A+B) < 512
11211 		 */
11212 		.result = ACCEPT,
11213 	},
11214 	{
11215 		"calls: stack depth check using three frames. test2",
11216 		.insns = {
11217 			/* main */
11218 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11219 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
11220 			BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
11221 			BPF_MOV64_IMM(BPF_REG_0, 0),
11222 			BPF_EXIT_INSN(),
11223 			/* A */
11224 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11225 			BPF_EXIT_INSN(),
11226 			/* B */
11227 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
11228 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11229 			BPF_EXIT_INSN(),
11230 		},
11231 		.prog_type = BPF_PROG_TYPE_XDP,
11232 		/* stack_main=32, stack_A=64, stack_B=256
11233 		 * and max(main+A, main+A+B) < 512
11234 		 */
11235 		.result = ACCEPT,
11236 	},
11237 	{
11238 		"calls: stack depth check using three frames. test3",
11239 		.insns = {
11240 			/* main */
11241 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11242 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
11243 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11244 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
11245 			BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
11246 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
11247 			BPF_MOV64_IMM(BPF_REG_0, 0),
11248 			BPF_EXIT_INSN(),
11249 			/* A */
11250 			BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
11251 			BPF_EXIT_INSN(),
11252 			BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
11253 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
11254 			/* B */
11255 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
11256 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
11257 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
11258 			BPF_EXIT_INSN(),
11259 		},
11260 		.prog_type = BPF_PROG_TYPE_XDP,
11261 		/* stack_main=64, stack_A=224, stack_B=256
11262 		 * and max(main+A, main+A+B) > 512
11263 		 */
11264 		.errstr = "combined stack",
11265 		.result = REJECT,
11266 	},
11267 	{
11268 		"calls: stack depth check using three frames. test4",
11269 		/* void main(void) {
11270 		 *   func1(0);
11271 		 *   func1(1);
11272 		 *   func2(1);
11273 		 * }
11274 		 * void func1(int alloc_or_recurse) {
11275 		 *   if (alloc_or_recurse) {
11276 		 *     frame_pointer[-300] = 1;
11277 		 *   } else {
11278 		 *     func2(alloc_or_recurse);
11279 		 *   }
11280 		 * }
11281 		 * void func2(int alloc_or_recurse) {
11282 		 *   if (alloc_or_recurse) {
11283 		 *     frame_pointer[-300] = 1;
11284 		 *   }
11285 		 * }
11286 		 */
11287 		.insns = {
11288 			/* main */
11289 			BPF_MOV64_IMM(BPF_REG_1, 0),
11290 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
11291 			BPF_MOV64_IMM(BPF_REG_1, 1),
11292 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
11293 			BPF_MOV64_IMM(BPF_REG_1, 1),
11294 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
11295 			BPF_MOV64_IMM(BPF_REG_0, 0),
11296 			BPF_EXIT_INSN(),
11297 			/* A */
11298 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
11299 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11300 			BPF_EXIT_INSN(),
11301 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
11302 			BPF_EXIT_INSN(),
11303 			/* B */
11304 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
11305 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
11306 			BPF_EXIT_INSN(),
11307 		},
11308 		.prog_type = BPF_PROG_TYPE_XDP,
11309 		.result = REJECT,
11310 		.errstr = "combined stack",
11311 	},
11312 	{
11313 		"calls: stack depth check using three frames. test5",
11314 		.insns = {
11315 			/* main */
11316 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
11317 			BPF_EXIT_INSN(),
11318 			/* A */
11319 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
11320 			BPF_EXIT_INSN(),
11321 			/* B */
11322 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
11323 			BPF_EXIT_INSN(),
11324 			/* C */
11325 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
11326 			BPF_EXIT_INSN(),
11327 			/* D */
11328 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
11329 			BPF_EXIT_INSN(),
11330 			/* E */
11331 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
11332 			BPF_EXIT_INSN(),
11333 			/* F */
11334 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
11335 			BPF_EXIT_INSN(),
11336 			/* G */
11337 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
11338 			BPF_EXIT_INSN(),
11339 			/* H */
11340 			BPF_MOV64_IMM(BPF_REG_0, 0),
11341 			BPF_EXIT_INSN(),
11342 		},
11343 		.prog_type = BPF_PROG_TYPE_XDP,
11344 		.errstr = "call stack",
11345 		.result = REJECT,
11346 	},
11347 	{
11348 		"calls: spill into caller stack frame",
11349 		.insns = {
11350 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11351 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11352 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11353 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11354 			BPF_EXIT_INSN(),
11355 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
11356 			BPF_MOV64_IMM(BPF_REG_0, 0),
11357 			BPF_EXIT_INSN(),
11358 		},
11359 		.prog_type = BPF_PROG_TYPE_XDP,
11360 		.errstr = "cannot spill",
11361 		.result = REJECT,
11362 	},
11363 	{
11364 		"calls: write into caller stack frame",
11365 		.insns = {
11366 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11367 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11368 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11369 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11370 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11371 			BPF_EXIT_INSN(),
11372 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
11373 			BPF_MOV64_IMM(BPF_REG_0, 0),
11374 			BPF_EXIT_INSN(),
11375 		},
11376 		.prog_type = BPF_PROG_TYPE_XDP,
11377 		.result = ACCEPT,
11378 		.retval = 42,
11379 	},
11380 	{
11381 		"calls: write into callee stack frame",
11382 		.insns = {
11383 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11384 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
11385 			BPF_EXIT_INSN(),
11386 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
11387 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
11388 			BPF_EXIT_INSN(),
11389 		},
11390 		.prog_type = BPF_PROG_TYPE_XDP,
11391 		.errstr = "cannot return stack pointer",
11392 		.result = REJECT,
11393 	},
11394 	{
11395 		"calls: two calls with stack write and void return",
11396 		.insns = {
11397 			/* main prog */
11398 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11399 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11400 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11401 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11402 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11403 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11404 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11405 			BPF_EXIT_INSN(),
11406 
11407 			/* subprog 1 */
11408 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11409 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11410 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11411 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11412 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11413 			BPF_EXIT_INSN(),
11414 
11415 			/* subprog 2 */
11416 			/* write into stack frame of main prog */
11417 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
11418 			BPF_EXIT_INSN(), /* void return */
11419 		},
11420 		.prog_type = BPF_PROG_TYPE_XDP,
11421 		.result = ACCEPT,
11422 	},
11423 	{
11424 		"calls: ambiguous return value",
11425 		.insns = {
11426 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11427 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
11428 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11429 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11430 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11431 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11432 			BPF_EXIT_INSN(),
11433 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
11434 			BPF_MOV64_IMM(BPF_REG_0, 0),
11435 			BPF_EXIT_INSN(),
11436 		},
11437 		.errstr_unpriv = "allowed for root only",
11438 		.result_unpriv = REJECT,
11439 		.errstr = "R0 !read_ok",
11440 		.result = REJECT,
11441 	},
11442 	{
11443 		"calls: two calls that return map_value",
11444 		.insns = {
11445 			/* main prog */
11446 			/* pass fp-16, fp-8 into a function */
11447 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11448 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11449 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11450 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11451 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11452 
11453 			/* fetch map_value_ptr from the stack of this function */
11454 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11455 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11456 			/* write into map value */
11457 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11458 			/* fetch secound map_value_ptr from the stack */
11459 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
11460 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11461 			/* write into map value */
11462 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11463 			BPF_MOV64_IMM(BPF_REG_0, 0),
11464 			BPF_EXIT_INSN(),
11465 
11466 			/* subprog 1 */
11467 			/* call 3rd function twice */
11468 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11469 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11470 			/* first time with fp-8 */
11471 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11472 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11473 			/* second time with fp-16 */
11474 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11475 			BPF_EXIT_INSN(),
11476 
11477 			/* subprog 2 */
11478 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11479 			/* lookup from map */
11480 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11481 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11482 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11483 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11484 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11485 				     BPF_FUNC_map_lookup_elem),
11486 			/* write map_value_ptr into stack frame of main prog */
11487 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11488 			BPF_MOV64_IMM(BPF_REG_0, 0),
11489 			BPF_EXIT_INSN(), /* return 0 */
11490 		},
11491 		.prog_type = BPF_PROG_TYPE_XDP,
11492 		.fixup_map_hash_8b = { 23 },
11493 		.result = ACCEPT,
11494 	},
11495 	{
11496 		"calls: two calls that return map_value with bool condition",
11497 		.insns = {
11498 			/* main prog */
11499 			/* pass fp-16, fp-8 into a function */
11500 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11501 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11502 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11503 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11504 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11505 			BPF_MOV64_IMM(BPF_REG_0, 0),
11506 			BPF_EXIT_INSN(),
11507 
11508 			/* subprog 1 */
11509 			/* call 3rd function twice */
11510 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11511 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11512 			/* first time with fp-8 */
11513 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11514 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11515 			/* fetch map_value_ptr from the stack of this function */
11516 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11517 			/* write into map value */
11518 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11519 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11520 			/* second time with fp-16 */
11521 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11522 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11523 			/* fetch secound map_value_ptr from the stack */
11524 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11525 			/* write into map value */
11526 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11527 			BPF_EXIT_INSN(),
11528 
11529 			/* subprog 2 */
11530 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11531 			/* lookup from map */
11532 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11533 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11534 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11535 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11536 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11537 				     BPF_FUNC_map_lookup_elem),
11538 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11539 			BPF_MOV64_IMM(BPF_REG_0, 0),
11540 			BPF_EXIT_INSN(), /* return 0 */
11541 			/* write map_value_ptr into stack frame of main prog */
11542 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11543 			BPF_MOV64_IMM(BPF_REG_0, 1),
11544 			BPF_EXIT_INSN(), /* return 1 */
11545 		},
11546 		.prog_type = BPF_PROG_TYPE_XDP,
11547 		.fixup_map_hash_8b = { 23 },
11548 		.result = ACCEPT,
11549 	},
11550 	{
11551 		"calls: two calls that return map_value with incorrect bool check",
11552 		.insns = {
11553 			/* main prog */
11554 			/* pass fp-16, fp-8 into a function */
11555 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11556 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11557 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11558 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11559 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11560 			BPF_MOV64_IMM(BPF_REG_0, 0),
11561 			BPF_EXIT_INSN(),
11562 
11563 			/* subprog 1 */
11564 			/* call 3rd function twice */
11565 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11566 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11567 			/* first time with fp-8 */
11568 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11569 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11570 			/* fetch map_value_ptr from the stack of this function */
11571 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11572 			/* write into map value */
11573 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11574 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11575 			/* second time with fp-16 */
11576 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11577 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11578 			/* fetch secound map_value_ptr from the stack */
11579 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11580 			/* write into map value */
11581 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11582 			BPF_EXIT_INSN(),
11583 
11584 			/* subprog 2 */
11585 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11586 			/* lookup from map */
11587 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11588 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11589 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11590 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11591 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11592 				     BPF_FUNC_map_lookup_elem),
11593 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11594 			BPF_MOV64_IMM(BPF_REG_0, 0),
11595 			BPF_EXIT_INSN(), /* return 0 */
11596 			/* write map_value_ptr into stack frame of main prog */
11597 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11598 			BPF_MOV64_IMM(BPF_REG_0, 1),
11599 			BPF_EXIT_INSN(), /* return 1 */
11600 		},
11601 		.prog_type = BPF_PROG_TYPE_XDP,
11602 		.fixup_map_hash_8b = { 23 },
11603 		.result = REJECT,
11604 		.errstr = "invalid read from stack off -16+0 size 8",
11605 	},
11606 	{
11607 		"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
11608 		.insns = {
11609 			/* main prog */
11610 			/* pass fp-16, fp-8 into a function */
11611 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11612 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11613 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11614 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11615 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11616 			BPF_MOV64_IMM(BPF_REG_0, 0),
11617 			BPF_EXIT_INSN(),
11618 
11619 			/* subprog 1 */
11620 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11621 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11622 			/* 1st lookup from map */
11623 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11624 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11625 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11626 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11627 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11628 				     BPF_FUNC_map_lookup_elem),
11629 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11630 			BPF_MOV64_IMM(BPF_REG_8, 0),
11631 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11632 			/* write map_value_ptr into stack frame of main prog at fp-8 */
11633 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11634 			BPF_MOV64_IMM(BPF_REG_8, 1),
11635 
11636 			/* 2nd lookup from map */
11637 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11638 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11639 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11640 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11641 				     BPF_FUNC_map_lookup_elem),
11642 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11643 			BPF_MOV64_IMM(BPF_REG_9, 0),
11644 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11645 			/* write map_value_ptr into stack frame of main prog at fp-16 */
11646 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11647 			BPF_MOV64_IMM(BPF_REG_9, 1),
11648 
11649 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11650 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11651 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11652 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11653 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11654 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
11655 			BPF_EXIT_INSN(),
11656 
11657 			/* subprog 2 */
11658 			/* if arg2 == 1 do *arg1 = 0 */
11659 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11660 			/* fetch map_value_ptr from the stack of this function */
11661 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11662 			/* write into map value */
11663 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11664 
11665 			/* if arg4 == 1 do *arg3 = 0 */
11666 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11667 			/* fetch map_value_ptr from the stack of this function */
11668 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11669 			/* write into map value */
11670 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11671 			BPF_EXIT_INSN(),
11672 		},
11673 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11674 		.fixup_map_hash_8b = { 12, 22 },
11675 		.result = REJECT,
11676 		.errstr = "invalid access to map value, value_size=8 off=2 size=8",
11677 	},
11678 	{
11679 		"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
11680 		.insns = {
11681 			/* main prog */
11682 			/* pass fp-16, fp-8 into a function */
11683 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11684 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11685 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11686 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11687 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11688 			BPF_MOV64_IMM(BPF_REG_0, 0),
11689 			BPF_EXIT_INSN(),
11690 
11691 			/* subprog 1 */
11692 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11693 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11694 			/* 1st lookup from map */
11695 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11696 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11697 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11698 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11699 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11700 				     BPF_FUNC_map_lookup_elem),
11701 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11702 			BPF_MOV64_IMM(BPF_REG_8, 0),
11703 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11704 			/* write map_value_ptr into stack frame of main prog at fp-8 */
11705 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11706 			BPF_MOV64_IMM(BPF_REG_8, 1),
11707 
11708 			/* 2nd lookup from map */
11709 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11710 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11711 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11712 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11713 				     BPF_FUNC_map_lookup_elem),
11714 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11715 			BPF_MOV64_IMM(BPF_REG_9, 0),
11716 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11717 			/* write map_value_ptr into stack frame of main prog at fp-16 */
11718 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11719 			BPF_MOV64_IMM(BPF_REG_9, 1),
11720 
11721 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11722 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11723 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11724 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11725 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11726 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
11727 			BPF_EXIT_INSN(),
11728 
11729 			/* subprog 2 */
11730 			/* if arg2 == 1 do *arg1 = 0 */
11731 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11732 			/* fetch map_value_ptr from the stack of this function */
11733 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11734 			/* write into map value */
11735 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11736 
11737 			/* if arg4 == 1 do *arg3 = 0 */
11738 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11739 			/* fetch map_value_ptr from the stack of this function */
11740 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11741 			/* write into map value */
11742 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11743 			BPF_EXIT_INSN(),
11744 		},
11745 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11746 		.fixup_map_hash_8b = { 12, 22 },
11747 		.result = ACCEPT,
11748 	},
11749 	{
11750 		"calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
11751 		.insns = {
11752 			/* main prog */
11753 			/* pass fp-16, fp-8 into a function */
11754 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11755 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11756 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11757 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11758 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11759 			BPF_MOV64_IMM(BPF_REG_0, 0),
11760 			BPF_EXIT_INSN(),
11761 
11762 			/* subprog 1 */
11763 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11764 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11765 			/* 1st lookup from map */
11766 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
11767 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11768 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11769 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11770 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11771 				     BPF_FUNC_map_lookup_elem),
11772 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11773 			BPF_MOV64_IMM(BPF_REG_8, 0),
11774 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11775 			/* write map_value_ptr into stack frame of main prog at fp-8 */
11776 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11777 			BPF_MOV64_IMM(BPF_REG_8, 1),
11778 
11779 			/* 2nd lookup from map */
11780 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11781 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11782 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11783 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11784 				     BPF_FUNC_map_lookup_elem),
11785 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11786 			BPF_MOV64_IMM(BPF_REG_9, 0),  // 26
11787 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11788 			/* write map_value_ptr into stack frame of main prog at fp-16 */
11789 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11790 			BPF_MOV64_IMM(BPF_REG_9, 1),
11791 
11792 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11793 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
11794 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11795 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11796 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11797 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
11798 			BPF_JMP_IMM(BPF_JA, 0, 0, -30),
11799 
11800 			/* subprog 2 */
11801 			/* if arg2 == 1 do *arg1 = 0 */
11802 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11803 			/* fetch map_value_ptr from the stack of this function */
11804 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11805 			/* write into map value */
11806 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11807 
11808 			/* if arg4 == 1 do *arg3 = 0 */
11809 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11810 			/* fetch map_value_ptr from the stack of this function */
11811 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11812 			/* write into map value */
11813 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11814 			BPF_JMP_IMM(BPF_JA, 0, 0, -8),
11815 		},
11816 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11817 		.fixup_map_hash_8b = { 12, 22 },
11818 		.result = REJECT,
11819 		.errstr = "invalid access to map value, value_size=8 off=2 size=8",
11820 	},
11821 	{
11822 		"calls: two calls that receive map_value_ptr_or_null via arg. test1",
11823 		.insns = {
11824 			/* main prog */
11825 			/* pass fp-16, fp-8 into a function */
11826 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11827 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11828 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11829 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11830 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11831 			BPF_MOV64_IMM(BPF_REG_0, 0),
11832 			BPF_EXIT_INSN(),
11833 
11834 			/* subprog 1 */
11835 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11836 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11837 			/* 1st lookup from map */
11838 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11839 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11840 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11841 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11842 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11843 				     BPF_FUNC_map_lookup_elem),
11844 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11845 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11846 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11847 			BPF_MOV64_IMM(BPF_REG_8, 0),
11848 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11849 			BPF_MOV64_IMM(BPF_REG_8, 1),
11850 
11851 			/* 2nd lookup from map */
11852 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11853 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11854 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11855 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11856 				     BPF_FUNC_map_lookup_elem),
11857 			/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11858 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11859 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11860 			BPF_MOV64_IMM(BPF_REG_9, 0),
11861 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11862 			BPF_MOV64_IMM(BPF_REG_9, 1),
11863 
11864 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11865 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11866 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11867 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11868 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11869 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11870 			BPF_EXIT_INSN(),
11871 
11872 			/* subprog 2 */
11873 			/* if arg2 == 1 do *arg1 = 0 */
11874 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11875 			/* fetch map_value_ptr from the stack of this function */
11876 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11877 			/* write into map value */
11878 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11879 
11880 			/* if arg4 == 1 do *arg3 = 0 */
11881 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11882 			/* fetch map_value_ptr from the stack of this function */
11883 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11884 			/* write into map value */
11885 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11886 			BPF_EXIT_INSN(),
11887 		},
11888 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11889 		.fixup_map_hash_8b = { 12, 22 },
11890 		.result = ACCEPT,
11891 	},
11892 	{
11893 		"calls: two calls that receive map_value_ptr_or_null via arg. test2",
11894 		.insns = {
11895 			/* main prog */
11896 			/* pass fp-16, fp-8 into a function */
11897 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11898 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11899 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11900 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11901 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11902 			BPF_MOV64_IMM(BPF_REG_0, 0),
11903 			BPF_EXIT_INSN(),
11904 
11905 			/* subprog 1 */
11906 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11907 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11908 			/* 1st lookup from map */
11909 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11910 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11911 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11912 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11913 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11914 				     BPF_FUNC_map_lookup_elem),
11915 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11916 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11917 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11918 			BPF_MOV64_IMM(BPF_REG_8, 0),
11919 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11920 			BPF_MOV64_IMM(BPF_REG_8, 1),
11921 
11922 			/* 2nd lookup from map */
11923 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11924 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11925 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11926 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11927 				     BPF_FUNC_map_lookup_elem),
11928 			/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11929 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11930 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11931 			BPF_MOV64_IMM(BPF_REG_9, 0),
11932 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11933 			BPF_MOV64_IMM(BPF_REG_9, 1),
11934 
11935 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11936 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11937 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11938 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11939 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11940 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11941 			BPF_EXIT_INSN(),
11942 
11943 			/* subprog 2 */
11944 			/* if arg2 == 1 do *arg1 = 0 */
11945 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11946 			/* fetch map_value_ptr from the stack of this function */
11947 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11948 			/* write into map value */
11949 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11950 
11951 			/* if arg4 == 0 do *arg3 = 0 */
11952 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
11953 			/* fetch map_value_ptr from the stack of this function */
11954 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11955 			/* write into map value */
11956 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11957 			BPF_EXIT_INSN(),
11958 		},
11959 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11960 		.fixup_map_hash_8b = { 12, 22 },
11961 		.result = REJECT,
11962 		.errstr = "R0 invalid mem access 'inv'",
11963 	},
11964 	{
11965 		"calls: pkt_ptr spill into caller stack",
11966 		.insns = {
11967 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11968 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11969 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11970 			BPF_EXIT_INSN(),
11971 
11972 			/* subprog 1 */
11973 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11974 				    offsetof(struct __sk_buff, data)),
11975 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11976 				    offsetof(struct __sk_buff, data_end)),
11977 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11978 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11979 			/* spill unchecked pkt_ptr into stack of caller */
11980 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11981 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11982 			/* now the pkt range is verified, read pkt_ptr from stack */
11983 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11984 			/* write 4 bytes into packet */
11985 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11986 			BPF_EXIT_INSN(),
11987 		},
11988 		.result = ACCEPT,
11989 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11990 		.retval = POINTER_VALUE,
11991 	},
11992 	{
11993 		"calls: pkt_ptr spill into caller stack 2",
11994 		.insns = {
11995 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11996 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11997 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11998 			/* Marking is still kept, but not in all cases safe. */
11999 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12000 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12001 			BPF_EXIT_INSN(),
12002 
12003 			/* subprog 1 */
12004 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12005 				    offsetof(struct __sk_buff, data)),
12006 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12007 				    offsetof(struct __sk_buff, data_end)),
12008 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12009 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12010 			/* spill unchecked pkt_ptr into stack of caller */
12011 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12012 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12013 			/* now the pkt range is verified, read pkt_ptr from stack */
12014 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
12015 			/* write 4 bytes into packet */
12016 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12017 			BPF_EXIT_INSN(),
12018 		},
12019 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12020 		.errstr = "invalid access to packet",
12021 		.result = REJECT,
12022 	},
12023 	{
12024 		"calls: pkt_ptr spill into caller stack 3",
12025 		.insns = {
12026 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12027 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12028 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12029 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12030 			/* Marking is still kept and safe here. */
12031 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12032 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12033 			BPF_EXIT_INSN(),
12034 
12035 			/* subprog 1 */
12036 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12037 				    offsetof(struct __sk_buff, data)),
12038 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12039 				    offsetof(struct __sk_buff, data_end)),
12040 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12041 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12042 			/* spill unchecked pkt_ptr into stack of caller */
12043 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12044 			BPF_MOV64_IMM(BPF_REG_5, 0),
12045 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12046 			BPF_MOV64_IMM(BPF_REG_5, 1),
12047 			/* now the pkt range is verified, read pkt_ptr from stack */
12048 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
12049 			/* write 4 bytes into packet */
12050 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12051 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12052 			BPF_EXIT_INSN(),
12053 		},
12054 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12055 		.result = ACCEPT,
12056 		.retval = 1,
12057 	},
12058 	{
12059 		"calls: pkt_ptr spill into caller stack 4",
12060 		.insns = {
12061 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12062 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12063 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12064 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12065 			/* Check marking propagated. */
12066 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12067 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
12068 			BPF_EXIT_INSN(),
12069 
12070 			/* subprog 1 */
12071 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12072 				    offsetof(struct __sk_buff, data)),
12073 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12074 				    offsetof(struct __sk_buff, data_end)),
12075 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12076 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12077 			/* spill unchecked pkt_ptr into stack of caller */
12078 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12079 			BPF_MOV64_IMM(BPF_REG_5, 0),
12080 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12081 			BPF_MOV64_IMM(BPF_REG_5, 1),
12082 			/* don't read back pkt_ptr from stack here */
12083 			/* write 4 bytes into packet */
12084 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12085 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12086 			BPF_EXIT_INSN(),
12087 		},
12088 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12089 		.result = ACCEPT,
12090 		.retval = 1,
12091 	},
12092 	{
12093 		"calls: pkt_ptr spill into caller stack 5",
12094 		.insns = {
12095 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12096 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12097 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
12098 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12099 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12100 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12101 			BPF_EXIT_INSN(),
12102 
12103 			/* subprog 1 */
12104 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12105 				    offsetof(struct __sk_buff, data)),
12106 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12107 				    offsetof(struct __sk_buff, data_end)),
12108 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12109 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12110 			BPF_MOV64_IMM(BPF_REG_5, 0),
12111 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12112 			/* spill checked pkt_ptr into stack of caller */
12113 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12114 			BPF_MOV64_IMM(BPF_REG_5, 1),
12115 			/* don't read back pkt_ptr from stack here */
12116 			/* write 4 bytes into packet */
12117 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12118 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12119 			BPF_EXIT_INSN(),
12120 		},
12121 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12122 		.errstr = "same insn cannot be used with different",
12123 		.result = REJECT,
12124 	},
12125 	{
12126 		"calls: pkt_ptr spill into caller stack 6",
12127 		.insns = {
12128 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12129 				    offsetof(struct __sk_buff, data_end)),
12130 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12131 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12132 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12133 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12134 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12135 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12136 			BPF_EXIT_INSN(),
12137 
12138 			/* subprog 1 */
12139 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12140 				    offsetof(struct __sk_buff, data)),
12141 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12142 				    offsetof(struct __sk_buff, data_end)),
12143 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12144 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12145 			BPF_MOV64_IMM(BPF_REG_5, 0),
12146 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12147 			/* spill checked pkt_ptr into stack of caller */
12148 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12149 			BPF_MOV64_IMM(BPF_REG_5, 1),
12150 			/* don't read back pkt_ptr from stack here */
12151 			/* write 4 bytes into packet */
12152 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12153 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12154 			BPF_EXIT_INSN(),
12155 		},
12156 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12157 		.errstr = "R4 invalid mem access",
12158 		.result = REJECT,
12159 	},
12160 	{
12161 		"calls: pkt_ptr spill into caller stack 7",
12162 		.insns = {
12163 			BPF_MOV64_IMM(BPF_REG_2, 0),
12164 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12165 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12166 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12167 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12168 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12169 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12170 			BPF_EXIT_INSN(),
12171 
12172 			/* subprog 1 */
12173 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12174 				    offsetof(struct __sk_buff, data)),
12175 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12176 				    offsetof(struct __sk_buff, data_end)),
12177 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12178 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12179 			BPF_MOV64_IMM(BPF_REG_5, 0),
12180 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12181 			/* spill checked pkt_ptr into stack of caller */
12182 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12183 			BPF_MOV64_IMM(BPF_REG_5, 1),
12184 			/* don't read back pkt_ptr from stack here */
12185 			/* write 4 bytes into packet */
12186 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12187 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12188 			BPF_EXIT_INSN(),
12189 		},
12190 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12191 		.errstr = "R4 invalid mem access",
12192 		.result = REJECT,
12193 	},
12194 	{
12195 		"calls: pkt_ptr spill into caller stack 8",
12196 		.insns = {
12197 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12198 				    offsetof(struct __sk_buff, data)),
12199 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12200 				    offsetof(struct __sk_buff, data_end)),
12201 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12202 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12203 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
12204 			BPF_EXIT_INSN(),
12205 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12206 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12207 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12208 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12209 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12210 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12211 			BPF_EXIT_INSN(),
12212 
12213 			/* subprog 1 */
12214 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12215 				    offsetof(struct __sk_buff, data)),
12216 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12217 				    offsetof(struct __sk_buff, data_end)),
12218 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12219 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12220 			BPF_MOV64_IMM(BPF_REG_5, 0),
12221 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
12222 			/* spill checked pkt_ptr into stack of caller */
12223 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12224 			BPF_MOV64_IMM(BPF_REG_5, 1),
12225 			/* don't read back pkt_ptr from stack here */
12226 			/* write 4 bytes into packet */
12227 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12228 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12229 			BPF_EXIT_INSN(),
12230 		},
12231 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12232 		.result = ACCEPT,
12233 	},
12234 	{
12235 		"calls: pkt_ptr spill into caller stack 9",
12236 		.insns = {
12237 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12238 				    offsetof(struct __sk_buff, data)),
12239 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12240 				    offsetof(struct __sk_buff, data_end)),
12241 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12242 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12243 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
12244 			BPF_EXIT_INSN(),
12245 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12246 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12247 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12248 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12249 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
12250 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
12251 			BPF_EXIT_INSN(),
12252 
12253 			/* subprog 1 */
12254 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12255 				    offsetof(struct __sk_buff, data)),
12256 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12257 				    offsetof(struct __sk_buff, data_end)),
12258 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
12259 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
12260 			BPF_MOV64_IMM(BPF_REG_5, 0),
12261 			/* spill unchecked pkt_ptr into stack of caller */
12262 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
12263 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
12264 			BPF_MOV64_IMM(BPF_REG_5, 1),
12265 			/* don't read back pkt_ptr from stack here */
12266 			/* write 4 bytes into packet */
12267 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12268 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
12269 			BPF_EXIT_INSN(),
12270 		},
12271 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12272 		.errstr = "invalid access to packet",
12273 		.result = REJECT,
12274 	},
12275 	{
12276 		"calls: caller stack init to zero or map_value_or_null",
12277 		.insns = {
12278 			BPF_MOV64_IMM(BPF_REG_0, 0),
12279 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12280 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12281 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12282 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12283 			/* fetch map_value_or_null or const_zero from stack */
12284 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12285 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
12286 			/* store into map_value */
12287 			BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
12288 			BPF_EXIT_INSN(),
12289 
12290 			/* subprog 1 */
12291 			/* if (ctx == 0) return; */
12292 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
12293 			/* else bpf_map_lookup() and *(fp - 8) = r0 */
12294 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
12295 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12296 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12297 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12298 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12299 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12300 				     BPF_FUNC_map_lookup_elem),
12301 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
12302 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12303 			BPF_EXIT_INSN(),
12304 		},
12305 		.fixup_map_hash_8b = { 13 },
12306 		.result = ACCEPT,
12307 		.prog_type = BPF_PROG_TYPE_XDP,
12308 	},
12309 	{
12310 		"calls: stack init to zero and pruning",
12311 		.insns = {
12312 			/* first make allocated_stack 16 byte */
12313 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
12314 			/* now fork the execution such that the false branch
12315 			 * of JGT insn will be verified second and it skisp zero
12316 			 * init of fp-8 stack slot. If stack liveness marking
12317 			 * is missing live_read marks from call map_lookup
12318 			 * processing then pruning will incorrectly assume
12319 			 * that fp-8 stack slot was unused in the fall-through
12320 			 * branch and will accept the program incorrectly
12321 			 */
12322 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
12323 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12324 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
12325 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12326 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12327 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12328 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12329 				     BPF_FUNC_map_lookup_elem),
12330 			BPF_EXIT_INSN(),
12331 		},
12332 		.fixup_map_hash_48b = { 6 },
12333 		.errstr = "invalid indirect read from stack off -8+0 size 8",
12334 		.result = REJECT,
12335 		.prog_type = BPF_PROG_TYPE_XDP,
12336 	},
12337 	{
12338 		"calls: two calls returning different map pointers for lookup (hash, array)",
12339 		.insns = {
12340 			/* main prog */
12341 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12342 			BPF_CALL_REL(11),
12343 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12344 			BPF_CALL_REL(12),
12345 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12346 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12347 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12348 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12349 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12350 				     BPF_FUNC_map_lookup_elem),
12351 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12352 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
12353 				   offsetof(struct test_val, foo)),
12354 			BPF_MOV64_IMM(BPF_REG_0, 1),
12355 			BPF_EXIT_INSN(),
12356 			/* subprog 1 */
12357 			BPF_LD_MAP_FD(BPF_REG_0, 0),
12358 			BPF_EXIT_INSN(),
12359 			/* subprog 2 */
12360 			BPF_LD_MAP_FD(BPF_REG_0, 0),
12361 			BPF_EXIT_INSN(),
12362 		},
12363 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12364 		.fixup_map_hash_48b = { 13 },
12365 		.fixup_map_array_48b = { 16 },
12366 		.result = ACCEPT,
12367 		.retval = 1,
12368 	},
12369 	{
12370 		"calls: two calls returning different map pointers for lookup (hash, map in map)",
12371 		.insns = {
12372 			/* main prog */
12373 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12374 			BPF_CALL_REL(11),
12375 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12376 			BPF_CALL_REL(12),
12377 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12378 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12379 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12380 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12381 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12382 				     BPF_FUNC_map_lookup_elem),
12383 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
12384 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
12385 				   offsetof(struct test_val, foo)),
12386 			BPF_MOV64_IMM(BPF_REG_0, 1),
12387 			BPF_EXIT_INSN(),
12388 			/* subprog 1 */
12389 			BPF_LD_MAP_FD(BPF_REG_0, 0),
12390 			BPF_EXIT_INSN(),
12391 			/* subprog 2 */
12392 			BPF_LD_MAP_FD(BPF_REG_0, 0),
12393 			BPF_EXIT_INSN(),
12394 		},
12395 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12396 		.fixup_map_in_map = { 16 },
12397 		.fixup_map_array_48b = { 13 },
12398 		.result = REJECT,
12399 		.errstr = "R0 invalid mem access 'map_ptr'",
12400 	},
12401 	{
12402 		"cond: two branches returning different map pointers for lookup (tail, tail)",
12403 		.insns = {
12404 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12405 				    offsetof(struct __sk_buff, mark)),
12406 			BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
12407 			BPF_LD_MAP_FD(BPF_REG_2, 0),
12408 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12409 			BPF_LD_MAP_FD(BPF_REG_2, 0),
12410 			BPF_MOV64_IMM(BPF_REG_3, 7),
12411 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12412 				     BPF_FUNC_tail_call),
12413 			BPF_MOV64_IMM(BPF_REG_0, 1),
12414 			BPF_EXIT_INSN(),
12415 		},
12416 		.fixup_prog1 = { 5 },
12417 		.fixup_prog2 = { 2 },
12418 		.result_unpriv = REJECT,
12419 		.errstr_unpriv = "tail_call abusing map_ptr",
12420 		.result = ACCEPT,
12421 		.retval = 42,
12422 	},
12423 	{
12424 		"cond: two branches returning same map pointers for lookup (tail, tail)",
12425 		.insns = {
12426 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12427 				    offsetof(struct __sk_buff, mark)),
12428 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
12429 			BPF_LD_MAP_FD(BPF_REG_2, 0),
12430 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12431 			BPF_LD_MAP_FD(BPF_REG_2, 0),
12432 			BPF_MOV64_IMM(BPF_REG_3, 7),
12433 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12434 				     BPF_FUNC_tail_call),
12435 			BPF_MOV64_IMM(BPF_REG_0, 1),
12436 			BPF_EXIT_INSN(),
12437 		},
12438 		.fixup_prog2 = { 2, 5 },
12439 		.result_unpriv = ACCEPT,
12440 		.result = ACCEPT,
12441 		.retval = 42,
12442 	},
12443 	{
12444 		"search pruning: all branches should be verified (nop operation)",
12445 		.insns = {
12446 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12447 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12448 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
12449 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12450 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
12451 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
12452 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
12453 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
12454 			BPF_MOV64_IMM(BPF_REG_4, 0),
12455 			BPF_JMP_A(1),
12456 			BPF_MOV64_IMM(BPF_REG_4, 1),
12457 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
12458 			BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
12459 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
12460 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
12461 			BPF_MOV64_IMM(BPF_REG_6, 0),
12462 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
12463 			BPF_EXIT_INSN(),
12464 		},
12465 		.fixup_map_hash_8b = { 3 },
12466 		.errstr = "R6 invalid mem access 'inv'",
12467 		.result = REJECT,
12468 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12469 	},
12470 	{
12471 		"search pruning: all branches should be verified (invalid stack access)",
12472 		.insns = {
12473 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12474 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12475 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
12476 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12477 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
12478 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
12479 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
12480 			BPF_MOV64_IMM(BPF_REG_4, 0),
12481 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
12482 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
12483 			BPF_JMP_A(1),
12484 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
12485 			BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
12486 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
12487 			BPF_EXIT_INSN(),
12488 		},
12489 		.fixup_map_hash_8b = { 3 },
12490 		.errstr = "invalid read from stack off -16+0 size 8",
12491 		.result = REJECT,
12492 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12493 	},
12494 	{
12495 		"jit: lsh, rsh, arsh by 1",
12496 		.insns = {
12497 			BPF_MOV64_IMM(BPF_REG_0, 1),
12498 			BPF_MOV64_IMM(BPF_REG_1, 0xff),
12499 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
12500 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
12501 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
12502 			BPF_EXIT_INSN(),
12503 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
12504 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
12505 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
12506 			BPF_EXIT_INSN(),
12507 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
12508 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
12509 			BPF_EXIT_INSN(),
12510 			BPF_MOV64_IMM(BPF_REG_0, 2),
12511 			BPF_EXIT_INSN(),
12512 		},
12513 		.result = ACCEPT,
12514 		.retval = 2,
12515 	},
12516 	{
12517 		"jit: mov32 for ldimm64, 1",
12518 		.insns = {
12519 			BPF_MOV64_IMM(BPF_REG_0, 2),
12520 			BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
12521 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
12522 			BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
12523 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12524 			BPF_MOV64_IMM(BPF_REG_0, 1),
12525 			BPF_EXIT_INSN(),
12526 		},
12527 		.result = ACCEPT,
12528 		.retval = 2,
12529 	},
12530 	{
12531 		"jit: mov32 for ldimm64, 2",
12532 		.insns = {
12533 			BPF_MOV64_IMM(BPF_REG_0, 1),
12534 			BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
12535 			BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
12536 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12537 			BPF_MOV64_IMM(BPF_REG_0, 2),
12538 			BPF_EXIT_INSN(),
12539 		},
12540 		.result = ACCEPT,
12541 		.retval = 2,
12542 	},
12543 	{
12544 		"jit: various mul tests",
12545 		.insns = {
12546 			BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12547 			BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12548 			BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
12549 			BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12550 			BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12551 			BPF_MOV64_IMM(BPF_REG_0, 1),
12552 			BPF_EXIT_INSN(),
12553 			BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12554 			BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12555 			BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12556 			BPF_MOV64_IMM(BPF_REG_0, 1),
12557 			BPF_EXIT_INSN(),
12558 			BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
12559 			BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12560 			BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12561 			BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12562 			BPF_MOV64_IMM(BPF_REG_0, 1),
12563 			BPF_EXIT_INSN(),
12564 			BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12565 			BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12566 			BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12567 			BPF_MOV64_IMM(BPF_REG_0, 1),
12568 			BPF_EXIT_INSN(),
12569 			BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
12570 			BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
12571 			BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12572 			BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
12573 			BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
12574 			BPF_MOV64_IMM(BPF_REG_0, 1),
12575 			BPF_EXIT_INSN(),
12576 			BPF_MOV64_IMM(BPF_REG_0, 2),
12577 			BPF_EXIT_INSN(),
12578 		},
12579 		.result = ACCEPT,
12580 		.retval = 2,
12581 	},
12582 	{
12583 		"xadd/w check unaligned stack",
12584 		.insns = {
12585 			BPF_MOV64_IMM(BPF_REG_0, 1),
12586 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12587 			BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
12588 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12589 			BPF_EXIT_INSN(),
12590 		},
12591 		.result = REJECT,
12592 		.errstr = "misaligned stack access off",
12593 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12594 	},
12595 	{
12596 		"xadd/w check unaligned map",
12597 		.insns = {
12598 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12599 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12600 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12601 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12602 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12603 				     BPF_FUNC_map_lookup_elem),
12604 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
12605 			BPF_EXIT_INSN(),
12606 			BPF_MOV64_IMM(BPF_REG_1, 1),
12607 			BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
12608 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
12609 			BPF_EXIT_INSN(),
12610 		},
12611 		.fixup_map_hash_8b = { 3 },
12612 		.result = REJECT,
12613 		.errstr = "misaligned value access off",
12614 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12615 	},
12616 	{
12617 		"xadd/w check unaligned pkt",
12618 		.insns = {
12619 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12620 				    offsetof(struct xdp_md, data)),
12621 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12622 				    offsetof(struct xdp_md, data_end)),
12623 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
12624 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
12625 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
12626 			BPF_MOV64_IMM(BPF_REG_0, 99),
12627 			BPF_JMP_IMM(BPF_JA, 0, 0, 6),
12628 			BPF_MOV64_IMM(BPF_REG_0, 1),
12629 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12630 			BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
12631 			BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
12632 			BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
12633 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
12634 			BPF_EXIT_INSN(),
12635 		},
12636 		.result = REJECT,
12637 		.errstr = "BPF_XADD stores into R2 pkt is not allowed",
12638 		.prog_type = BPF_PROG_TYPE_XDP,
12639 	},
12640 	{
12641 		"xadd/w check whether src/dst got mangled, 1",
12642 		.insns = {
12643 			BPF_MOV64_IMM(BPF_REG_0, 1),
12644 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12645 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12646 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12647 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12648 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12649 			BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12650 			BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12651 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12652 			BPF_EXIT_INSN(),
12653 			BPF_MOV64_IMM(BPF_REG_0, 42),
12654 			BPF_EXIT_INSN(),
12655 		},
12656 		.result = ACCEPT,
12657 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12658 		.retval = 3,
12659 	},
12660 	{
12661 		"xadd/w check whether src/dst got mangled, 2",
12662 		.insns = {
12663 			BPF_MOV64_IMM(BPF_REG_0, 1),
12664 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12665 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12666 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12667 			BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12668 			BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12669 			BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12670 			BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12671 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
12672 			BPF_EXIT_INSN(),
12673 			BPF_MOV64_IMM(BPF_REG_0, 42),
12674 			BPF_EXIT_INSN(),
12675 		},
12676 		.result = ACCEPT,
12677 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12678 		.retval = 3,
12679 	},
12680 	{
12681 		"bpf_get_stack return R0 within range",
12682 		.insns = {
12683 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12684 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12685 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12686 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12687 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12688 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12689 				     BPF_FUNC_map_lookup_elem),
12690 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
12691 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12692 			BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
12693 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12694 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12695 			BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
12696 			BPF_MOV64_IMM(BPF_REG_4, 256),
12697 			BPF_EMIT_CALL(BPF_FUNC_get_stack),
12698 			BPF_MOV64_IMM(BPF_REG_1, 0),
12699 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
12700 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
12701 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
12702 			BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
12703 			BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
12704 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12705 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
12706 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
12707 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
12708 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
12709 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
12710 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
12711 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12712 			BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
12713 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
12714 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
12715 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12716 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
12717 			BPF_MOV64_IMM(BPF_REG_4, 0),
12718 			BPF_EMIT_CALL(BPF_FUNC_get_stack),
12719 			BPF_EXIT_INSN(),
12720 		},
12721 		.fixup_map_hash_48b = { 4 },
12722 		.result = ACCEPT,
12723 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12724 	},
12725 	{
12726 		"ld_abs: invalid op 1",
12727 		.insns = {
12728 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12729 			BPF_LD_ABS(BPF_DW, 0),
12730 			BPF_EXIT_INSN(),
12731 		},
12732 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12733 		.result = REJECT,
12734 		.errstr = "unknown opcode",
12735 	},
12736 	{
12737 		"ld_abs: invalid op 2",
12738 		.insns = {
12739 			BPF_MOV32_IMM(BPF_REG_0, 256),
12740 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12741 			BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
12742 			BPF_EXIT_INSN(),
12743 		},
12744 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12745 		.result = REJECT,
12746 		.errstr = "unknown opcode",
12747 	},
12748 	{
12749 		"ld_abs: nmap reduced",
12750 		.insns = {
12751 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12752 			BPF_LD_ABS(BPF_H, 12),
12753 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
12754 			BPF_LD_ABS(BPF_H, 12),
12755 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
12756 			BPF_MOV32_IMM(BPF_REG_0, 18),
12757 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
12758 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
12759 			BPF_LD_IND(BPF_W, BPF_REG_7, 14),
12760 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
12761 			BPF_MOV32_IMM(BPF_REG_0, 280971478),
12762 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12763 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12764 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
12765 			BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12766 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
12767 			BPF_LD_ABS(BPF_H, 12),
12768 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
12769 			BPF_MOV32_IMM(BPF_REG_0, 22),
12770 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12771 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12772 			BPF_LD_IND(BPF_H, BPF_REG_7, 14),
12773 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
12774 			BPF_MOV32_IMM(BPF_REG_0, 17366),
12775 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
12776 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
12777 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
12778 			BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12779 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12780 			BPF_MOV32_IMM(BPF_REG_0, 256),
12781 			BPF_EXIT_INSN(),
12782 			BPF_MOV32_IMM(BPF_REG_0, 0),
12783 			BPF_EXIT_INSN(),
12784 		},
12785 		.data = {
12786 			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
12787 			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
12788 			0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
12789 		},
12790 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12791 		.result = ACCEPT,
12792 		.retval = 256,
12793 	},
12794 	{
12795 		"ld_abs: div + abs, test 1",
12796 		.insns = {
12797 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12798 			BPF_LD_ABS(BPF_B, 3),
12799 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12800 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12801 			BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12802 			BPF_LD_ABS(BPF_B, 4),
12803 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12804 			BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12805 			BPF_EXIT_INSN(),
12806 		},
12807 		.data = {
12808 			10, 20, 30, 40, 50,
12809 		},
12810 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12811 		.result = ACCEPT,
12812 		.retval = 10,
12813 	},
12814 	{
12815 		"ld_abs: div + abs, test 2",
12816 		.insns = {
12817 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12818 			BPF_LD_ABS(BPF_B, 3),
12819 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12820 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12821 			BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12822 			BPF_LD_ABS(BPF_B, 128),
12823 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12824 			BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12825 			BPF_EXIT_INSN(),
12826 		},
12827 		.data = {
12828 			10, 20, 30, 40, 50,
12829 		},
12830 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12831 		.result = ACCEPT,
12832 		.retval = 0,
12833 	},
12834 	{
12835 		"ld_abs: div + abs, test 3",
12836 		.insns = {
12837 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12838 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12839 			BPF_LD_ABS(BPF_B, 3),
12840 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12841 			BPF_EXIT_INSN(),
12842 		},
12843 		.data = {
12844 			10, 20, 30, 40, 50,
12845 		},
12846 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12847 		.result = ACCEPT,
12848 		.retval = 0,
12849 	},
12850 	{
12851 		"ld_abs: div + abs, test 4",
12852 		.insns = {
12853 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12854 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12855 			BPF_LD_ABS(BPF_B, 256),
12856 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12857 			BPF_EXIT_INSN(),
12858 		},
12859 		.data = {
12860 			10, 20, 30, 40, 50,
12861 		},
12862 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12863 		.result = ACCEPT,
12864 		.retval = 0,
12865 	},
12866 	{
12867 		"ld_abs: vlan + abs, test 1",
12868 		.insns = { },
12869 		.data = {
12870 			0x34,
12871 		},
12872 		.fill_helper = bpf_fill_ld_abs_vlan_push_pop,
12873 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12874 		.result = ACCEPT,
12875 		.retval = 0xbef,
12876 	},
12877 	{
12878 		"ld_abs: vlan + abs, test 2",
12879 		.insns = {
12880 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12881 			BPF_LD_ABS(BPF_B, 0),
12882 			BPF_LD_ABS(BPF_H, 0),
12883 			BPF_LD_ABS(BPF_W, 0),
12884 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
12885 			BPF_MOV64_IMM(BPF_REG_6, 0),
12886 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12887 			BPF_MOV64_IMM(BPF_REG_2, 1),
12888 			BPF_MOV64_IMM(BPF_REG_3, 2),
12889 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12890 				     BPF_FUNC_skb_vlan_push),
12891 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
12892 			BPF_LD_ABS(BPF_B, 0),
12893 			BPF_LD_ABS(BPF_H, 0),
12894 			BPF_LD_ABS(BPF_W, 0),
12895 			BPF_MOV64_IMM(BPF_REG_0, 42),
12896 			BPF_EXIT_INSN(),
12897 		},
12898 		.data = {
12899 			0x34,
12900 		},
12901 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12902 		.result = ACCEPT,
12903 		.retval = 42,
12904 	},
12905 	{
12906 		"ld_abs: jump around ld_abs",
12907 		.insns = { },
12908 		.data = {
12909 			10, 11,
12910 		},
12911 		.fill_helper = bpf_fill_jump_around_ld_abs,
12912 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12913 		.result = ACCEPT,
12914 		.retval = 10,
12915 	},
12916 	{
12917 		"ld_dw: xor semi-random 64 bit imms, test 1",
12918 		.insns = { },
12919 		.data = { },
12920 		.fill_helper = bpf_fill_rand_ld_dw,
12921 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12922 		.result = ACCEPT,
12923 		.retval = 4090,
12924 	},
12925 	{
12926 		"ld_dw: xor semi-random 64 bit imms, test 2",
12927 		.insns = { },
12928 		.data = { },
12929 		.fill_helper = bpf_fill_rand_ld_dw,
12930 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12931 		.result = ACCEPT,
12932 		.retval = 2047,
12933 	},
12934 	{
12935 		"ld_dw: xor semi-random 64 bit imms, test 3",
12936 		.insns = { },
12937 		.data = { },
12938 		.fill_helper = bpf_fill_rand_ld_dw,
12939 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12940 		.result = ACCEPT,
12941 		.retval = 511,
12942 	},
12943 	{
12944 		"ld_dw: xor semi-random 64 bit imms, test 4",
12945 		.insns = { },
12946 		.data = { },
12947 		.fill_helper = bpf_fill_rand_ld_dw,
12948 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12949 		.result = ACCEPT,
12950 		.retval = 5,
12951 	},
12952 	{
12953 		"pass unmodified ctx pointer to helper",
12954 		.insns = {
12955 			BPF_MOV64_IMM(BPF_REG_2, 0),
12956 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12957 				     BPF_FUNC_csum_update),
12958 			BPF_MOV64_IMM(BPF_REG_0, 0),
12959 			BPF_EXIT_INSN(),
12960 		},
12961 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12962 		.result = ACCEPT,
12963 	},
12964 	{
12965 		"reference tracking: leak potential reference",
12966 		.insns = {
12967 			BPF_SK_LOOKUP,
12968 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), /* leak reference */
12969 			BPF_EXIT_INSN(),
12970 		},
12971 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12972 		.errstr = "Unreleased reference",
12973 		.result = REJECT,
12974 	},
12975 	{
12976 		"reference tracking: leak potential reference on stack",
12977 		.insns = {
12978 			BPF_SK_LOOKUP,
12979 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12980 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12981 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
12982 			BPF_MOV64_IMM(BPF_REG_0, 0),
12983 			BPF_EXIT_INSN(),
12984 		},
12985 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12986 		.errstr = "Unreleased reference",
12987 		.result = REJECT,
12988 	},
12989 	{
12990 		"reference tracking: leak potential reference on stack 2",
12991 		.insns = {
12992 			BPF_SK_LOOKUP,
12993 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
12994 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
12995 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
12996 			BPF_MOV64_IMM(BPF_REG_0, 0),
12997 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
12998 			BPF_EXIT_INSN(),
12999 		},
13000 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13001 		.errstr = "Unreleased reference",
13002 		.result = REJECT,
13003 	},
13004 	{
13005 		"reference tracking: zero potential reference",
13006 		.insns = {
13007 			BPF_SK_LOOKUP,
13008 			BPF_MOV64_IMM(BPF_REG_0, 0), /* leak reference */
13009 			BPF_EXIT_INSN(),
13010 		},
13011 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13012 		.errstr = "Unreleased reference",
13013 		.result = REJECT,
13014 	},
13015 	{
13016 		"reference tracking: copy and zero potential references",
13017 		.insns = {
13018 			BPF_SK_LOOKUP,
13019 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
13020 			BPF_MOV64_IMM(BPF_REG_0, 0),
13021 			BPF_MOV64_IMM(BPF_REG_7, 0), /* leak reference */
13022 			BPF_EXIT_INSN(),
13023 		},
13024 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13025 		.errstr = "Unreleased reference",
13026 		.result = REJECT,
13027 	},
13028 	{
13029 		"reference tracking: release reference without check",
13030 		.insns = {
13031 			BPF_SK_LOOKUP,
13032 			/* reference in r0 may be NULL */
13033 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13034 			BPF_MOV64_IMM(BPF_REG_2, 0),
13035 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13036 			BPF_EXIT_INSN(),
13037 		},
13038 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13039 		.errstr = "type=sock_or_null expected=sock",
13040 		.result = REJECT,
13041 	},
13042 	{
13043 		"reference tracking: release reference",
13044 		.insns = {
13045 			BPF_SK_LOOKUP,
13046 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13047 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13048 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13049 			BPF_EXIT_INSN(),
13050 		},
13051 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13052 		.result = ACCEPT,
13053 	},
13054 	{
13055 		"reference tracking: release reference 2",
13056 		.insns = {
13057 			BPF_SK_LOOKUP,
13058 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13059 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
13060 			BPF_EXIT_INSN(),
13061 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13062 			BPF_EXIT_INSN(),
13063 		},
13064 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13065 		.result = ACCEPT,
13066 	},
13067 	{
13068 		"reference tracking: release reference twice",
13069 		.insns = {
13070 			BPF_SK_LOOKUP,
13071 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13072 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13073 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13074 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13075 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13076 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13077 			BPF_EXIT_INSN(),
13078 		},
13079 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13080 		.errstr = "type=inv expected=sock",
13081 		.result = REJECT,
13082 	},
13083 	{
13084 		"reference tracking: release reference twice inside branch",
13085 		.insns = {
13086 			BPF_SK_LOOKUP,
13087 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13088 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13089 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), /* goto end */
13090 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13091 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13092 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13093 			BPF_EXIT_INSN(),
13094 		},
13095 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13096 		.errstr = "type=inv expected=sock",
13097 		.result = REJECT,
13098 	},
13099 	{
13100 		"reference tracking: alloc, check, free in one subbranch",
13101 		.insns = {
13102 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13103 				    offsetof(struct __sk_buff, data)),
13104 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13105 				    offsetof(struct __sk_buff, data_end)),
13106 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13107 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
13108 			/* if (offsetof(skb, mark) > data_len) exit; */
13109 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13110 			BPF_EXIT_INSN(),
13111 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
13112 				    offsetof(struct __sk_buff, mark)),
13113 			BPF_SK_LOOKUP,
13114 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 1), /* mark == 0? */
13115 			/* Leak reference in R0 */
13116 			BPF_EXIT_INSN(),
13117 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13118 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13119 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13120 			BPF_EXIT_INSN(),
13121 		},
13122 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13123 		.errstr = "Unreleased reference",
13124 		.result = REJECT,
13125 	},
13126 	{
13127 		"reference tracking: alloc, check, free in both subbranches",
13128 		.insns = {
13129 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13130 				    offsetof(struct __sk_buff, data)),
13131 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13132 				    offsetof(struct __sk_buff, data_end)),
13133 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13134 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
13135 			/* if (offsetof(skb, mark) > data_len) exit; */
13136 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13137 			BPF_EXIT_INSN(),
13138 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
13139 				    offsetof(struct __sk_buff, mark)),
13140 			BPF_SK_LOOKUP,
13141 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 4), /* mark == 0? */
13142 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13143 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13144 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13145 			BPF_EXIT_INSN(),
13146 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
13147 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13148 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13149 			BPF_EXIT_INSN(),
13150 		},
13151 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13152 		.result = ACCEPT,
13153 	},
13154 	{
13155 		"reference tracking in call: free reference in subprog",
13156 		.insns = {
13157 			BPF_SK_LOOKUP,
13158 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
13159 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13160 			BPF_MOV64_IMM(BPF_REG_0, 0),
13161 			BPF_EXIT_INSN(),
13162 
13163 			/* subprog 1 */
13164 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
13165 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
13166 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13167 			BPF_EXIT_INSN(),
13168 		},
13169 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13170 		.result = ACCEPT,
13171 	},
13172 	{
13173 		"pass modified ctx pointer to helper, 1",
13174 		.insns = {
13175 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
13176 			BPF_MOV64_IMM(BPF_REG_2, 0),
13177 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13178 				     BPF_FUNC_csum_update),
13179 			BPF_MOV64_IMM(BPF_REG_0, 0),
13180 			BPF_EXIT_INSN(),
13181 		},
13182 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13183 		.result = REJECT,
13184 		.errstr = "dereference of modified ctx ptr",
13185 	},
13186 	{
13187 		"pass modified ctx pointer to helper, 2",
13188 		.insns = {
13189 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
13190 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13191 				     BPF_FUNC_get_socket_cookie),
13192 			BPF_MOV64_IMM(BPF_REG_0, 0),
13193 			BPF_EXIT_INSN(),
13194 		},
13195 		.result_unpriv = REJECT,
13196 		.result = REJECT,
13197 		.errstr_unpriv = "dereference of modified ctx ptr",
13198 		.errstr = "dereference of modified ctx ptr",
13199 	},
13200 	{
13201 		"pass modified ctx pointer to helper, 3",
13202 		.insns = {
13203 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
13204 			BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
13205 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
13206 			BPF_MOV64_IMM(BPF_REG_2, 0),
13207 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13208 				     BPF_FUNC_csum_update),
13209 			BPF_MOV64_IMM(BPF_REG_0, 0),
13210 			BPF_EXIT_INSN(),
13211 		},
13212 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13213 		.result = REJECT,
13214 		.errstr = "variable ctx access var_off=(0x0; 0x4)",
13215 	},
13216 	{
13217 		"mov64 src == dst",
13218 		.insns = {
13219 			BPF_MOV64_IMM(BPF_REG_2, 0),
13220 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_2),
13221 			// Check bounds are OK
13222 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
13223 			BPF_MOV64_IMM(BPF_REG_0, 0),
13224 			BPF_EXIT_INSN(),
13225 		},
13226 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13227 		.result = ACCEPT,
13228 	},
13229 	{
13230 		"mov64 src != dst",
13231 		.insns = {
13232 			BPF_MOV64_IMM(BPF_REG_3, 0),
13233 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
13234 			// Check bounds are OK
13235 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
13236 			BPF_MOV64_IMM(BPF_REG_0, 0),
13237 			BPF_EXIT_INSN(),
13238 		},
13239 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13240 		.result = ACCEPT,
13241 	},
13242 	{
13243 		"reference tracking in call: free reference in subprog and outside",
13244 		.insns = {
13245 			BPF_SK_LOOKUP,
13246 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
13247 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13248 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13249 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13250 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13251 			BPF_EXIT_INSN(),
13252 
13253 			/* subprog 1 */
13254 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
13255 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
13256 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13257 			BPF_EXIT_INSN(),
13258 		},
13259 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13260 		.errstr = "type=inv expected=sock",
13261 		.result = REJECT,
13262 	},
13263 	{
13264 		"reference tracking in call: alloc & leak reference in subprog",
13265 		.insns = {
13266 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13267 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13268 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13269 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13270 			BPF_MOV64_IMM(BPF_REG_0, 0),
13271 			BPF_EXIT_INSN(),
13272 
13273 			/* subprog 1 */
13274 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_4),
13275 			BPF_SK_LOOKUP,
13276 			/* spill unchecked sk_ptr into stack of caller */
13277 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13278 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13279 			BPF_EXIT_INSN(),
13280 		},
13281 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13282 		.errstr = "Unreleased reference",
13283 		.result = REJECT,
13284 	},
13285 	{
13286 		"reference tracking in call: alloc in subprog, release outside",
13287 		.insns = {
13288 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13289 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
13290 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13291 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13292 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13293 			BPF_EXIT_INSN(),
13294 
13295 			/* subprog 1 */
13296 			BPF_SK_LOOKUP,
13297 			BPF_EXIT_INSN(), /* return sk */
13298 		},
13299 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13300 		.retval = POINTER_VALUE,
13301 		.result = ACCEPT,
13302 	},
13303 	{
13304 		"reference tracking in call: sk_ptr leak into caller stack",
13305 		.insns = {
13306 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13307 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13308 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13309 			BPF_MOV64_IMM(BPF_REG_0, 0),
13310 			BPF_EXIT_INSN(),
13311 
13312 			/* subprog 1 */
13313 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13314 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13315 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
13316 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
13317 			/* spill unchecked sk_ptr into stack of caller */
13318 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13319 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13320 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
13321 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13322 			BPF_EXIT_INSN(),
13323 
13324 			/* subprog 2 */
13325 			BPF_SK_LOOKUP,
13326 			BPF_EXIT_INSN(),
13327 		},
13328 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13329 		.errstr = "Unreleased reference",
13330 		.result = REJECT,
13331 	},
13332 	{
13333 		"reference tracking in call: sk_ptr spill into caller stack",
13334 		.insns = {
13335 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13336 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13337 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13338 			BPF_MOV64_IMM(BPF_REG_0, 0),
13339 			BPF_EXIT_INSN(),
13340 
13341 			/* subprog 1 */
13342 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13343 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13344 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
13345 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
13346 			/* spill unchecked sk_ptr into stack of caller */
13347 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
13348 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
13349 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
13350 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
13351 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13352 			/* now the sk_ptr is verified, free the reference */
13353 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_4, 0),
13354 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13355 			BPF_EXIT_INSN(),
13356 
13357 			/* subprog 2 */
13358 			BPF_SK_LOOKUP,
13359 			BPF_EXIT_INSN(),
13360 		},
13361 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13362 		.result = ACCEPT,
13363 	},
13364 	{
13365 		"reference tracking: allow LD_ABS",
13366 		.insns = {
13367 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13368 			BPF_SK_LOOKUP,
13369 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13370 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13371 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13372 			BPF_LD_ABS(BPF_B, 0),
13373 			BPF_LD_ABS(BPF_H, 0),
13374 			BPF_LD_ABS(BPF_W, 0),
13375 			BPF_EXIT_INSN(),
13376 		},
13377 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13378 		.result = ACCEPT,
13379 	},
13380 	{
13381 		"reference tracking: forbid LD_ABS while holding reference",
13382 		.insns = {
13383 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13384 			BPF_SK_LOOKUP,
13385 			BPF_LD_ABS(BPF_B, 0),
13386 			BPF_LD_ABS(BPF_H, 0),
13387 			BPF_LD_ABS(BPF_W, 0),
13388 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13389 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13390 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13391 			BPF_EXIT_INSN(),
13392 		},
13393 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13394 		.errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
13395 		.result = REJECT,
13396 	},
13397 	{
13398 		"reference tracking: allow LD_IND",
13399 		.insns = {
13400 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13401 			BPF_SK_LOOKUP,
13402 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13403 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13404 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13405 			BPF_MOV64_IMM(BPF_REG_7, 1),
13406 			BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
13407 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
13408 			BPF_EXIT_INSN(),
13409 		},
13410 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13411 		.result = ACCEPT,
13412 		.retval = 1,
13413 	},
13414 	{
13415 		"reference tracking: forbid LD_IND while holding reference",
13416 		.insns = {
13417 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13418 			BPF_SK_LOOKUP,
13419 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
13420 			BPF_MOV64_IMM(BPF_REG_7, 1),
13421 			BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
13422 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
13423 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_4),
13424 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13425 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13426 			BPF_EXIT_INSN(),
13427 		},
13428 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13429 		.errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
13430 		.result = REJECT,
13431 	},
13432 	{
13433 		"reference tracking: check reference or tail call",
13434 		.insns = {
13435 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13436 			BPF_SK_LOOKUP,
13437 			/* if (sk) bpf_sk_release() */
13438 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13439 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 7),
13440 			/* bpf_tail_call() */
13441 			BPF_MOV64_IMM(BPF_REG_3, 2),
13442 			BPF_LD_MAP_FD(BPF_REG_2, 0),
13443 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13444 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13445 				     BPF_FUNC_tail_call),
13446 			BPF_MOV64_IMM(BPF_REG_0, 0),
13447 			BPF_EXIT_INSN(),
13448 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13449 			BPF_EXIT_INSN(),
13450 		},
13451 		.fixup_prog1 = { 17 },
13452 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13453 		.result = ACCEPT,
13454 	},
13455 	{
13456 		"reference tracking: release reference then tail call",
13457 		.insns = {
13458 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13459 			BPF_SK_LOOKUP,
13460 			/* if (sk) bpf_sk_release() */
13461 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13462 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13463 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13464 			/* bpf_tail_call() */
13465 			BPF_MOV64_IMM(BPF_REG_3, 2),
13466 			BPF_LD_MAP_FD(BPF_REG_2, 0),
13467 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13468 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13469 				     BPF_FUNC_tail_call),
13470 			BPF_MOV64_IMM(BPF_REG_0, 0),
13471 			BPF_EXIT_INSN(),
13472 		},
13473 		.fixup_prog1 = { 18 },
13474 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13475 		.result = ACCEPT,
13476 	},
13477 	{
13478 		"reference tracking: leak possible reference over tail call",
13479 		.insns = {
13480 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13481 			/* Look up socket and store in REG_6 */
13482 			BPF_SK_LOOKUP,
13483 			/* bpf_tail_call() */
13484 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13485 			BPF_MOV64_IMM(BPF_REG_3, 2),
13486 			BPF_LD_MAP_FD(BPF_REG_2, 0),
13487 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13488 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13489 				     BPF_FUNC_tail_call),
13490 			BPF_MOV64_IMM(BPF_REG_0, 0),
13491 			/* if (sk) bpf_sk_release() */
13492 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13493 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
13494 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13495 			BPF_EXIT_INSN(),
13496 		},
13497 		.fixup_prog1 = { 16 },
13498 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13499 		.errstr = "tail_call would lead to reference leak",
13500 		.result = REJECT,
13501 	},
13502 	{
13503 		"reference tracking: leak checked reference over tail call",
13504 		.insns = {
13505 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
13506 			/* Look up socket and store in REG_6 */
13507 			BPF_SK_LOOKUP,
13508 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13509 			/* if (!sk) goto end */
13510 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
13511 			/* bpf_tail_call() */
13512 			BPF_MOV64_IMM(BPF_REG_3, 0),
13513 			BPF_LD_MAP_FD(BPF_REG_2, 0),
13514 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13515 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13516 				     BPF_FUNC_tail_call),
13517 			BPF_MOV64_IMM(BPF_REG_0, 0),
13518 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13519 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13520 			BPF_EXIT_INSN(),
13521 		},
13522 		.fixup_prog1 = { 17 },
13523 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13524 		.errstr = "tail_call would lead to reference leak",
13525 		.result = REJECT,
13526 	},
13527 	{
13528 		"reference tracking: mangle and release sock_or_null",
13529 		.insns = {
13530 			BPF_SK_LOOKUP,
13531 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13532 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
13533 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13534 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13535 			BPF_EXIT_INSN(),
13536 		},
13537 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13538 		.errstr = "R1 pointer arithmetic on sock_or_null prohibited",
13539 		.result = REJECT,
13540 	},
13541 	{
13542 		"reference tracking: mangle and release sock",
13543 		.insns = {
13544 			BPF_SK_LOOKUP,
13545 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13546 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13547 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
13548 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13549 			BPF_EXIT_INSN(),
13550 		},
13551 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13552 		.errstr = "R1 pointer arithmetic on sock prohibited",
13553 		.result = REJECT,
13554 	},
13555 	{
13556 		"reference tracking: access member",
13557 		.insns = {
13558 			BPF_SK_LOOKUP,
13559 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13560 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
13561 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
13562 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13563 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13564 			BPF_EXIT_INSN(),
13565 		},
13566 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13567 		.result = ACCEPT,
13568 	},
13569 	{
13570 		"reference tracking: write to member",
13571 		.insns = {
13572 			BPF_SK_LOOKUP,
13573 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13574 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
13575 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13576 			BPF_LD_IMM64(BPF_REG_2, 42),
13577 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_2,
13578 				    offsetof(struct bpf_sock, mark)),
13579 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13580 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13581 			BPF_LD_IMM64(BPF_REG_0, 0),
13582 			BPF_EXIT_INSN(),
13583 		},
13584 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13585 		.errstr = "cannot write into socket",
13586 		.result = REJECT,
13587 	},
13588 	{
13589 		"reference tracking: invalid 64-bit access of member",
13590 		.insns = {
13591 			BPF_SK_LOOKUP,
13592 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13593 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
13594 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
13595 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13596 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13597 			BPF_EXIT_INSN(),
13598 		},
13599 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13600 		.errstr = "invalid bpf_sock access off=0 size=8",
13601 		.result = REJECT,
13602 	},
13603 	{
13604 		"reference tracking: access after release",
13605 		.insns = {
13606 			BPF_SK_LOOKUP,
13607 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13608 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13609 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13610 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
13611 			BPF_EXIT_INSN(),
13612 		},
13613 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13614 		.errstr = "!read_ok",
13615 		.result = REJECT,
13616 	},
13617 	{
13618 		"reference tracking: direct access for lookup",
13619 		.insns = {
13620 			/* Check that the packet is at least 64B long */
13621 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13622 				    offsetof(struct __sk_buff, data)),
13623 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13624 				    offsetof(struct __sk_buff, data_end)),
13625 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13626 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
13627 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
13628 			/* sk = sk_lookup_tcp(ctx, skb->data, ...) */
13629 			BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)),
13630 			BPF_MOV64_IMM(BPF_REG_4, 0),
13631 			BPF_MOV64_IMM(BPF_REG_5, 0),
13632 			BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp),
13633 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13634 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
13635 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
13636 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13637 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
13638 			BPF_EXIT_INSN(),
13639 		},
13640 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13641 		.result = ACCEPT,
13642 	},
13643 };
13644 
13645 static int probe_filter_length(const struct bpf_insn *fp)
13646 {
13647 	int len;
13648 
13649 	for (len = MAX_INSNS - 1; len > 0; --len)
13650 		if (fp[len].code != 0 || fp[len].imm != 0)
13651 			break;
13652 	return len + 1;
13653 }
13654 
13655 static int create_map(uint32_t type, uint32_t size_key,
13656 		      uint32_t size_value, uint32_t max_elem)
13657 {
13658 	int fd;
13659 
13660 	fd = bpf_create_map(type, size_key, size_value, max_elem,
13661 			    type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
13662 	if (fd < 0)
13663 		printf("Failed to create hash map '%s'!\n", strerror(errno));
13664 
13665 	return fd;
13666 }
13667 
13668 static int create_prog_dummy1(enum bpf_map_type prog_type)
13669 {
13670 	struct bpf_insn prog[] = {
13671 		BPF_MOV64_IMM(BPF_REG_0, 42),
13672 		BPF_EXIT_INSN(),
13673 	};
13674 
13675 	return bpf_load_program(prog_type, prog,
13676 				ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
13677 }
13678 
13679 static int create_prog_dummy2(enum bpf_map_type prog_type, int mfd, int idx)
13680 {
13681 	struct bpf_insn prog[] = {
13682 		BPF_MOV64_IMM(BPF_REG_3, idx),
13683 		BPF_LD_MAP_FD(BPF_REG_2, mfd),
13684 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13685 			     BPF_FUNC_tail_call),
13686 		BPF_MOV64_IMM(BPF_REG_0, 41),
13687 		BPF_EXIT_INSN(),
13688 	};
13689 
13690 	return bpf_load_program(prog_type, prog,
13691 				ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
13692 }
13693 
13694 static int create_prog_array(enum bpf_map_type prog_type, uint32_t max_elem,
13695 			     int p1key)
13696 {
13697 	int p2key = 1;
13698 	int mfd, p1fd, p2fd;
13699 
13700 	mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
13701 			     sizeof(int), max_elem, 0);
13702 	if (mfd < 0) {
13703 		printf("Failed to create prog array '%s'!\n", strerror(errno));
13704 		return -1;
13705 	}
13706 
13707 	p1fd = create_prog_dummy1(prog_type);
13708 	p2fd = create_prog_dummy2(prog_type, mfd, p2key);
13709 	if (p1fd < 0 || p2fd < 0)
13710 		goto out;
13711 	if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
13712 		goto out;
13713 	if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
13714 		goto out;
13715 	close(p2fd);
13716 	close(p1fd);
13717 
13718 	return mfd;
13719 out:
13720 	close(p2fd);
13721 	close(p1fd);
13722 	close(mfd);
13723 	return -1;
13724 }
13725 
13726 static int create_map_in_map(void)
13727 {
13728 	int inner_map_fd, outer_map_fd;
13729 
13730 	inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
13731 				      sizeof(int), 1, 0);
13732 	if (inner_map_fd < 0) {
13733 		printf("Failed to create array '%s'!\n", strerror(errno));
13734 		return inner_map_fd;
13735 	}
13736 
13737 	outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
13738 					     sizeof(int), inner_map_fd, 1, 0);
13739 	if (outer_map_fd < 0)
13740 		printf("Failed to create array of maps '%s'!\n",
13741 		       strerror(errno));
13742 
13743 	close(inner_map_fd);
13744 
13745 	return outer_map_fd;
13746 }
13747 
13748 static int create_cgroup_storage(bool percpu)
13749 {
13750 	enum bpf_map_type type = percpu ? BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE :
13751 		BPF_MAP_TYPE_CGROUP_STORAGE;
13752 	int fd;
13753 
13754 	fd = bpf_create_map(type, sizeof(struct bpf_cgroup_storage_key),
13755 			    TEST_DATA_LEN, 0, 0);
13756 	if (fd < 0)
13757 		printf("Failed to create cgroup storage '%s'!\n",
13758 		       strerror(errno));
13759 
13760 	return fd;
13761 }
13762 
13763 static char bpf_vlog[UINT_MAX >> 8];
13764 
13765 static void do_test_fixup(struct bpf_test *test, enum bpf_map_type prog_type,
13766 			  struct bpf_insn *prog, int *map_fds)
13767 {
13768 	int *fixup_map_hash_8b = test->fixup_map_hash_8b;
13769 	int *fixup_map_hash_48b = test->fixup_map_hash_48b;
13770 	int *fixup_map_hash_16b = test->fixup_map_hash_16b;
13771 	int *fixup_map_array_48b = test->fixup_map_array_48b;
13772 	int *fixup_map_sockmap = test->fixup_map_sockmap;
13773 	int *fixup_map_sockhash = test->fixup_map_sockhash;
13774 	int *fixup_map_xskmap = test->fixup_map_xskmap;
13775 	int *fixup_map_stacktrace = test->fixup_map_stacktrace;
13776 	int *fixup_prog1 = test->fixup_prog1;
13777 	int *fixup_prog2 = test->fixup_prog2;
13778 	int *fixup_map_in_map = test->fixup_map_in_map;
13779 	int *fixup_cgroup_storage = test->fixup_cgroup_storage;
13780 	int *fixup_percpu_cgroup_storage = test->fixup_percpu_cgroup_storage;
13781 
13782 	if (test->fill_helper)
13783 		test->fill_helper(test);
13784 
13785 	/* Allocating HTs with 1 elem is fine here, since we only test
13786 	 * for verifier and not do a runtime lookup, so the only thing
13787 	 * that really matters is value size in this case.
13788 	 */
13789 	if (*fixup_map_hash_8b) {
13790 		map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
13791 					sizeof(long long), 1);
13792 		do {
13793 			prog[*fixup_map_hash_8b].imm = map_fds[0];
13794 			fixup_map_hash_8b++;
13795 		} while (*fixup_map_hash_8b);
13796 	}
13797 
13798 	if (*fixup_map_hash_48b) {
13799 		map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
13800 					sizeof(struct test_val), 1);
13801 		do {
13802 			prog[*fixup_map_hash_48b].imm = map_fds[1];
13803 			fixup_map_hash_48b++;
13804 		} while (*fixup_map_hash_48b);
13805 	}
13806 
13807 	if (*fixup_map_hash_16b) {
13808 		map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
13809 					sizeof(struct other_val), 1);
13810 		do {
13811 			prog[*fixup_map_hash_16b].imm = map_fds[2];
13812 			fixup_map_hash_16b++;
13813 		} while (*fixup_map_hash_16b);
13814 	}
13815 
13816 	if (*fixup_map_array_48b) {
13817 		map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
13818 					sizeof(struct test_val), 1);
13819 		do {
13820 			prog[*fixup_map_array_48b].imm = map_fds[3];
13821 			fixup_map_array_48b++;
13822 		} while (*fixup_map_array_48b);
13823 	}
13824 
13825 	if (*fixup_prog1) {
13826 		map_fds[4] = create_prog_array(prog_type, 4, 0);
13827 		do {
13828 			prog[*fixup_prog1].imm = map_fds[4];
13829 			fixup_prog1++;
13830 		} while (*fixup_prog1);
13831 	}
13832 
13833 	if (*fixup_prog2) {
13834 		map_fds[5] = create_prog_array(prog_type, 8, 7);
13835 		do {
13836 			prog[*fixup_prog2].imm = map_fds[5];
13837 			fixup_prog2++;
13838 		} while (*fixup_prog2);
13839 	}
13840 
13841 	if (*fixup_map_in_map) {
13842 		map_fds[6] = create_map_in_map();
13843 		do {
13844 			prog[*fixup_map_in_map].imm = map_fds[6];
13845 			fixup_map_in_map++;
13846 		} while (*fixup_map_in_map);
13847 	}
13848 
13849 	if (*fixup_cgroup_storage) {
13850 		map_fds[7] = create_cgroup_storage(false);
13851 		do {
13852 			prog[*fixup_cgroup_storage].imm = map_fds[7];
13853 			fixup_cgroup_storage++;
13854 		} while (*fixup_cgroup_storage);
13855 	}
13856 
13857 	if (*fixup_percpu_cgroup_storage) {
13858 		map_fds[8] = create_cgroup_storage(true);
13859 		do {
13860 			prog[*fixup_percpu_cgroup_storage].imm = map_fds[8];
13861 			fixup_percpu_cgroup_storage++;
13862 		} while (*fixup_percpu_cgroup_storage);
13863 	}
13864 	if (*fixup_map_sockmap) {
13865 		map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int),
13866 					sizeof(int), 1);
13867 		do {
13868 			prog[*fixup_map_sockmap].imm = map_fds[9];
13869 			fixup_map_sockmap++;
13870 		} while (*fixup_map_sockmap);
13871 	}
13872 	if (*fixup_map_sockhash) {
13873 		map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int),
13874 					sizeof(int), 1);
13875 		do {
13876 			prog[*fixup_map_sockhash].imm = map_fds[10];
13877 			fixup_map_sockhash++;
13878 		} while (*fixup_map_sockhash);
13879 	}
13880 	if (*fixup_map_xskmap) {
13881 		map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int),
13882 					sizeof(int), 1);
13883 		do {
13884 			prog[*fixup_map_xskmap].imm = map_fds[11];
13885 			fixup_map_xskmap++;
13886 		} while (*fixup_map_xskmap);
13887 	}
13888 	if (*fixup_map_stacktrace) {
13889 		map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32),
13890 					 sizeof(u64), 1);
13891 		do {
13892 			prog[*fixup_map_stacktrace].imm = map_fds[12];
13893 			fixup_map_stacktrace++;
13894 		} while (fixup_map_stacktrace);
13895 	}
13896 }
13897 
13898 static void do_test_single(struct bpf_test *test, bool unpriv,
13899 			   int *passes, int *errors)
13900 {
13901 	int fd_prog, expected_ret, reject_from_alignment;
13902 	int prog_len, prog_type = test->prog_type;
13903 	struct bpf_insn *prog = test->insns;
13904 	int map_fds[MAX_NR_MAPS];
13905 	const char *expected_err;
13906 	uint32_t retval;
13907 	int i, err;
13908 
13909 	for (i = 0; i < MAX_NR_MAPS; i++)
13910 		map_fds[i] = -1;
13911 
13912 	if (!prog_type)
13913 		prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
13914 	do_test_fixup(test, prog_type, prog, map_fds);
13915 	prog_len = probe_filter_length(prog);
13916 
13917 	fd_prog = bpf_verify_program(prog_type, prog, prog_len,
13918 				     test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
13919 				     "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
13920 
13921 	expected_ret = unpriv && test->result_unpriv != UNDEF ?
13922 		       test->result_unpriv : test->result;
13923 	expected_err = unpriv && test->errstr_unpriv ?
13924 		       test->errstr_unpriv : test->errstr;
13925 
13926 	reject_from_alignment = fd_prog < 0 &&
13927 				(test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
13928 				strstr(bpf_vlog, "Unknown alignment.");
13929 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
13930 	if (reject_from_alignment) {
13931 		printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
13932 		       strerror(errno));
13933 		goto fail_log;
13934 	}
13935 #endif
13936 	if (expected_ret == ACCEPT) {
13937 		if (fd_prog < 0 && !reject_from_alignment) {
13938 			printf("FAIL\nFailed to load prog '%s'!\n",
13939 			       strerror(errno));
13940 			goto fail_log;
13941 		}
13942 	} else {
13943 		if (fd_prog >= 0) {
13944 			printf("FAIL\nUnexpected success to load!\n");
13945 			goto fail_log;
13946 		}
13947 		if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
13948 			printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
13949 			      expected_err, bpf_vlog);
13950 			goto fail_log;
13951 		}
13952 	}
13953 
13954 	if (fd_prog >= 0) {
13955 		__u8 tmp[TEST_DATA_LEN << 2];
13956 		__u32 size_tmp = sizeof(tmp);
13957 
13958 		err = bpf_prog_test_run(fd_prog, 1, test->data,
13959 					sizeof(test->data), tmp, &size_tmp,
13960 					&retval, NULL);
13961 		if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
13962 			printf("Unexpected bpf_prog_test_run error\n");
13963 			goto fail_log;
13964 		}
13965 		if (!err && retval != test->retval &&
13966 		    test->retval != POINTER_VALUE) {
13967 			printf("FAIL retval %d != %d\n", retval, test->retval);
13968 			goto fail_log;
13969 		}
13970 	}
13971 	(*passes)++;
13972 	printf("OK%s\n", reject_from_alignment ?
13973 	       " (NOTE: reject due to unknown alignment)" : "");
13974 close_fds:
13975 	close(fd_prog);
13976 	for (i = 0; i < MAX_NR_MAPS; i++)
13977 		close(map_fds[i]);
13978 	sched_yield();
13979 	return;
13980 fail_log:
13981 	(*errors)++;
13982 	printf("%s", bpf_vlog);
13983 	goto close_fds;
13984 }
13985 
13986 static bool is_admin(void)
13987 {
13988 	cap_t caps;
13989 	cap_flag_value_t sysadmin = CAP_CLEAR;
13990 	const cap_value_t cap_val = CAP_SYS_ADMIN;
13991 
13992 #ifdef CAP_IS_SUPPORTED
13993 	if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
13994 		perror("cap_get_flag");
13995 		return false;
13996 	}
13997 #endif
13998 	caps = cap_get_proc();
13999 	if (!caps) {
14000 		perror("cap_get_proc");
14001 		return false;
14002 	}
14003 	if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
14004 		perror("cap_get_flag");
14005 	if (cap_free(caps))
14006 		perror("cap_free");
14007 	return (sysadmin == CAP_SET);
14008 }
14009 
14010 static int set_admin(bool admin)
14011 {
14012 	cap_t caps;
14013 	const cap_value_t cap_val = CAP_SYS_ADMIN;
14014 	int ret = -1;
14015 
14016 	caps = cap_get_proc();
14017 	if (!caps) {
14018 		perror("cap_get_proc");
14019 		return -1;
14020 	}
14021 	if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
14022 				admin ? CAP_SET : CAP_CLEAR)) {
14023 		perror("cap_set_flag");
14024 		goto out;
14025 	}
14026 	if (cap_set_proc(caps)) {
14027 		perror("cap_set_proc");
14028 		goto out;
14029 	}
14030 	ret = 0;
14031 out:
14032 	if (cap_free(caps))
14033 		perror("cap_free");
14034 	return ret;
14035 }
14036 
14037 static void get_unpriv_disabled()
14038 {
14039 	char buf[2];
14040 	FILE *fd;
14041 
14042 	fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
14043 	if (!fd) {
14044 		perror("fopen /proc/sys/"UNPRIV_SYSCTL);
14045 		unpriv_disabled = true;
14046 		return;
14047 	}
14048 	if (fgets(buf, 2, fd) == buf && atoi(buf))
14049 		unpriv_disabled = true;
14050 	fclose(fd);
14051 }
14052 
14053 static int do_test(bool unpriv, unsigned int from, unsigned int to)
14054 {
14055 	int i, passes = 0, errors = 0, skips = 0;
14056 
14057 	for (i = from; i < to; i++) {
14058 		struct bpf_test *test = &tests[i];
14059 
14060 		/* Program types that are not supported by non-root we
14061 		 * skip right away.
14062 		 */
14063 		if (!test->prog_type && unpriv_disabled) {
14064 			printf("#%d/u %s SKIP\n", i, test->descr);
14065 			skips++;
14066 		} else if (!test->prog_type) {
14067 			if (!unpriv)
14068 				set_admin(false);
14069 			printf("#%d/u %s ", i, test->descr);
14070 			do_test_single(test, true, &passes, &errors);
14071 			if (!unpriv)
14072 				set_admin(true);
14073 		}
14074 
14075 		if (unpriv) {
14076 			printf("#%d/p %s SKIP\n", i, test->descr);
14077 			skips++;
14078 		} else {
14079 			printf("#%d/p %s ", i, test->descr);
14080 			do_test_single(test, false, &passes, &errors);
14081 		}
14082 	}
14083 
14084 	printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
14085 	       skips, errors);
14086 	return errors ? EXIT_FAILURE : EXIT_SUCCESS;
14087 }
14088 
14089 int main(int argc, char **argv)
14090 {
14091 	unsigned int from = 0, to = ARRAY_SIZE(tests);
14092 	bool unpriv = !is_admin();
14093 
14094 	if (argc == 3) {
14095 		unsigned int l = atoi(argv[argc - 2]);
14096 		unsigned int u = atoi(argv[argc - 1]);
14097 
14098 		if (l < to && u < to) {
14099 			from = l;
14100 			to   = u + 1;
14101 		}
14102 	} else if (argc == 2) {
14103 		unsigned int t = atoi(argv[argc - 1]);
14104 
14105 		if (t < to) {
14106 			from = t;
14107 			to   = t + 1;
14108 		}
14109 	}
14110 
14111 	get_unpriv_disabled();
14112 	if (unpriv && unpriv_disabled) {
14113 		printf("Cannot run as unprivileged user with sysctl %s.\n",
14114 		       UNPRIV_SYSCTL);
14115 		return EXIT_FAILURE;
14116 	}
14117 
14118 	bpf_semi_rand_init();
14119 	return do_test(unpriv, from, to);
14120 }
14121