xref: /linux/tools/testing/selftests/bpf/verifier/calls.c (revision c94cd9508b1335b949fd13ebd269313c65492df0)
1 {
2 	"calls: invalid kfunc call not eliminated",
3 	.insns = {
4 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
5 	BPF_MOV64_IMM(BPF_REG_0, 1),
6 	BPF_EXIT_INSN(),
7 	},
8 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9 	.result  = REJECT,
10 	.errstr = "invalid kernel function call not eliminated in verifier pass",
11 },
12 {
13 	"calls: invalid kfunc call unreachable",
14 	.insns = {
15 	BPF_MOV64_IMM(BPF_REG_0, 1),
16 	BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 0, 2),
17 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
18 	BPF_MOV64_IMM(BPF_REG_0, 1),
19 	BPF_EXIT_INSN(),
20 	},
21 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
22 	.result  = ACCEPT,
23 },
24 {
25 	"calls: invalid kfunc call: ptr_to_mem to struct with non-scalar",
26 	.insns = {
27 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
28 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
29 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
30 	BPF_EXIT_INSN(),
31 	},
32 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
33 	.result = REJECT,
34 	.errstr = "arg#0 pointer type STRUCT prog_test_fail1 must point to scalar",
35 	.fixup_kfunc_btf_id = {
36 		{ "bpf_kfunc_call_test_fail1", 2 },
37 	},
38 },
39 {
40 	"calls: invalid kfunc call: ptr_to_mem to struct with nesting depth > 4",
41 	.insns = {
42 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
43 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
44 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
45 	BPF_EXIT_INSN(),
46 	},
47 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
48 	.result = REJECT,
49 	.errstr = "max struct nesting depth exceeded\narg#0 pointer type STRUCT prog_test_fail2",
50 	.fixup_kfunc_btf_id = {
51 		{ "bpf_kfunc_call_test_fail2", 2 },
52 	},
53 },
54 {
55 	"calls: invalid kfunc call: ptr_to_mem to struct with FAM",
56 	.insns = {
57 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
58 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
59 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
60 	BPF_EXIT_INSN(),
61 	},
62 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
63 	.result = REJECT,
64 	.errstr = "arg#0 pointer type STRUCT prog_test_fail3 must point to scalar",
65 	.fixup_kfunc_btf_id = {
66 		{ "bpf_kfunc_call_test_fail3", 2 },
67 	},
68 },
69 {
70 	"calls: invalid kfunc call: reg->type != PTR_TO_CTX",
71 	.insns = {
72 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
73 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
74 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
75 	BPF_EXIT_INSN(),
76 	},
77 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
78 	.result = REJECT,
79 	.errstr = "arg#0 expected pointer to ctx, but got fp",
80 	.fixup_kfunc_btf_id = {
81 		{ "bpf_kfunc_call_test_pass_ctx", 2 },
82 	},
83 },
84 {
85 	"calls: invalid kfunc call: void * not allowed in func proto without mem size arg",
86 	.insns = {
87 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
88 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
89 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
90 	BPF_EXIT_INSN(),
91 	},
92 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
93 	.result = REJECT,
94 	.errstr = "arg#0 pointer type UNKNOWN  must point to scalar",
95 	.fixup_kfunc_btf_id = {
96 		{ "bpf_kfunc_call_test_mem_len_fail1", 2 },
97 	},
98 },
99 {
100 	"calls: trigger reg2btf_ids[reg->type] for reg->type > __BPF_REG_TYPE_MAX",
101 	.insns = {
102 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
103 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
104 	BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
105 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
106 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
107 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
108 	BPF_EXIT_INSN(),
109 	},
110 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
111 	.result = REJECT,
112 	.errstr = "Possibly NULL pointer passed to trusted arg0",
113 	.fixup_kfunc_btf_id = {
114 		{ "bpf_kfunc_call_test_acquire", 3 },
115 		{ "bpf_kfunc_call_test_release", 5 },
116 	},
117 },
118 {
119 	"calls: invalid kfunc call: reg->off must be zero when passed to release kfunc",
120 	.insns = {
121 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
122 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
123 	BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
124 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
125 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
126 	BPF_EXIT_INSN(),
127 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
128 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
129 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
130 	BPF_MOV64_IMM(BPF_REG_0, 0),
131 	BPF_EXIT_INSN(),
132 	},
133 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
134 	.result = REJECT,
135 	.errstr = "R1 must have zero offset when passed to release func",
136 	.fixup_kfunc_btf_id = {
137 		{ "bpf_kfunc_call_test_acquire", 3 },
138 		{ "bpf_kfunc_call_memb_release", 8 },
139 	},
140 },
141 {
142 	"calls: invalid kfunc call: don't match first member type when passed to release kfunc",
143 	.insns = {
144 	BPF_MOV64_IMM(BPF_REG_0, 0),
145 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
146 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
147 	BPF_EXIT_INSN(),
148 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
149 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
150 	BPF_MOV64_IMM(BPF_REG_0, 0),
151 	BPF_EXIT_INSN(),
152 	},
153 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
154 	.result = REJECT,
155 	.errstr = "kernel function bpf_kfunc_call_memb1_release args#0 expected pointer",
156 	.fixup_kfunc_btf_id = {
157 		{ "bpf_kfunc_call_memb_acquire", 1 },
158 		{ "bpf_kfunc_call_memb1_release", 5 },
159 	},
160 },
161 {
162 	"calls: invalid kfunc call: PTR_TO_BTF_ID with negative offset",
163 	.insns = {
164 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
165 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
166 	BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
167 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
168 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
169 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
170 	BPF_EXIT_INSN(),
171 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
172 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -4),
173 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
174 	BPF_MOV64_IMM(BPF_REG_0, 0),
175 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
176 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
177 	BPF_MOV64_IMM(BPF_REG_0, 0),
178 	BPF_EXIT_INSN(),
179 	},
180 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
181 	.fixup_kfunc_btf_id = {
182 		{ "bpf_kfunc_call_test_acquire", 3 },
183 		{ "bpf_kfunc_call_test_offset", 9 },
184 		{ "bpf_kfunc_call_test_release", 12 },
185 	},
186 	.result_unpriv = REJECT,
187 	.result = REJECT,
188 	.errstr = "ptr R1 off=-4 disallowed",
189 },
190 {
191 	"calls: invalid kfunc call: PTR_TO_BTF_ID with variable offset",
192 	.insns = {
193 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
194 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
195 	BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
196 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
197 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
198 	BPF_EXIT_INSN(),
199 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
200 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
201 	BPF_JMP_IMM(BPF_JLE, BPF_REG_2, 4, 3),
202 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
203 	BPF_MOV64_IMM(BPF_REG_0, 0),
204 	BPF_EXIT_INSN(),
205 	BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 3),
206 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
207 	BPF_MOV64_IMM(BPF_REG_0, 0),
208 	BPF_EXIT_INSN(),
209 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
210 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
211 	BPF_MOV64_IMM(BPF_REG_0, 0),
212 	BPF_EXIT_INSN(),
213 	},
214 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
215 	.fixup_kfunc_btf_id = {
216 		{ "bpf_kfunc_call_test_acquire", 3 },
217 		{ "bpf_kfunc_call_test_release", 9 },
218 		{ "bpf_kfunc_call_test_release", 13 },
219 		{ "bpf_kfunc_call_test_release", 17 },
220 	},
221 	.result_unpriv = REJECT,
222 	.result = REJECT,
223 	.errstr = "variable ptr_ access var_off=(0x0; 0x7) disallowed",
224 },
225 {
226 	"calls: invalid kfunc call: referenced arg needs refcounted PTR_TO_BTF_ID",
227 	.insns = {
228 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
229 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
230 	BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
231 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
232 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
233 	BPF_EXIT_INSN(),
234 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
235 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
236 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
237 	BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 16),
238 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
239 	BPF_MOV64_IMM(BPF_REG_0, 0),
240 	BPF_EXIT_INSN(),
241 	},
242 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
243 	.fixup_kfunc_btf_id = {
244 		{ "bpf_kfunc_call_test_acquire", 3 },
245 		{ "bpf_kfunc_call_test_ref", 8 },
246 		{ "bpf_kfunc_call_test_ref", 10 },
247 	},
248 	.result_unpriv = REJECT,
249 	.result = REJECT,
250 	.errstr = "R1 must be",
251 },
252 {
253 	"calls: valid kfunc call: referenced arg needs refcounted PTR_TO_BTF_ID",
254 	.insns = {
255 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
256 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
257 	BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
258 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
259 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
260 	BPF_EXIT_INSN(),
261 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
262 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
263 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
264 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
265 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
266 	BPF_MOV64_IMM(BPF_REG_0, 0),
267 	BPF_EXIT_INSN(),
268 	},
269 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
270 	.fixup_kfunc_btf_id = {
271 		{ "bpf_kfunc_call_test_acquire", 3 },
272 		{ "bpf_kfunc_call_test_ref", 8 },
273 		{ "bpf_kfunc_call_test_release", 10 },
274 	},
275 	.result_unpriv = REJECT,
276 	.result = ACCEPT,
277 },
278 {
279 	"calls: invalid kfunc call: must provide (attach_prog_fd, btf_id) pair when freplace",
280 	.insns = {
281 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
282 	BPF_EXIT_INSN(),
283 	},
284 	.prog_type = BPF_PROG_TYPE_EXT,
285 	.result = REJECT,
286 	.errstr = "Tracing programs must provide btf_id",
287 	.fixup_kfunc_btf_id = {
288 		{ "bpf_dynptr_from_skb", 0 },
289 	},
290 },
291 {
292 	"calls: basic sanity",
293 	.insns = {
294 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
295 	BPF_MOV64_IMM(BPF_REG_0, 1),
296 	BPF_EXIT_INSN(),
297 	BPF_MOV64_IMM(BPF_REG_0, 2),
298 	BPF_EXIT_INSN(),
299 	},
300 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
301 	.result = ACCEPT,
302 },
303 {
304 	"calls: not on unprivileged",
305 	.insns = {
306 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
307 	BPF_MOV64_IMM(BPF_REG_0, 1),
308 	BPF_EXIT_INSN(),
309 	BPF_MOV64_IMM(BPF_REG_0, 2),
310 	BPF_EXIT_INSN(),
311 	},
312 	.errstr_unpriv = "loading/calling other bpf or kernel functions are allowed for",
313 	.result_unpriv = REJECT,
314 	.result = ACCEPT,
315 	.retval = 1,
316 },
317 {
318 	"calls: div by 0 in subprog",
319 	.insns = {
320 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
321 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
322 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
323 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
324 		    offsetof(struct __sk_buff, data_end)),
325 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
326 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
327 	BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
328 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
329 	BPF_MOV64_IMM(BPF_REG_0, 1),
330 	BPF_EXIT_INSN(),
331 	BPF_MOV32_IMM(BPF_REG_2, 0),
332 	BPF_MOV32_IMM(BPF_REG_3, 1),
333 	BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
334 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
335 		    offsetof(struct __sk_buff, data)),
336 	BPF_EXIT_INSN(),
337 	},
338 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
339 	.result = ACCEPT,
340 	.retval = 1,
341 },
342 {
343 	"calls: multiple ret types in subprog 1",
344 	.insns = {
345 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
346 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
347 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
348 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
349 		    offsetof(struct __sk_buff, data_end)),
350 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
351 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
352 	BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
353 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
354 	BPF_MOV64_IMM(BPF_REG_0, 1),
355 	BPF_EXIT_INSN(),
356 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
357 		    offsetof(struct __sk_buff, data)),
358 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
359 	BPF_MOV32_IMM(BPF_REG_0, 42),
360 	BPF_EXIT_INSN(),
361 	},
362 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
363 	.result = REJECT,
364 	.errstr = "R0 invalid mem access 'scalar'",
365 },
366 {
367 	"calls: multiple ret types in subprog 2",
368 	.insns = {
369 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
370 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
371 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
372 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
373 		    offsetof(struct __sk_buff, data_end)),
374 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
375 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
376 	BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
377 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
378 	BPF_MOV64_IMM(BPF_REG_0, 1),
379 	BPF_EXIT_INSN(),
380 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
381 		    offsetof(struct __sk_buff, data)),
382 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
383 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
384 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
385 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
386 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
387 	BPF_LD_MAP_FD(BPF_REG_1, 0),
388 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
389 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
390 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
391 		    offsetof(struct __sk_buff, data)),
392 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
393 	BPF_EXIT_INSN(),
394 	},
395 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
396 	.fixup_map_hash_8b = { 16 },
397 	.result = REJECT,
398 	.errstr = "R0 min value is outside of the allowed memory range",
399 },
400 {
401 	"calls: overlapping caller/callee",
402 	.insns = {
403 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
404 	BPF_MOV64_IMM(BPF_REG_0, 1),
405 	BPF_EXIT_INSN(),
406 	},
407 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
408 	.errstr = "last insn is not an exit or jmp",
409 	.result = REJECT,
410 },
411 {
412 	"calls: wrong recursive calls",
413 	.insns = {
414 	BPF_JMP_IMM(BPF_JA, 0, 0, 4),
415 	BPF_JMP_IMM(BPF_JA, 0, 0, 4),
416 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
417 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
418 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
419 	BPF_MOV64_IMM(BPF_REG_0, 1),
420 	BPF_EXIT_INSN(),
421 	},
422 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
423 	.errstr = "jump out of range",
424 	.result = REJECT,
425 },
426 {
427 	"calls: wrong src reg",
428 	.insns = {
429 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 3, 0, 0),
430 	BPF_MOV64_IMM(BPF_REG_0, 1),
431 	BPF_EXIT_INSN(),
432 	},
433 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
434 	.errstr = "BPF_CALL uses reserved fields",
435 	.result = REJECT,
436 },
437 {
438 	"calls: wrong off value",
439 	.insns = {
440 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
441 	BPF_MOV64_IMM(BPF_REG_0, 1),
442 	BPF_EXIT_INSN(),
443 	BPF_MOV64_IMM(BPF_REG_0, 2),
444 	BPF_EXIT_INSN(),
445 	},
446 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
447 	.errstr = "BPF_CALL uses reserved fields",
448 	.result = REJECT,
449 },
450 {
451 	"calls: jump back loop",
452 	.insns = {
453 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
454 	BPF_MOV64_IMM(BPF_REG_0, 1),
455 	BPF_EXIT_INSN(),
456 	},
457 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
458 	.errstr = "the call stack of 9 frames is too deep",
459 	.result = REJECT,
460 },
461 {
462 	"calls: conditional call",
463 	.insns = {
464 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
465 		    offsetof(struct __sk_buff, mark)),
466 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
467 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
468 	BPF_MOV64_IMM(BPF_REG_0, 1),
469 	BPF_EXIT_INSN(),
470 	BPF_MOV64_IMM(BPF_REG_0, 2),
471 	BPF_EXIT_INSN(),
472 	},
473 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
474 	.errstr = "jump out of range",
475 	.result = REJECT,
476 },
477 {
478 	"calls: conditional call 2",
479 	.insns = {
480 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
481 		    offsetof(struct __sk_buff, mark)),
482 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
483 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
484 	BPF_MOV64_IMM(BPF_REG_0, 1),
485 	BPF_EXIT_INSN(),
486 	BPF_MOV64_IMM(BPF_REG_0, 2),
487 	BPF_EXIT_INSN(),
488 	BPF_MOV64_IMM(BPF_REG_0, 3),
489 	BPF_EXIT_INSN(),
490 	},
491 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
492 	.result = ACCEPT,
493 },
494 {
495 	"calls: conditional call 3",
496 	.insns = {
497 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
498 		    offsetof(struct __sk_buff, mark)),
499 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
500 	BPF_JMP_IMM(BPF_JA, 0, 0, 4),
501 	BPF_MOV64_IMM(BPF_REG_0, 1),
502 	BPF_EXIT_INSN(),
503 	BPF_MOV64_IMM(BPF_REG_0, 1),
504 	BPF_JMP_IMM(BPF_JA, 0, 0, -6),
505 	BPF_MOV64_IMM(BPF_REG_0, 3),
506 	BPF_JMP_IMM(BPF_JA, 0, 0, -6),
507 	},
508 	.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
509 	.errstr_unpriv = "back-edge from insn",
510 	.result_unpriv = REJECT,
511 	.result = ACCEPT,
512 	.retval = 1,
513 },
514 {
515 	"calls: conditional call 4",
516 	.insns = {
517 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
518 		    offsetof(struct __sk_buff, mark)),
519 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
520 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
521 	BPF_MOV64_IMM(BPF_REG_0, 1),
522 	BPF_EXIT_INSN(),
523 	BPF_MOV64_IMM(BPF_REG_0, 1),
524 	BPF_JMP_IMM(BPF_JA, 0, 0, -5),
525 	BPF_MOV64_IMM(BPF_REG_0, 3),
526 	BPF_EXIT_INSN(),
527 	},
528 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
529 	.result = ACCEPT,
530 },
531 {
532 	"calls: conditional call 5",
533 	.insns = {
534 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
535 		    offsetof(struct __sk_buff, mark)),
536 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
537 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
538 	BPF_MOV64_IMM(BPF_REG_0, 1),
539 	BPF_EXIT_INSN(),
540 	BPF_MOV64_IMM(BPF_REG_0, 1),
541 	BPF_JMP_IMM(BPF_JA, 0, 0, -6),
542 	BPF_MOV64_IMM(BPF_REG_0, 3),
543 	BPF_EXIT_INSN(),
544 	},
545 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
546 	.result = ACCEPT,
547 	.retval = 1,
548 },
549 {
550 	"calls: conditional call 6",
551 	.insns = {
552 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
553 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
554 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
555 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
556 	BPF_EXIT_INSN(),
557 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
558 		    offsetof(struct __sk_buff, mark)),
559 	BPF_EXIT_INSN(),
560 	},
561 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
562 	.errstr = "infinite loop detected",
563 	.result = REJECT,
564 },
565 {
566 	"calls: using r0 returned by callee",
567 	.insns = {
568 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
569 	BPF_EXIT_INSN(),
570 	BPF_MOV64_IMM(BPF_REG_0, 2),
571 	BPF_EXIT_INSN(),
572 	},
573 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
574 	.result = ACCEPT,
575 },
576 {
577 	"calls: using uninit r0 from callee",
578 	.insns = {
579 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
580 	BPF_EXIT_INSN(),
581 	BPF_EXIT_INSN(),
582 	},
583 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
584 	.errstr = "!read_ok",
585 	.result = REJECT,
586 },
587 {
588 	"calls: callee is using r1",
589 	.insns = {
590 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
591 	BPF_EXIT_INSN(),
592 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
593 		    offsetof(struct __sk_buff, len)),
594 	BPF_EXIT_INSN(),
595 	},
596 	.prog_type = BPF_PROG_TYPE_SCHED_ACT,
597 	.result = ACCEPT,
598 	.retval = TEST_DATA_LEN,
599 },
600 {
601 	"calls: callee using args1",
602 	.insns = {
603 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
604 	BPF_EXIT_INSN(),
605 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
606 	BPF_EXIT_INSN(),
607 	},
608 	.errstr_unpriv = "allowed for",
609 	.result_unpriv = REJECT,
610 	.result = ACCEPT,
611 	.retval = POINTER_VALUE,
612 },
613 {
614 	"calls: callee using wrong args2",
615 	.insns = {
616 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
617 	BPF_EXIT_INSN(),
618 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
619 	BPF_EXIT_INSN(),
620 	},
621 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
622 	.errstr = "R2 !read_ok",
623 	.result = REJECT,
624 },
625 {
626 	"calls: callee using two args",
627 	.insns = {
628 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
629 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
630 		    offsetof(struct __sk_buff, len)),
631 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
632 		    offsetof(struct __sk_buff, len)),
633 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
634 	BPF_EXIT_INSN(),
635 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
636 	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
637 	BPF_EXIT_INSN(),
638 	},
639 	.errstr_unpriv = "allowed for",
640 	.result_unpriv = REJECT,
641 	.result = ACCEPT,
642 	.retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
643 },
644 {
645 	"calls: callee changing pkt pointers",
646 	.insns = {
647 	BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1, offsetof(struct xdp_md, data)),
648 	BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
649 		    offsetof(struct xdp_md, data_end)),
650 	BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
651 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
652 	BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
653 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
654 	/* clear_all_pkt_pointers() has to walk all frames
655 	 * to make sure that pkt pointers in the caller
656 	 * are cleared when callee is calling a helper that
657 	 * adjusts packet size
658 	 */
659 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
660 	BPF_MOV32_IMM(BPF_REG_0, 0),
661 	BPF_EXIT_INSN(),
662 	BPF_MOV64_IMM(BPF_REG_2, 0),
663 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_xdp_adjust_head),
664 	BPF_EXIT_INSN(),
665 	},
666 	.result = REJECT,
667 	.errstr = "R6 invalid mem access 'scalar'",
668 	.prog_type = BPF_PROG_TYPE_XDP,
669 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
670 },
671 {
672 	"calls: ptr null check in subprog",
673 	.insns = {
674 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
675 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
676 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
677 	BPF_LD_MAP_FD(BPF_REG_1, 0),
678 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
679 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
680 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
681 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
682 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
683 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
684 	BPF_EXIT_INSN(),
685 	BPF_MOV64_IMM(BPF_REG_0, 0),
686 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
687 	BPF_MOV64_IMM(BPF_REG_0, 1),
688 	BPF_EXIT_INSN(),
689 	},
690 	.errstr_unpriv = "loading/calling other bpf or kernel functions are allowed for",
691 	.fixup_map_hash_48b = { 3 },
692 	.result_unpriv = REJECT,
693 	.result = ACCEPT,
694 	.retval = 0,
695 },
696 {
697 	"calls: two calls with args",
698 	.insns = {
699 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
700 	BPF_EXIT_INSN(),
701 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
702 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
703 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
704 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
705 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
706 	BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
707 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
708 	BPF_EXIT_INSN(),
709 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
710 		    offsetof(struct __sk_buff, len)),
711 	BPF_EXIT_INSN(),
712 	},
713 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
714 	.result = ACCEPT,
715 	.retval = TEST_DATA_LEN + TEST_DATA_LEN,
716 },
717 {
718 	"calls: calls with stack arith",
719 	.insns = {
720 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
721 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
722 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
723 	BPF_EXIT_INSN(),
724 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
725 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
726 	BPF_EXIT_INSN(),
727 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
728 	BPF_MOV64_IMM(BPF_REG_0, 42),
729 	BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
730 	BPF_EXIT_INSN(),
731 	},
732 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
733 	.result = ACCEPT,
734 	.retval = 42,
735 },
736 {
737 	"calls: calls with misaligned stack access",
738 	.insns = {
739 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
740 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
741 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
742 	BPF_EXIT_INSN(),
743 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
744 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
745 	BPF_EXIT_INSN(),
746 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
747 	BPF_MOV64_IMM(BPF_REG_0, 42),
748 	BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
749 	BPF_EXIT_INSN(),
750 	},
751 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
752 	.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
753 	.errstr = "misaligned stack access",
754 	.result = REJECT,
755 },
756 {
757 	"calls: calls control flow, jump test",
758 	.insns = {
759 	BPF_MOV64_IMM(BPF_REG_0, 42),
760 	BPF_JMP_IMM(BPF_JA, 0, 0, 2),
761 	BPF_MOV64_IMM(BPF_REG_0, 43),
762 	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
763 	BPF_JMP_IMM(BPF_JA, 0, 0, -3),
764 	BPF_EXIT_INSN(),
765 	},
766 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
767 	.result = ACCEPT,
768 	.retval = 43,
769 },
770 {
771 	"calls: calls control flow, jump test 2",
772 	.insns = {
773 	BPF_MOV64_IMM(BPF_REG_0, 42),
774 	BPF_JMP_IMM(BPF_JA, 0, 0, 2),
775 	BPF_MOV64_IMM(BPF_REG_0, 43),
776 	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
777 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
778 	BPF_EXIT_INSN(),
779 	},
780 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
781 	.errstr = "jump out of range from insn 1 to 4",
782 	.result = REJECT,
783 },
784 {
785 	"calls: two calls with bad jump",
786 	.insns = {
787 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
788 	BPF_EXIT_INSN(),
789 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
790 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
791 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
792 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
793 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
794 	BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
795 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
796 	BPF_EXIT_INSN(),
797 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
798 		    offsetof(struct __sk_buff, len)),
799 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
800 	BPF_EXIT_INSN(),
801 	},
802 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
803 	.errstr = "jump out of range from insn 11 to 9",
804 	.result = REJECT,
805 },
806 {
807 	"calls: recursive call. test1",
808 	.insns = {
809 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
810 	BPF_EXIT_INSN(),
811 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
812 	BPF_EXIT_INSN(),
813 	},
814 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
815 	.errstr = "the call stack of 9 frames is too deep",
816 	.result = REJECT,
817 },
818 {
819 	"calls: recursive call. test2",
820 	.insns = {
821 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
822 	BPF_EXIT_INSN(),
823 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
824 	BPF_EXIT_INSN(),
825 	},
826 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
827 	.errstr = "the call stack of 9 frames is too deep",
828 	.result = REJECT,
829 },
830 {
831 	"calls: unreachable code",
832 	.insns = {
833 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
834 	BPF_EXIT_INSN(),
835 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
836 	BPF_EXIT_INSN(),
837 	BPF_MOV64_IMM(BPF_REG_0, 0),
838 	BPF_EXIT_INSN(),
839 	BPF_MOV64_IMM(BPF_REG_0, 0),
840 	BPF_EXIT_INSN(),
841 	},
842 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
843 	.errstr = "unreachable insn 6",
844 	.result = REJECT,
845 },
846 {
847 	"calls: invalid call",
848 	.insns = {
849 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
850 	BPF_EXIT_INSN(),
851 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
852 	BPF_EXIT_INSN(),
853 	},
854 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
855 	.errstr = "invalid destination",
856 	.result = REJECT,
857 },
858 {
859 	"calls: invalid call 2",
860 	.insns = {
861 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
862 	BPF_EXIT_INSN(),
863 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
864 	BPF_EXIT_INSN(),
865 	},
866 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
867 	.errstr = "invalid destination",
868 	.result = REJECT,
869 },
870 {
871 	"calls: jumping across function bodies. test1",
872 	.insns = {
873 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
874 	BPF_MOV64_IMM(BPF_REG_0, 0),
875 	BPF_EXIT_INSN(),
876 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
877 	BPF_EXIT_INSN(),
878 	},
879 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
880 	.errstr = "jump out of range",
881 	.result = REJECT,
882 },
883 {
884 	"calls: jumping across function bodies. test2",
885 	.insns = {
886 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
887 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
888 	BPF_MOV64_IMM(BPF_REG_0, 0),
889 	BPF_EXIT_INSN(),
890 	BPF_EXIT_INSN(),
891 	},
892 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
893 	.errstr = "jump out of range",
894 	.result = REJECT,
895 },
896 {
897 	"calls: call without exit",
898 	.insns = {
899 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
900 	BPF_EXIT_INSN(),
901 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
902 	BPF_EXIT_INSN(),
903 	BPF_MOV64_IMM(BPF_REG_0, 0),
904 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
905 	},
906 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
907 	.errstr = "not an exit",
908 	.result = REJECT,
909 },
910 {
911 	"calls: call into middle of ld_imm64",
912 	.insns = {
913 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
914 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
915 	BPF_MOV64_IMM(BPF_REG_0, 0),
916 	BPF_EXIT_INSN(),
917 	BPF_LD_IMM64(BPF_REG_0, 0),
918 	BPF_EXIT_INSN(),
919 	},
920 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
921 	.errstr = "last insn",
922 	.result = REJECT,
923 },
924 {
925 	"calls: call into middle of other call",
926 	.insns = {
927 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
928 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
929 	BPF_MOV64_IMM(BPF_REG_0, 0),
930 	BPF_EXIT_INSN(),
931 	BPF_MOV64_IMM(BPF_REG_0, 0),
932 	BPF_MOV64_IMM(BPF_REG_0, 0),
933 	BPF_EXIT_INSN(),
934 	},
935 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
936 	.errstr = "last insn",
937 	.result = REJECT,
938 },
939 {
940 	"calls: subprog call with ld_abs in main prog",
941 	.insns = {
942 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
943 	BPF_LD_ABS(BPF_B, 0),
944 	BPF_LD_ABS(BPF_H, 0),
945 	BPF_LD_ABS(BPF_W, 0),
946 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
947 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
948 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
949 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
950 	BPF_LD_ABS(BPF_B, 0),
951 	BPF_LD_ABS(BPF_H, 0),
952 	BPF_LD_ABS(BPF_W, 0),
953 	BPF_EXIT_INSN(),
954 	BPF_MOV64_IMM(BPF_REG_2, 1),
955 	BPF_MOV64_IMM(BPF_REG_3, 2),
956 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_skb_vlan_push),
957 	BPF_EXIT_INSN(),
958 	},
959 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
960 	.result = ACCEPT,
961 },
962 {
963 	"calls: two calls with bad fallthrough",
964 	.insns = {
965 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
966 	BPF_EXIT_INSN(),
967 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
968 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
969 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
970 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
971 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
972 	BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
973 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
974 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
975 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
976 		    offsetof(struct __sk_buff, len)),
977 	BPF_EXIT_INSN(),
978 	},
979 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
980 	.errstr = "not an exit",
981 	.result = REJECT,
982 },
983 {
984 	"calls: two calls with stack read",
985 	.insns = {
986 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
987 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
988 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
989 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
990 	BPF_EXIT_INSN(),
991 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
992 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
993 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
994 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
995 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
996 	BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
997 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
998 	BPF_EXIT_INSN(),
999 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
1000 	BPF_EXIT_INSN(),
1001 	},
1002 	.prog_type = BPF_PROG_TYPE_XDP,
1003 	.result = ACCEPT,
1004 },
1005 {
1006 	"calls: two calls with stack write",
1007 	.insns = {
1008 	/* main prog */
1009 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1010 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1011 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1012 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1013 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1014 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1015 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
1016 	BPF_EXIT_INSN(),
1017 
1018 	/* subprog 1 */
1019 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1020 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1021 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
1022 	BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
1023 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1024 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
1025 	BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
1026 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
1027 	/* write into stack frame of main prog */
1028 	BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1029 	BPF_EXIT_INSN(),
1030 
1031 	/* subprog 2 */
1032 	/* read from stack frame of main prog */
1033 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
1034 	BPF_EXIT_INSN(),
1035 	},
1036 	.prog_type = BPF_PROG_TYPE_XDP,
1037 	.result = ACCEPT,
1038 },
1039 {
1040 	"calls: stack overflow using two frames (pre-call access)",
1041 	.insns = {
1042 	/* prog 1 */
1043 	BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
1044 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
1045 	BPF_EXIT_INSN(),
1046 
1047 	/* prog 2 */
1048 	BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
1049 	BPF_MOV64_IMM(BPF_REG_0, 0),
1050 	BPF_EXIT_INSN(),
1051 	},
1052 	.prog_type = BPF_PROG_TYPE_XDP,
1053 	.errstr = "combined stack size",
1054 	.result = REJECT,
1055 },
1056 {
1057 	"calls: stack overflow using two frames (post-call access)",
1058 	.insns = {
1059 	/* prog 1 */
1060 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
1061 	BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
1062 	BPF_EXIT_INSN(),
1063 
1064 	/* prog 2 */
1065 	BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
1066 	BPF_MOV64_IMM(BPF_REG_0, 0),
1067 	BPF_EXIT_INSN(),
1068 	},
1069 	.prog_type = BPF_PROG_TYPE_XDP,
1070 	.errstr = "combined stack size",
1071 	.result = REJECT,
1072 },
1073 {
1074 	"calls: stack depth check using three frames. test1",
1075 	.insns = {
1076 	/* main */
1077 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
1078 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
1079 	BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
1080 	BPF_MOV64_IMM(BPF_REG_0, 0),
1081 	BPF_EXIT_INSN(),
1082 	/* A */
1083 	BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
1084 	BPF_EXIT_INSN(),
1085 	/* B */
1086 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
1087 	BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
1088 	BPF_EXIT_INSN(),
1089 	},
1090 	.prog_type = BPF_PROG_TYPE_XDP,
1091 	/* stack_main=32, stack_A=256, stack_B=64
1092 	 * and max(main+A, main+A+B) < 512
1093 	 */
1094 	.result = ACCEPT,
1095 },
1096 {
1097 	"calls: stack depth check using three frames. test2",
1098 	.insns = {
1099 	/* main */
1100 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
1101 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
1102 	BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
1103 	BPF_MOV64_IMM(BPF_REG_0, 0),
1104 	BPF_EXIT_INSN(),
1105 	/* A */
1106 	BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
1107 	BPF_EXIT_INSN(),
1108 	/* B */
1109 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
1110 	BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
1111 	BPF_EXIT_INSN(),
1112 	},
1113 	.prog_type = BPF_PROG_TYPE_XDP,
1114 	/* stack_main=32, stack_A=64, stack_B=256
1115 	 * and max(main+A, main+A+B) < 512
1116 	 */
1117 	.result = ACCEPT,
1118 },
1119 {
1120 	"calls: stack depth check using three frames. test3",
1121 	.insns = {
1122 	/* main */
1123 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1124 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
1125 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1126 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
1127 	BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
1128 	BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
1129 	BPF_MOV64_IMM(BPF_REG_0, 0),
1130 	BPF_EXIT_INSN(),
1131 	/* A */
1132 	BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
1133 	BPF_EXIT_INSN(),
1134 	BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
1135 	BPF_JMP_IMM(BPF_JA, 0, 0, -3),
1136 	/* B */
1137 	BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
1138 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
1139 	BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
1140 	BPF_EXIT_INSN(),
1141 	},
1142 	.prog_type = BPF_PROG_TYPE_XDP,
1143 	/* stack_main=64, stack_A=224, stack_B=256
1144 	 * and max(main+A, main+A+B) > 512
1145 	 */
1146 	.errstr = "combined stack",
1147 	.result = REJECT,
1148 },
1149 {
1150 	"calls: stack depth check using three frames. test4",
1151 	/* void main(void) {
1152 	 *   func1(0);
1153 	 *   func1(1);
1154 	 *   func2(1);
1155 	 * }
1156 	 * void func1(int alloc_or_recurse) {
1157 	 *   if (alloc_or_recurse) {
1158 	 *     frame_pointer[-300] = 1;
1159 	 *   } else {
1160 	 *     func2(alloc_or_recurse);
1161 	 *   }
1162 	 * }
1163 	 * void func2(int alloc_or_recurse) {
1164 	 *   if (alloc_or_recurse) {
1165 	 *     frame_pointer[-300] = 1;
1166 	 *   }
1167 	 * }
1168 	 */
1169 	.insns = {
1170 	/* main */
1171 	BPF_MOV64_IMM(BPF_REG_1, 0),
1172 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
1173 	BPF_MOV64_IMM(BPF_REG_1, 1),
1174 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
1175 	BPF_MOV64_IMM(BPF_REG_1, 1),
1176 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
1177 	BPF_MOV64_IMM(BPF_REG_0, 0),
1178 	BPF_EXIT_INSN(),
1179 	/* A */
1180 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1181 	BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
1182 	BPF_EXIT_INSN(),
1183 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
1184 	BPF_EXIT_INSN(),
1185 	/* B */
1186 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1187 	BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
1188 	BPF_EXIT_INSN(),
1189 	},
1190 	.prog_type = BPF_PROG_TYPE_XDP,
1191 	.result = REJECT,
1192 	.errstr = "combined stack",
1193 },
1194 {
1195 	"calls: stack depth check using three frames. test5",
1196 	.insns = {
1197 	/* main */
1198 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
1199 	BPF_EXIT_INSN(),
1200 	/* A */
1201 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
1202 	BPF_EXIT_INSN(),
1203 	/* B */
1204 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
1205 	BPF_EXIT_INSN(),
1206 	/* C */
1207 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
1208 	BPF_EXIT_INSN(),
1209 	/* D */
1210 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
1211 	BPF_EXIT_INSN(),
1212 	/* E */
1213 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
1214 	BPF_EXIT_INSN(),
1215 	/* F */
1216 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
1217 	BPF_EXIT_INSN(),
1218 	/* G */
1219 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
1220 	BPF_EXIT_INSN(),
1221 	/* H */
1222 	BPF_MOV64_IMM(BPF_REG_0, 0),
1223 	BPF_EXIT_INSN(),
1224 	},
1225 	.prog_type = BPF_PROG_TYPE_XDP,
1226 	.errstr = "call stack",
1227 	.result = REJECT,
1228 },
1229 {
1230 	"calls: stack depth check in dead code",
1231 	.insns = {
1232 	/* main */
1233 	BPF_MOV64_IMM(BPF_REG_1, 0),
1234 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
1235 	BPF_EXIT_INSN(),
1236 	/* A */
1237 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1238 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2), /* call B */
1239 	BPF_MOV64_IMM(BPF_REG_0, 0),
1240 	BPF_EXIT_INSN(),
1241 	/* B */
1242 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
1243 	BPF_EXIT_INSN(),
1244 	/* C */
1245 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
1246 	BPF_EXIT_INSN(),
1247 	/* D */
1248 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
1249 	BPF_EXIT_INSN(),
1250 	/* E */
1251 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
1252 	BPF_EXIT_INSN(),
1253 	/* F */
1254 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
1255 	BPF_EXIT_INSN(),
1256 	/* G */
1257 	BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
1258 	BPF_EXIT_INSN(),
1259 	/* H */
1260 	BPF_MOV64_IMM(BPF_REG_0, 0),
1261 	BPF_EXIT_INSN(),
1262 	},
1263 	.prog_type = BPF_PROG_TYPE_XDP,
1264 	.errstr = "call stack",
1265 	.result = REJECT,
1266 },
1267 {
1268 	"calls: spill into caller stack frame",
1269 	.insns = {
1270 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1271 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1272 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1273 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1274 	BPF_EXIT_INSN(),
1275 	BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
1276 	BPF_MOV64_IMM(BPF_REG_0, 0),
1277 	BPF_EXIT_INSN(),
1278 	},
1279 	.prog_type = BPF_PROG_TYPE_XDP,
1280 	.errstr = "cannot spill",
1281 	.result = REJECT,
1282 },
1283 {
1284 	"calls: write into caller stack frame",
1285 	.insns = {
1286 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1287 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1288 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1289 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1290 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1291 	BPF_EXIT_INSN(),
1292 	BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
1293 	BPF_MOV64_IMM(BPF_REG_0, 0),
1294 	BPF_EXIT_INSN(),
1295 	},
1296 	.prog_type = BPF_PROG_TYPE_XDP,
1297 	.result = ACCEPT,
1298 	.retval = 42,
1299 },
1300 {
1301 	"calls: write into callee stack frame",
1302 	.insns = {
1303 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1304 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
1305 	BPF_EXIT_INSN(),
1306 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
1307 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
1308 	BPF_EXIT_INSN(),
1309 	},
1310 	.prog_type = BPF_PROG_TYPE_XDP,
1311 	.errstr = "cannot return stack pointer",
1312 	.result = REJECT,
1313 },
1314 {
1315 	"calls: two calls with stack write and void return",
1316 	.insns = {
1317 	/* main prog */
1318 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1319 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1320 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1321 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1322 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1323 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1324 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
1325 	BPF_EXIT_INSN(),
1326 
1327 	/* subprog 1 */
1328 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1329 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1330 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
1331 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
1332 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1333 	BPF_EXIT_INSN(),
1334 
1335 	/* subprog 2 */
1336 	/* write into stack frame of main prog */
1337 	BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
1338 	BPF_EXIT_INSN(), /* void return */
1339 	},
1340 	.prog_type = BPF_PROG_TYPE_XDP,
1341 	.result = ACCEPT,
1342 },
1343 {
1344 	"calls: ambiguous return value",
1345 	.insns = {
1346 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1347 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
1348 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1349 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1350 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1351 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1352 	BPF_EXIT_INSN(),
1353 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1354 	BPF_MOV64_IMM(BPF_REG_0, 0),
1355 	BPF_EXIT_INSN(),
1356 	},
1357 	.errstr_unpriv = "allowed for",
1358 	.result_unpriv = REJECT,
1359 	.errstr = "R0 !read_ok",
1360 	.result = REJECT,
1361 },
1362 {
1363 	"calls: two calls that return map_value",
1364 	.insns = {
1365 	/* main prog */
1366 	/* pass fp-16, fp-8 into a function */
1367 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1368 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1369 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1370 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1371 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
1372 
1373 	/* fetch map_value_ptr from the stack of this function */
1374 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1375 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1376 	/* write into map value */
1377 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1378 	/* fetch secound map_value_ptr from the stack */
1379 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
1380 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1381 	/* write into map value */
1382 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1383 	BPF_MOV64_IMM(BPF_REG_0, 0),
1384 	BPF_EXIT_INSN(),
1385 
1386 	/* subprog 1 */
1387 	/* call 3rd function twice */
1388 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1389 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1390 	/* first time with fp-8 */
1391 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
1392 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
1393 	/* second time with fp-16 */
1394 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1395 	BPF_EXIT_INSN(),
1396 
1397 	/* subprog 2 */
1398 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1399 	/* lookup from map */
1400 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1401 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1402 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1403 	BPF_LD_MAP_FD(BPF_REG_1, 0),
1404 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1405 	/* write map_value_ptr into stack frame of main prog */
1406 	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1407 	BPF_MOV64_IMM(BPF_REG_0, 0),
1408 	BPF_EXIT_INSN(), /* return 0 */
1409 	},
1410 	.prog_type = BPF_PROG_TYPE_XDP,
1411 	.fixup_map_hash_8b = { 23 },
1412 	.result = ACCEPT,
1413 },
1414 {
1415 	"calls: two calls that return map_value with bool condition",
1416 	.insns = {
1417 	/* main prog */
1418 	/* pass fp-16, fp-8 into a function */
1419 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1420 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1421 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1422 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1423 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1424 	BPF_MOV64_IMM(BPF_REG_0, 0),
1425 	BPF_EXIT_INSN(),
1426 
1427 	/* subprog 1 */
1428 	/* call 3rd function twice */
1429 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1430 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1431 	/* first time with fp-8 */
1432 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
1433 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
1434 	/* fetch map_value_ptr from the stack of this function */
1435 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1436 	/* write into map value */
1437 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1438 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
1439 	/* second time with fp-16 */
1440 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
1441 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
1442 	/* fetch secound map_value_ptr from the stack */
1443 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
1444 	/* write into map value */
1445 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1446 	BPF_EXIT_INSN(),
1447 
1448 	/* subprog 2 */
1449 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1450 	/* lookup from map */
1451 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1452 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1453 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1454 	BPF_LD_MAP_FD(BPF_REG_1, 0),
1455 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1456 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1457 	BPF_MOV64_IMM(BPF_REG_0, 0),
1458 	BPF_EXIT_INSN(), /* return 0 */
1459 	/* write map_value_ptr into stack frame of main prog */
1460 	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1461 	BPF_MOV64_IMM(BPF_REG_0, 1),
1462 	BPF_EXIT_INSN(), /* return 1 */
1463 	},
1464 	.prog_type = BPF_PROG_TYPE_XDP,
1465 	.fixup_map_hash_8b = { 23 },
1466 	.result = ACCEPT,
1467 },
1468 {
1469 	"calls: two calls that return map_value with incorrect bool check",
1470 	.insns = {
1471 	/* main prog */
1472 	/* pass fp-16, fp-8 into a function */
1473 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1474 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1475 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1476 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1477 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1478 	BPF_MOV64_IMM(BPF_REG_0, 0),
1479 	BPF_EXIT_INSN(),
1480 
1481 	/* subprog 1 */
1482 	/* call 3rd function twice */
1483 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1484 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1485 	/* first time with fp-8 */
1486 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
1487 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
1488 	/* fetch map_value_ptr from the stack of this function */
1489 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1490 	/* write into map value */
1491 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1492 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
1493 	/* second time with fp-16 */
1494 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
1495 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1496 	/* fetch secound map_value_ptr from the stack */
1497 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
1498 	/* write into map value */
1499 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1500 	BPF_EXIT_INSN(),
1501 
1502 	/* subprog 2 */
1503 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1504 	/* lookup from map */
1505 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1506 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1507 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1508 	BPF_LD_MAP_FD(BPF_REG_1, 0),
1509 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1510 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1511 	BPF_MOV64_IMM(BPF_REG_0, 0),
1512 	BPF_EXIT_INSN(), /* return 0 */
1513 	/* write map_value_ptr into stack frame of main prog */
1514 	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1515 	BPF_MOV64_IMM(BPF_REG_0, 1),
1516 	BPF_EXIT_INSN(), /* return 1 */
1517 	},
1518 	.prog_type = BPF_PROG_TYPE_XDP,
1519 	.fixup_map_hash_8b = { 23 },
1520 	.result = REJECT,
1521 	.errstr = "R0 invalid mem access 'scalar'",
1522 	.result_unpriv = REJECT,
1523 	.errstr_unpriv = "invalid read from stack R7 off=-16 size=8",
1524 },
1525 {
1526 	"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
1527 	.insns = {
1528 	/* main prog */
1529 	/* pass fp-16, fp-8 into a function */
1530 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1531 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1532 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1533 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1534 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1535 	BPF_MOV64_IMM(BPF_REG_0, 0),
1536 	BPF_EXIT_INSN(),
1537 
1538 	/* subprog 1 */
1539 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1540 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1541 	/* 1st lookup from map */
1542 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1543 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1544 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1545 	BPF_LD_MAP_FD(BPF_REG_1, 0),
1546 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1547 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1548 	BPF_MOV64_IMM(BPF_REG_8, 0),
1549 	BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1550 	/* write map_value_ptr into stack frame of main prog at fp-8 */
1551 	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1552 	BPF_MOV64_IMM(BPF_REG_8, 1),
1553 
1554 	/* 2nd lookup from map */
1555 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
1556 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1557 	BPF_LD_MAP_FD(BPF_REG_1, 0),
1558 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
1559 		     BPF_FUNC_map_lookup_elem),
1560 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1561 	BPF_MOV64_IMM(BPF_REG_9, 0),
1562 	BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1563 	/* write map_value_ptr into stack frame of main prog at fp-16 */
1564 	BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1565 	BPF_MOV64_IMM(BPF_REG_9, 1),
1566 
1567 	/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
1568 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
1569 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
1570 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
1571 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
1572 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
1573 	BPF_EXIT_INSN(),
1574 
1575 	/* subprog 2 */
1576 	/* if arg2 == 1 do *arg1 = 0 */
1577 	BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
1578 	/* fetch map_value_ptr from the stack of this function */
1579 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
1580 	/* write into map value */
1581 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1582 
1583 	/* if arg4 == 1 do *arg3 = 0 */
1584 	BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
1585 	/* fetch map_value_ptr from the stack of this function */
1586 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
1587 	/* write into map value */
1588 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
1589 	BPF_EXIT_INSN(),
1590 	},
1591 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1592 	.fixup_map_hash_8b = { 12, 22 },
1593 	.result = REJECT,
1594 	.errstr = "invalid access to map value, value_size=8 off=2 size=8",
1595 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1596 },
1597 {
1598 	"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
1599 	.insns = {
1600 	/* main prog */
1601 	/* pass fp-16, fp-8 into a function */
1602 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1603 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1604 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1605 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1606 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1607 	BPF_MOV64_IMM(BPF_REG_0, 0),
1608 	BPF_EXIT_INSN(),
1609 
1610 	/* subprog 1 */
1611 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1612 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1613 	/* 1st lookup from map */
1614 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1615 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1616 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1617 	BPF_LD_MAP_FD(BPF_REG_1, 0),
1618 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1619 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1620 	BPF_MOV64_IMM(BPF_REG_8, 0),
1621 	BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1622 	/* write map_value_ptr into stack frame of main prog at fp-8 */
1623 	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1624 	BPF_MOV64_IMM(BPF_REG_8, 1),
1625 
1626 	/* 2nd lookup from map */
1627 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
1628 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1629 	BPF_LD_MAP_FD(BPF_REG_1, 0),
1630 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
1631 		     BPF_FUNC_map_lookup_elem),
1632 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1633 	BPF_MOV64_IMM(BPF_REG_9, 0),
1634 	BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1635 	/* write map_value_ptr into stack frame of main prog at fp-16 */
1636 	BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1637 	BPF_MOV64_IMM(BPF_REG_9, 1),
1638 
1639 	/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
1640 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
1641 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
1642 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
1643 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
1644 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
1645 	BPF_EXIT_INSN(),
1646 
1647 	/* subprog 2 */
1648 	/* if arg2 == 1 do *arg1 = 0 */
1649 	BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
1650 	/* fetch map_value_ptr from the stack of this function */
1651 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
1652 	/* write into map value */
1653 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1654 
1655 	/* if arg4 == 1 do *arg3 = 0 */
1656 	BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
1657 	/* fetch map_value_ptr from the stack of this function */
1658 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
1659 	/* write into map value */
1660 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1661 	BPF_EXIT_INSN(),
1662 	},
1663 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1664 	.fixup_map_hash_8b = { 12, 22 },
1665 	.result = ACCEPT,
1666 },
1667 {
1668 	"calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
1669 	.insns = {
1670 	/* main prog */
1671 	/* pass fp-16, fp-8 into a function */
1672 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1673 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1674 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1675 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1676 	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
1677 	BPF_MOV64_IMM(BPF_REG_0, 0),
1678 	BPF_EXIT_INSN(),
1679 
1680 	/* subprog 1 */
1681 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1682 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1683 	/* 1st lookup from map */
1684 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
1685 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1686 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
1687 	BPF_LD_MAP_FD(BPF_REG_1, 0),
1688 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1689 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1690 	BPF_MOV64_IMM(BPF_REG_8, 0),
1691 	BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1692 	/* write map_value_ptr into stack frame of main prog at fp-8 */
1693 	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1694 	BPF_MOV64_IMM(BPF_REG_8, 1),
1695 
1696 	/* 2nd lookup from map */
1697 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1698 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
1699 	BPF_LD_MAP_FD(BPF_REG_1, 0),
1700 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1701 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1702 	BPF_MOV64_IMM(BPF_REG_9, 0),  // 26
1703 	BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1704 	/* write map_value_ptr into stack frame of main prog at fp-16 */
1705 	BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1706 	BPF_MOV64_IMM(BPF_REG_9, 1),
1707 
1708 	/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
1709 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
1710 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
1711 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
1712 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
1713 	BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
1714 	BPF_JMP_IMM(BPF_JA, 0, 0, -30),
1715 
1716 	/* subprog 2 */
1717 	/* if arg2 == 1 do *arg1 = 0 */
1718 	BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
1719 	/* fetch map_value_ptr from the stack of this function */
1720 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
1721 	/* write into map value */
1722 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1723 
1724 	/* if arg4 == 1 do *arg3 = 0 */
1725 	BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
1726 	/* fetch map_value_ptr from the stack of this function */
1727 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
1728 	/* write into map value */
1729 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
1730 	BPF_JMP_IMM(BPF_JA, 0, 0, -8),
1731 	},
1732 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1733 	.fixup_map_hash_8b = { 12, 22 },
1734 	.result = REJECT,
1735 	.errstr = "invalid access to map value, value_size=8 off=2 size=8",
1736 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1737 },
1738 {
1739 	"calls: two calls that receive map_value_ptr_or_null via arg. test1",
1740 	.insns = {
1741 	/* main prog */
1742 	/* pass fp-16, fp-8 into a function */
1743 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1744 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1745 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1746 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1747 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1748 	BPF_MOV64_IMM(BPF_REG_0, 0),
1749 	BPF_EXIT_INSN(),
1750 
1751 	/* subprog 1 */
1752 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1753 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1754 	/* 1st lookup from map */
1755 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1756 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1757 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1758 	BPF_LD_MAP_FD(BPF_REG_1, 0),
1759 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1760 	/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
1761 	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1762 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1763 	BPF_MOV64_IMM(BPF_REG_8, 0),
1764 	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
1765 	BPF_MOV64_IMM(BPF_REG_8, 1),
1766 
1767 	/* 2nd lookup from map */
1768 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1769 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1770 	BPF_LD_MAP_FD(BPF_REG_1, 0),
1771 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1772 	/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
1773 	BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1774 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1775 	BPF_MOV64_IMM(BPF_REG_9, 0),
1776 	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
1777 	BPF_MOV64_IMM(BPF_REG_9, 1),
1778 
1779 	/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
1780 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1781 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
1782 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
1783 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
1784 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1785 	BPF_EXIT_INSN(),
1786 
1787 	/* subprog 2 */
1788 	/* if arg2 == 1 do *arg1 = 0 */
1789 	BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
1790 	/* fetch map_value_ptr from the stack of this function */
1791 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
1792 	/* write into map value */
1793 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1794 
1795 	/* if arg4 == 1 do *arg3 = 0 */
1796 	BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
1797 	/* fetch map_value_ptr from the stack of this function */
1798 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
1799 	/* write into map value */
1800 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1801 	BPF_EXIT_INSN(),
1802 	},
1803 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1804 	.fixup_map_hash_8b = { 12, 22 },
1805 	.result = ACCEPT,
1806 },
1807 {
1808 	"calls: two calls that receive map_value_ptr_or_null via arg. test2",
1809 	.insns = {
1810 	/* main prog */
1811 	/* pass fp-16, fp-8 into a function */
1812 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1813 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1814 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1815 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1816 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
1817 	BPF_MOV64_IMM(BPF_REG_0, 0),
1818 	BPF_EXIT_INSN(),
1819 
1820 	/* subprog 1 */
1821 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
1822 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
1823 	/* 1st lookup from map */
1824 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1825 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1826 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1827 	BPF_LD_MAP_FD(BPF_REG_1, 0),
1828 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1829 	/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
1830 	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
1831 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1832 	BPF_MOV64_IMM(BPF_REG_8, 0),
1833 	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
1834 	BPF_MOV64_IMM(BPF_REG_8, 1),
1835 
1836 	/* 2nd lookup from map */
1837 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1838 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1839 	BPF_LD_MAP_FD(BPF_REG_1, 0),
1840 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
1841 	/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
1842 	BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
1843 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
1844 	BPF_MOV64_IMM(BPF_REG_9, 0),
1845 	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
1846 	BPF_MOV64_IMM(BPF_REG_9, 1),
1847 
1848 	/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
1849 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
1850 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
1851 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
1852 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
1853 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1854 	BPF_EXIT_INSN(),
1855 
1856 	/* subprog 2 */
1857 	/* if arg2 == 1 do *arg1 = 0 */
1858 	BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
1859 	/* fetch map_value_ptr from the stack of this function */
1860 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
1861 	/* write into map value */
1862 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1863 
1864 	/* if arg4 == 0 do *arg3 = 0 */
1865 	BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
1866 	/* fetch map_value_ptr from the stack of this function */
1867 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
1868 	/* write into map value */
1869 	BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1870 	BPF_EXIT_INSN(),
1871 	},
1872 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1873 	.fixup_map_hash_8b = { 12, 22 },
1874 	.result = REJECT,
1875 	.errstr = "R0 invalid mem access 'scalar'",
1876 },
1877 {
1878 	"calls: pkt_ptr spill into caller stack",
1879 	.insns = {
1880 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1881 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1882 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
1883 	BPF_EXIT_INSN(),
1884 
1885 	/* subprog 1 */
1886 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1887 		    offsetof(struct __sk_buff, data)),
1888 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1889 		    offsetof(struct __sk_buff, data_end)),
1890 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1891 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1892 	/* spill unchecked pkt_ptr into stack of caller */
1893 	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1894 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
1895 	/* now the pkt range is verified, read pkt_ptr from stack */
1896 	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
1897 	/* write 4 bytes into packet */
1898 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
1899 	BPF_EXIT_INSN(),
1900 	},
1901 	.result = ACCEPT,
1902 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1903 	.retval = POINTER_VALUE,
1904 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1905 },
1906 {
1907 	"calls: pkt_ptr spill into caller stack 2",
1908 	.insns = {
1909 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1910 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1911 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
1912 	/* Marking is still kept, but not in all cases safe. */
1913 	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1914 	BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
1915 	BPF_EXIT_INSN(),
1916 
1917 	/* subprog 1 */
1918 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1919 		    offsetof(struct __sk_buff, data)),
1920 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1921 		    offsetof(struct __sk_buff, data_end)),
1922 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1923 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1924 	/* spill unchecked pkt_ptr into stack of caller */
1925 	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1926 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
1927 	/* now the pkt range is verified, read pkt_ptr from stack */
1928 	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
1929 	/* write 4 bytes into packet */
1930 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
1931 	BPF_EXIT_INSN(),
1932 	},
1933 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1934 	.errstr = "invalid access to packet",
1935 	.result = REJECT,
1936 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1937 },
1938 {
1939 	"calls: pkt_ptr spill into caller stack 3",
1940 	.insns = {
1941 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1942 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1943 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
1944 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1945 	/* Marking is still kept and safe here. */
1946 	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1947 	BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
1948 	BPF_EXIT_INSN(),
1949 
1950 	/* subprog 1 */
1951 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1952 		    offsetof(struct __sk_buff, data)),
1953 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1954 		    offsetof(struct __sk_buff, data_end)),
1955 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1956 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1957 	/* spill unchecked pkt_ptr into stack of caller */
1958 	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1959 	BPF_MOV64_IMM(BPF_REG_5, 0),
1960 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
1961 	BPF_MOV64_IMM(BPF_REG_5, 1),
1962 	/* now the pkt range is verified, read pkt_ptr from stack */
1963 	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
1964 	/* write 4 bytes into packet */
1965 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
1966 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
1967 	BPF_EXIT_INSN(),
1968 	},
1969 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1970 	.result = ACCEPT,
1971 	.retval = 1,
1972 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1973 },
1974 {
1975 	"calls: pkt_ptr spill into caller stack 4",
1976 	.insns = {
1977 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
1978 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
1979 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
1980 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1981 	/* Check marking propagated. */
1982 	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
1983 	BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
1984 	BPF_EXIT_INSN(),
1985 
1986 	/* subprog 1 */
1987 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1988 		    offsetof(struct __sk_buff, data)),
1989 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1990 		    offsetof(struct __sk_buff, data_end)),
1991 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1992 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1993 	/* spill unchecked pkt_ptr into stack of caller */
1994 	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
1995 	BPF_MOV64_IMM(BPF_REG_5, 0),
1996 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
1997 	BPF_MOV64_IMM(BPF_REG_5, 1),
1998 	/* don't read back pkt_ptr from stack here */
1999 	/* write 4 bytes into packet */
2000 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
2001 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
2002 	BPF_EXIT_INSN(),
2003 	},
2004 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2005 	.result = ACCEPT,
2006 	.retval = 1,
2007 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2008 },
2009 {
2010 	"calls: pkt_ptr spill into caller stack 5",
2011 	.insns = {
2012 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2013 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2014 	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
2015 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
2016 	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
2017 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
2018 	BPF_EXIT_INSN(),
2019 
2020 	/* subprog 1 */
2021 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2022 		    offsetof(struct __sk_buff, data)),
2023 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2024 		    offsetof(struct __sk_buff, data_end)),
2025 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2026 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2027 	BPF_MOV64_IMM(BPF_REG_5, 0),
2028 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
2029 	/* spill checked pkt_ptr into stack of caller */
2030 	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2031 	BPF_MOV64_IMM(BPF_REG_5, 1),
2032 	/* don't read back pkt_ptr from stack here */
2033 	/* write 4 bytes into packet */
2034 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
2035 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
2036 	BPF_EXIT_INSN(),
2037 	},
2038 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2039 	.errstr = "same insn cannot be used with different",
2040 	.result = REJECT,
2041 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2042 },
2043 {
2044 	"calls: pkt_ptr spill into caller stack 6",
2045 	.insns = {
2046 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2047 		    offsetof(struct __sk_buff, data_end)),
2048 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2049 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2050 	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2051 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
2052 	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
2053 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
2054 	BPF_EXIT_INSN(),
2055 
2056 	/* subprog 1 */
2057 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2058 		    offsetof(struct __sk_buff, data)),
2059 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2060 		    offsetof(struct __sk_buff, data_end)),
2061 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2062 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2063 	BPF_MOV64_IMM(BPF_REG_5, 0),
2064 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
2065 	/* spill checked pkt_ptr into stack of caller */
2066 	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2067 	BPF_MOV64_IMM(BPF_REG_5, 1),
2068 	/* don't read back pkt_ptr from stack here */
2069 	/* write 4 bytes into packet */
2070 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
2071 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
2072 	BPF_EXIT_INSN(),
2073 	},
2074 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2075 	.errstr = "R4 invalid mem access",
2076 	.result = REJECT,
2077 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2078 },
2079 {
2080 	"calls: pkt_ptr spill into caller stack 7",
2081 	.insns = {
2082 	BPF_MOV64_IMM(BPF_REG_2, 0),
2083 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2084 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2085 	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2086 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
2087 	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
2088 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
2089 	BPF_EXIT_INSN(),
2090 
2091 	/* subprog 1 */
2092 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2093 		    offsetof(struct __sk_buff, data)),
2094 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2095 		    offsetof(struct __sk_buff, data_end)),
2096 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2097 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2098 	BPF_MOV64_IMM(BPF_REG_5, 0),
2099 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
2100 	/* spill checked pkt_ptr into stack of caller */
2101 	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2102 	BPF_MOV64_IMM(BPF_REG_5, 1),
2103 	/* don't read back pkt_ptr from stack here */
2104 	/* write 4 bytes into packet */
2105 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
2106 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
2107 	BPF_EXIT_INSN(),
2108 	},
2109 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2110 	.errstr = "R4 invalid mem access",
2111 	.result = REJECT,
2112 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2113 },
2114 {
2115 	"calls: pkt_ptr spill into caller stack 8",
2116 	.insns = {
2117 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2118 		    offsetof(struct __sk_buff, data)),
2119 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2120 		    offsetof(struct __sk_buff, data_end)),
2121 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2122 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2123 	BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
2124 	BPF_EXIT_INSN(),
2125 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2126 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2127 	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2128 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
2129 	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
2130 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
2131 	BPF_EXIT_INSN(),
2132 
2133 	/* subprog 1 */
2134 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2135 		    offsetof(struct __sk_buff, data)),
2136 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2137 		    offsetof(struct __sk_buff, data_end)),
2138 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2139 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2140 	BPF_MOV64_IMM(BPF_REG_5, 0),
2141 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
2142 	/* spill checked pkt_ptr into stack of caller */
2143 	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2144 	BPF_MOV64_IMM(BPF_REG_5, 1),
2145 	/* don't read back pkt_ptr from stack here */
2146 	/* write 4 bytes into packet */
2147 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
2148 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
2149 	BPF_EXIT_INSN(),
2150 	},
2151 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2152 	.result = ACCEPT,
2153 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2154 },
2155 {
2156 	"calls: pkt_ptr spill into caller stack 9",
2157 	.insns = {
2158 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2159 		    offsetof(struct __sk_buff, data)),
2160 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2161 		    offsetof(struct __sk_buff, data_end)),
2162 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2163 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2164 	BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
2165 	BPF_EXIT_INSN(),
2166 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2167 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2168 	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2169 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
2170 	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
2171 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
2172 	BPF_EXIT_INSN(),
2173 
2174 	/* subprog 1 */
2175 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2176 		    offsetof(struct __sk_buff, data)),
2177 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2178 		    offsetof(struct __sk_buff, data_end)),
2179 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2180 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2181 	BPF_MOV64_IMM(BPF_REG_5, 0),
2182 	/* spill unchecked pkt_ptr into stack of caller */
2183 	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2184 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
2185 	BPF_MOV64_IMM(BPF_REG_5, 1),
2186 	/* don't read back pkt_ptr from stack here */
2187 	/* write 4 bytes into packet */
2188 	BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
2189 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
2190 	BPF_EXIT_INSN(),
2191 	},
2192 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2193 	.errstr = "invalid access to packet",
2194 	.result = REJECT,
2195 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2196 },
2197 {
2198 	"calls: caller stack init to zero or map_value_or_null",
2199 	.insns = {
2200 	BPF_MOV64_IMM(BPF_REG_0, 0),
2201 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
2202 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2203 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2204 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
2205 	/* fetch map_value_or_null or const_zero from stack */
2206 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
2207 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2208 	/* store into map_value */
2209 	BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
2210 	BPF_EXIT_INSN(),
2211 
2212 	/* subprog 1 */
2213 	/* if (ctx == 0) return; */
2214 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
2215 	/* else bpf_map_lookup() and *(fp - 8) = r0 */
2216 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2217 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2218 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2219 	BPF_LD_MAP_FD(BPF_REG_1, 0),
2220 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2221 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
2222 	/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
2223 	BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
2224 	BPF_EXIT_INSN(),
2225 	},
2226 	.fixup_map_hash_8b = { 13 },
2227 	.result = ACCEPT,
2228 	.prog_type = BPF_PROG_TYPE_XDP,
2229 },
2230 {
2231 	"calls: stack init to zero and pruning",
2232 	.insns = {
2233 	/* first make allocated_stack 16 byte */
2234 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
2235 	/* now fork the execution such that the false branch
2236 	 * of JGT insn will be verified second and it skisp zero
2237 	 * init of fp-8 stack slot. If stack liveness marking
2238 	 * is missing live_read marks from call map_lookup
2239 	 * processing then pruning will incorrectly assume
2240 	 * that fp-8 stack slot was unused in the fall-through
2241 	 * branch and will accept the program incorrectly
2242 	 */
2243 	BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32),
2244 	BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 2, 2),
2245 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2246 	BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2247 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2248 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2249 	BPF_LD_MAP_FD(BPF_REG_1, 0),
2250 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
2251 	BPF_MOV64_IMM(BPF_REG_0, 0),
2252 	BPF_EXIT_INSN(),
2253 	},
2254 	.fixup_map_hash_48b = { 7 },
2255 	.errstr_unpriv = "invalid indirect read from stack R2 off -8+0 size 8",
2256 	.result_unpriv = REJECT,
2257 	/* in privileged mode reads from uninitialized stack locations are permitted */
2258 	.result = ACCEPT,
2259 },
2260 {
2261 	"calls: ctx read at start of subprog",
2262 	.insns = {
2263 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
2264 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
2265 	BPF_JMP_REG(BPF_JSGT, BPF_REG_0, BPF_REG_0, 0),
2266 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2267 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
2268 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
2269 	BPF_EXIT_INSN(),
2270 	BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
2271 	BPF_MOV64_IMM(BPF_REG_0, 0),
2272 	BPF_EXIT_INSN(),
2273 	},
2274 	.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2275 	.errstr_unpriv = "loading/calling other bpf or kernel functions are allowed for",
2276 	.result_unpriv = REJECT,
2277 	.result = ACCEPT,
2278 },
2279 {
2280 	"calls: cross frame pruning",
2281 	.insns = {
2282 	/* r8 = !!random();
2283 	 * call pruner()
2284 	 * if (r8)
2285 	 *     do something bad;
2286 	 */
2287 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
2288 	BPF_MOV64_IMM(BPF_REG_8, 0),
2289 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
2290 	BPF_MOV64_IMM(BPF_REG_8, 1),
2291 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2292 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
2293 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 1, 1),
2294 	BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
2295 	BPF_MOV64_IMM(BPF_REG_0, 0),
2296 	BPF_EXIT_INSN(),
2297 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2298 	BPF_EXIT_INSN(),
2299 	},
2300 	.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2301 	.errstr_unpriv = "loading/calling other bpf or kernel functions are allowed for",
2302 	.errstr = "!read_ok",
2303 	.result = REJECT,
2304 },
2305 {
2306 	"calls: cross frame pruning - liveness propagation",
2307 	.insns = {
2308 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
2309 	BPF_MOV64_IMM(BPF_REG_8, 0),
2310 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
2311 	BPF_MOV64_IMM(BPF_REG_8, 1),
2312 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
2313 	BPF_MOV64_IMM(BPF_REG_9, 0),
2314 	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
2315 	BPF_MOV64_IMM(BPF_REG_9, 1),
2316 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
2317 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
2318 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 1, 1),
2319 	BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_2, 0),
2320 	BPF_MOV64_IMM(BPF_REG_0, 0),
2321 	BPF_EXIT_INSN(),
2322 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2323 	BPF_EXIT_INSN(),
2324 	},
2325 	.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2326 	.errstr_unpriv = "loading/calling other bpf or kernel functions are allowed for",
2327 	.errstr = "!read_ok",
2328 	.result = REJECT,
2329 },
2330 /* Make sure that verifier.c:states_equal() considers IDs from all
2331  * frames when building 'idmap' for check_ids().
2332  */
2333 {
2334 	"calls: check_ids() across call boundary",
2335 	.insns = {
2336 	/* Function main() */
2337 	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2338 	/* fp[-24] = map_lookup_elem(...) ; get a MAP_VALUE_PTR_OR_NULL with some ID */
2339 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2340 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2341 	BPF_LD_MAP_FD(BPF_REG_1,
2342 		      0),
2343 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
2344 	BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_0, -24),
2345 	/* fp[-32] = map_lookup_elem(...) ; get a MAP_VALUE_PTR_OR_NULL with some ID */
2346 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2347 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2348 	BPF_LD_MAP_FD(BPF_REG_1,
2349 		      0),
2350 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
2351 	BPF_STX_MEM(BPF_DW, BPF_REG_FP, BPF_REG_0, -32),
2352 	/* call foo(&fp[-24], &fp[-32])   ; both arguments have IDs in the current
2353 	 *                                ; stack frame
2354 	 */
2355 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_FP),
2356 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -24),
2357 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_FP),
2358 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
2359 	BPF_CALL_REL(2),
2360 	/* exit 0 */
2361 	BPF_MOV64_IMM(BPF_REG_0, 0),
2362 	BPF_EXIT_INSN(),
2363 	/* Function foo()
2364 	 *
2365 	 * r9 = &frame[0].fp[-24]  ; save arguments in the callee saved registers,
2366 	 * r8 = &frame[0].fp[-32]  ; arguments are pointers to pointers to map value
2367 	 */
2368 	BPF_MOV64_REG(BPF_REG_9, BPF_REG_1),
2369 	BPF_MOV64_REG(BPF_REG_8, BPF_REG_2),
2370 	/* r7 = ktime_get_ns() */
2371 	BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
2372 	BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
2373 	/* r6 = ktime_get_ns() */
2374 	BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
2375 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
2376 	/* if r6 > r7 goto +1      ; no new information about the state is derived from
2377 	 *                         ; this check, thus produced verifier states differ
2378 	 *                         ; only in 'insn_idx'
2379 	 * r9 = r8
2380 	 */
2381 	BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 1),
2382 	BPF_MOV64_REG(BPF_REG_9, BPF_REG_8),
2383 	/* r9 = *r9                ; verifier get's to this point via two paths:
2384 	 *                         ; (I) one including r9 = r8, verified first;
2385 	 *                         ; (II) one excluding r9 = r8, verified next.
2386 	 *                         ; After load of *r9 to r9 the frame[0].fp[-24].id == r9.id.
2387 	 *                         ; Suppose that checkpoint is created here via path (I).
2388 	 *                         ; When verifying via (II) the r9.id must be compared against
2389 	 *                         ; frame[0].fp[-24].id, otherwise (I) and (II) would be
2390 	 *                         ; incorrectly deemed equivalent.
2391 	 * if r9 == 0 goto <exit>
2392 	 */
2393 	BPF_LDX_MEM(BPF_DW, BPF_REG_9, BPF_REG_9, 0),
2394 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 0, 1),
2395 	/* r8 = *r8                ; read map value via r8, this is not safe
2396 	 * r0 = *r8                ; because r8 might be not equal to r9.
2397 	 */
2398 	BPF_LDX_MEM(BPF_DW, BPF_REG_8, BPF_REG_8, 0),
2399 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_8, 0),
2400 	/* exit 0 */
2401 	BPF_MOV64_IMM(BPF_REG_0, 0),
2402 	BPF_EXIT_INSN(),
2403 	},
2404 	.flags = BPF_F_TEST_STATE_FREQ,
2405 	.fixup_map_hash_8b = { 3, 9 },
2406 	.result = REJECT,
2407 	.errstr = "R8 invalid mem access 'map_value_or_null'",
2408 	.result_unpriv = REJECT,
2409 	.errstr_unpriv = "",
2410 	.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
2411 },
2412