xref: /openbmc/linux/tools/testing/selftests/bpf/test_verifier.c (revision 8631f940b81bf0da3d375fce166d381fa8c47bb2)
1 /*
2  * Testsuite for eBPF verifier
3  *
4  * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5  * Copyright (c) 2017 Facebook
6  * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
7  *
8  * This program is free software; you can redistribute it and/or
9  * modify it under the terms of version 2 of the GNU General Public
10  * License as published by the Free Software Foundation.
11  */
12 
13 #include <endian.h>
14 #include <asm/types.h>
15 #include <linux/types.h>
16 #include <stdint.h>
17 #include <stdio.h>
18 #include <stdlib.h>
19 #include <unistd.h>
20 #include <errno.h>
21 #include <string.h>
22 #include <stddef.h>
23 #include <stdbool.h>
24 #include <sched.h>
25 #include <limits.h>
26 #include <assert.h>
27 
28 #include <sys/capability.h>
29 
30 #include <linux/unistd.h>
31 #include <linux/filter.h>
32 #include <linux/bpf_perf_event.h>
33 #include <linux/bpf.h>
34 #include <linux/if_ether.h>
35 
36 #include <bpf/bpf.h>
37 
38 #ifdef HAVE_GENHDR
39 # include "autoconf.h"
40 #else
41 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
42 #  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
43 # endif
44 #endif
45 #include "bpf_rlimit.h"
46 #include "bpf_rand.h"
47 #include "bpf_util.h"
48 #include "../../../include/linux/filter.h"
49 
50 #define MAX_INSNS	BPF_MAXINSNS
51 #define MAX_FIXUPS	8
52 #define MAX_NR_MAPS	13
53 #define MAX_TEST_RUNS	8
54 #define POINTER_VALUE	0xcafe4all
55 #define TEST_DATA_LEN	64
56 
57 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS	(1 << 0)
58 #define F_LOAD_WITH_STRICT_ALIGNMENT		(1 << 1)
59 
60 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
61 static bool unpriv_disabled = false;
62 
63 struct bpf_test {
64 	const char *descr;
65 	struct bpf_insn	insns[MAX_INSNS];
66 	int fixup_map_hash_8b[MAX_FIXUPS];
67 	int fixup_map_hash_48b[MAX_FIXUPS];
68 	int fixup_map_hash_16b[MAX_FIXUPS];
69 	int fixup_map_array_48b[MAX_FIXUPS];
70 	int fixup_map_sockmap[MAX_FIXUPS];
71 	int fixup_map_sockhash[MAX_FIXUPS];
72 	int fixup_map_xskmap[MAX_FIXUPS];
73 	int fixup_map_stacktrace[MAX_FIXUPS];
74 	int fixup_prog1[MAX_FIXUPS];
75 	int fixup_prog2[MAX_FIXUPS];
76 	int fixup_map_in_map[MAX_FIXUPS];
77 	int fixup_cgroup_storage[MAX_FIXUPS];
78 	int fixup_percpu_cgroup_storage[MAX_FIXUPS];
79 	const char *errstr;
80 	const char *errstr_unpriv;
81 	uint32_t retval, retval_unpriv, insn_processed;
82 	enum {
83 		UNDEF,
84 		ACCEPT,
85 		REJECT
86 	} result, result_unpriv;
87 	enum bpf_prog_type prog_type;
88 	uint8_t flags;
89 	__u8 data[TEST_DATA_LEN];
90 	void (*fill_helper)(struct bpf_test *self);
91 	uint8_t runs;
92 	struct {
93 		uint32_t retval, retval_unpriv;
94 		union {
95 			__u8 data[TEST_DATA_LEN];
96 			__u64 data64[TEST_DATA_LEN / 8];
97 		};
98 	} retvals[MAX_TEST_RUNS];
99 };
100 
101 /* Note we want this to be 64 bit aligned so that the end of our array is
102  * actually the end of the structure.
103  */
104 #define MAX_ENTRIES 11
105 
106 struct test_val {
107 	unsigned int index;
108 	int foo[MAX_ENTRIES];
109 };
110 
111 struct other_val {
112 	long long foo;
113 	long long bar;
114 };
115 
116 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
117 {
118 	/* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
119 #define PUSH_CNT 51
120 	unsigned int len = BPF_MAXINSNS;
121 	struct bpf_insn *insn = self->insns;
122 	int i = 0, j, k = 0;
123 
124 	insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
125 loop:
126 	for (j = 0; j < PUSH_CNT; j++) {
127 		insn[i++] = BPF_LD_ABS(BPF_B, 0);
128 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
129 		i++;
130 		insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
131 		insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
132 		insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
133 		insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
134 					 BPF_FUNC_skb_vlan_push),
135 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
136 		i++;
137 	}
138 
139 	for (j = 0; j < PUSH_CNT; j++) {
140 		insn[i++] = BPF_LD_ABS(BPF_B, 0);
141 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
142 		i++;
143 		insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
144 		insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
145 					 BPF_FUNC_skb_vlan_pop),
146 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
147 		i++;
148 	}
149 	if (++k < 5)
150 		goto loop;
151 
152 	for (; i < len - 1; i++)
153 		insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
154 	insn[len - 1] = BPF_EXIT_INSN();
155 }
156 
157 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
158 {
159 	struct bpf_insn *insn = self->insns;
160 	unsigned int len = BPF_MAXINSNS;
161 	int i = 0;
162 
163 	insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
164 	insn[i++] = BPF_LD_ABS(BPF_B, 0);
165 	insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
166 	i++;
167 	while (i < len - 1)
168 		insn[i++] = BPF_LD_ABS(BPF_B, 1);
169 	insn[i] = BPF_EXIT_INSN();
170 }
171 
172 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
173 {
174 	struct bpf_insn *insn = self->insns;
175 	uint64_t res = 0;
176 	int i = 0;
177 
178 	insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
179 	while (i < self->retval) {
180 		uint64_t val = bpf_semi_rand_get();
181 		struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
182 
183 		res ^= val;
184 		insn[i++] = tmp[0];
185 		insn[i++] = tmp[1];
186 		insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
187 	}
188 	insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
189 	insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
190 	insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
191 	insn[i] = BPF_EXIT_INSN();
192 	res ^= (res >> 32);
193 	self->retval = (uint32_t)res;
194 }
195 
196 /* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */
197 #define BPF_SK_LOOKUP							\
198 	/* struct bpf_sock_tuple tuple = {} */				\
199 	BPF_MOV64_IMM(BPF_REG_2, 0),					\
200 	BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8),			\
201 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -16),		\
202 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -24),		\
203 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -32),		\
204 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -40),		\
205 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -48),		\
206 	/* sk = sk_lookup_tcp(ctx, &tuple, sizeof tuple, 0, 0) */	\
207 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),				\
208 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),				\
209 	BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)),	\
210 	BPF_MOV64_IMM(BPF_REG_4, 0),					\
211 	BPF_MOV64_IMM(BPF_REG_5, 0),					\
212 	BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp)
213 
214 static struct bpf_test tests[] = {
215 	{
216 		"add+sub+mul",
217 		.insns = {
218 			BPF_MOV64_IMM(BPF_REG_1, 1),
219 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
220 			BPF_MOV64_IMM(BPF_REG_2, 3),
221 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
222 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
223 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
224 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
225 			BPF_EXIT_INSN(),
226 		},
227 		.result = ACCEPT,
228 		.retval = -3,
229 	},
230 	{
231 		"DIV32 by 0, zero check 1",
232 		.insns = {
233 			BPF_MOV32_IMM(BPF_REG_0, 42),
234 			BPF_MOV32_IMM(BPF_REG_1, 0),
235 			BPF_MOV32_IMM(BPF_REG_2, 1),
236 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
237 			BPF_EXIT_INSN(),
238 		},
239 		.result = ACCEPT,
240 		.retval = 42,
241 	},
242 	{
243 		"DIV32 by 0, zero check 2",
244 		.insns = {
245 			BPF_MOV32_IMM(BPF_REG_0, 42),
246 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
247 			BPF_MOV32_IMM(BPF_REG_2, 1),
248 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
249 			BPF_EXIT_INSN(),
250 		},
251 		.result = ACCEPT,
252 		.retval = 42,
253 	},
254 	{
255 		"DIV64 by 0, zero check",
256 		.insns = {
257 			BPF_MOV32_IMM(BPF_REG_0, 42),
258 			BPF_MOV32_IMM(BPF_REG_1, 0),
259 			BPF_MOV32_IMM(BPF_REG_2, 1),
260 			BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
261 			BPF_EXIT_INSN(),
262 		},
263 		.result = ACCEPT,
264 		.retval = 42,
265 	},
266 	{
267 		"MOD32 by 0, zero check 1",
268 		.insns = {
269 			BPF_MOV32_IMM(BPF_REG_0, 42),
270 			BPF_MOV32_IMM(BPF_REG_1, 0),
271 			BPF_MOV32_IMM(BPF_REG_2, 1),
272 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
273 			BPF_EXIT_INSN(),
274 		},
275 		.result = ACCEPT,
276 		.retval = 42,
277 	},
278 	{
279 		"MOD32 by 0, zero check 2",
280 		.insns = {
281 			BPF_MOV32_IMM(BPF_REG_0, 42),
282 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
283 			BPF_MOV32_IMM(BPF_REG_2, 1),
284 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
285 			BPF_EXIT_INSN(),
286 		},
287 		.result = ACCEPT,
288 		.retval = 42,
289 	},
290 	{
291 		"MOD64 by 0, zero check",
292 		.insns = {
293 			BPF_MOV32_IMM(BPF_REG_0, 42),
294 			BPF_MOV32_IMM(BPF_REG_1, 0),
295 			BPF_MOV32_IMM(BPF_REG_2, 1),
296 			BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
297 			BPF_EXIT_INSN(),
298 		},
299 		.result = ACCEPT,
300 		.retval = 42,
301 	},
302 	{
303 		"DIV32 by 0, zero check ok, cls",
304 		.insns = {
305 			BPF_MOV32_IMM(BPF_REG_0, 42),
306 			BPF_MOV32_IMM(BPF_REG_1, 2),
307 			BPF_MOV32_IMM(BPF_REG_2, 16),
308 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
309 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
310 			BPF_EXIT_INSN(),
311 		},
312 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
313 		.result = ACCEPT,
314 		.retval = 8,
315 	},
316 	{
317 		"DIV32 by 0, zero check 1, cls",
318 		.insns = {
319 			BPF_MOV32_IMM(BPF_REG_1, 0),
320 			BPF_MOV32_IMM(BPF_REG_0, 1),
321 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
322 			BPF_EXIT_INSN(),
323 		},
324 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
325 		.result = ACCEPT,
326 		.retval = 0,
327 	},
328 	{
329 		"DIV32 by 0, zero check 2, cls",
330 		.insns = {
331 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
332 			BPF_MOV32_IMM(BPF_REG_0, 1),
333 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
334 			BPF_EXIT_INSN(),
335 		},
336 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
337 		.result = ACCEPT,
338 		.retval = 0,
339 	},
340 	{
341 		"DIV64 by 0, zero check, cls",
342 		.insns = {
343 			BPF_MOV32_IMM(BPF_REG_1, 0),
344 			BPF_MOV32_IMM(BPF_REG_0, 1),
345 			BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
346 			BPF_EXIT_INSN(),
347 		},
348 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
349 		.result = ACCEPT,
350 		.retval = 0,
351 	},
352 	{
353 		"MOD32 by 0, zero check ok, cls",
354 		.insns = {
355 			BPF_MOV32_IMM(BPF_REG_0, 42),
356 			BPF_MOV32_IMM(BPF_REG_1, 3),
357 			BPF_MOV32_IMM(BPF_REG_2, 5),
358 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
359 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
360 			BPF_EXIT_INSN(),
361 		},
362 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
363 		.result = ACCEPT,
364 		.retval = 2,
365 	},
366 	{
367 		"MOD32 by 0, zero check 1, cls",
368 		.insns = {
369 			BPF_MOV32_IMM(BPF_REG_1, 0),
370 			BPF_MOV32_IMM(BPF_REG_0, 1),
371 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
372 			BPF_EXIT_INSN(),
373 		},
374 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
375 		.result = ACCEPT,
376 		.retval = 1,
377 	},
378 	{
379 		"MOD32 by 0, zero check 2, cls",
380 		.insns = {
381 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
382 			BPF_MOV32_IMM(BPF_REG_0, 1),
383 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
384 			BPF_EXIT_INSN(),
385 		},
386 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
387 		.result = ACCEPT,
388 		.retval = 1,
389 	},
390 	{
391 		"MOD64 by 0, zero check 1, cls",
392 		.insns = {
393 			BPF_MOV32_IMM(BPF_REG_1, 0),
394 			BPF_MOV32_IMM(BPF_REG_0, 2),
395 			BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
396 			BPF_EXIT_INSN(),
397 		},
398 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
399 		.result = ACCEPT,
400 		.retval = 2,
401 	},
402 	{
403 		"MOD64 by 0, zero check 2, cls",
404 		.insns = {
405 			BPF_MOV32_IMM(BPF_REG_1, 0),
406 			BPF_MOV32_IMM(BPF_REG_0, -1),
407 			BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
408 			BPF_EXIT_INSN(),
409 		},
410 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
411 		.result = ACCEPT,
412 		.retval = -1,
413 	},
414 	/* Just make sure that JITs used udiv/umod as otherwise we get
415 	 * an exception from INT_MIN/-1 overflow similarly as with div
416 	 * by zero.
417 	 */
418 	{
419 		"DIV32 overflow, check 1",
420 		.insns = {
421 			BPF_MOV32_IMM(BPF_REG_1, -1),
422 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
423 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
424 			BPF_EXIT_INSN(),
425 		},
426 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
427 		.result = ACCEPT,
428 		.retval = 0,
429 	},
430 	{
431 		"DIV32 overflow, check 2",
432 		.insns = {
433 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
434 			BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
435 			BPF_EXIT_INSN(),
436 		},
437 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
438 		.result = ACCEPT,
439 		.retval = 0,
440 	},
441 	{
442 		"DIV64 overflow, check 1",
443 		.insns = {
444 			BPF_MOV64_IMM(BPF_REG_1, -1),
445 			BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
446 			BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
447 			BPF_EXIT_INSN(),
448 		},
449 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
450 		.result = ACCEPT,
451 		.retval = 0,
452 	},
453 	{
454 		"DIV64 overflow, check 2",
455 		.insns = {
456 			BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
457 			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
458 			BPF_EXIT_INSN(),
459 		},
460 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
461 		.result = ACCEPT,
462 		.retval = 0,
463 	},
464 	{
465 		"MOD32 overflow, check 1",
466 		.insns = {
467 			BPF_MOV32_IMM(BPF_REG_1, -1),
468 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
469 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
470 			BPF_EXIT_INSN(),
471 		},
472 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
473 		.result = ACCEPT,
474 		.retval = INT_MIN,
475 	},
476 	{
477 		"MOD32 overflow, check 2",
478 		.insns = {
479 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
480 			BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
481 			BPF_EXIT_INSN(),
482 		},
483 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
484 		.result = ACCEPT,
485 		.retval = INT_MIN,
486 	},
487 	{
488 		"MOD64 overflow, check 1",
489 		.insns = {
490 			BPF_MOV64_IMM(BPF_REG_1, -1),
491 			BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
492 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
493 			BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
494 			BPF_MOV32_IMM(BPF_REG_0, 0),
495 			BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
496 			BPF_MOV32_IMM(BPF_REG_0, 1),
497 			BPF_EXIT_INSN(),
498 		},
499 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
500 		.result = ACCEPT,
501 		.retval = 1,
502 	},
503 	{
504 		"MOD64 overflow, check 2",
505 		.insns = {
506 			BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
507 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
508 			BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
509 			BPF_MOV32_IMM(BPF_REG_0, 0),
510 			BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
511 			BPF_MOV32_IMM(BPF_REG_0, 1),
512 			BPF_EXIT_INSN(),
513 		},
514 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
515 		.result = ACCEPT,
516 		.retval = 1,
517 	},
518 	{
519 		"xor32 zero extend check",
520 		.insns = {
521 			BPF_MOV32_IMM(BPF_REG_2, -1),
522 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
523 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
524 			BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
525 			BPF_MOV32_IMM(BPF_REG_0, 2),
526 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
527 			BPF_MOV32_IMM(BPF_REG_0, 1),
528 			BPF_EXIT_INSN(),
529 		},
530 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
531 		.result = ACCEPT,
532 		.retval = 1,
533 	},
534 	{
535 		"empty prog",
536 		.insns = {
537 		},
538 		.errstr = "unknown opcode 00",
539 		.result = REJECT,
540 	},
541 	{
542 		"only exit insn",
543 		.insns = {
544 			BPF_EXIT_INSN(),
545 		},
546 		.errstr = "R0 !read_ok",
547 		.result = REJECT,
548 	},
549 	{
550 		"unreachable",
551 		.insns = {
552 			BPF_EXIT_INSN(),
553 			BPF_EXIT_INSN(),
554 		},
555 		.errstr = "unreachable",
556 		.result = REJECT,
557 	},
558 	{
559 		"unreachable2",
560 		.insns = {
561 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
562 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
563 			BPF_EXIT_INSN(),
564 		},
565 		.errstr = "unreachable",
566 		.result = REJECT,
567 	},
568 	{
569 		"out of range jump",
570 		.insns = {
571 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
572 			BPF_EXIT_INSN(),
573 		},
574 		.errstr = "jump out of range",
575 		.result = REJECT,
576 	},
577 	{
578 		"out of range jump2",
579 		.insns = {
580 			BPF_JMP_IMM(BPF_JA, 0, 0, -2),
581 			BPF_EXIT_INSN(),
582 		},
583 		.errstr = "jump out of range",
584 		.result = REJECT,
585 	},
586 	{
587 		"test1 ld_imm64",
588 		.insns = {
589 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
590 			BPF_LD_IMM64(BPF_REG_0, 0),
591 			BPF_LD_IMM64(BPF_REG_0, 0),
592 			BPF_LD_IMM64(BPF_REG_0, 1),
593 			BPF_LD_IMM64(BPF_REG_0, 1),
594 			BPF_MOV64_IMM(BPF_REG_0, 2),
595 			BPF_EXIT_INSN(),
596 		},
597 		.errstr = "invalid BPF_LD_IMM insn",
598 		.errstr_unpriv = "R1 pointer comparison",
599 		.result = REJECT,
600 	},
601 	{
602 		"test2 ld_imm64",
603 		.insns = {
604 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
605 			BPF_LD_IMM64(BPF_REG_0, 0),
606 			BPF_LD_IMM64(BPF_REG_0, 0),
607 			BPF_LD_IMM64(BPF_REG_0, 1),
608 			BPF_LD_IMM64(BPF_REG_0, 1),
609 			BPF_EXIT_INSN(),
610 		},
611 		.errstr = "invalid BPF_LD_IMM insn",
612 		.errstr_unpriv = "R1 pointer comparison",
613 		.result = REJECT,
614 	},
615 	{
616 		"test3 ld_imm64",
617 		.insns = {
618 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
619 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
620 			BPF_LD_IMM64(BPF_REG_0, 0),
621 			BPF_LD_IMM64(BPF_REG_0, 0),
622 			BPF_LD_IMM64(BPF_REG_0, 1),
623 			BPF_LD_IMM64(BPF_REG_0, 1),
624 			BPF_EXIT_INSN(),
625 		},
626 		.errstr = "invalid bpf_ld_imm64 insn",
627 		.result = REJECT,
628 	},
629 	{
630 		"test4 ld_imm64",
631 		.insns = {
632 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
633 			BPF_EXIT_INSN(),
634 		},
635 		.errstr = "invalid bpf_ld_imm64 insn",
636 		.result = REJECT,
637 	},
638 	{
639 		"test5 ld_imm64",
640 		.insns = {
641 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
642 		},
643 		.errstr = "invalid bpf_ld_imm64 insn",
644 		.result = REJECT,
645 	},
646 	{
647 		"test6 ld_imm64",
648 		.insns = {
649 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
650 			BPF_RAW_INSN(0, 0, 0, 0, 0),
651 			BPF_EXIT_INSN(),
652 		},
653 		.result = ACCEPT,
654 	},
655 	{
656 		"test7 ld_imm64",
657 		.insns = {
658 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
659 			BPF_RAW_INSN(0, 0, 0, 0, 1),
660 			BPF_EXIT_INSN(),
661 		},
662 		.result = ACCEPT,
663 		.retval = 1,
664 	},
665 	{
666 		"test8 ld_imm64",
667 		.insns = {
668 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
669 			BPF_RAW_INSN(0, 0, 0, 0, 1),
670 			BPF_EXIT_INSN(),
671 		},
672 		.errstr = "uses reserved fields",
673 		.result = REJECT,
674 	},
675 	{
676 		"test9 ld_imm64",
677 		.insns = {
678 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
679 			BPF_RAW_INSN(0, 0, 0, 1, 1),
680 			BPF_EXIT_INSN(),
681 		},
682 		.errstr = "invalid bpf_ld_imm64 insn",
683 		.result = REJECT,
684 	},
685 	{
686 		"test10 ld_imm64",
687 		.insns = {
688 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
689 			BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
690 			BPF_EXIT_INSN(),
691 		},
692 		.errstr = "invalid bpf_ld_imm64 insn",
693 		.result = REJECT,
694 	},
695 	{
696 		"test11 ld_imm64",
697 		.insns = {
698 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
699 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
700 			BPF_EXIT_INSN(),
701 		},
702 		.errstr = "invalid bpf_ld_imm64 insn",
703 		.result = REJECT,
704 	},
705 	{
706 		"test12 ld_imm64",
707 		.insns = {
708 			BPF_MOV64_IMM(BPF_REG_1, 0),
709 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
710 			BPF_RAW_INSN(0, 0, 0, 0, 1),
711 			BPF_EXIT_INSN(),
712 		},
713 		.errstr = "not pointing to valid bpf_map",
714 		.result = REJECT,
715 	},
716 	{
717 		"test13 ld_imm64",
718 		.insns = {
719 			BPF_MOV64_IMM(BPF_REG_1, 0),
720 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
721 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
722 			BPF_EXIT_INSN(),
723 		},
724 		.errstr = "invalid bpf_ld_imm64 insn",
725 		.result = REJECT,
726 	},
727 	{
728 		"arsh32 on imm",
729 		.insns = {
730 			BPF_MOV64_IMM(BPF_REG_0, 1),
731 			BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
732 			BPF_EXIT_INSN(),
733 		},
734 		.result = ACCEPT,
735 		.retval = 0,
736 	},
737 	{
738 		"arsh32 on imm 2",
739 		.insns = {
740 			BPF_LD_IMM64(BPF_REG_0, 0x1122334485667788),
741 			BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 7),
742 			BPF_EXIT_INSN(),
743 		},
744 		.result = ACCEPT,
745 		.retval = -16069393,
746 	},
747 	{
748 		"arsh32 on reg",
749 		.insns = {
750 			BPF_MOV64_IMM(BPF_REG_0, 1),
751 			BPF_MOV64_IMM(BPF_REG_1, 5),
752 			BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
753 			BPF_EXIT_INSN(),
754 		},
755 		.result = ACCEPT,
756 		.retval = 0,
757 	},
758 	{
759 		"arsh32 on reg 2",
760 		.insns = {
761 			BPF_LD_IMM64(BPF_REG_0, 0xffff55667788),
762 			BPF_MOV64_IMM(BPF_REG_1, 15),
763 			BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
764 			BPF_EXIT_INSN(),
765 		},
766 		.result = ACCEPT,
767 		.retval = 43724,
768 	},
769 	{
770 		"arsh64 on imm",
771 		.insns = {
772 			BPF_MOV64_IMM(BPF_REG_0, 1),
773 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
774 			BPF_EXIT_INSN(),
775 		},
776 		.result = ACCEPT,
777 	},
778 	{
779 		"arsh64 on reg",
780 		.insns = {
781 			BPF_MOV64_IMM(BPF_REG_0, 1),
782 			BPF_MOV64_IMM(BPF_REG_1, 5),
783 			BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
784 			BPF_EXIT_INSN(),
785 		},
786 		.result = ACCEPT,
787 	},
788 	{
789 		"no bpf_exit",
790 		.insns = {
791 			BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
792 		},
793 		.errstr = "not an exit",
794 		.result = REJECT,
795 	},
796 	{
797 		"loop (back-edge)",
798 		.insns = {
799 			BPF_JMP_IMM(BPF_JA, 0, 0, -1),
800 			BPF_EXIT_INSN(),
801 		},
802 		.errstr = "back-edge",
803 		.result = REJECT,
804 	},
805 	{
806 		"loop2 (back-edge)",
807 		.insns = {
808 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
809 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
810 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
811 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
812 			BPF_EXIT_INSN(),
813 		},
814 		.errstr = "back-edge",
815 		.result = REJECT,
816 	},
817 	{
818 		"conditional loop",
819 		.insns = {
820 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
821 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
822 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
823 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
824 			BPF_EXIT_INSN(),
825 		},
826 		.errstr = "back-edge",
827 		.result = REJECT,
828 	},
829 	{
830 		"read uninitialized register",
831 		.insns = {
832 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
833 			BPF_EXIT_INSN(),
834 		},
835 		.errstr = "R2 !read_ok",
836 		.result = REJECT,
837 	},
838 	{
839 		"read invalid register",
840 		.insns = {
841 			BPF_MOV64_REG(BPF_REG_0, -1),
842 			BPF_EXIT_INSN(),
843 		},
844 		.errstr = "R15 is invalid",
845 		.result = REJECT,
846 	},
847 	{
848 		"program doesn't init R0 before exit",
849 		.insns = {
850 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
851 			BPF_EXIT_INSN(),
852 		},
853 		.errstr = "R0 !read_ok",
854 		.result = REJECT,
855 	},
856 	{
857 		"program doesn't init R0 before exit in all branches",
858 		.insns = {
859 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
860 			BPF_MOV64_IMM(BPF_REG_0, 1),
861 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
862 			BPF_EXIT_INSN(),
863 		},
864 		.errstr = "R0 !read_ok",
865 		.errstr_unpriv = "R1 pointer comparison",
866 		.result = REJECT,
867 	},
868 	{
869 		"stack out of bounds",
870 		.insns = {
871 			BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
872 			BPF_EXIT_INSN(),
873 		},
874 		.errstr = "invalid stack",
875 		.result = REJECT,
876 	},
877 	{
878 		"invalid call insn1",
879 		.insns = {
880 			BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
881 			BPF_EXIT_INSN(),
882 		},
883 		.errstr = "unknown opcode 8d",
884 		.result = REJECT,
885 	},
886 	{
887 		"invalid call insn2",
888 		.insns = {
889 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
890 			BPF_EXIT_INSN(),
891 		},
892 		.errstr = "BPF_CALL uses reserved",
893 		.result = REJECT,
894 	},
895 	{
896 		"invalid function call",
897 		.insns = {
898 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
899 			BPF_EXIT_INSN(),
900 		},
901 		.errstr = "invalid func unknown#1234567",
902 		.result = REJECT,
903 	},
904 	{
905 		"uninitialized stack1",
906 		.insns = {
907 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
908 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
909 			BPF_LD_MAP_FD(BPF_REG_1, 0),
910 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
911 				     BPF_FUNC_map_lookup_elem),
912 			BPF_EXIT_INSN(),
913 		},
914 		.fixup_map_hash_8b = { 2 },
915 		.errstr = "invalid indirect read from stack",
916 		.result = REJECT,
917 	},
918 	{
919 		"uninitialized stack2",
920 		.insns = {
921 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
922 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
923 			BPF_EXIT_INSN(),
924 		},
925 		.errstr = "invalid read from stack",
926 		.result = REJECT,
927 	},
928 	{
929 		"invalid fp arithmetic",
930 		/* If this gets ever changed, make sure JITs can deal with it. */
931 		.insns = {
932 			BPF_MOV64_IMM(BPF_REG_0, 0),
933 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
934 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
935 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
936 			BPF_EXIT_INSN(),
937 		},
938 		.errstr = "R1 subtraction from stack pointer",
939 		.result = REJECT,
940 	},
941 	{
942 		"non-invalid fp arithmetic",
943 		.insns = {
944 			BPF_MOV64_IMM(BPF_REG_0, 0),
945 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
946 			BPF_EXIT_INSN(),
947 		},
948 		.result = ACCEPT,
949 	},
950 	{
951 		"invalid argument register",
952 		.insns = {
953 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
954 				     BPF_FUNC_get_cgroup_classid),
955 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
956 				     BPF_FUNC_get_cgroup_classid),
957 			BPF_EXIT_INSN(),
958 		},
959 		.errstr = "R1 !read_ok",
960 		.result = REJECT,
961 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
962 	},
963 	{
964 		"non-invalid argument register",
965 		.insns = {
966 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
967 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
968 				     BPF_FUNC_get_cgroup_classid),
969 			BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
970 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
971 				     BPF_FUNC_get_cgroup_classid),
972 			BPF_EXIT_INSN(),
973 		},
974 		.result = ACCEPT,
975 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
976 	},
977 	{
978 		"check valid spill/fill",
979 		.insns = {
980 			/* spill R1(ctx) into stack */
981 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
982 			/* fill it back into R2 */
983 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
984 			/* should be able to access R0 = *(R2 + 8) */
985 			/* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
986 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
987 			BPF_EXIT_INSN(),
988 		},
989 		.errstr_unpriv = "R0 leaks addr",
990 		.result = ACCEPT,
991 		.result_unpriv = REJECT,
992 		.retval = POINTER_VALUE,
993 	},
994 	{
995 		"check valid spill/fill, skb mark",
996 		.insns = {
997 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
998 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
999 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1000 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
1001 				    offsetof(struct __sk_buff, mark)),
1002 			BPF_EXIT_INSN(),
1003 		},
1004 		.result = ACCEPT,
1005 		.result_unpriv = ACCEPT,
1006 	},
1007 	{
1008 		"check corrupted spill/fill",
1009 		.insns = {
1010 			/* spill R1(ctx) into stack */
1011 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
1012 			/* mess up with R1 pointer on stack */
1013 			BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
1014 			/* fill back into R0 is fine for priv.
1015 			 * R0 now becomes SCALAR_VALUE.
1016 			 */
1017 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1018 			/* Load from R0 should fail. */
1019 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8),
1020 			BPF_EXIT_INSN(),
1021 		},
1022 		.errstr_unpriv = "attempt to corrupt spilled",
1023 		.errstr = "R0 invalid mem access 'inv",
1024 		.result = REJECT,
1025 	},
1026 	{
1027 		"check corrupted spill/fill, LSB",
1028 		.insns = {
1029 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
1030 			BPF_ST_MEM(BPF_H, BPF_REG_10, -8, 0xcafe),
1031 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1032 			BPF_EXIT_INSN(),
1033 		},
1034 		.errstr_unpriv = "attempt to corrupt spilled",
1035 		.result_unpriv = REJECT,
1036 		.result = ACCEPT,
1037 		.retval = POINTER_VALUE,
1038 	},
1039 	{
1040 		"check corrupted spill/fill, MSB",
1041 		.insns = {
1042 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
1043 			BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0x12345678),
1044 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1045 			BPF_EXIT_INSN(),
1046 		},
1047 		.errstr_unpriv = "attempt to corrupt spilled",
1048 		.result_unpriv = REJECT,
1049 		.result = ACCEPT,
1050 		.retval = POINTER_VALUE,
1051 	},
1052 	{
1053 		"invalid src register in STX",
1054 		.insns = {
1055 			BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
1056 			BPF_EXIT_INSN(),
1057 		},
1058 		.errstr = "R15 is invalid",
1059 		.result = REJECT,
1060 	},
1061 	{
1062 		"invalid dst register in STX",
1063 		.insns = {
1064 			BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
1065 			BPF_EXIT_INSN(),
1066 		},
1067 		.errstr = "R14 is invalid",
1068 		.result = REJECT,
1069 	},
1070 	{
1071 		"invalid dst register in ST",
1072 		.insns = {
1073 			BPF_ST_MEM(BPF_B, 14, -1, -1),
1074 			BPF_EXIT_INSN(),
1075 		},
1076 		.errstr = "R14 is invalid",
1077 		.result = REJECT,
1078 	},
1079 	{
1080 		"invalid src register in LDX",
1081 		.insns = {
1082 			BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1083 			BPF_EXIT_INSN(),
1084 		},
1085 		.errstr = "R12 is invalid",
1086 		.result = REJECT,
1087 	},
1088 	{
1089 		"invalid dst register in LDX",
1090 		.insns = {
1091 			BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1092 			BPF_EXIT_INSN(),
1093 		},
1094 		.errstr = "R11 is invalid",
1095 		.result = REJECT,
1096 	},
1097 	{
1098 		"junk insn",
1099 		.insns = {
1100 			BPF_RAW_INSN(0, 0, 0, 0, 0),
1101 			BPF_EXIT_INSN(),
1102 		},
1103 		.errstr = "unknown opcode 00",
1104 		.result = REJECT,
1105 	},
1106 	{
1107 		"junk insn2",
1108 		.insns = {
1109 			BPF_RAW_INSN(1, 0, 0, 0, 0),
1110 			BPF_EXIT_INSN(),
1111 		},
1112 		.errstr = "BPF_LDX uses reserved fields",
1113 		.result = REJECT,
1114 	},
1115 	{
1116 		"junk insn3",
1117 		.insns = {
1118 			BPF_RAW_INSN(-1, 0, 0, 0, 0),
1119 			BPF_EXIT_INSN(),
1120 		},
1121 		.errstr = "unknown opcode ff",
1122 		.result = REJECT,
1123 	},
1124 	{
1125 		"junk insn4",
1126 		.insns = {
1127 			BPF_RAW_INSN(-1, -1, -1, -1, -1),
1128 			BPF_EXIT_INSN(),
1129 		},
1130 		.errstr = "unknown opcode ff",
1131 		.result = REJECT,
1132 	},
1133 	{
1134 		"junk insn5",
1135 		.insns = {
1136 			BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1137 			BPF_EXIT_INSN(),
1138 		},
1139 		.errstr = "BPF_ALU uses reserved fields",
1140 		.result = REJECT,
1141 	},
1142 	{
1143 		"misaligned read from stack",
1144 		.insns = {
1145 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1146 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1147 			BPF_EXIT_INSN(),
1148 		},
1149 		.errstr = "misaligned stack access",
1150 		.result = REJECT,
1151 	},
1152 	{
1153 		"invalid map_fd for function call",
1154 		.insns = {
1155 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1156 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1157 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1158 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1159 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1160 				     BPF_FUNC_map_delete_elem),
1161 			BPF_EXIT_INSN(),
1162 		},
1163 		.errstr = "fd 0 is not pointing to valid bpf_map",
1164 		.result = REJECT,
1165 	},
1166 	{
1167 		"don't check return value before access",
1168 		.insns = {
1169 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1170 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1171 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1172 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1173 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1174 				     BPF_FUNC_map_lookup_elem),
1175 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1176 			BPF_EXIT_INSN(),
1177 		},
1178 		.fixup_map_hash_8b = { 3 },
1179 		.errstr = "R0 invalid mem access 'map_value_or_null'",
1180 		.result = REJECT,
1181 	},
1182 	{
1183 		"access memory with incorrect alignment",
1184 		.insns = {
1185 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1186 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1187 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1188 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1189 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1190 				     BPF_FUNC_map_lookup_elem),
1191 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1192 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1193 			BPF_EXIT_INSN(),
1194 		},
1195 		.fixup_map_hash_8b = { 3 },
1196 		.errstr = "misaligned value access",
1197 		.result = REJECT,
1198 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1199 	},
1200 	{
1201 		"sometimes access memory with incorrect alignment",
1202 		.insns = {
1203 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1204 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1205 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1206 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1207 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1208 				     BPF_FUNC_map_lookup_elem),
1209 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1210 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1211 			BPF_EXIT_INSN(),
1212 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1213 			BPF_EXIT_INSN(),
1214 		},
1215 		.fixup_map_hash_8b = { 3 },
1216 		.errstr = "R0 invalid mem access",
1217 		.errstr_unpriv = "R0 leaks addr",
1218 		.result = REJECT,
1219 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1220 	},
1221 	{
1222 		"jump test 1",
1223 		.insns = {
1224 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1225 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1226 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1227 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1228 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1229 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1230 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1231 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1232 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1233 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1234 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1235 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1236 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1237 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1238 			BPF_MOV64_IMM(BPF_REG_0, 0),
1239 			BPF_EXIT_INSN(),
1240 		},
1241 		.errstr_unpriv = "R1 pointer comparison",
1242 		.result_unpriv = REJECT,
1243 		.result = ACCEPT,
1244 	},
1245 	{
1246 		"jump test 2",
1247 		.insns = {
1248 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1249 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1250 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1251 			BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1252 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1253 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1254 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1255 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1256 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1257 			BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1258 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1259 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1260 			BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1261 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1262 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1263 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1264 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1265 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1266 			BPF_MOV64_IMM(BPF_REG_0, 0),
1267 			BPF_EXIT_INSN(),
1268 		},
1269 		.errstr_unpriv = "R1 pointer comparison",
1270 		.result_unpriv = REJECT,
1271 		.result = ACCEPT,
1272 	},
1273 	{
1274 		"jump test 3",
1275 		.insns = {
1276 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1277 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1278 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1279 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1280 			BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1281 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1282 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1283 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1284 			BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1285 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1286 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1287 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1288 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1289 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1290 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1291 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1292 			BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1293 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1294 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1295 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1296 			BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1297 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1298 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1299 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1300 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1301 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1302 				     BPF_FUNC_map_delete_elem),
1303 			BPF_EXIT_INSN(),
1304 		},
1305 		.fixup_map_hash_8b = { 24 },
1306 		.errstr_unpriv = "R1 pointer comparison",
1307 		.result_unpriv = REJECT,
1308 		.result = ACCEPT,
1309 		.retval = -ENOENT,
1310 	},
1311 	{
1312 		"jump test 4",
1313 		.insns = {
1314 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1315 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1316 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1317 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1318 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1319 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1320 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1321 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1322 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1323 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1324 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1325 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1326 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1327 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1328 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1329 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1330 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1331 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1332 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1333 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1334 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1335 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1336 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1337 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1338 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1339 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1340 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1341 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1342 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1343 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1344 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1345 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1346 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1347 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1348 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1349 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1350 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1351 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1352 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1353 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1354 			BPF_MOV64_IMM(BPF_REG_0, 0),
1355 			BPF_EXIT_INSN(),
1356 		},
1357 		.errstr_unpriv = "R1 pointer comparison",
1358 		.result_unpriv = REJECT,
1359 		.result = ACCEPT,
1360 	},
1361 	{
1362 		"jump test 5",
1363 		.insns = {
1364 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1365 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1366 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1367 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1368 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1369 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1370 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1371 			BPF_MOV64_IMM(BPF_REG_0, 0),
1372 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1373 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1374 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1375 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1376 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1377 			BPF_MOV64_IMM(BPF_REG_0, 0),
1378 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1379 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1380 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1381 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1382 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1383 			BPF_MOV64_IMM(BPF_REG_0, 0),
1384 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1385 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1386 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1387 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1388 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1389 			BPF_MOV64_IMM(BPF_REG_0, 0),
1390 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1391 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1392 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1393 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1394 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1395 			BPF_MOV64_IMM(BPF_REG_0, 0),
1396 			BPF_EXIT_INSN(),
1397 		},
1398 		.errstr_unpriv = "R1 pointer comparison",
1399 		.result_unpriv = REJECT,
1400 		.result = ACCEPT,
1401 	},
1402 	{
1403 		"access skb fields ok",
1404 		.insns = {
1405 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1406 				    offsetof(struct __sk_buff, len)),
1407 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1408 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1409 				    offsetof(struct __sk_buff, mark)),
1410 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1411 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1412 				    offsetof(struct __sk_buff, pkt_type)),
1413 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1414 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1415 				    offsetof(struct __sk_buff, queue_mapping)),
1416 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1417 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1418 				    offsetof(struct __sk_buff, protocol)),
1419 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1420 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1421 				    offsetof(struct __sk_buff, vlan_present)),
1422 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1423 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1424 				    offsetof(struct __sk_buff, vlan_tci)),
1425 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1426 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1427 				    offsetof(struct __sk_buff, napi_id)),
1428 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1429 			BPF_EXIT_INSN(),
1430 		},
1431 		.result = ACCEPT,
1432 	},
1433 	{
1434 		"access skb fields bad1",
1435 		.insns = {
1436 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1437 			BPF_EXIT_INSN(),
1438 		},
1439 		.errstr = "invalid bpf_context access",
1440 		.result = REJECT,
1441 	},
1442 	{
1443 		"access skb fields bad2",
1444 		.insns = {
1445 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1446 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1447 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1448 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1449 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1450 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1451 				     BPF_FUNC_map_lookup_elem),
1452 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1453 			BPF_EXIT_INSN(),
1454 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1455 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1456 				    offsetof(struct __sk_buff, pkt_type)),
1457 			BPF_EXIT_INSN(),
1458 		},
1459 		.fixup_map_hash_8b = { 4 },
1460 		.errstr = "different pointers",
1461 		.errstr_unpriv = "R1 pointer comparison",
1462 		.result = REJECT,
1463 	},
1464 	{
1465 		"access skb fields bad3",
1466 		.insns = {
1467 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1468 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1469 				    offsetof(struct __sk_buff, pkt_type)),
1470 			BPF_EXIT_INSN(),
1471 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1472 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1473 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1474 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1475 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1476 				     BPF_FUNC_map_lookup_elem),
1477 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1478 			BPF_EXIT_INSN(),
1479 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1480 			BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1481 		},
1482 		.fixup_map_hash_8b = { 6 },
1483 		.errstr = "different pointers",
1484 		.errstr_unpriv = "R1 pointer comparison",
1485 		.result = REJECT,
1486 	},
1487 	{
1488 		"access skb fields bad4",
1489 		.insns = {
1490 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1491 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1492 				    offsetof(struct __sk_buff, len)),
1493 			BPF_MOV64_IMM(BPF_REG_0, 0),
1494 			BPF_EXIT_INSN(),
1495 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1496 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1497 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1498 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1499 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1500 				     BPF_FUNC_map_lookup_elem),
1501 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1502 			BPF_EXIT_INSN(),
1503 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1504 			BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1505 		},
1506 		.fixup_map_hash_8b = { 7 },
1507 		.errstr = "different pointers",
1508 		.errstr_unpriv = "R1 pointer comparison",
1509 		.result = REJECT,
1510 	},
1511 	{
1512 		"invalid access __sk_buff family",
1513 		.insns = {
1514 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1515 				    offsetof(struct __sk_buff, family)),
1516 			BPF_EXIT_INSN(),
1517 		},
1518 		.errstr = "invalid bpf_context access",
1519 		.result = REJECT,
1520 	},
1521 	{
1522 		"invalid access __sk_buff remote_ip4",
1523 		.insns = {
1524 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1525 				    offsetof(struct __sk_buff, remote_ip4)),
1526 			BPF_EXIT_INSN(),
1527 		},
1528 		.errstr = "invalid bpf_context access",
1529 		.result = REJECT,
1530 	},
1531 	{
1532 		"invalid access __sk_buff local_ip4",
1533 		.insns = {
1534 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1535 				    offsetof(struct __sk_buff, local_ip4)),
1536 			BPF_EXIT_INSN(),
1537 		},
1538 		.errstr = "invalid bpf_context access",
1539 		.result = REJECT,
1540 	},
1541 	{
1542 		"invalid access __sk_buff remote_ip6",
1543 		.insns = {
1544 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1545 				    offsetof(struct __sk_buff, remote_ip6)),
1546 			BPF_EXIT_INSN(),
1547 		},
1548 		.errstr = "invalid bpf_context access",
1549 		.result = REJECT,
1550 	},
1551 	{
1552 		"invalid access __sk_buff local_ip6",
1553 		.insns = {
1554 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1555 				    offsetof(struct __sk_buff, local_ip6)),
1556 			BPF_EXIT_INSN(),
1557 		},
1558 		.errstr = "invalid bpf_context access",
1559 		.result = REJECT,
1560 	},
1561 	{
1562 		"invalid access __sk_buff remote_port",
1563 		.insns = {
1564 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1565 				    offsetof(struct __sk_buff, remote_port)),
1566 			BPF_EXIT_INSN(),
1567 		},
1568 		.errstr = "invalid bpf_context access",
1569 		.result = REJECT,
1570 	},
1571 	{
1572 		"invalid access __sk_buff remote_port",
1573 		.insns = {
1574 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1575 				    offsetof(struct __sk_buff, local_port)),
1576 			BPF_EXIT_INSN(),
1577 		},
1578 		.errstr = "invalid bpf_context access",
1579 		.result = REJECT,
1580 	},
1581 	{
1582 		"valid access __sk_buff family",
1583 		.insns = {
1584 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1585 				    offsetof(struct __sk_buff, family)),
1586 			BPF_EXIT_INSN(),
1587 		},
1588 		.result = ACCEPT,
1589 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1590 	},
1591 	{
1592 		"valid access __sk_buff remote_ip4",
1593 		.insns = {
1594 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1595 				    offsetof(struct __sk_buff, remote_ip4)),
1596 			BPF_EXIT_INSN(),
1597 		},
1598 		.result = ACCEPT,
1599 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1600 	},
1601 	{
1602 		"valid access __sk_buff local_ip4",
1603 		.insns = {
1604 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1605 				    offsetof(struct __sk_buff, local_ip4)),
1606 			BPF_EXIT_INSN(),
1607 		},
1608 		.result = ACCEPT,
1609 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1610 	},
1611 	{
1612 		"valid access __sk_buff remote_ip6",
1613 		.insns = {
1614 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1615 				    offsetof(struct __sk_buff, remote_ip6[0])),
1616 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1617 				    offsetof(struct __sk_buff, remote_ip6[1])),
1618 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1619 				    offsetof(struct __sk_buff, remote_ip6[2])),
1620 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1621 				    offsetof(struct __sk_buff, remote_ip6[3])),
1622 			BPF_EXIT_INSN(),
1623 		},
1624 		.result = ACCEPT,
1625 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1626 	},
1627 	{
1628 		"valid access __sk_buff local_ip6",
1629 		.insns = {
1630 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1631 				    offsetof(struct __sk_buff, local_ip6[0])),
1632 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1633 				    offsetof(struct __sk_buff, local_ip6[1])),
1634 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1635 				    offsetof(struct __sk_buff, local_ip6[2])),
1636 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1637 				    offsetof(struct __sk_buff, local_ip6[3])),
1638 			BPF_EXIT_INSN(),
1639 		},
1640 		.result = ACCEPT,
1641 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1642 	},
1643 	{
1644 		"valid access __sk_buff remote_port",
1645 		.insns = {
1646 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1647 				    offsetof(struct __sk_buff, remote_port)),
1648 			BPF_EXIT_INSN(),
1649 		},
1650 		.result = ACCEPT,
1651 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1652 	},
1653 	{
1654 		"valid access __sk_buff remote_port",
1655 		.insns = {
1656 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1657 				    offsetof(struct __sk_buff, local_port)),
1658 			BPF_EXIT_INSN(),
1659 		},
1660 		.result = ACCEPT,
1661 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1662 	},
1663 	{
1664 		"invalid access of tc_classid for SK_SKB",
1665 		.insns = {
1666 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1667 				    offsetof(struct __sk_buff, tc_classid)),
1668 			BPF_EXIT_INSN(),
1669 		},
1670 		.result = REJECT,
1671 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1672 		.errstr = "invalid bpf_context access",
1673 	},
1674 	{
1675 		"invalid access of skb->mark for SK_SKB",
1676 		.insns = {
1677 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1678 				    offsetof(struct __sk_buff, mark)),
1679 			BPF_EXIT_INSN(),
1680 		},
1681 		.result =  REJECT,
1682 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1683 		.errstr = "invalid bpf_context access",
1684 	},
1685 	{
1686 		"check skb->mark is not writeable by SK_SKB",
1687 		.insns = {
1688 			BPF_MOV64_IMM(BPF_REG_0, 0),
1689 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1690 				    offsetof(struct __sk_buff, mark)),
1691 			BPF_EXIT_INSN(),
1692 		},
1693 		.result =  REJECT,
1694 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1695 		.errstr = "invalid bpf_context access",
1696 	},
1697 	{
1698 		"check skb->tc_index is writeable by SK_SKB",
1699 		.insns = {
1700 			BPF_MOV64_IMM(BPF_REG_0, 0),
1701 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1702 				    offsetof(struct __sk_buff, tc_index)),
1703 			BPF_EXIT_INSN(),
1704 		},
1705 		.result = ACCEPT,
1706 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1707 	},
1708 	{
1709 		"check skb->priority is writeable by SK_SKB",
1710 		.insns = {
1711 			BPF_MOV64_IMM(BPF_REG_0, 0),
1712 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1713 				    offsetof(struct __sk_buff, priority)),
1714 			BPF_EXIT_INSN(),
1715 		},
1716 		.result = ACCEPT,
1717 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1718 	},
1719 	{
1720 		"direct packet read for SK_SKB",
1721 		.insns = {
1722 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1723 				    offsetof(struct __sk_buff, data)),
1724 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1725 				    offsetof(struct __sk_buff, data_end)),
1726 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1727 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1728 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1729 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1730 			BPF_MOV64_IMM(BPF_REG_0, 0),
1731 			BPF_EXIT_INSN(),
1732 		},
1733 		.result = ACCEPT,
1734 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1735 	},
1736 	{
1737 		"direct packet write for SK_SKB",
1738 		.insns = {
1739 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1740 				    offsetof(struct __sk_buff, data)),
1741 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1742 				    offsetof(struct __sk_buff, data_end)),
1743 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1744 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1745 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1746 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1747 			BPF_MOV64_IMM(BPF_REG_0, 0),
1748 			BPF_EXIT_INSN(),
1749 		},
1750 		.result = ACCEPT,
1751 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1752 	},
1753 	{
1754 		"overlapping checks for direct packet access SK_SKB",
1755 		.insns = {
1756 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1757 				    offsetof(struct __sk_buff, data)),
1758 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1759 				    offsetof(struct __sk_buff, data_end)),
1760 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1761 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1762 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1763 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1764 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1765 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1766 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1767 			BPF_MOV64_IMM(BPF_REG_0, 0),
1768 			BPF_EXIT_INSN(),
1769 		},
1770 		.result = ACCEPT,
1771 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1772 	},
1773 	{
1774 		"valid access family in SK_MSG",
1775 		.insns = {
1776 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1777 				    offsetof(struct sk_msg_md, family)),
1778 			BPF_EXIT_INSN(),
1779 		},
1780 		.result = ACCEPT,
1781 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1782 	},
1783 	{
1784 		"valid access remote_ip4 in SK_MSG",
1785 		.insns = {
1786 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1787 				    offsetof(struct sk_msg_md, remote_ip4)),
1788 			BPF_EXIT_INSN(),
1789 		},
1790 		.result = ACCEPT,
1791 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1792 	},
1793 	{
1794 		"valid access local_ip4 in SK_MSG",
1795 		.insns = {
1796 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1797 				    offsetof(struct sk_msg_md, local_ip4)),
1798 			BPF_EXIT_INSN(),
1799 		},
1800 		.result = ACCEPT,
1801 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1802 	},
1803 	{
1804 		"valid access remote_port in SK_MSG",
1805 		.insns = {
1806 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1807 				    offsetof(struct sk_msg_md, remote_port)),
1808 			BPF_EXIT_INSN(),
1809 		},
1810 		.result = ACCEPT,
1811 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1812 	},
1813 	{
1814 		"valid access local_port in SK_MSG",
1815 		.insns = {
1816 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1817 				    offsetof(struct sk_msg_md, local_port)),
1818 			BPF_EXIT_INSN(),
1819 		},
1820 		.result = ACCEPT,
1821 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1822 	},
1823 	{
1824 		"valid access remote_ip6 in SK_MSG",
1825 		.insns = {
1826 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1827 				    offsetof(struct sk_msg_md, remote_ip6[0])),
1828 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1829 				    offsetof(struct sk_msg_md, remote_ip6[1])),
1830 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1831 				    offsetof(struct sk_msg_md, remote_ip6[2])),
1832 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1833 				    offsetof(struct sk_msg_md, remote_ip6[3])),
1834 			BPF_EXIT_INSN(),
1835 		},
1836 		.result = ACCEPT,
1837 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1838 	},
1839 	{
1840 		"valid access local_ip6 in SK_MSG",
1841 		.insns = {
1842 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1843 				    offsetof(struct sk_msg_md, local_ip6[0])),
1844 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1845 				    offsetof(struct sk_msg_md, local_ip6[1])),
1846 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1847 				    offsetof(struct sk_msg_md, local_ip6[2])),
1848 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1849 				    offsetof(struct sk_msg_md, local_ip6[3])),
1850 			BPF_EXIT_INSN(),
1851 		},
1852 		.result = ACCEPT,
1853 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1854 	},
1855 	{
1856 		"valid access size in SK_MSG",
1857 		.insns = {
1858 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1859 				    offsetof(struct sk_msg_md, size)),
1860 			BPF_EXIT_INSN(),
1861 		},
1862 		.result = ACCEPT,
1863 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1864 	},
1865 	{
1866 		"invalid 64B read of size in SK_MSG",
1867 		.insns = {
1868 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1869 				    offsetof(struct sk_msg_md, size)),
1870 			BPF_EXIT_INSN(),
1871 		},
1872 		.errstr = "invalid bpf_context access",
1873 		.result = REJECT,
1874 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1875 	},
1876 	{
1877 		"invalid read past end of SK_MSG",
1878 		.insns = {
1879 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1880 				    offsetof(struct sk_msg_md, size) + 4),
1881 			BPF_EXIT_INSN(),
1882 		},
1883 		.errstr = "invalid bpf_context access",
1884 		.result = REJECT,
1885 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1886 	},
1887 	{
1888 		"invalid read offset in SK_MSG",
1889 		.insns = {
1890 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1891 				    offsetof(struct sk_msg_md, family) + 1),
1892 			BPF_EXIT_INSN(),
1893 		},
1894 		.errstr = "invalid bpf_context access",
1895 		.result = REJECT,
1896 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1897 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1898 	},
1899 	{
1900 		"direct packet read for SK_MSG",
1901 		.insns = {
1902 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1903 				    offsetof(struct sk_msg_md, data)),
1904 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1905 				    offsetof(struct sk_msg_md, data_end)),
1906 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1907 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1908 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1909 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1910 			BPF_MOV64_IMM(BPF_REG_0, 0),
1911 			BPF_EXIT_INSN(),
1912 		},
1913 		.result = ACCEPT,
1914 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1915 	},
1916 	{
1917 		"direct packet write for SK_MSG",
1918 		.insns = {
1919 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1920 				    offsetof(struct sk_msg_md, data)),
1921 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1922 				    offsetof(struct sk_msg_md, data_end)),
1923 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1924 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1925 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1926 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1927 			BPF_MOV64_IMM(BPF_REG_0, 0),
1928 			BPF_EXIT_INSN(),
1929 		},
1930 		.result = ACCEPT,
1931 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1932 	},
1933 	{
1934 		"overlapping checks for direct packet access SK_MSG",
1935 		.insns = {
1936 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1937 				    offsetof(struct sk_msg_md, data)),
1938 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1939 				    offsetof(struct sk_msg_md, data_end)),
1940 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1941 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1942 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1943 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1944 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1945 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1946 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1947 			BPF_MOV64_IMM(BPF_REG_0, 0),
1948 			BPF_EXIT_INSN(),
1949 		},
1950 		.result = ACCEPT,
1951 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1952 	},
1953 	{
1954 		"check skb->mark is not writeable by sockets",
1955 		.insns = {
1956 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1957 				    offsetof(struct __sk_buff, mark)),
1958 			BPF_EXIT_INSN(),
1959 		},
1960 		.errstr = "invalid bpf_context access",
1961 		.errstr_unpriv = "R1 leaks addr",
1962 		.result = REJECT,
1963 	},
1964 	{
1965 		"check skb->tc_index is not writeable by sockets",
1966 		.insns = {
1967 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1968 				    offsetof(struct __sk_buff, tc_index)),
1969 			BPF_EXIT_INSN(),
1970 		},
1971 		.errstr = "invalid bpf_context access",
1972 		.errstr_unpriv = "R1 leaks addr",
1973 		.result = REJECT,
1974 	},
1975 	{
1976 		"check cb access: byte",
1977 		.insns = {
1978 			BPF_MOV64_IMM(BPF_REG_0, 0),
1979 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1980 				    offsetof(struct __sk_buff, cb[0])),
1981 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1982 				    offsetof(struct __sk_buff, cb[0]) + 1),
1983 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1984 				    offsetof(struct __sk_buff, cb[0]) + 2),
1985 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1986 				    offsetof(struct __sk_buff, cb[0]) + 3),
1987 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1988 				    offsetof(struct __sk_buff, cb[1])),
1989 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1990 				    offsetof(struct __sk_buff, cb[1]) + 1),
1991 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1992 				    offsetof(struct __sk_buff, cb[1]) + 2),
1993 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1994 				    offsetof(struct __sk_buff, cb[1]) + 3),
1995 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1996 				    offsetof(struct __sk_buff, cb[2])),
1997 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1998 				    offsetof(struct __sk_buff, cb[2]) + 1),
1999 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2000 				    offsetof(struct __sk_buff, cb[2]) + 2),
2001 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2002 				    offsetof(struct __sk_buff, cb[2]) + 3),
2003 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2004 				    offsetof(struct __sk_buff, cb[3])),
2005 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2006 				    offsetof(struct __sk_buff, cb[3]) + 1),
2007 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2008 				    offsetof(struct __sk_buff, cb[3]) + 2),
2009 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2010 				    offsetof(struct __sk_buff, cb[3]) + 3),
2011 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2012 				    offsetof(struct __sk_buff, cb[4])),
2013 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2014 				    offsetof(struct __sk_buff, cb[4]) + 1),
2015 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2016 				    offsetof(struct __sk_buff, cb[4]) + 2),
2017 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2018 				    offsetof(struct __sk_buff, cb[4]) + 3),
2019 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2020 				    offsetof(struct __sk_buff, cb[0])),
2021 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2022 				    offsetof(struct __sk_buff, cb[0]) + 1),
2023 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2024 				    offsetof(struct __sk_buff, cb[0]) + 2),
2025 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2026 				    offsetof(struct __sk_buff, cb[0]) + 3),
2027 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2028 				    offsetof(struct __sk_buff, cb[1])),
2029 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2030 				    offsetof(struct __sk_buff, cb[1]) + 1),
2031 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2032 				    offsetof(struct __sk_buff, cb[1]) + 2),
2033 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2034 				    offsetof(struct __sk_buff, cb[1]) + 3),
2035 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2036 				    offsetof(struct __sk_buff, cb[2])),
2037 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2038 				    offsetof(struct __sk_buff, cb[2]) + 1),
2039 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2040 				    offsetof(struct __sk_buff, cb[2]) + 2),
2041 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2042 				    offsetof(struct __sk_buff, cb[2]) + 3),
2043 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2044 				    offsetof(struct __sk_buff, cb[3])),
2045 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2046 				    offsetof(struct __sk_buff, cb[3]) + 1),
2047 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2048 				    offsetof(struct __sk_buff, cb[3]) + 2),
2049 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2050 				    offsetof(struct __sk_buff, cb[3]) + 3),
2051 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2052 				    offsetof(struct __sk_buff, cb[4])),
2053 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2054 				    offsetof(struct __sk_buff, cb[4]) + 1),
2055 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2056 				    offsetof(struct __sk_buff, cb[4]) + 2),
2057 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2058 				    offsetof(struct __sk_buff, cb[4]) + 3),
2059 			BPF_EXIT_INSN(),
2060 		},
2061 		.result = ACCEPT,
2062 	},
2063 	{
2064 		"__sk_buff->hash, offset 0, byte store not permitted",
2065 		.insns = {
2066 			BPF_MOV64_IMM(BPF_REG_0, 0),
2067 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2068 				    offsetof(struct __sk_buff, hash)),
2069 			BPF_EXIT_INSN(),
2070 		},
2071 		.errstr = "invalid bpf_context access",
2072 		.result = REJECT,
2073 	},
2074 	{
2075 		"__sk_buff->tc_index, offset 3, byte store not permitted",
2076 		.insns = {
2077 			BPF_MOV64_IMM(BPF_REG_0, 0),
2078 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2079 				    offsetof(struct __sk_buff, tc_index) + 3),
2080 			BPF_EXIT_INSN(),
2081 		},
2082 		.errstr = "invalid bpf_context access",
2083 		.result = REJECT,
2084 	},
2085 	{
2086 		"check skb->hash byte load permitted",
2087 		.insns = {
2088 			BPF_MOV64_IMM(BPF_REG_0, 0),
2089 #if __BYTE_ORDER == __LITTLE_ENDIAN
2090 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2091 				    offsetof(struct __sk_buff, hash)),
2092 #else
2093 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2094 				    offsetof(struct __sk_buff, hash) + 3),
2095 #endif
2096 			BPF_EXIT_INSN(),
2097 		},
2098 		.result = ACCEPT,
2099 	},
2100 	{
2101 		"check skb->hash byte load permitted 1",
2102 		.insns = {
2103 			BPF_MOV64_IMM(BPF_REG_0, 0),
2104 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2105 				    offsetof(struct __sk_buff, hash) + 1),
2106 			BPF_EXIT_INSN(),
2107 		},
2108 		.result = ACCEPT,
2109 	},
2110 	{
2111 		"check skb->hash byte load permitted 2",
2112 		.insns = {
2113 			BPF_MOV64_IMM(BPF_REG_0, 0),
2114 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2115 				    offsetof(struct __sk_buff, hash) + 2),
2116 			BPF_EXIT_INSN(),
2117 		},
2118 		.result = ACCEPT,
2119 	},
2120 	{
2121 		"check skb->hash byte load permitted 3",
2122 		.insns = {
2123 			BPF_MOV64_IMM(BPF_REG_0, 0),
2124 #if __BYTE_ORDER == __LITTLE_ENDIAN
2125 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2126 				    offsetof(struct __sk_buff, hash) + 3),
2127 #else
2128 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2129 				    offsetof(struct __sk_buff, hash)),
2130 #endif
2131 			BPF_EXIT_INSN(),
2132 		},
2133 		.result = ACCEPT,
2134 	},
2135 	{
2136 		"check cb access: byte, wrong type",
2137 		.insns = {
2138 			BPF_MOV64_IMM(BPF_REG_0, 0),
2139 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2140 				    offsetof(struct __sk_buff, cb[0])),
2141 			BPF_EXIT_INSN(),
2142 		},
2143 		.errstr = "invalid bpf_context access",
2144 		.result = REJECT,
2145 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2146 	},
2147 	{
2148 		"check cb access: half",
2149 		.insns = {
2150 			BPF_MOV64_IMM(BPF_REG_0, 0),
2151 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2152 				    offsetof(struct __sk_buff, cb[0])),
2153 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2154 				    offsetof(struct __sk_buff, cb[0]) + 2),
2155 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2156 				    offsetof(struct __sk_buff, cb[1])),
2157 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2158 				    offsetof(struct __sk_buff, cb[1]) + 2),
2159 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2160 				    offsetof(struct __sk_buff, cb[2])),
2161 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2162 				    offsetof(struct __sk_buff, cb[2]) + 2),
2163 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2164 				    offsetof(struct __sk_buff, cb[3])),
2165 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2166 				    offsetof(struct __sk_buff, cb[3]) + 2),
2167 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2168 				    offsetof(struct __sk_buff, cb[4])),
2169 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2170 				    offsetof(struct __sk_buff, cb[4]) + 2),
2171 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2172 				    offsetof(struct __sk_buff, cb[0])),
2173 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2174 				    offsetof(struct __sk_buff, cb[0]) + 2),
2175 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2176 				    offsetof(struct __sk_buff, cb[1])),
2177 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2178 				    offsetof(struct __sk_buff, cb[1]) + 2),
2179 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2180 				    offsetof(struct __sk_buff, cb[2])),
2181 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2182 				    offsetof(struct __sk_buff, cb[2]) + 2),
2183 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2184 				    offsetof(struct __sk_buff, cb[3])),
2185 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2186 				    offsetof(struct __sk_buff, cb[3]) + 2),
2187 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2188 				    offsetof(struct __sk_buff, cb[4])),
2189 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2190 				    offsetof(struct __sk_buff, cb[4]) + 2),
2191 			BPF_EXIT_INSN(),
2192 		},
2193 		.result = ACCEPT,
2194 	},
2195 	{
2196 		"check cb access: half, unaligned",
2197 		.insns = {
2198 			BPF_MOV64_IMM(BPF_REG_0, 0),
2199 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2200 				    offsetof(struct __sk_buff, cb[0]) + 1),
2201 			BPF_EXIT_INSN(),
2202 		},
2203 		.errstr = "misaligned context access",
2204 		.result = REJECT,
2205 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2206 	},
2207 	{
2208 		"check __sk_buff->hash, offset 0, half store not permitted",
2209 		.insns = {
2210 			BPF_MOV64_IMM(BPF_REG_0, 0),
2211 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2212 				    offsetof(struct __sk_buff, hash)),
2213 			BPF_EXIT_INSN(),
2214 		},
2215 		.errstr = "invalid bpf_context access",
2216 		.result = REJECT,
2217 	},
2218 	{
2219 		"check __sk_buff->tc_index, offset 2, half store not permitted",
2220 		.insns = {
2221 			BPF_MOV64_IMM(BPF_REG_0, 0),
2222 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2223 				    offsetof(struct __sk_buff, tc_index) + 2),
2224 			BPF_EXIT_INSN(),
2225 		},
2226 		.errstr = "invalid bpf_context access",
2227 		.result = REJECT,
2228 	},
2229 	{
2230 		"check skb->hash half load permitted",
2231 		.insns = {
2232 			BPF_MOV64_IMM(BPF_REG_0, 0),
2233 #if __BYTE_ORDER == __LITTLE_ENDIAN
2234 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2235 				    offsetof(struct __sk_buff, hash)),
2236 #else
2237 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2238 				    offsetof(struct __sk_buff, hash) + 2),
2239 #endif
2240 			BPF_EXIT_INSN(),
2241 		},
2242 		.result = ACCEPT,
2243 	},
2244 	{
2245 		"check skb->hash half load permitted 2",
2246 		.insns = {
2247 			BPF_MOV64_IMM(BPF_REG_0, 0),
2248 #if __BYTE_ORDER == __LITTLE_ENDIAN
2249 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2250 				    offsetof(struct __sk_buff, hash) + 2),
2251 #else
2252 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2253 				    offsetof(struct __sk_buff, hash)),
2254 #endif
2255 			BPF_EXIT_INSN(),
2256 		},
2257 		.result = ACCEPT,
2258 	},
2259 	{
2260 		"check skb->hash half load not permitted, unaligned 1",
2261 		.insns = {
2262 			BPF_MOV64_IMM(BPF_REG_0, 0),
2263 #if __BYTE_ORDER == __LITTLE_ENDIAN
2264 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2265 				    offsetof(struct __sk_buff, hash) + 1),
2266 #else
2267 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2268 				    offsetof(struct __sk_buff, hash) + 3),
2269 #endif
2270 			BPF_EXIT_INSN(),
2271 		},
2272 		.errstr = "invalid bpf_context access",
2273 		.result = REJECT,
2274 	},
2275 	{
2276 		"check skb->hash half load not permitted, unaligned 3",
2277 		.insns = {
2278 			BPF_MOV64_IMM(BPF_REG_0, 0),
2279 #if __BYTE_ORDER == __LITTLE_ENDIAN
2280 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2281 				    offsetof(struct __sk_buff, hash) + 3),
2282 #else
2283 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2284 				    offsetof(struct __sk_buff, hash) + 1),
2285 #endif
2286 			BPF_EXIT_INSN(),
2287 		},
2288 		.errstr = "invalid bpf_context access",
2289 		.result = REJECT,
2290 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2291 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2292 	},
2293 	{
2294 		"check cb access: half, wrong type",
2295 		.insns = {
2296 			BPF_MOV64_IMM(BPF_REG_0, 0),
2297 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2298 				    offsetof(struct __sk_buff, cb[0])),
2299 			BPF_EXIT_INSN(),
2300 		},
2301 		.errstr = "invalid bpf_context access",
2302 		.result = REJECT,
2303 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2304 	},
2305 	{
2306 		"check cb access: word",
2307 		.insns = {
2308 			BPF_MOV64_IMM(BPF_REG_0, 0),
2309 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2310 				    offsetof(struct __sk_buff, cb[0])),
2311 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2312 				    offsetof(struct __sk_buff, cb[1])),
2313 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2314 				    offsetof(struct __sk_buff, cb[2])),
2315 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2316 				    offsetof(struct __sk_buff, cb[3])),
2317 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2318 				    offsetof(struct __sk_buff, cb[4])),
2319 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2320 				    offsetof(struct __sk_buff, cb[0])),
2321 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2322 				    offsetof(struct __sk_buff, cb[1])),
2323 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2324 				    offsetof(struct __sk_buff, cb[2])),
2325 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2326 				    offsetof(struct __sk_buff, cb[3])),
2327 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2328 				    offsetof(struct __sk_buff, cb[4])),
2329 			BPF_EXIT_INSN(),
2330 		},
2331 		.result = ACCEPT,
2332 	},
2333 	{
2334 		"check cb access: word, unaligned 1",
2335 		.insns = {
2336 			BPF_MOV64_IMM(BPF_REG_0, 0),
2337 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2338 				    offsetof(struct __sk_buff, cb[0]) + 2),
2339 			BPF_EXIT_INSN(),
2340 		},
2341 		.errstr = "misaligned context access",
2342 		.result = REJECT,
2343 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2344 	},
2345 	{
2346 		"check cb access: word, unaligned 2",
2347 		.insns = {
2348 			BPF_MOV64_IMM(BPF_REG_0, 0),
2349 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2350 				    offsetof(struct __sk_buff, cb[4]) + 1),
2351 			BPF_EXIT_INSN(),
2352 		},
2353 		.errstr = "misaligned context access",
2354 		.result = REJECT,
2355 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2356 	},
2357 	{
2358 		"check cb access: word, unaligned 3",
2359 		.insns = {
2360 			BPF_MOV64_IMM(BPF_REG_0, 0),
2361 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2362 				    offsetof(struct __sk_buff, cb[4]) + 2),
2363 			BPF_EXIT_INSN(),
2364 		},
2365 		.errstr = "misaligned context access",
2366 		.result = REJECT,
2367 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2368 	},
2369 	{
2370 		"check cb access: word, unaligned 4",
2371 		.insns = {
2372 			BPF_MOV64_IMM(BPF_REG_0, 0),
2373 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2374 				    offsetof(struct __sk_buff, cb[4]) + 3),
2375 			BPF_EXIT_INSN(),
2376 		},
2377 		.errstr = "misaligned context access",
2378 		.result = REJECT,
2379 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2380 	},
2381 	{
2382 		"check cb access: double",
2383 		.insns = {
2384 			BPF_MOV64_IMM(BPF_REG_0, 0),
2385 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2386 				    offsetof(struct __sk_buff, cb[0])),
2387 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2388 				    offsetof(struct __sk_buff, cb[2])),
2389 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2390 				    offsetof(struct __sk_buff, cb[0])),
2391 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2392 				    offsetof(struct __sk_buff, cb[2])),
2393 			BPF_EXIT_INSN(),
2394 		},
2395 		.result = ACCEPT,
2396 	},
2397 	{
2398 		"check cb access: double, unaligned 1",
2399 		.insns = {
2400 			BPF_MOV64_IMM(BPF_REG_0, 0),
2401 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2402 				    offsetof(struct __sk_buff, cb[1])),
2403 			BPF_EXIT_INSN(),
2404 		},
2405 		.errstr = "misaligned context access",
2406 		.result = REJECT,
2407 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2408 	},
2409 	{
2410 		"check cb access: double, unaligned 2",
2411 		.insns = {
2412 			BPF_MOV64_IMM(BPF_REG_0, 0),
2413 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2414 				    offsetof(struct __sk_buff, cb[3])),
2415 			BPF_EXIT_INSN(),
2416 		},
2417 		.errstr = "misaligned context access",
2418 		.result = REJECT,
2419 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2420 	},
2421 	{
2422 		"check cb access: double, oob 1",
2423 		.insns = {
2424 			BPF_MOV64_IMM(BPF_REG_0, 0),
2425 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2426 				    offsetof(struct __sk_buff, cb[4])),
2427 			BPF_EXIT_INSN(),
2428 		},
2429 		.errstr = "invalid bpf_context access",
2430 		.result = REJECT,
2431 	},
2432 	{
2433 		"check cb access: double, oob 2",
2434 		.insns = {
2435 			BPF_MOV64_IMM(BPF_REG_0, 0),
2436 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2437 				    offsetof(struct __sk_buff, cb[4])),
2438 			BPF_EXIT_INSN(),
2439 		},
2440 		.errstr = "invalid bpf_context access",
2441 		.result = REJECT,
2442 	},
2443 	{
2444 		"check __sk_buff->ifindex dw store not permitted",
2445 		.insns = {
2446 			BPF_MOV64_IMM(BPF_REG_0, 0),
2447 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2448 				    offsetof(struct __sk_buff, ifindex)),
2449 			BPF_EXIT_INSN(),
2450 		},
2451 		.errstr = "invalid bpf_context access",
2452 		.result = REJECT,
2453 	},
2454 	{
2455 		"check __sk_buff->ifindex dw load not permitted",
2456 		.insns = {
2457 			BPF_MOV64_IMM(BPF_REG_0, 0),
2458 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2459 				    offsetof(struct __sk_buff, ifindex)),
2460 			BPF_EXIT_INSN(),
2461 		},
2462 		.errstr = "invalid bpf_context access",
2463 		.result = REJECT,
2464 	},
2465 	{
2466 		"check cb access: double, wrong type",
2467 		.insns = {
2468 			BPF_MOV64_IMM(BPF_REG_0, 0),
2469 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2470 				    offsetof(struct __sk_buff, cb[0])),
2471 			BPF_EXIT_INSN(),
2472 		},
2473 		.errstr = "invalid bpf_context access",
2474 		.result = REJECT,
2475 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2476 	},
2477 	{
2478 		"check out of range skb->cb access",
2479 		.insns = {
2480 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2481 				    offsetof(struct __sk_buff, cb[0]) + 256),
2482 			BPF_EXIT_INSN(),
2483 		},
2484 		.errstr = "invalid bpf_context access",
2485 		.errstr_unpriv = "",
2486 		.result = REJECT,
2487 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
2488 	},
2489 	{
2490 		"write skb fields from socket prog",
2491 		.insns = {
2492 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2493 				    offsetof(struct __sk_buff, cb[4])),
2494 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2495 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2496 				    offsetof(struct __sk_buff, mark)),
2497 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2498 				    offsetof(struct __sk_buff, tc_index)),
2499 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2500 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2501 				    offsetof(struct __sk_buff, cb[0])),
2502 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2503 				    offsetof(struct __sk_buff, cb[2])),
2504 			BPF_EXIT_INSN(),
2505 		},
2506 		.result = ACCEPT,
2507 		.errstr_unpriv = "R1 leaks addr",
2508 		.result_unpriv = REJECT,
2509 	},
2510 	{
2511 		"write skb fields from tc_cls_act prog",
2512 		.insns = {
2513 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2514 				    offsetof(struct __sk_buff, cb[0])),
2515 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2516 				    offsetof(struct __sk_buff, mark)),
2517 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2518 				    offsetof(struct __sk_buff, tc_index)),
2519 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2520 				    offsetof(struct __sk_buff, tc_index)),
2521 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2522 				    offsetof(struct __sk_buff, cb[3])),
2523 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2524 				    offsetof(struct __sk_buff, tstamp)),
2525 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2526 				    offsetof(struct __sk_buff, tstamp)),
2527 			BPF_EXIT_INSN(),
2528 		},
2529 		.errstr_unpriv = "",
2530 		.result_unpriv = REJECT,
2531 		.result = ACCEPT,
2532 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2533 	},
2534 	{
2535 		"PTR_TO_STACK store/load",
2536 		.insns = {
2537 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2538 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2539 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2540 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2541 			BPF_EXIT_INSN(),
2542 		},
2543 		.result = ACCEPT,
2544 		.retval = 0xfaceb00c,
2545 	},
2546 	{
2547 		"PTR_TO_STACK store/load - bad alignment on off",
2548 		.insns = {
2549 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2550 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2551 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2552 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2553 			BPF_EXIT_INSN(),
2554 		},
2555 		.result = REJECT,
2556 		.errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2557 	},
2558 	{
2559 		"PTR_TO_STACK store/load - bad alignment on reg",
2560 		.insns = {
2561 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2562 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2563 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2564 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2565 			BPF_EXIT_INSN(),
2566 		},
2567 		.result = REJECT,
2568 		.errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2569 	},
2570 	{
2571 		"PTR_TO_STACK store/load - out of bounds low",
2572 		.insns = {
2573 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2574 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2575 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2576 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2577 			BPF_EXIT_INSN(),
2578 		},
2579 		.result = REJECT,
2580 		.errstr = "invalid stack off=-79992 size=8",
2581 		.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
2582 	},
2583 	{
2584 		"PTR_TO_STACK store/load - out of bounds high",
2585 		.insns = {
2586 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2587 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2588 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2589 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2590 			BPF_EXIT_INSN(),
2591 		},
2592 		.result = REJECT,
2593 		.errstr = "invalid stack off=0 size=8",
2594 	},
2595 	{
2596 		"unpriv: return pointer",
2597 		.insns = {
2598 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2599 			BPF_EXIT_INSN(),
2600 		},
2601 		.result = ACCEPT,
2602 		.result_unpriv = REJECT,
2603 		.errstr_unpriv = "R0 leaks addr",
2604 		.retval = POINTER_VALUE,
2605 	},
2606 	{
2607 		"unpriv: add const to pointer",
2608 		.insns = {
2609 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2610 			BPF_MOV64_IMM(BPF_REG_0, 0),
2611 			BPF_EXIT_INSN(),
2612 		},
2613 		.result = ACCEPT,
2614 	},
2615 	{
2616 		"unpriv: add pointer to pointer",
2617 		.insns = {
2618 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2619 			BPF_MOV64_IMM(BPF_REG_0, 0),
2620 			BPF_EXIT_INSN(),
2621 		},
2622 		.result = REJECT,
2623 		.errstr = "R1 pointer += pointer",
2624 	},
2625 	{
2626 		"unpriv: neg pointer",
2627 		.insns = {
2628 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2629 			BPF_MOV64_IMM(BPF_REG_0, 0),
2630 			BPF_EXIT_INSN(),
2631 		},
2632 		.result = ACCEPT,
2633 		.result_unpriv = REJECT,
2634 		.errstr_unpriv = "R1 pointer arithmetic",
2635 	},
2636 	{
2637 		"unpriv: cmp pointer with const",
2638 		.insns = {
2639 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2640 			BPF_MOV64_IMM(BPF_REG_0, 0),
2641 			BPF_EXIT_INSN(),
2642 		},
2643 		.result = ACCEPT,
2644 		.result_unpriv = REJECT,
2645 		.errstr_unpriv = "R1 pointer comparison",
2646 	},
2647 	{
2648 		"unpriv: cmp pointer with pointer",
2649 		.insns = {
2650 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2651 			BPF_MOV64_IMM(BPF_REG_0, 0),
2652 			BPF_EXIT_INSN(),
2653 		},
2654 		.result = ACCEPT,
2655 		.result_unpriv = REJECT,
2656 		.errstr_unpriv = "R10 pointer comparison",
2657 	},
2658 	{
2659 		"unpriv: check that printk is disallowed",
2660 		.insns = {
2661 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2662 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2663 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2664 			BPF_MOV64_IMM(BPF_REG_2, 8),
2665 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2666 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2667 				     BPF_FUNC_trace_printk),
2668 			BPF_MOV64_IMM(BPF_REG_0, 0),
2669 			BPF_EXIT_INSN(),
2670 		},
2671 		.errstr_unpriv = "unknown func bpf_trace_printk#6",
2672 		.result_unpriv = REJECT,
2673 		.result = ACCEPT,
2674 	},
2675 	{
2676 		"unpriv: pass pointer to helper function",
2677 		.insns = {
2678 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2679 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2680 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2681 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2682 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2683 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2684 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2685 				     BPF_FUNC_map_update_elem),
2686 			BPF_MOV64_IMM(BPF_REG_0, 0),
2687 			BPF_EXIT_INSN(),
2688 		},
2689 		.fixup_map_hash_8b = { 3 },
2690 		.errstr_unpriv = "R4 leaks addr",
2691 		.result_unpriv = REJECT,
2692 		.result = ACCEPT,
2693 	},
2694 	{
2695 		"unpriv: indirectly pass pointer on stack to helper function",
2696 		.insns = {
2697 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2698 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2699 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2700 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2701 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2702 				     BPF_FUNC_map_lookup_elem),
2703 			BPF_MOV64_IMM(BPF_REG_0, 0),
2704 			BPF_EXIT_INSN(),
2705 		},
2706 		.fixup_map_hash_8b = { 3 },
2707 		.errstr = "invalid indirect read from stack off -8+0 size 8",
2708 		.result = REJECT,
2709 	},
2710 	{
2711 		"unpriv: mangle pointer on stack 1",
2712 		.insns = {
2713 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2714 			BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2715 			BPF_MOV64_IMM(BPF_REG_0, 0),
2716 			BPF_EXIT_INSN(),
2717 		},
2718 		.errstr_unpriv = "attempt to corrupt spilled",
2719 		.result_unpriv = REJECT,
2720 		.result = ACCEPT,
2721 	},
2722 	{
2723 		"unpriv: mangle pointer on stack 2",
2724 		.insns = {
2725 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2726 			BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2727 			BPF_MOV64_IMM(BPF_REG_0, 0),
2728 			BPF_EXIT_INSN(),
2729 		},
2730 		.errstr_unpriv = "attempt to corrupt spilled",
2731 		.result_unpriv = REJECT,
2732 		.result = ACCEPT,
2733 	},
2734 	{
2735 		"unpriv: read pointer from stack in small chunks",
2736 		.insns = {
2737 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2738 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2739 			BPF_MOV64_IMM(BPF_REG_0, 0),
2740 			BPF_EXIT_INSN(),
2741 		},
2742 		.errstr = "invalid size",
2743 		.result = REJECT,
2744 	},
2745 	{
2746 		"unpriv: write pointer into ctx",
2747 		.insns = {
2748 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2749 			BPF_MOV64_IMM(BPF_REG_0, 0),
2750 			BPF_EXIT_INSN(),
2751 		},
2752 		.errstr_unpriv = "R1 leaks addr",
2753 		.result_unpriv = REJECT,
2754 		.errstr = "invalid bpf_context access",
2755 		.result = REJECT,
2756 	},
2757 	{
2758 		"unpriv: spill/fill of ctx",
2759 		.insns = {
2760 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2761 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2762 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2763 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2764 			BPF_MOV64_IMM(BPF_REG_0, 0),
2765 			BPF_EXIT_INSN(),
2766 		},
2767 		.result = ACCEPT,
2768 	},
2769 	{
2770 		"unpriv: spill/fill of ctx 2",
2771 		.insns = {
2772 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2773 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2774 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2775 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2776 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2777 				     BPF_FUNC_get_hash_recalc),
2778 			BPF_MOV64_IMM(BPF_REG_0, 0),
2779 			BPF_EXIT_INSN(),
2780 		},
2781 		.result = ACCEPT,
2782 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2783 	},
2784 	{
2785 		"unpriv: spill/fill of ctx 3",
2786 		.insns = {
2787 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2788 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2789 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2790 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2791 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2792 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2793 				     BPF_FUNC_get_hash_recalc),
2794 			BPF_EXIT_INSN(),
2795 		},
2796 		.result = REJECT,
2797 		.errstr = "R1 type=fp expected=ctx",
2798 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2799 	},
2800 	{
2801 		"unpriv: spill/fill of ctx 4",
2802 		.insns = {
2803 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2804 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2805 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2806 			BPF_MOV64_IMM(BPF_REG_0, 1),
2807 			BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2808 				     BPF_REG_0, -8, 0),
2809 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2810 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2811 				     BPF_FUNC_get_hash_recalc),
2812 			BPF_EXIT_INSN(),
2813 		},
2814 		.result = REJECT,
2815 		.errstr = "R1 type=inv expected=ctx",
2816 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2817 	},
2818 	{
2819 		"unpriv: spill/fill of different pointers stx",
2820 		.insns = {
2821 			BPF_MOV64_IMM(BPF_REG_3, 42),
2822 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2823 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2824 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2825 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2826 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2827 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2828 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2829 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2830 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2831 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2832 				    offsetof(struct __sk_buff, mark)),
2833 			BPF_MOV64_IMM(BPF_REG_0, 0),
2834 			BPF_EXIT_INSN(),
2835 		},
2836 		.result = REJECT,
2837 		.errstr = "same insn cannot be used with different pointers",
2838 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2839 	},
2840 	{
2841 		"unpriv: spill/fill of different pointers stx - ctx and sock",
2842 		.insns = {
2843 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2844 			/* struct bpf_sock *sock = bpf_sock_lookup(...); */
2845 			BPF_SK_LOOKUP,
2846 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2847 			/* u64 foo; */
2848 			/* void *target = &foo; */
2849 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2850 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2851 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2852 			/* if (skb == NULL) *target = sock; */
2853 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2854 				BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2855 			/* else *target = skb; */
2856 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2857 				BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2858 			/* struct __sk_buff *skb = *target; */
2859 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2860 			/* skb->mark = 42; */
2861 			BPF_MOV64_IMM(BPF_REG_3, 42),
2862 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2863 				    offsetof(struct __sk_buff, mark)),
2864 			/* if (sk) bpf_sk_release(sk) */
2865 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2866 				BPF_EMIT_CALL(BPF_FUNC_sk_release),
2867 			BPF_MOV64_IMM(BPF_REG_0, 0),
2868 			BPF_EXIT_INSN(),
2869 		},
2870 		.result = REJECT,
2871 		.errstr = "type=ctx expected=sock",
2872 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2873 	},
2874 	{
2875 		"unpriv: spill/fill of different pointers stx - leak sock",
2876 		.insns = {
2877 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2878 			/* struct bpf_sock *sock = bpf_sock_lookup(...); */
2879 			BPF_SK_LOOKUP,
2880 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2881 			/* u64 foo; */
2882 			/* void *target = &foo; */
2883 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2884 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2885 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2886 			/* if (skb == NULL) *target = sock; */
2887 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2888 				BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2889 			/* else *target = skb; */
2890 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2891 				BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2892 			/* struct __sk_buff *skb = *target; */
2893 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2894 			/* skb->mark = 42; */
2895 			BPF_MOV64_IMM(BPF_REG_3, 42),
2896 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2897 				    offsetof(struct __sk_buff, mark)),
2898 			BPF_EXIT_INSN(),
2899 		},
2900 		.result = REJECT,
2901 		//.errstr = "same insn cannot be used with different pointers",
2902 		.errstr = "Unreleased reference",
2903 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2904 	},
2905 	{
2906 		"unpriv: spill/fill of different pointers stx - sock and ctx (read)",
2907 		.insns = {
2908 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2909 			/* struct bpf_sock *sock = bpf_sock_lookup(...); */
2910 			BPF_SK_LOOKUP,
2911 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2912 			/* u64 foo; */
2913 			/* void *target = &foo; */
2914 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2915 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2916 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2917 			/* if (skb) *target = skb */
2918 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2919 				BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2920 			/* else *target = sock */
2921 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2922 				BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2923 			/* struct bpf_sock *sk = *target; */
2924 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2925 			/* if (sk) u32 foo = sk->mark; bpf_sk_release(sk); */
2926 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
2927 				BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2928 					    offsetof(struct bpf_sock, mark)),
2929 				BPF_EMIT_CALL(BPF_FUNC_sk_release),
2930 			BPF_MOV64_IMM(BPF_REG_0, 0),
2931 			BPF_EXIT_INSN(),
2932 		},
2933 		.result = REJECT,
2934 		.errstr = "same insn cannot be used with different pointers",
2935 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2936 	},
2937 	{
2938 		"unpriv: spill/fill of different pointers stx - sock and ctx (write)",
2939 		.insns = {
2940 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2941 			/* struct bpf_sock *sock = bpf_sock_lookup(...); */
2942 			BPF_SK_LOOKUP,
2943 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2944 			/* u64 foo; */
2945 			/* void *target = &foo; */
2946 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2947 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2948 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2949 			/* if (skb) *target = skb */
2950 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2951 				BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2952 			/* else *target = sock */
2953 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2954 				BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2955 			/* struct bpf_sock *sk = *target; */
2956 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2957 			/* if (sk) sk->mark = 42; bpf_sk_release(sk); */
2958 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2959 				BPF_MOV64_IMM(BPF_REG_3, 42),
2960 				BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2961 					    offsetof(struct bpf_sock, mark)),
2962 				BPF_EMIT_CALL(BPF_FUNC_sk_release),
2963 			BPF_MOV64_IMM(BPF_REG_0, 0),
2964 			BPF_EXIT_INSN(),
2965 		},
2966 		.result = REJECT,
2967 		//.errstr = "same insn cannot be used with different pointers",
2968 		.errstr = "cannot write into socket",
2969 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2970 	},
2971 	{
2972 		"unpriv: spill/fill of different pointers ldx",
2973 		.insns = {
2974 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2975 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2976 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2977 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2978 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2979 				      -(__s32)offsetof(struct bpf_perf_event_data,
2980 						       sample_period) - 8),
2981 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2982 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2983 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2984 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2985 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2986 				    offsetof(struct bpf_perf_event_data,
2987 					     sample_period)),
2988 			BPF_MOV64_IMM(BPF_REG_0, 0),
2989 			BPF_EXIT_INSN(),
2990 		},
2991 		.result = REJECT,
2992 		.errstr = "same insn cannot be used with different pointers",
2993 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
2994 	},
2995 	{
2996 		"unpriv: write pointer into map elem value",
2997 		.insns = {
2998 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2999 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3000 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3001 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3002 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3003 				     BPF_FUNC_map_lookup_elem),
3004 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3005 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
3006 			BPF_EXIT_INSN(),
3007 		},
3008 		.fixup_map_hash_8b = { 3 },
3009 		.errstr_unpriv = "R0 leaks addr",
3010 		.result_unpriv = REJECT,
3011 		.result = ACCEPT,
3012 	},
3013 	{
3014 		"alu32: mov u32 const",
3015 		.insns = {
3016 			BPF_MOV32_IMM(BPF_REG_7, 0),
3017 			BPF_ALU32_IMM(BPF_AND, BPF_REG_7, 1),
3018 			BPF_MOV32_REG(BPF_REG_0, BPF_REG_7),
3019 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3020 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
3021 			BPF_EXIT_INSN(),
3022 		},
3023 		.result = ACCEPT,
3024 		.retval = 0,
3025 	},
3026 	{
3027 		"unpriv: partial copy of pointer",
3028 		.insns = {
3029 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
3030 			BPF_MOV64_IMM(BPF_REG_0, 0),
3031 			BPF_EXIT_INSN(),
3032 		},
3033 		.errstr_unpriv = "R10 partial copy",
3034 		.result_unpriv = REJECT,
3035 		.result = ACCEPT,
3036 	},
3037 	{
3038 		"unpriv: pass pointer to tail_call",
3039 		.insns = {
3040 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
3041 			BPF_LD_MAP_FD(BPF_REG_2, 0),
3042 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3043 				     BPF_FUNC_tail_call),
3044 			BPF_MOV64_IMM(BPF_REG_0, 0),
3045 			BPF_EXIT_INSN(),
3046 		},
3047 		.fixup_prog1 = { 1 },
3048 		.errstr_unpriv = "R3 leaks addr into helper",
3049 		.result_unpriv = REJECT,
3050 		.result = ACCEPT,
3051 	},
3052 	{
3053 		"unpriv: cmp map pointer with zero",
3054 		.insns = {
3055 			BPF_MOV64_IMM(BPF_REG_1, 0),
3056 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3057 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
3058 			BPF_MOV64_IMM(BPF_REG_0, 0),
3059 			BPF_EXIT_INSN(),
3060 		},
3061 		.fixup_map_hash_8b = { 1 },
3062 		.errstr_unpriv = "R1 pointer comparison",
3063 		.result_unpriv = REJECT,
3064 		.result = ACCEPT,
3065 	},
3066 	{
3067 		"unpriv: write into frame pointer",
3068 		.insns = {
3069 			BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
3070 			BPF_MOV64_IMM(BPF_REG_0, 0),
3071 			BPF_EXIT_INSN(),
3072 		},
3073 		.errstr = "frame pointer is read only",
3074 		.result = REJECT,
3075 	},
3076 	{
3077 		"unpriv: spill/fill frame pointer",
3078 		.insns = {
3079 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3080 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3081 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
3082 			BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
3083 			BPF_MOV64_IMM(BPF_REG_0, 0),
3084 			BPF_EXIT_INSN(),
3085 		},
3086 		.errstr = "frame pointer is read only",
3087 		.result = REJECT,
3088 	},
3089 	{
3090 		"unpriv: cmp of frame pointer",
3091 		.insns = {
3092 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
3093 			BPF_MOV64_IMM(BPF_REG_0, 0),
3094 			BPF_EXIT_INSN(),
3095 		},
3096 		.errstr_unpriv = "R10 pointer comparison",
3097 		.result_unpriv = REJECT,
3098 		.result = ACCEPT,
3099 	},
3100 	{
3101 		"unpriv: adding of fp",
3102 		.insns = {
3103 			BPF_MOV64_IMM(BPF_REG_0, 0),
3104 			BPF_MOV64_IMM(BPF_REG_1, 0),
3105 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
3106 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
3107 			BPF_EXIT_INSN(),
3108 		},
3109 		.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3110 		.result_unpriv = REJECT,
3111 		.result = ACCEPT,
3112 	},
3113 	{
3114 		"unpriv: cmp of stack pointer",
3115 		.insns = {
3116 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3117 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3118 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
3119 			BPF_MOV64_IMM(BPF_REG_0, 0),
3120 			BPF_EXIT_INSN(),
3121 		},
3122 		.errstr_unpriv = "R2 pointer comparison",
3123 		.result_unpriv = REJECT,
3124 		.result = ACCEPT,
3125 	},
3126 	{
3127 		"runtime/jit: tail_call within bounds, prog once",
3128 		.insns = {
3129 			BPF_MOV64_IMM(BPF_REG_3, 0),
3130 			BPF_LD_MAP_FD(BPF_REG_2, 0),
3131 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3132 				     BPF_FUNC_tail_call),
3133 			BPF_MOV64_IMM(BPF_REG_0, 1),
3134 			BPF_EXIT_INSN(),
3135 		},
3136 		.fixup_prog1 = { 1 },
3137 		.result = ACCEPT,
3138 		.retval = 42,
3139 	},
3140 	{
3141 		"runtime/jit: tail_call within bounds, prog loop",
3142 		.insns = {
3143 			BPF_MOV64_IMM(BPF_REG_3, 1),
3144 			BPF_LD_MAP_FD(BPF_REG_2, 0),
3145 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3146 				     BPF_FUNC_tail_call),
3147 			BPF_MOV64_IMM(BPF_REG_0, 1),
3148 			BPF_EXIT_INSN(),
3149 		},
3150 		.fixup_prog1 = { 1 },
3151 		.result = ACCEPT,
3152 		.retval = 41,
3153 	},
3154 	{
3155 		"runtime/jit: tail_call within bounds, no prog",
3156 		.insns = {
3157 			BPF_MOV64_IMM(BPF_REG_3, 2),
3158 			BPF_LD_MAP_FD(BPF_REG_2, 0),
3159 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3160 				     BPF_FUNC_tail_call),
3161 			BPF_MOV64_IMM(BPF_REG_0, 1),
3162 			BPF_EXIT_INSN(),
3163 		},
3164 		.fixup_prog1 = { 1 },
3165 		.result = ACCEPT,
3166 		.retval = 1,
3167 	},
3168 	{
3169 		"runtime/jit: tail_call out of bounds",
3170 		.insns = {
3171 			BPF_MOV64_IMM(BPF_REG_3, 256),
3172 			BPF_LD_MAP_FD(BPF_REG_2, 0),
3173 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3174 				     BPF_FUNC_tail_call),
3175 			BPF_MOV64_IMM(BPF_REG_0, 2),
3176 			BPF_EXIT_INSN(),
3177 		},
3178 		.fixup_prog1 = { 1 },
3179 		.result = ACCEPT,
3180 		.retval = 2,
3181 	},
3182 	{
3183 		"runtime/jit: pass negative index to tail_call",
3184 		.insns = {
3185 			BPF_MOV64_IMM(BPF_REG_3, -1),
3186 			BPF_LD_MAP_FD(BPF_REG_2, 0),
3187 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3188 				     BPF_FUNC_tail_call),
3189 			BPF_MOV64_IMM(BPF_REG_0, 2),
3190 			BPF_EXIT_INSN(),
3191 		},
3192 		.fixup_prog1 = { 1 },
3193 		.result = ACCEPT,
3194 		.retval = 2,
3195 	},
3196 	{
3197 		"runtime/jit: pass > 32bit index to tail_call",
3198 		.insns = {
3199 			BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
3200 			BPF_LD_MAP_FD(BPF_REG_2, 0),
3201 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3202 				     BPF_FUNC_tail_call),
3203 			BPF_MOV64_IMM(BPF_REG_0, 2),
3204 			BPF_EXIT_INSN(),
3205 		},
3206 		.fixup_prog1 = { 2 },
3207 		.result = ACCEPT,
3208 		.retval = 42,
3209 		/* Verifier rewrite for unpriv skips tail call here. */
3210 		.retval_unpriv = 2,
3211 	},
3212 	{
3213 		"PTR_TO_STACK check high 1",
3214 		.insns = {
3215 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3216 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
3217 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3218 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3219 			BPF_EXIT_INSN(),
3220 		},
3221 		.result = ACCEPT,
3222 		.retval = 42,
3223 	},
3224 	{
3225 		"PTR_TO_STACK check high 2",
3226 		.insns = {
3227 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3228 			BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
3229 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
3230 			BPF_EXIT_INSN(),
3231 		},
3232 		.result = ACCEPT,
3233 		.retval = 42,
3234 	},
3235 	{
3236 		"PTR_TO_STACK check high 3",
3237 		.insns = {
3238 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3239 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
3240 			BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
3241 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
3242 			BPF_EXIT_INSN(),
3243 		},
3244 		.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3245 		.result_unpriv = REJECT,
3246 		.result = ACCEPT,
3247 		.retval = 42,
3248 	},
3249 	{
3250 		"PTR_TO_STACK check high 4",
3251 		.insns = {
3252 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3253 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
3254 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3255 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3256 			BPF_EXIT_INSN(),
3257 		},
3258 		.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3259 		.errstr = "invalid stack off=0 size=1",
3260 		.result = REJECT,
3261 	},
3262 	{
3263 		"PTR_TO_STACK check high 5",
3264 		.insns = {
3265 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3266 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
3267 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3268 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3269 			BPF_EXIT_INSN(),
3270 		},
3271 		.result = REJECT,
3272 		.errstr = "invalid stack off",
3273 	},
3274 	{
3275 		"PTR_TO_STACK check high 6",
3276 		.insns = {
3277 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3278 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
3279 			BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
3280 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
3281 			BPF_EXIT_INSN(),
3282 		},
3283 		.result = REJECT,
3284 		.errstr = "invalid stack off",
3285 	},
3286 	{
3287 		"PTR_TO_STACK check high 7",
3288 		.insns = {
3289 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3290 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
3291 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
3292 			BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
3293 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
3294 			BPF_EXIT_INSN(),
3295 		},
3296 		.result = REJECT,
3297 		.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3298 		.errstr = "fp pointer offset",
3299 	},
3300 	{
3301 		"PTR_TO_STACK check low 1",
3302 		.insns = {
3303 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3304 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -512),
3305 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3306 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3307 			BPF_EXIT_INSN(),
3308 		},
3309 		.result = ACCEPT,
3310 		.retval = 42,
3311 	},
3312 	{
3313 		"PTR_TO_STACK check low 2",
3314 		.insns = {
3315 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3316 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
3317 			BPF_ST_MEM(BPF_B, BPF_REG_1, 1, 42),
3318 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1),
3319 			BPF_EXIT_INSN(),
3320 		},
3321 		.result_unpriv = REJECT,
3322 		.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3323 		.result = ACCEPT,
3324 		.retval = 42,
3325 	},
3326 	{
3327 		"PTR_TO_STACK check low 3",
3328 		.insns = {
3329 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3330 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
3331 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3332 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3333 			BPF_EXIT_INSN(),
3334 		},
3335 		.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3336 		.errstr = "invalid stack off=-513 size=1",
3337 		.result = REJECT,
3338 	},
3339 	{
3340 		"PTR_TO_STACK check low 4",
3341 		.insns = {
3342 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3343 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, INT_MIN),
3344 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3345 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3346 			BPF_EXIT_INSN(),
3347 		},
3348 		.result = REJECT,
3349 		.errstr = "math between fp pointer",
3350 	},
3351 	{
3352 		"PTR_TO_STACK check low 5",
3353 		.insns = {
3354 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3355 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
3356 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3357 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3358 			BPF_EXIT_INSN(),
3359 		},
3360 		.result = REJECT,
3361 		.errstr = "invalid stack off",
3362 	},
3363 	{
3364 		"PTR_TO_STACK check low 6",
3365 		.insns = {
3366 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3367 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
3368 			BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
3369 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
3370 			BPF_EXIT_INSN(),
3371 		},
3372 		.result = REJECT,
3373 		.errstr = "invalid stack off",
3374 	},
3375 	{
3376 		"PTR_TO_STACK check low 7",
3377 		.insns = {
3378 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3379 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
3380 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
3381 			BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
3382 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
3383 			BPF_EXIT_INSN(),
3384 		},
3385 		.result = REJECT,
3386 		.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3387 		.errstr = "fp pointer offset",
3388 	},
3389 	{
3390 		"PTR_TO_STACK mixed reg/k, 1",
3391 		.insns = {
3392 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3393 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
3394 			BPF_MOV64_IMM(BPF_REG_2, -3),
3395 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
3396 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3397 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3398 			BPF_EXIT_INSN(),
3399 		},
3400 		.result = ACCEPT,
3401 		.retval = 42,
3402 	},
3403 	{
3404 		"PTR_TO_STACK mixed reg/k, 2",
3405 		.insns = {
3406 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3407 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
3408 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3409 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
3410 			BPF_MOV64_IMM(BPF_REG_2, -3),
3411 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
3412 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3413 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
3414 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_5, -6),
3415 			BPF_EXIT_INSN(),
3416 		},
3417 		.result = ACCEPT,
3418 		.retval = 42,
3419 	},
3420 	{
3421 		"PTR_TO_STACK mixed reg/k, 3",
3422 		.insns = {
3423 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3424 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
3425 			BPF_MOV64_IMM(BPF_REG_2, -3),
3426 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
3427 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3428 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3429 			BPF_EXIT_INSN(),
3430 		},
3431 		.result = ACCEPT,
3432 		.retval = -3,
3433 	},
3434 	{
3435 		"PTR_TO_STACK reg",
3436 		.insns = {
3437 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3438 			BPF_MOV64_IMM(BPF_REG_2, -3),
3439 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
3440 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3441 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3442 			BPF_EXIT_INSN(),
3443 		},
3444 		.result_unpriv = REJECT,
3445 		.errstr_unpriv = "invalid stack off=0 size=1",
3446 		.result = ACCEPT,
3447 		.retval = 42,
3448 	},
3449 	{
3450 		"stack pointer arithmetic",
3451 		.insns = {
3452 			BPF_MOV64_IMM(BPF_REG_1, 4),
3453 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
3454 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
3455 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3456 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3457 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3458 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
3459 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3460 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3461 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3462 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3463 			BPF_MOV64_IMM(BPF_REG_0, 0),
3464 			BPF_EXIT_INSN(),
3465 		},
3466 		.result = ACCEPT,
3467 	},
3468 	{
3469 		"raw_stack: no skb_load_bytes",
3470 		.insns = {
3471 			BPF_MOV64_IMM(BPF_REG_2, 4),
3472 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3473 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3474 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3475 			BPF_MOV64_IMM(BPF_REG_4, 8),
3476 			/* Call to skb_load_bytes() omitted. */
3477 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3478 			BPF_EXIT_INSN(),
3479 		},
3480 		.result = REJECT,
3481 		.errstr = "invalid read from stack off -8+0 size 8",
3482 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3483 	},
3484 	{
3485 		"raw_stack: skb_load_bytes, negative len",
3486 		.insns = {
3487 			BPF_MOV64_IMM(BPF_REG_2, 4),
3488 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3489 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3490 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3491 			BPF_MOV64_IMM(BPF_REG_4, -8),
3492 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3493 				     BPF_FUNC_skb_load_bytes),
3494 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3495 			BPF_EXIT_INSN(),
3496 		},
3497 		.result = REJECT,
3498 		.errstr = "R4 min value is negative",
3499 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3500 	},
3501 	{
3502 		"raw_stack: skb_load_bytes, negative len 2",
3503 		.insns = {
3504 			BPF_MOV64_IMM(BPF_REG_2, 4),
3505 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3506 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3507 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3508 			BPF_MOV64_IMM(BPF_REG_4, ~0),
3509 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3510 				     BPF_FUNC_skb_load_bytes),
3511 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3512 			BPF_EXIT_INSN(),
3513 		},
3514 		.result = REJECT,
3515 		.errstr = "R4 min value is negative",
3516 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3517 	},
3518 	{
3519 		"raw_stack: skb_load_bytes, zero len",
3520 		.insns = {
3521 			BPF_MOV64_IMM(BPF_REG_2, 4),
3522 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3523 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3524 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3525 			BPF_MOV64_IMM(BPF_REG_4, 0),
3526 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3527 				     BPF_FUNC_skb_load_bytes),
3528 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3529 			BPF_EXIT_INSN(),
3530 		},
3531 		.result = REJECT,
3532 		.errstr = "invalid stack type R3",
3533 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3534 	},
3535 	{
3536 		"raw_stack: skb_load_bytes, no init",
3537 		.insns = {
3538 			BPF_MOV64_IMM(BPF_REG_2, 4),
3539 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3540 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3541 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3542 			BPF_MOV64_IMM(BPF_REG_4, 8),
3543 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3544 				     BPF_FUNC_skb_load_bytes),
3545 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3546 			BPF_EXIT_INSN(),
3547 		},
3548 		.result = ACCEPT,
3549 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3550 	},
3551 	{
3552 		"raw_stack: skb_load_bytes, init",
3553 		.insns = {
3554 			BPF_MOV64_IMM(BPF_REG_2, 4),
3555 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3556 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3557 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3558 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3559 			BPF_MOV64_IMM(BPF_REG_4, 8),
3560 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3561 				     BPF_FUNC_skb_load_bytes),
3562 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3563 			BPF_EXIT_INSN(),
3564 		},
3565 		.result = ACCEPT,
3566 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3567 	},
3568 	{
3569 		"raw_stack: skb_load_bytes, spilled regs around bounds",
3570 		.insns = {
3571 			BPF_MOV64_IMM(BPF_REG_2, 4),
3572 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3573 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3574 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3575 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3576 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3577 			BPF_MOV64_IMM(BPF_REG_4, 8),
3578 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3579 				     BPF_FUNC_skb_load_bytes),
3580 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3581 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3582 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3583 				    offsetof(struct __sk_buff, mark)),
3584 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3585 				    offsetof(struct __sk_buff, priority)),
3586 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3587 			BPF_EXIT_INSN(),
3588 		},
3589 		.result = ACCEPT,
3590 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3591 	},
3592 	{
3593 		"raw_stack: skb_load_bytes, spilled regs corruption",
3594 		.insns = {
3595 			BPF_MOV64_IMM(BPF_REG_2, 4),
3596 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3597 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3598 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3599 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3600 			BPF_MOV64_IMM(BPF_REG_4, 8),
3601 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3602 				     BPF_FUNC_skb_load_bytes),
3603 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3604 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3605 				    offsetof(struct __sk_buff, mark)),
3606 			BPF_EXIT_INSN(),
3607 		},
3608 		.result = REJECT,
3609 		.errstr = "R0 invalid mem access 'inv'",
3610 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3611 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3612 	},
3613 	{
3614 		"raw_stack: skb_load_bytes, spilled regs corruption 2",
3615 		.insns = {
3616 			BPF_MOV64_IMM(BPF_REG_2, 4),
3617 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3618 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3619 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3620 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
3621 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3622 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3623 			BPF_MOV64_IMM(BPF_REG_4, 8),
3624 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3625 				     BPF_FUNC_skb_load_bytes),
3626 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3627 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3628 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
3629 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3630 				    offsetof(struct __sk_buff, mark)),
3631 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3632 				    offsetof(struct __sk_buff, priority)),
3633 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3634 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3635 				    offsetof(struct __sk_buff, pkt_type)),
3636 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3637 			BPF_EXIT_INSN(),
3638 		},
3639 		.result = REJECT,
3640 		.errstr = "R3 invalid mem access 'inv'",
3641 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3642 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3643 	},
3644 	{
3645 		"raw_stack: skb_load_bytes, spilled regs + data",
3646 		.insns = {
3647 			BPF_MOV64_IMM(BPF_REG_2, 4),
3648 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3649 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3650 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3651 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
3652 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3653 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3654 			BPF_MOV64_IMM(BPF_REG_4, 8),
3655 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3656 				     BPF_FUNC_skb_load_bytes),
3657 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3658 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3659 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
3660 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3661 				    offsetof(struct __sk_buff, mark)),
3662 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3663 				    offsetof(struct __sk_buff, priority)),
3664 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3665 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3666 			BPF_EXIT_INSN(),
3667 		},
3668 		.result = ACCEPT,
3669 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3670 	},
3671 	{
3672 		"raw_stack: skb_load_bytes, invalid access 1",
3673 		.insns = {
3674 			BPF_MOV64_IMM(BPF_REG_2, 4),
3675 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3676 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3677 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3678 			BPF_MOV64_IMM(BPF_REG_4, 8),
3679 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3680 				     BPF_FUNC_skb_load_bytes),
3681 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3682 			BPF_EXIT_INSN(),
3683 		},
3684 		.result = REJECT,
3685 		.errstr = "invalid stack type R3 off=-513 access_size=8",
3686 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3687 	},
3688 	{
3689 		"raw_stack: skb_load_bytes, invalid access 2",
3690 		.insns = {
3691 			BPF_MOV64_IMM(BPF_REG_2, 4),
3692 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3693 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3694 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3695 			BPF_MOV64_IMM(BPF_REG_4, 8),
3696 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3697 				     BPF_FUNC_skb_load_bytes),
3698 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3699 			BPF_EXIT_INSN(),
3700 		},
3701 		.result = REJECT,
3702 		.errstr = "invalid stack type R3 off=-1 access_size=8",
3703 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3704 	},
3705 	{
3706 		"raw_stack: skb_load_bytes, invalid access 3",
3707 		.insns = {
3708 			BPF_MOV64_IMM(BPF_REG_2, 4),
3709 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3710 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3711 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3712 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3713 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3714 				     BPF_FUNC_skb_load_bytes),
3715 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3716 			BPF_EXIT_INSN(),
3717 		},
3718 		.result = REJECT,
3719 		.errstr = "R4 min value is negative",
3720 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3721 	},
3722 	{
3723 		"raw_stack: skb_load_bytes, invalid access 4",
3724 		.insns = {
3725 			BPF_MOV64_IMM(BPF_REG_2, 4),
3726 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3727 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3728 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3729 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3730 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3731 				     BPF_FUNC_skb_load_bytes),
3732 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3733 			BPF_EXIT_INSN(),
3734 		},
3735 		.result = REJECT,
3736 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3737 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3738 	},
3739 	{
3740 		"raw_stack: skb_load_bytes, invalid access 5",
3741 		.insns = {
3742 			BPF_MOV64_IMM(BPF_REG_2, 4),
3743 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3744 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3745 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3746 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3747 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3748 				     BPF_FUNC_skb_load_bytes),
3749 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3750 			BPF_EXIT_INSN(),
3751 		},
3752 		.result = REJECT,
3753 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3754 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3755 	},
3756 	{
3757 		"raw_stack: skb_load_bytes, invalid access 6",
3758 		.insns = {
3759 			BPF_MOV64_IMM(BPF_REG_2, 4),
3760 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3761 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3762 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3763 			BPF_MOV64_IMM(BPF_REG_4, 0),
3764 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3765 				     BPF_FUNC_skb_load_bytes),
3766 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3767 			BPF_EXIT_INSN(),
3768 		},
3769 		.result = REJECT,
3770 		.errstr = "invalid stack type R3 off=-512 access_size=0",
3771 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3772 	},
3773 	{
3774 		"raw_stack: skb_load_bytes, large access",
3775 		.insns = {
3776 			BPF_MOV64_IMM(BPF_REG_2, 4),
3777 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3778 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3779 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3780 			BPF_MOV64_IMM(BPF_REG_4, 512),
3781 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3782 				     BPF_FUNC_skb_load_bytes),
3783 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3784 			BPF_EXIT_INSN(),
3785 		},
3786 		.result = ACCEPT,
3787 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3788 	},
3789 	{
3790 		"context stores via ST",
3791 		.insns = {
3792 			BPF_MOV64_IMM(BPF_REG_0, 0),
3793 			BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3794 			BPF_EXIT_INSN(),
3795 		},
3796 		.errstr = "BPF_ST stores into R1 ctx is not allowed",
3797 		.result = REJECT,
3798 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3799 	},
3800 	{
3801 		"context stores via XADD",
3802 		.insns = {
3803 			BPF_MOV64_IMM(BPF_REG_0, 0),
3804 			BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3805 				     BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3806 			BPF_EXIT_INSN(),
3807 		},
3808 		.errstr = "BPF_XADD stores into R1 ctx is not allowed",
3809 		.result = REJECT,
3810 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3811 	},
3812 	{
3813 		"direct packet access: test1",
3814 		.insns = {
3815 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3816 				    offsetof(struct __sk_buff, data)),
3817 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3818 				    offsetof(struct __sk_buff, data_end)),
3819 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3820 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3821 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3822 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3823 			BPF_MOV64_IMM(BPF_REG_0, 0),
3824 			BPF_EXIT_INSN(),
3825 		},
3826 		.result = ACCEPT,
3827 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3828 	},
3829 	{
3830 		"direct packet access: test2",
3831 		.insns = {
3832 			BPF_MOV64_IMM(BPF_REG_0, 1),
3833 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3834 				    offsetof(struct __sk_buff, data_end)),
3835 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3836 				    offsetof(struct __sk_buff, data)),
3837 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3838 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3839 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3840 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3841 			BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3842 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3843 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3844 				    offsetof(struct __sk_buff, data)),
3845 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3846 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3847 				    offsetof(struct __sk_buff, len)),
3848 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3849 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3850 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3851 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3852 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3853 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3854 				    offsetof(struct __sk_buff, data_end)),
3855 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3856 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3857 			BPF_MOV64_IMM(BPF_REG_0, 0),
3858 			BPF_EXIT_INSN(),
3859 		},
3860 		.result = ACCEPT,
3861 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3862 	},
3863 	{
3864 		"direct packet access: test3",
3865 		.insns = {
3866 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3867 				    offsetof(struct __sk_buff, data)),
3868 			BPF_MOV64_IMM(BPF_REG_0, 0),
3869 			BPF_EXIT_INSN(),
3870 		},
3871 		.errstr = "invalid bpf_context access off=76",
3872 		.result = REJECT,
3873 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3874 	},
3875 	{
3876 		"direct packet access: test4 (write)",
3877 		.insns = {
3878 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3879 				    offsetof(struct __sk_buff, data)),
3880 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3881 				    offsetof(struct __sk_buff, data_end)),
3882 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3883 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3884 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3885 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3886 			BPF_MOV64_IMM(BPF_REG_0, 0),
3887 			BPF_EXIT_INSN(),
3888 		},
3889 		.result = ACCEPT,
3890 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3891 	},
3892 	{
3893 		"direct packet access: test5 (pkt_end >= reg, good access)",
3894 		.insns = {
3895 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3896 				    offsetof(struct __sk_buff, data)),
3897 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3898 				    offsetof(struct __sk_buff, data_end)),
3899 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3900 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3901 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3902 			BPF_MOV64_IMM(BPF_REG_0, 1),
3903 			BPF_EXIT_INSN(),
3904 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3905 			BPF_MOV64_IMM(BPF_REG_0, 0),
3906 			BPF_EXIT_INSN(),
3907 		},
3908 		.result = ACCEPT,
3909 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3910 	},
3911 	{
3912 		"direct packet access: test6 (pkt_end >= reg, bad access)",
3913 		.insns = {
3914 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3915 				    offsetof(struct __sk_buff, data)),
3916 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3917 				    offsetof(struct __sk_buff, data_end)),
3918 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3919 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3920 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3921 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3922 			BPF_MOV64_IMM(BPF_REG_0, 1),
3923 			BPF_EXIT_INSN(),
3924 			BPF_MOV64_IMM(BPF_REG_0, 0),
3925 			BPF_EXIT_INSN(),
3926 		},
3927 		.errstr = "invalid access to packet",
3928 		.result = REJECT,
3929 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3930 	},
3931 	{
3932 		"direct packet access: test7 (pkt_end >= reg, both accesses)",
3933 		.insns = {
3934 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3935 				    offsetof(struct __sk_buff, data)),
3936 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3937 				    offsetof(struct __sk_buff, data_end)),
3938 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3939 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3940 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3941 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3942 			BPF_MOV64_IMM(BPF_REG_0, 1),
3943 			BPF_EXIT_INSN(),
3944 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3945 			BPF_MOV64_IMM(BPF_REG_0, 0),
3946 			BPF_EXIT_INSN(),
3947 		},
3948 		.errstr = "invalid access to packet",
3949 		.result = REJECT,
3950 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3951 	},
3952 	{
3953 		"direct packet access: test8 (double test, variant 1)",
3954 		.insns = {
3955 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3956 				    offsetof(struct __sk_buff, data)),
3957 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3958 				    offsetof(struct __sk_buff, data_end)),
3959 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3960 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3961 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3962 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3963 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3964 			BPF_MOV64_IMM(BPF_REG_0, 1),
3965 			BPF_EXIT_INSN(),
3966 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3967 			BPF_MOV64_IMM(BPF_REG_0, 0),
3968 			BPF_EXIT_INSN(),
3969 		},
3970 		.result = ACCEPT,
3971 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3972 	},
3973 	{
3974 		"direct packet access: test9 (double test, variant 2)",
3975 		.insns = {
3976 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3977 				    offsetof(struct __sk_buff, data)),
3978 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3979 				    offsetof(struct __sk_buff, data_end)),
3980 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3981 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3982 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3983 			BPF_MOV64_IMM(BPF_REG_0, 1),
3984 			BPF_EXIT_INSN(),
3985 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3986 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3987 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3988 			BPF_MOV64_IMM(BPF_REG_0, 0),
3989 			BPF_EXIT_INSN(),
3990 		},
3991 		.result = ACCEPT,
3992 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3993 	},
3994 	{
3995 		"direct packet access: test10 (write invalid)",
3996 		.insns = {
3997 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3998 				    offsetof(struct __sk_buff, data)),
3999 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4000 				    offsetof(struct __sk_buff, data_end)),
4001 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4002 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4003 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
4004 			BPF_MOV64_IMM(BPF_REG_0, 0),
4005 			BPF_EXIT_INSN(),
4006 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4007 			BPF_MOV64_IMM(BPF_REG_0, 0),
4008 			BPF_EXIT_INSN(),
4009 		},
4010 		.errstr = "invalid access to packet",
4011 		.result = REJECT,
4012 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4013 	},
4014 	{
4015 		"direct packet access: test11 (shift, good access)",
4016 		.insns = {
4017 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4018 				    offsetof(struct __sk_buff, data)),
4019 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4020 				    offsetof(struct __sk_buff, data_end)),
4021 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4022 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
4023 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
4024 			BPF_MOV64_IMM(BPF_REG_3, 144),
4025 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
4026 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
4027 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
4028 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
4029 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
4030 			BPF_MOV64_IMM(BPF_REG_0, 1),
4031 			BPF_EXIT_INSN(),
4032 			BPF_MOV64_IMM(BPF_REG_0, 0),
4033 			BPF_EXIT_INSN(),
4034 		},
4035 		.result = ACCEPT,
4036 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4037 		.retval = 1,
4038 	},
4039 	{
4040 		"direct packet access: test12 (and, good access)",
4041 		.insns = {
4042 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4043 				    offsetof(struct __sk_buff, data)),
4044 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4045 				    offsetof(struct __sk_buff, data_end)),
4046 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4047 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
4048 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
4049 			BPF_MOV64_IMM(BPF_REG_3, 144),
4050 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
4051 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
4052 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
4053 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
4054 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
4055 			BPF_MOV64_IMM(BPF_REG_0, 1),
4056 			BPF_EXIT_INSN(),
4057 			BPF_MOV64_IMM(BPF_REG_0, 0),
4058 			BPF_EXIT_INSN(),
4059 		},
4060 		.result = ACCEPT,
4061 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4062 		.retval = 1,
4063 	},
4064 	{
4065 		"direct packet access: test13 (branches, good access)",
4066 		.insns = {
4067 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4068 				    offsetof(struct __sk_buff, data)),
4069 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4070 				    offsetof(struct __sk_buff, data_end)),
4071 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4072 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
4073 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
4074 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4075 				    offsetof(struct __sk_buff, mark)),
4076 			BPF_MOV64_IMM(BPF_REG_4, 1),
4077 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
4078 			BPF_MOV64_IMM(BPF_REG_3, 14),
4079 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
4080 			BPF_MOV64_IMM(BPF_REG_3, 24),
4081 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
4082 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
4083 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
4084 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
4085 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
4086 			BPF_MOV64_IMM(BPF_REG_0, 1),
4087 			BPF_EXIT_INSN(),
4088 			BPF_MOV64_IMM(BPF_REG_0, 0),
4089 			BPF_EXIT_INSN(),
4090 		},
4091 		.result = ACCEPT,
4092 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4093 		.retval = 1,
4094 	},
4095 	{
4096 		"direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
4097 		.insns = {
4098 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4099 				    offsetof(struct __sk_buff, data)),
4100 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4101 				    offsetof(struct __sk_buff, data_end)),
4102 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4103 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
4104 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
4105 			BPF_MOV64_IMM(BPF_REG_5, 12),
4106 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
4107 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
4108 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
4109 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
4110 			BPF_MOV64_IMM(BPF_REG_0, 1),
4111 			BPF_EXIT_INSN(),
4112 			BPF_MOV64_IMM(BPF_REG_0, 0),
4113 			BPF_EXIT_INSN(),
4114 		},
4115 		.result = ACCEPT,
4116 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4117 		.retval = 1,
4118 	},
4119 	{
4120 		"direct packet access: test15 (spill with xadd)",
4121 		.insns = {
4122 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4123 				    offsetof(struct __sk_buff, data)),
4124 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4125 				    offsetof(struct __sk_buff, data_end)),
4126 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4127 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4128 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
4129 			BPF_MOV64_IMM(BPF_REG_5, 4096),
4130 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
4131 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
4132 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
4133 			BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
4134 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
4135 			BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
4136 			BPF_MOV64_IMM(BPF_REG_0, 0),
4137 			BPF_EXIT_INSN(),
4138 		},
4139 		.errstr = "R2 invalid mem access 'inv'",
4140 		.result = REJECT,
4141 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4142 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4143 	},
4144 	{
4145 		"direct packet access: test16 (arith on data_end)",
4146 		.insns = {
4147 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4148 				    offsetof(struct __sk_buff, data)),
4149 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4150 				    offsetof(struct __sk_buff, data_end)),
4151 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4152 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4153 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
4154 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4155 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4156 			BPF_MOV64_IMM(BPF_REG_0, 0),
4157 			BPF_EXIT_INSN(),
4158 		},
4159 		.errstr = "R3 pointer arithmetic on pkt_end",
4160 		.result = REJECT,
4161 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4162 	},
4163 	{
4164 		"direct packet access: test17 (pruning, alignment)",
4165 		.insns = {
4166 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4167 				    offsetof(struct __sk_buff, data)),
4168 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4169 				    offsetof(struct __sk_buff, data_end)),
4170 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4171 				    offsetof(struct __sk_buff, mark)),
4172 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4173 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
4174 			BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
4175 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4176 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
4177 			BPF_MOV64_IMM(BPF_REG_0, 0),
4178 			BPF_EXIT_INSN(),
4179 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
4180 			BPF_JMP_A(-6),
4181 		},
4182 		.errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
4183 		.result = REJECT,
4184 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4185 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
4186 	},
4187 	{
4188 		"direct packet access: test18 (imm += pkt_ptr, 1)",
4189 		.insns = {
4190 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4191 				    offsetof(struct __sk_buff, data)),
4192 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4193 				    offsetof(struct __sk_buff, data_end)),
4194 			BPF_MOV64_IMM(BPF_REG_0, 8),
4195 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
4196 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4197 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4198 			BPF_MOV64_IMM(BPF_REG_0, 0),
4199 			BPF_EXIT_INSN(),
4200 		},
4201 		.result = ACCEPT,
4202 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4203 	},
4204 	{
4205 		"direct packet access: test19 (imm += pkt_ptr, 2)",
4206 		.insns = {
4207 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4208 				    offsetof(struct __sk_buff, data)),
4209 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4210 				    offsetof(struct __sk_buff, data_end)),
4211 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4212 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4213 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
4214 			BPF_MOV64_IMM(BPF_REG_4, 4),
4215 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4216 			BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
4217 			BPF_MOV64_IMM(BPF_REG_0, 0),
4218 			BPF_EXIT_INSN(),
4219 		},
4220 		.result = ACCEPT,
4221 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4222 	},
4223 	{
4224 		"direct packet access: test20 (x += pkt_ptr, 1)",
4225 		.insns = {
4226 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4227 				    offsetof(struct __sk_buff, data)),
4228 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4229 				    offsetof(struct __sk_buff, data_end)),
4230 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
4231 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4232 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
4233 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
4234 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4235 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4236 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4237 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
4238 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
4239 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
4240 			BPF_MOV64_IMM(BPF_REG_0, 0),
4241 			BPF_EXIT_INSN(),
4242 		},
4243 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4244 		.result = ACCEPT,
4245 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4246 	},
4247 	{
4248 		"direct packet access: test21 (x += pkt_ptr, 2)",
4249 		.insns = {
4250 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4251 				    offsetof(struct __sk_buff, data)),
4252 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4253 				    offsetof(struct __sk_buff, data_end)),
4254 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4255 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4256 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
4257 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
4258 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
4259 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
4260 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
4261 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4262 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4263 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
4264 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
4265 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
4266 			BPF_MOV64_IMM(BPF_REG_0, 0),
4267 			BPF_EXIT_INSN(),
4268 		},
4269 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4270 		.result = ACCEPT,
4271 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4272 	},
4273 	{
4274 		"direct packet access: test22 (x += pkt_ptr, 3)",
4275 		.insns = {
4276 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4277 				    offsetof(struct __sk_buff, data)),
4278 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4279 				    offsetof(struct __sk_buff, data_end)),
4280 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4281 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4282 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
4283 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
4284 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
4285 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
4286 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
4287 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
4288 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
4289 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
4290 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
4291 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4292 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
4293 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
4294 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
4295 			BPF_MOV64_IMM(BPF_REG_2, 1),
4296 			BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
4297 			BPF_MOV64_IMM(BPF_REG_0, 0),
4298 			BPF_EXIT_INSN(),
4299 		},
4300 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4301 		.result = ACCEPT,
4302 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4303 	},
4304 	{
4305 		"direct packet access: test23 (x += pkt_ptr, 4)",
4306 		.insns = {
4307 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4308 				    offsetof(struct __sk_buff, data)),
4309 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4310 				    offsetof(struct __sk_buff, data_end)),
4311 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
4312 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4313 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
4314 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
4315 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4316 			BPF_MOV64_IMM(BPF_REG_0, 31),
4317 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
4318 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
4319 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
4320 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
4321 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4322 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
4323 			BPF_MOV64_IMM(BPF_REG_0, 0),
4324 			BPF_EXIT_INSN(),
4325 		},
4326 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4327 		.result = REJECT,
4328 		.errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
4329 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4330 	},
4331 	{
4332 		"direct packet access: test24 (x += pkt_ptr, 5)",
4333 		.insns = {
4334 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4335 				    offsetof(struct __sk_buff, data)),
4336 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4337 				    offsetof(struct __sk_buff, data_end)),
4338 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
4339 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4340 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
4341 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
4342 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4343 			BPF_MOV64_IMM(BPF_REG_0, 64),
4344 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
4345 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
4346 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
4347 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
4348 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4349 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
4350 			BPF_MOV64_IMM(BPF_REG_0, 0),
4351 			BPF_EXIT_INSN(),
4352 		},
4353 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4354 		.result = ACCEPT,
4355 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4356 	},
4357 	{
4358 		"direct packet access: test25 (marking on <, good access)",
4359 		.insns = {
4360 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4361 				    offsetof(struct __sk_buff, data)),
4362 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4363 				    offsetof(struct __sk_buff, data_end)),
4364 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4365 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4366 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
4367 			BPF_MOV64_IMM(BPF_REG_0, 0),
4368 			BPF_EXIT_INSN(),
4369 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4370 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4371 		},
4372 		.result = ACCEPT,
4373 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4374 	},
4375 	{
4376 		"direct packet access: test26 (marking on <, bad access)",
4377 		.insns = {
4378 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4379 				    offsetof(struct __sk_buff, data)),
4380 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4381 				    offsetof(struct __sk_buff, data_end)),
4382 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4383 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4384 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
4385 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4386 			BPF_MOV64_IMM(BPF_REG_0, 0),
4387 			BPF_EXIT_INSN(),
4388 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
4389 		},
4390 		.result = REJECT,
4391 		.errstr = "invalid access to packet",
4392 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4393 	},
4394 	{
4395 		"direct packet access: test27 (marking on <=, good access)",
4396 		.insns = {
4397 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4398 				    offsetof(struct __sk_buff, data)),
4399 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4400 				    offsetof(struct __sk_buff, data_end)),
4401 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4402 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4403 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
4404 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4405 			BPF_MOV64_IMM(BPF_REG_0, 1),
4406 			BPF_EXIT_INSN(),
4407 		},
4408 		.result = ACCEPT,
4409 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4410 		.retval = 1,
4411 	},
4412 	{
4413 		"direct packet access: test28 (marking on <=, bad access)",
4414 		.insns = {
4415 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4416 				    offsetof(struct __sk_buff, data)),
4417 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4418 				    offsetof(struct __sk_buff, data_end)),
4419 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4420 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4421 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
4422 			BPF_MOV64_IMM(BPF_REG_0, 1),
4423 			BPF_EXIT_INSN(),
4424 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4425 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4426 		},
4427 		.result = REJECT,
4428 		.errstr = "invalid access to packet",
4429 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4430 	},
4431 	{
4432 		"helper access to packet: test1, valid packet_ptr range",
4433 		.insns = {
4434 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4435 				    offsetof(struct xdp_md, data)),
4436 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4437 				    offsetof(struct xdp_md, data_end)),
4438 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4439 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4440 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4441 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4442 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4443 			BPF_MOV64_IMM(BPF_REG_4, 0),
4444 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4445 				     BPF_FUNC_map_update_elem),
4446 			BPF_MOV64_IMM(BPF_REG_0, 0),
4447 			BPF_EXIT_INSN(),
4448 		},
4449 		.fixup_map_hash_8b = { 5 },
4450 		.result_unpriv = ACCEPT,
4451 		.result = ACCEPT,
4452 		.prog_type = BPF_PROG_TYPE_XDP,
4453 	},
4454 	{
4455 		"helper access to packet: test2, unchecked packet_ptr",
4456 		.insns = {
4457 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4458 				    offsetof(struct xdp_md, data)),
4459 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4460 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4461 				     BPF_FUNC_map_lookup_elem),
4462 			BPF_MOV64_IMM(BPF_REG_0, 0),
4463 			BPF_EXIT_INSN(),
4464 		},
4465 		.fixup_map_hash_8b = { 1 },
4466 		.result = REJECT,
4467 		.errstr = "invalid access to packet",
4468 		.prog_type = BPF_PROG_TYPE_XDP,
4469 	},
4470 	{
4471 		"helper access to packet: test3, variable add",
4472 		.insns = {
4473 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4474 					offsetof(struct xdp_md, data)),
4475 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4476 					offsetof(struct xdp_md, data_end)),
4477 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4478 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4479 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4480 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4481 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4482 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4483 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4484 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4485 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4486 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4487 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4488 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4489 				     BPF_FUNC_map_lookup_elem),
4490 			BPF_MOV64_IMM(BPF_REG_0, 0),
4491 			BPF_EXIT_INSN(),
4492 		},
4493 		.fixup_map_hash_8b = { 11 },
4494 		.result = ACCEPT,
4495 		.prog_type = BPF_PROG_TYPE_XDP,
4496 	},
4497 	{
4498 		"helper access to packet: test4, packet_ptr with bad range",
4499 		.insns = {
4500 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4501 				    offsetof(struct xdp_md, data)),
4502 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4503 				    offsetof(struct xdp_md, data_end)),
4504 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4505 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4506 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4507 			BPF_MOV64_IMM(BPF_REG_0, 0),
4508 			BPF_EXIT_INSN(),
4509 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4510 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4511 				     BPF_FUNC_map_lookup_elem),
4512 			BPF_MOV64_IMM(BPF_REG_0, 0),
4513 			BPF_EXIT_INSN(),
4514 		},
4515 		.fixup_map_hash_8b = { 7 },
4516 		.result = REJECT,
4517 		.errstr = "invalid access to packet",
4518 		.prog_type = BPF_PROG_TYPE_XDP,
4519 	},
4520 	{
4521 		"helper access to packet: test5, packet_ptr with too short range",
4522 		.insns = {
4523 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4524 				    offsetof(struct xdp_md, data)),
4525 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4526 				    offsetof(struct xdp_md, data_end)),
4527 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4528 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4529 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4530 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4531 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4532 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4533 				     BPF_FUNC_map_lookup_elem),
4534 			BPF_MOV64_IMM(BPF_REG_0, 0),
4535 			BPF_EXIT_INSN(),
4536 		},
4537 		.fixup_map_hash_8b = { 6 },
4538 		.result = REJECT,
4539 		.errstr = "invalid access to packet",
4540 		.prog_type = BPF_PROG_TYPE_XDP,
4541 	},
4542 	{
4543 		"helper access to packet: test6, cls valid packet_ptr range",
4544 		.insns = {
4545 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4546 				    offsetof(struct __sk_buff, data)),
4547 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4548 				    offsetof(struct __sk_buff, data_end)),
4549 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4550 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4551 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4552 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4553 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4554 			BPF_MOV64_IMM(BPF_REG_4, 0),
4555 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4556 				     BPF_FUNC_map_update_elem),
4557 			BPF_MOV64_IMM(BPF_REG_0, 0),
4558 			BPF_EXIT_INSN(),
4559 		},
4560 		.fixup_map_hash_8b = { 5 },
4561 		.result = ACCEPT,
4562 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4563 	},
4564 	{
4565 		"helper access to packet: test7, cls unchecked packet_ptr",
4566 		.insns = {
4567 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4568 				    offsetof(struct __sk_buff, data)),
4569 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4570 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4571 				     BPF_FUNC_map_lookup_elem),
4572 			BPF_MOV64_IMM(BPF_REG_0, 0),
4573 			BPF_EXIT_INSN(),
4574 		},
4575 		.fixup_map_hash_8b = { 1 },
4576 		.result = REJECT,
4577 		.errstr = "invalid access to packet",
4578 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4579 	},
4580 	{
4581 		"helper access to packet: test8, cls variable add",
4582 		.insns = {
4583 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4584 					offsetof(struct __sk_buff, data)),
4585 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4586 					offsetof(struct __sk_buff, data_end)),
4587 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4588 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4589 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4590 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4591 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4592 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4593 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4594 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4595 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4596 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4597 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4598 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4599 				     BPF_FUNC_map_lookup_elem),
4600 			BPF_MOV64_IMM(BPF_REG_0, 0),
4601 			BPF_EXIT_INSN(),
4602 		},
4603 		.fixup_map_hash_8b = { 11 },
4604 		.result = ACCEPT,
4605 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4606 	},
4607 	{
4608 		"helper access to packet: test9, cls packet_ptr with bad range",
4609 		.insns = {
4610 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4611 				    offsetof(struct __sk_buff, data)),
4612 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4613 				    offsetof(struct __sk_buff, data_end)),
4614 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4615 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4616 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4617 			BPF_MOV64_IMM(BPF_REG_0, 0),
4618 			BPF_EXIT_INSN(),
4619 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4620 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4621 				     BPF_FUNC_map_lookup_elem),
4622 			BPF_MOV64_IMM(BPF_REG_0, 0),
4623 			BPF_EXIT_INSN(),
4624 		},
4625 		.fixup_map_hash_8b = { 7 },
4626 		.result = REJECT,
4627 		.errstr = "invalid access to packet",
4628 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4629 	},
4630 	{
4631 		"helper access to packet: test10, cls packet_ptr with too short range",
4632 		.insns = {
4633 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4634 				    offsetof(struct __sk_buff, data)),
4635 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4636 				    offsetof(struct __sk_buff, data_end)),
4637 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4638 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4639 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4640 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4641 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4642 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4643 				     BPF_FUNC_map_lookup_elem),
4644 			BPF_MOV64_IMM(BPF_REG_0, 0),
4645 			BPF_EXIT_INSN(),
4646 		},
4647 		.fixup_map_hash_8b = { 6 },
4648 		.result = REJECT,
4649 		.errstr = "invalid access to packet",
4650 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4651 	},
4652 	{
4653 		"helper access to packet: test11, cls unsuitable helper 1",
4654 		.insns = {
4655 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4656 				    offsetof(struct __sk_buff, data)),
4657 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4658 				    offsetof(struct __sk_buff, data_end)),
4659 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4660 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4661 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4662 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4663 			BPF_MOV64_IMM(BPF_REG_2, 0),
4664 			BPF_MOV64_IMM(BPF_REG_4, 42),
4665 			BPF_MOV64_IMM(BPF_REG_5, 0),
4666 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4667 				     BPF_FUNC_skb_store_bytes),
4668 			BPF_MOV64_IMM(BPF_REG_0, 0),
4669 			BPF_EXIT_INSN(),
4670 		},
4671 		.result = REJECT,
4672 		.errstr = "helper access to the packet",
4673 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4674 	},
4675 	{
4676 		"helper access to packet: test12, cls unsuitable helper 2",
4677 		.insns = {
4678 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4679 				    offsetof(struct __sk_buff, data)),
4680 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4681 				    offsetof(struct __sk_buff, data_end)),
4682 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4683 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4684 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4685 			BPF_MOV64_IMM(BPF_REG_2, 0),
4686 			BPF_MOV64_IMM(BPF_REG_4, 4),
4687 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4688 				     BPF_FUNC_skb_load_bytes),
4689 			BPF_MOV64_IMM(BPF_REG_0, 0),
4690 			BPF_EXIT_INSN(),
4691 		},
4692 		.result = REJECT,
4693 		.errstr = "helper access to the packet",
4694 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4695 	},
4696 	{
4697 		"helper access to packet: test13, cls helper ok",
4698 		.insns = {
4699 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4700 				    offsetof(struct __sk_buff, data)),
4701 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4702 				    offsetof(struct __sk_buff, data_end)),
4703 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4704 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4705 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4706 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4707 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4708 			BPF_MOV64_IMM(BPF_REG_2, 4),
4709 			BPF_MOV64_IMM(BPF_REG_3, 0),
4710 			BPF_MOV64_IMM(BPF_REG_4, 0),
4711 			BPF_MOV64_IMM(BPF_REG_5, 0),
4712 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4713 				     BPF_FUNC_csum_diff),
4714 			BPF_MOV64_IMM(BPF_REG_0, 0),
4715 			BPF_EXIT_INSN(),
4716 		},
4717 		.result = ACCEPT,
4718 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4719 	},
4720 	{
4721 		"helper access to packet: test14, cls helper ok sub",
4722 		.insns = {
4723 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4724 				    offsetof(struct __sk_buff, data)),
4725 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4726 				    offsetof(struct __sk_buff, data_end)),
4727 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4728 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4729 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4730 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4731 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4732 			BPF_MOV64_IMM(BPF_REG_2, 4),
4733 			BPF_MOV64_IMM(BPF_REG_3, 0),
4734 			BPF_MOV64_IMM(BPF_REG_4, 0),
4735 			BPF_MOV64_IMM(BPF_REG_5, 0),
4736 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4737 				     BPF_FUNC_csum_diff),
4738 			BPF_MOV64_IMM(BPF_REG_0, 0),
4739 			BPF_EXIT_INSN(),
4740 		},
4741 		.result = ACCEPT,
4742 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4743 	},
4744 	{
4745 		"helper access to packet: test15, cls helper fail sub",
4746 		.insns = {
4747 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4748 				    offsetof(struct __sk_buff, data)),
4749 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4750 				    offsetof(struct __sk_buff, data_end)),
4751 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4752 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4753 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4754 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4755 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4756 			BPF_MOV64_IMM(BPF_REG_2, 4),
4757 			BPF_MOV64_IMM(BPF_REG_3, 0),
4758 			BPF_MOV64_IMM(BPF_REG_4, 0),
4759 			BPF_MOV64_IMM(BPF_REG_5, 0),
4760 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4761 				     BPF_FUNC_csum_diff),
4762 			BPF_MOV64_IMM(BPF_REG_0, 0),
4763 			BPF_EXIT_INSN(),
4764 		},
4765 		.result = REJECT,
4766 		.errstr = "invalid access to packet",
4767 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4768 	},
4769 	{
4770 		"helper access to packet: test16, cls helper fail range 1",
4771 		.insns = {
4772 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4773 				    offsetof(struct __sk_buff, data)),
4774 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4775 				    offsetof(struct __sk_buff, data_end)),
4776 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4777 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4778 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4779 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4780 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4781 			BPF_MOV64_IMM(BPF_REG_2, 8),
4782 			BPF_MOV64_IMM(BPF_REG_3, 0),
4783 			BPF_MOV64_IMM(BPF_REG_4, 0),
4784 			BPF_MOV64_IMM(BPF_REG_5, 0),
4785 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4786 				     BPF_FUNC_csum_diff),
4787 			BPF_MOV64_IMM(BPF_REG_0, 0),
4788 			BPF_EXIT_INSN(),
4789 		},
4790 		.result = REJECT,
4791 		.errstr = "invalid access to packet",
4792 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4793 	},
4794 	{
4795 		"helper access to packet: test17, cls helper fail range 2",
4796 		.insns = {
4797 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4798 				    offsetof(struct __sk_buff, data)),
4799 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4800 				    offsetof(struct __sk_buff, data_end)),
4801 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4802 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4803 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4804 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4805 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4806 			BPF_MOV64_IMM(BPF_REG_2, -9),
4807 			BPF_MOV64_IMM(BPF_REG_3, 0),
4808 			BPF_MOV64_IMM(BPF_REG_4, 0),
4809 			BPF_MOV64_IMM(BPF_REG_5, 0),
4810 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4811 				     BPF_FUNC_csum_diff),
4812 			BPF_MOV64_IMM(BPF_REG_0, 0),
4813 			BPF_EXIT_INSN(),
4814 		},
4815 		.result = REJECT,
4816 		.errstr = "R2 min value is negative",
4817 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4818 	},
4819 	{
4820 		"helper access to packet: test18, cls helper fail range 3",
4821 		.insns = {
4822 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4823 				    offsetof(struct __sk_buff, data)),
4824 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4825 				    offsetof(struct __sk_buff, data_end)),
4826 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4827 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4828 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4829 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4830 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4831 			BPF_MOV64_IMM(BPF_REG_2, ~0),
4832 			BPF_MOV64_IMM(BPF_REG_3, 0),
4833 			BPF_MOV64_IMM(BPF_REG_4, 0),
4834 			BPF_MOV64_IMM(BPF_REG_5, 0),
4835 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4836 				     BPF_FUNC_csum_diff),
4837 			BPF_MOV64_IMM(BPF_REG_0, 0),
4838 			BPF_EXIT_INSN(),
4839 		},
4840 		.result = REJECT,
4841 		.errstr = "R2 min value is negative",
4842 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4843 	},
4844 	{
4845 		"helper access to packet: test19, cls helper range zero",
4846 		.insns = {
4847 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4848 				    offsetof(struct __sk_buff, data)),
4849 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4850 				    offsetof(struct __sk_buff, data_end)),
4851 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4852 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4853 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4854 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4855 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4856 			BPF_MOV64_IMM(BPF_REG_2, 0),
4857 			BPF_MOV64_IMM(BPF_REG_3, 0),
4858 			BPF_MOV64_IMM(BPF_REG_4, 0),
4859 			BPF_MOV64_IMM(BPF_REG_5, 0),
4860 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4861 				     BPF_FUNC_csum_diff),
4862 			BPF_MOV64_IMM(BPF_REG_0, 0),
4863 			BPF_EXIT_INSN(),
4864 		},
4865 		.result = ACCEPT,
4866 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4867 	},
4868 	{
4869 		"helper access to packet: test20, pkt end as input",
4870 		.insns = {
4871 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4872 				    offsetof(struct __sk_buff, data)),
4873 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4874 				    offsetof(struct __sk_buff, data_end)),
4875 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4876 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4877 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4878 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4879 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4880 			BPF_MOV64_IMM(BPF_REG_2, 4),
4881 			BPF_MOV64_IMM(BPF_REG_3, 0),
4882 			BPF_MOV64_IMM(BPF_REG_4, 0),
4883 			BPF_MOV64_IMM(BPF_REG_5, 0),
4884 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4885 				     BPF_FUNC_csum_diff),
4886 			BPF_MOV64_IMM(BPF_REG_0, 0),
4887 			BPF_EXIT_INSN(),
4888 		},
4889 		.result = REJECT,
4890 		.errstr = "R1 type=pkt_end expected=fp",
4891 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4892 	},
4893 	{
4894 		"helper access to packet: test21, wrong reg",
4895 		.insns = {
4896 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4897 				    offsetof(struct __sk_buff, data)),
4898 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4899 				    offsetof(struct __sk_buff, data_end)),
4900 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4901 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4902 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4903 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4904 			BPF_MOV64_IMM(BPF_REG_2, 4),
4905 			BPF_MOV64_IMM(BPF_REG_3, 0),
4906 			BPF_MOV64_IMM(BPF_REG_4, 0),
4907 			BPF_MOV64_IMM(BPF_REG_5, 0),
4908 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4909 				     BPF_FUNC_csum_diff),
4910 			BPF_MOV64_IMM(BPF_REG_0, 0),
4911 			BPF_EXIT_INSN(),
4912 		},
4913 		.result = REJECT,
4914 		.errstr = "invalid access to packet",
4915 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4916 	},
4917 	{
4918 		"prevent map lookup in sockmap",
4919 		.insns = {
4920 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4921 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4922 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4923 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4924 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4925 				     BPF_FUNC_map_lookup_elem),
4926 			BPF_EXIT_INSN(),
4927 		},
4928 		.fixup_map_sockmap = { 3 },
4929 		.result = REJECT,
4930 		.errstr = "cannot pass map_type 15 into func bpf_map_lookup_elem",
4931 		.prog_type = BPF_PROG_TYPE_SOCK_OPS,
4932 	},
4933 	{
4934 		"prevent map lookup in sockhash",
4935 		.insns = {
4936 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4937 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4938 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4939 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4940 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4941 				     BPF_FUNC_map_lookup_elem),
4942 			BPF_EXIT_INSN(),
4943 		},
4944 		.fixup_map_sockhash = { 3 },
4945 		.result = REJECT,
4946 		.errstr = "cannot pass map_type 18 into func bpf_map_lookup_elem",
4947 		.prog_type = BPF_PROG_TYPE_SOCK_OPS,
4948 	},
4949 	{
4950 		"prevent map lookup in xskmap",
4951 		.insns = {
4952 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4953 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4954 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4955 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4956 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4957 				     BPF_FUNC_map_lookup_elem),
4958 			BPF_EXIT_INSN(),
4959 		},
4960 		.fixup_map_xskmap = { 3 },
4961 		.result = REJECT,
4962 		.errstr = "cannot pass map_type 17 into func bpf_map_lookup_elem",
4963 		.prog_type = BPF_PROG_TYPE_XDP,
4964 	},
4965 	{
4966 		"prevent map lookup in stack trace",
4967 		.insns = {
4968 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4969 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4970 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4971 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4972 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4973 				     BPF_FUNC_map_lookup_elem),
4974 			BPF_EXIT_INSN(),
4975 		},
4976 		.fixup_map_stacktrace = { 3 },
4977 		.result = REJECT,
4978 		.errstr = "cannot pass map_type 7 into func bpf_map_lookup_elem",
4979 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
4980 	},
4981 	{
4982 		"prevent map lookup in prog array",
4983 		.insns = {
4984 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4985 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4986 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4987 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4988 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4989 				     BPF_FUNC_map_lookup_elem),
4990 			BPF_EXIT_INSN(),
4991 		},
4992 		.fixup_prog2 = { 3 },
4993 		.result = REJECT,
4994 		.errstr = "cannot pass map_type 3 into func bpf_map_lookup_elem",
4995 	},
4996 	{
4997 		"valid map access into an array with a constant",
4998 		.insns = {
4999 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5000 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5001 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5002 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5003 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5004 				     BPF_FUNC_map_lookup_elem),
5005 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5006 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5007 				   offsetof(struct test_val, foo)),
5008 			BPF_EXIT_INSN(),
5009 		},
5010 		.fixup_map_hash_48b = { 3 },
5011 		.errstr_unpriv = "R0 leaks addr",
5012 		.result_unpriv = REJECT,
5013 		.result = ACCEPT,
5014 	},
5015 	{
5016 		"valid map access into an array with a register",
5017 		.insns = {
5018 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5019 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5020 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5021 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5022 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5023 				     BPF_FUNC_map_lookup_elem),
5024 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5025 			BPF_MOV64_IMM(BPF_REG_1, 4),
5026 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5027 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5028 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5029 				   offsetof(struct test_val, foo)),
5030 			BPF_EXIT_INSN(),
5031 		},
5032 		.fixup_map_hash_48b = { 3 },
5033 		.errstr_unpriv = "R0 leaks addr",
5034 		.result_unpriv = REJECT,
5035 		.result = ACCEPT,
5036 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5037 	},
5038 	{
5039 		"valid map access into an array with a variable",
5040 		.insns = {
5041 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5042 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5043 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5044 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5045 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5046 				     BPF_FUNC_map_lookup_elem),
5047 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5048 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5049 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
5050 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5051 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5052 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5053 				   offsetof(struct test_val, foo)),
5054 			BPF_EXIT_INSN(),
5055 		},
5056 		.fixup_map_hash_48b = { 3 },
5057 		.errstr_unpriv = "R0 leaks addr",
5058 		.result_unpriv = REJECT,
5059 		.result = ACCEPT,
5060 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5061 	},
5062 	{
5063 		"valid map access into an array with a signed variable",
5064 		.insns = {
5065 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5066 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5067 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5068 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5069 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5070 				     BPF_FUNC_map_lookup_elem),
5071 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5072 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5073 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
5074 			BPF_MOV32_IMM(BPF_REG_1, 0),
5075 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
5076 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
5077 			BPF_MOV32_IMM(BPF_REG_1, 0),
5078 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
5079 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5080 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5081 				   offsetof(struct test_val, foo)),
5082 			BPF_EXIT_INSN(),
5083 		},
5084 		.fixup_map_hash_48b = { 3 },
5085 		.errstr_unpriv = "R0 leaks addr",
5086 		.result_unpriv = REJECT,
5087 		.result = ACCEPT,
5088 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5089 	},
5090 	{
5091 		"invalid map access into an array with a constant",
5092 		.insns = {
5093 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5094 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5095 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5096 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5097 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5098 				     BPF_FUNC_map_lookup_elem),
5099 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5100 			BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
5101 				   offsetof(struct test_val, foo)),
5102 			BPF_EXIT_INSN(),
5103 		},
5104 		.fixup_map_hash_48b = { 3 },
5105 		.errstr = "invalid access to map value, value_size=48 off=48 size=8",
5106 		.result = REJECT,
5107 	},
5108 	{
5109 		"invalid map access into an array with a register",
5110 		.insns = {
5111 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5112 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5113 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5114 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5115 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5116 				     BPF_FUNC_map_lookup_elem),
5117 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5118 			BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
5119 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5120 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5121 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5122 				   offsetof(struct test_val, foo)),
5123 			BPF_EXIT_INSN(),
5124 		},
5125 		.fixup_map_hash_48b = { 3 },
5126 		.errstr = "R0 min value is outside of the array range",
5127 		.result = REJECT,
5128 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5129 	},
5130 	{
5131 		"invalid map access into an array with a variable",
5132 		.insns = {
5133 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5134 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5135 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5136 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5137 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5138 				     BPF_FUNC_map_lookup_elem),
5139 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5140 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5141 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5142 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5143 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5144 				   offsetof(struct test_val, foo)),
5145 			BPF_EXIT_INSN(),
5146 		},
5147 		.fixup_map_hash_48b = { 3 },
5148 		.errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
5149 		.result = REJECT,
5150 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5151 	},
5152 	{
5153 		"invalid map access into an array with no floor check",
5154 		.insns = {
5155 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5156 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5157 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5158 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5159 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5160 				     BPF_FUNC_map_lookup_elem),
5161 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5162 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5163 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
5164 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
5165 			BPF_MOV32_IMM(BPF_REG_1, 0),
5166 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
5167 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5168 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5169 				   offsetof(struct test_val, foo)),
5170 			BPF_EXIT_INSN(),
5171 		},
5172 		.fixup_map_hash_48b = { 3 },
5173 		.errstr_unpriv = "R0 leaks addr",
5174 		.errstr = "R0 unbounded memory access",
5175 		.result_unpriv = REJECT,
5176 		.result = REJECT,
5177 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5178 	},
5179 	{
5180 		"invalid map access into an array with a invalid max check",
5181 		.insns = {
5182 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5183 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5184 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5185 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5186 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5187 				     BPF_FUNC_map_lookup_elem),
5188 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5189 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5190 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
5191 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
5192 			BPF_MOV32_IMM(BPF_REG_1, 0),
5193 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
5194 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5195 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5196 				   offsetof(struct test_val, foo)),
5197 			BPF_EXIT_INSN(),
5198 		},
5199 		.fixup_map_hash_48b = { 3 },
5200 		.errstr_unpriv = "R0 leaks addr",
5201 		.errstr = "invalid access to map value, value_size=48 off=44 size=8",
5202 		.result_unpriv = REJECT,
5203 		.result = REJECT,
5204 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5205 	},
5206 	{
5207 		"invalid map access into an array with a invalid max check",
5208 		.insns = {
5209 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5210 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5211 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5212 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5213 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5214 				     BPF_FUNC_map_lookup_elem),
5215 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5216 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5217 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5218 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5219 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5220 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5221 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5222 				     BPF_FUNC_map_lookup_elem),
5223 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5224 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
5225 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
5226 				    offsetof(struct test_val, foo)),
5227 			BPF_EXIT_INSN(),
5228 		},
5229 		.fixup_map_hash_48b = { 3, 11 },
5230 		.errstr = "R0 pointer += pointer",
5231 		.result = REJECT,
5232 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5233 	},
5234 	{
5235 		"direct packet read test#1 for CGROUP_SKB",
5236 		.insns = {
5237 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5238 				    offsetof(struct __sk_buff, data)),
5239 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5240 				    offsetof(struct __sk_buff, data_end)),
5241 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5242 				    offsetof(struct __sk_buff, len)),
5243 			BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5244 				    offsetof(struct __sk_buff, pkt_type)),
5245 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5246 				    offsetof(struct __sk_buff, mark)),
5247 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
5248 				    offsetof(struct __sk_buff, mark)),
5249 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5250 				    offsetof(struct __sk_buff, queue_mapping)),
5251 			BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5252 				    offsetof(struct __sk_buff, protocol)),
5253 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5254 				    offsetof(struct __sk_buff, vlan_present)),
5255 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5256 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5257 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5258 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5259 			BPF_MOV64_IMM(BPF_REG_0, 0),
5260 			BPF_EXIT_INSN(),
5261 		},
5262 		.result = ACCEPT,
5263 		.result_unpriv = REJECT,
5264 		.errstr_unpriv = "invalid bpf_context access off=76 size=4",
5265 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5266 	},
5267 	{
5268 		"direct packet read test#2 for CGROUP_SKB",
5269 		.insns = {
5270 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5271 				    offsetof(struct __sk_buff, vlan_tci)),
5272 			BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5273 				    offsetof(struct __sk_buff, vlan_proto)),
5274 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5275 				    offsetof(struct __sk_buff, priority)),
5276 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
5277 				    offsetof(struct __sk_buff, priority)),
5278 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5279 				    offsetof(struct __sk_buff,
5280 					     ingress_ifindex)),
5281 			BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5282 				    offsetof(struct __sk_buff, tc_index)),
5283 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5284 				    offsetof(struct __sk_buff, hash)),
5285 			BPF_MOV64_IMM(BPF_REG_0, 0),
5286 			BPF_EXIT_INSN(),
5287 		},
5288 		.result = ACCEPT,
5289 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5290 	},
5291 	{
5292 		"direct packet read test#3 for CGROUP_SKB",
5293 		.insns = {
5294 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5295 				    offsetof(struct __sk_buff, cb[0])),
5296 			BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5297 				    offsetof(struct __sk_buff, cb[1])),
5298 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5299 				    offsetof(struct __sk_buff, cb[2])),
5300 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5301 				    offsetof(struct __sk_buff, cb[3])),
5302 			BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5303 				    offsetof(struct __sk_buff, cb[4])),
5304 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5305 				    offsetof(struct __sk_buff, napi_id)),
5306 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_4,
5307 				    offsetof(struct __sk_buff, cb[0])),
5308 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_5,
5309 				    offsetof(struct __sk_buff, cb[1])),
5310 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
5311 				    offsetof(struct __sk_buff, cb[2])),
5312 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_7,
5313 				    offsetof(struct __sk_buff, cb[3])),
5314 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_8,
5315 				    offsetof(struct __sk_buff, cb[4])),
5316 			BPF_MOV64_IMM(BPF_REG_0, 0),
5317 			BPF_EXIT_INSN(),
5318 		},
5319 		.result = ACCEPT,
5320 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5321 	},
5322 	{
5323 		"direct packet read test#4 for CGROUP_SKB",
5324 		.insns = {
5325 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5326 				    offsetof(struct __sk_buff, family)),
5327 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5328 				    offsetof(struct __sk_buff, remote_ip4)),
5329 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5330 				    offsetof(struct __sk_buff, local_ip4)),
5331 			BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5332 				    offsetof(struct __sk_buff, remote_ip6[0])),
5333 			BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5334 				    offsetof(struct __sk_buff, remote_ip6[1])),
5335 			BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5336 				    offsetof(struct __sk_buff, remote_ip6[2])),
5337 			BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5338 				    offsetof(struct __sk_buff, remote_ip6[3])),
5339 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5340 				    offsetof(struct __sk_buff, local_ip6[0])),
5341 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5342 				    offsetof(struct __sk_buff, local_ip6[1])),
5343 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5344 				    offsetof(struct __sk_buff, local_ip6[2])),
5345 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5346 				    offsetof(struct __sk_buff, local_ip6[3])),
5347 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5348 				    offsetof(struct __sk_buff, remote_port)),
5349 			BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5350 				    offsetof(struct __sk_buff, local_port)),
5351 			BPF_MOV64_IMM(BPF_REG_0, 0),
5352 			BPF_EXIT_INSN(),
5353 		},
5354 		.result = ACCEPT,
5355 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5356 	},
5357 	{
5358 		"invalid access of tc_classid for CGROUP_SKB",
5359 		.insns = {
5360 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5361 				    offsetof(struct __sk_buff, tc_classid)),
5362 			BPF_MOV64_IMM(BPF_REG_0, 0),
5363 			BPF_EXIT_INSN(),
5364 		},
5365 		.result = REJECT,
5366 		.errstr = "invalid bpf_context access",
5367 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5368 	},
5369 	{
5370 		"invalid access of data_meta for CGROUP_SKB",
5371 		.insns = {
5372 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5373 				    offsetof(struct __sk_buff, data_meta)),
5374 			BPF_MOV64_IMM(BPF_REG_0, 0),
5375 			BPF_EXIT_INSN(),
5376 		},
5377 		.result = REJECT,
5378 		.errstr = "invalid bpf_context access",
5379 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5380 	},
5381 	{
5382 		"invalid access of flow_keys for CGROUP_SKB",
5383 		.insns = {
5384 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5385 				    offsetof(struct __sk_buff, flow_keys)),
5386 			BPF_MOV64_IMM(BPF_REG_0, 0),
5387 			BPF_EXIT_INSN(),
5388 		},
5389 		.result = REJECT,
5390 		.errstr = "invalid bpf_context access",
5391 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5392 	},
5393 	{
5394 		"invalid write access to napi_id for CGROUP_SKB",
5395 		.insns = {
5396 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5397 				    offsetof(struct __sk_buff, napi_id)),
5398 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_9,
5399 				    offsetof(struct __sk_buff, napi_id)),
5400 			BPF_MOV64_IMM(BPF_REG_0, 0),
5401 			BPF_EXIT_INSN(),
5402 		},
5403 		.result = REJECT,
5404 		.errstr = "invalid bpf_context access",
5405 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5406 	},
5407 	{
5408 		"valid cgroup storage access",
5409 		.insns = {
5410 			BPF_MOV64_IMM(BPF_REG_2, 0),
5411 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5412 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5413 				     BPF_FUNC_get_local_storage),
5414 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5415 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5416 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5417 			BPF_EXIT_INSN(),
5418 		},
5419 		.fixup_cgroup_storage = { 1 },
5420 		.result = ACCEPT,
5421 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5422 	},
5423 	{
5424 		"invalid cgroup storage access 1",
5425 		.insns = {
5426 			BPF_MOV64_IMM(BPF_REG_2, 0),
5427 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5428 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5429 				     BPF_FUNC_get_local_storage),
5430 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5431 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5432 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5433 			BPF_EXIT_INSN(),
5434 		},
5435 		.fixup_map_hash_8b = { 1 },
5436 		.result = REJECT,
5437 		.errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5438 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5439 	},
5440 	{
5441 		"invalid cgroup storage access 2",
5442 		.insns = {
5443 			BPF_MOV64_IMM(BPF_REG_2, 0),
5444 			BPF_LD_MAP_FD(BPF_REG_1, 1),
5445 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5446 				     BPF_FUNC_get_local_storage),
5447 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5448 			BPF_EXIT_INSN(),
5449 		},
5450 		.result = REJECT,
5451 		.errstr = "fd 1 is not pointing to valid bpf_map",
5452 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5453 	},
5454 	{
5455 		"invalid cgroup storage access 3",
5456 		.insns = {
5457 			BPF_MOV64_IMM(BPF_REG_2, 0),
5458 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5459 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5460 				     BPF_FUNC_get_local_storage),
5461 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5462 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5463 			BPF_MOV64_IMM(BPF_REG_0, 0),
5464 			BPF_EXIT_INSN(),
5465 		},
5466 		.fixup_cgroup_storage = { 1 },
5467 		.result = REJECT,
5468 		.errstr = "invalid access to map value, value_size=64 off=256 size=4",
5469 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5470 	},
5471 	{
5472 		"invalid cgroup storage access 4",
5473 		.insns = {
5474 			BPF_MOV64_IMM(BPF_REG_2, 0),
5475 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5476 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5477 				     BPF_FUNC_get_local_storage),
5478 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5479 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5480 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5481 			BPF_EXIT_INSN(),
5482 		},
5483 		.fixup_cgroup_storage = { 1 },
5484 		.result = REJECT,
5485 		.errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5486 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5487 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5488 	},
5489 	{
5490 		"invalid cgroup storage access 5",
5491 		.insns = {
5492 			BPF_MOV64_IMM(BPF_REG_2, 7),
5493 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5494 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5495 				     BPF_FUNC_get_local_storage),
5496 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5497 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5498 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5499 			BPF_EXIT_INSN(),
5500 		},
5501 		.fixup_cgroup_storage = { 1 },
5502 		.result = REJECT,
5503 		.errstr = "get_local_storage() doesn't support non-zero flags",
5504 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5505 	},
5506 	{
5507 		"invalid cgroup storage access 6",
5508 		.insns = {
5509 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5510 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5511 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5512 				     BPF_FUNC_get_local_storage),
5513 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5514 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5515 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5516 			BPF_EXIT_INSN(),
5517 		},
5518 		.fixup_cgroup_storage = { 1 },
5519 		.result = REJECT,
5520 		.errstr = "get_local_storage() doesn't support non-zero flags",
5521 		.errstr_unpriv = "R2 leaks addr into helper function",
5522 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5523 	},
5524 	{
5525 		"valid per-cpu cgroup storage access",
5526 		.insns = {
5527 			BPF_MOV64_IMM(BPF_REG_2, 0),
5528 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5529 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5530 				     BPF_FUNC_get_local_storage),
5531 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5532 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5533 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5534 			BPF_EXIT_INSN(),
5535 		},
5536 		.fixup_percpu_cgroup_storage = { 1 },
5537 		.result = ACCEPT,
5538 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5539 	},
5540 	{
5541 		"invalid per-cpu cgroup storage access 1",
5542 		.insns = {
5543 			BPF_MOV64_IMM(BPF_REG_2, 0),
5544 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5545 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5546 				     BPF_FUNC_get_local_storage),
5547 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5548 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5549 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5550 			BPF_EXIT_INSN(),
5551 		},
5552 		.fixup_map_hash_8b = { 1 },
5553 		.result = REJECT,
5554 		.errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5555 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5556 	},
5557 	{
5558 		"invalid per-cpu cgroup storage access 2",
5559 		.insns = {
5560 			BPF_MOV64_IMM(BPF_REG_2, 0),
5561 			BPF_LD_MAP_FD(BPF_REG_1, 1),
5562 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5563 				     BPF_FUNC_get_local_storage),
5564 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5565 			BPF_EXIT_INSN(),
5566 		},
5567 		.result = REJECT,
5568 		.errstr = "fd 1 is not pointing to valid bpf_map",
5569 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5570 	},
5571 	{
5572 		"invalid per-cpu cgroup storage access 3",
5573 		.insns = {
5574 			BPF_MOV64_IMM(BPF_REG_2, 0),
5575 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5576 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5577 				     BPF_FUNC_get_local_storage),
5578 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5579 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5580 			BPF_MOV64_IMM(BPF_REG_0, 0),
5581 			BPF_EXIT_INSN(),
5582 		},
5583 		.fixup_percpu_cgroup_storage = { 1 },
5584 		.result = REJECT,
5585 		.errstr = "invalid access to map value, value_size=64 off=256 size=4",
5586 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5587 	},
5588 	{
5589 		"invalid per-cpu cgroup storage access 4",
5590 		.insns = {
5591 			BPF_MOV64_IMM(BPF_REG_2, 0),
5592 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5593 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5594 				     BPF_FUNC_get_local_storage),
5595 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5596 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5597 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5598 			BPF_EXIT_INSN(),
5599 		},
5600 		.fixup_cgroup_storage = { 1 },
5601 		.result = REJECT,
5602 		.errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5603 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5604 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5605 	},
5606 	{
5607 		"invalid per-cpu cgroup storage access 5",
5608 		.insns = {
5609 			BPF_MOV64_IMM(BPF_REG_2, 7),
5610 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5611 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5612 				     BPF_FUNC_get_local_storage),
5613 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5614 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5615 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5616 			BPF_EXIT_INSN(),
5617 		},
5618 		.fixup_percpu_cgroup_storage = { 1 },
5619 		.result = REJECT,
5620 		.errstr = "get_local_storage() doesn't support non-zero flags",
5621 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5622 	},
5623 	{
5624 		"invalid per-cpu cgroup storage access 6",
5625 		.insns = {
5626 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5627 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5628 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5629 				     BPF_FUNC_get_local_storage),
5630 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5631 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5632 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5633 			BPF_EXIT_INSN(),
5634 		},
5635 		.fixup_percpu_cgroup_storage = { 1 },
5636 		.result = REJECT,
5637 		.errstr = "get_local_storage() doesn't support non-zero flags",
5638 		.errstr_unpriv = "R2 leaks addr into helper function",
5639 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5640 	},
5641 	{
5642 		"write tstamp from CGROUP_SKB",
5643 		.insns = {
5644 			BPF_MOV64_IMM(BPF_REG_0, 0),
5645 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5646 				    offsetof(struct __sk_buff, tstamp)),
5647 			BPF_MOV64_IMM(BPF_REG_0, 0),
5648 			BPF_EXIT_INSN(),
5649 		},
5650 		.result = ACCEPT,
5651 		.result_unpriv = REJECT,
5652 		.errstr_unpriv = "invalid bpf_context access off=152 size=8",
5653 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5654 	},
5655 	{
5656 		"read tstamp from CGROUP_SKB",
5657 		.insns = {
5658 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
5659 				    offsetof(struct __sk_buff, tstamp)),
5660 			BPF_MOV64_IMM(BPF_REG_0, 0),
5661 			BPF_EXIT_INSN(),
5662 		},
5663 		.result = ACCEPT,
5664 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5665 	},
5666 	{
5667 		"multiple registers share map_lookup_elem result",
5668 		.insns = {
5669 			BPF_MOV64_IMM(BPF_REG_1, 10),
5670 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5671 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5672 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5673 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5674 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5675 				     BPF_FUNC_map_lookup_elem),
5676 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5677 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5678 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5679 			BPF_EXIT_INSN(),
5680 		},
5681 		.fixup_map_hash_8b = { 4 },
5682 		.result = ACCEPT,
5683 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
5684 	},
5685 	{
5686 		"alu ops on ptr_to_map_value_or_null, 1",
5687 		.insns = {
5688 			BPF_MOV64_IMM(BPF_REG_1, 10),
5689 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5690 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5691 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5692 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5693 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5694 				     BPF_FUNC_map_lookup_elem),
5695 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5696 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
5697 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
5698 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5699 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5700 			BPF_EXIT_INSN(),
5701 		},
5702 		.fixup_map_hash_8b = { 4 },
5703 		.errstr = "R4 pointer arithmetic on map_value_or_null",
5704 		.result = REJECT,
5705 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
5706 	},
5707 	{
5708 		"alu ops on ptr_to_map_value_or_null, 2",
5709 		.insns = {
5710 			BPF_MOV64_IMM(BPF_REG_1, 10),
5711 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5712 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5713 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5714 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5715 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5716 				     BPF_FUNC_map_lookup_elem),
5717 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5718 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
5719 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5720 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5721 			BPF_EXIT_INSN(),
5722 		},
5723 		.fixup_map_hash_8b = { 4 },
5724 		.errstr = "R4 pointer arithmetic on map_value_or_null",
5725 		.result = REJECT,
5726 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
5727 	},
5728 	{
5729 		"alu ops on ptr_to_map_value_or_null, 3",
5730 		.insns = {
5731 			BPF_MOV64_IMM(BPF_REG_1, 10),
5732 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5733 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5734 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5735 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5736 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5737 				     BPF_FUNC_map_lookup_elem),
5738 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5739 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
5740 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5741 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5742 			BPF_EXIT_INSN(),
5743 		},
5744 		.fixup_map_hash_8b = { 4 },
5745 		.errstr = "R4 pointer arithmetic on map_value_or_null",
5746 		.result = REJECT,
5747 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
5748 	},
5749 	{
5750 		"invalid memory access with multiple map_lookup_elem calls",
5751 		.insns = {
5752 			BPF_MOV64_IMM(BPF_REG_1, 10),
5753 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5754 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5755 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5756 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5757 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5758 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5759 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5760 				     BPF_FUNC_map_lookup_elem),
5761 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5762 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5763 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5764 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5765 				     BPF_FUNC_map_lookup_elem),
5766 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5767 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5768 			BPF_EXIT_INSN(),
5769 		},
5770 		.fixup_map_hash_8b = { 4 },
5771 		.result = REJECT,
5772 		.errstr = "R4 !read_ok",
5773 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
5774 	},
5775 	{
5776 		"valid indirect map_lookup_elem access with 2nd lookup in branch",
5777 		.insns = {
5778 			BPF_MOV64_IMM(BPF_REG_1, 10),
5779 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5780 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5781 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5782 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5783 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5784 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5785 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5786 				     BPF_FUNC_map_lookup_elem),
5787 			BPF_MOV64_IMM(BPF_REG_2, 10),
5788 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
5789 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5790 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5791 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5792 				     BPF_FUNC_map_lookup_elem),
5793 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5794 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5795 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5796 			BPF_EXIT_INSN(),
5797 		},
5798 		.fixup_map_hash_8b = { 4 },
5799 		.result = ACCEPT,
5800 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
5801 	},
5802 	{
5803 		"invalid map access from else condition",
5804 		.insns = {
5805 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5806 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5807 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5808 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5809 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
5810 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5811 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5812 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
5813 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5814 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5815 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5816 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
5817 			BPF_EXIT_INSN(),
5818 		},
5819 		.fixup_map_hash_48b = { 3 },
5820 		.errstr = "R0 unbounded memory access",
5821 		.result = REJECT,
5822 		.errstr_unpriv = "R0 leaks addr",
5823 		.result_unpriv = REJECT,
5824 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5825 	},
5826 	{
5827 		"constant register |= constant should keep constant type",
5828 		.insns = {
5829 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5830 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5831 			BPF_MOV64_IMM(BPF_REG_2, 34),
5832 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
5833 			BPF_MOV64_IMM(BPF_REG_3, 0),
5834 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5835 			BPF_EXIT_INSN(),
5836 		},
5837 		.result = ACCEPT,
5838 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5839 	},
5840 	{
5841 		"constant register |= constant should not bypass stack boundary checks",
5842 		.insns = {
5843 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5844 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5845 			BPF_MOV64_IMM(BPF_REG_2, 34),
5846 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
5847 			BPF_MOV64_IMM(BPF_REG_3, 0),
5848 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5849 			BPF_EXIT_INSN(),
5850 		},
5851 		.errstr = "invalid stack type R1 off=-48 access_size=58",
5852 		.result = REJECT,
5853 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5854 	},
5855 	{
5856 		"constant register |= constant register should keep constant type",
5857 		.insns = {
5858 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5859 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5860 			BPF_MOV64_IMM(BPF_REG_2, 34),
5861 			BPF_MOV64_IMM(BPF_REG_4, 13),
5862 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5863 			BPF_MOV64_IMM(BPF_REG_3, 0),
5864 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5865 			BPF_EXIT_INSN(),
5866 		},
5867 		.result = ACCEPT,
5868 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5869 	},
5870 	{
5871 		"constant register |= constant register should not bypass stack boundary checks",
5872 		.insns = {
5873 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5874 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5875 			BPF_MOV64_IMM(BPF_REG_2, 34),
5876 			BPF_MOV64_IMM(BPF_REG_4, 24),
5877 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5878 			BPF_MOV64_IMM(BPF_REG_3, 0),
5879 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5880 			BPF_EXIT_INSN(),
5881 		},
5882 		.errstr = "invalid stack type R1 off=-48 access_size=58",
5883 		.result = REJECT,
5884 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5885 	},
5886 	{
5887 		"invalid direct packet write for LWT_IN",
5888 		.insns = {
5889 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5890 				    offsetof(struct __sk_buff, data)),
5891 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5892 				    offsetof(struct __sk_buff, data_end)),
5893 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5894 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5895 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5896 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5897 			BPF_MOV64_IMM(BPF_REG_0, 0),
5898 			BPF_EXIT_INSN(),
5899 		},
5900 		.errstr = "cannot write into packet",
5901 		.result = REJECT,
5902 		.prog_type = BPF_PROG_TYPE_LWT_IN,
5903 	},
5904 	{
5905 		"invalid direct packet write for LWT_OUT",
5906 		.insns = {
5907 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5908 				    offsetof(struct __sk_buff, data)),
5909 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5910 				    offsetof(struct __sk_buff, data_end)),
5911 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5912 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5913 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5914 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5915 			BPF_MOV64_IMM(BPF_REG_0, 0),
5916 			BPF_EXIT_INSN(),
5917 		},
5918 		.errstr = "cannot write into packet",
5919 		.result = REJECT,
5920 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
5921 	},
5922 	{
5923 		"direct packet write for LWT_XMIT",
5924 		.insns = {
5925 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5926 				    offsetof(struct __sk_buff, data)),
5927 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5928 				    offsetof(struct __sk_buff, data_end)),
5929 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5930 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5931 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5932 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5933 			BPF_MOV64_IMM(BPF_REG_0, 0),
5934 			BPF_EXIT_INSN(),
5935 		},
5936 		.result = ACCEPT,
5937 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
5938 	},
5939 	{
5940 		"direct packet read for LWT_IN",
5941 		.insns = {
5942 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5943 				    offsetof(struct __sk_buff, data)),
5944 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5945 				    offsetof(struct __sk_buff, data_end)),
5946 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5947 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5948 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5949 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5950 			BPF_MOV64_IMM(BPF_REG_0, 0),
5951 			BPF_EXIT_INSN(),
5952 		},
5953 		.result = ACCEPT,
5954 		.prog_type = BPF_PROG_TYPE_LWT_IN,
5955 	},
5956 	{
5957 		"direct packet read for LWT_OUT",
5958 		.insns = {
5959 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5960 				    offsetof(struct __sk_buff, data)),
5961 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5962 				    offsetof(struct __sk_buff, data_end)),
5963 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5964 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5965 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5966 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5967 			BPF_MOV64_IMM(BPF_REG_0, 0),
5968 			BPF_EXIT_INSN(),
5969 		},
5970 		.result = ACCEPT,
5971 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
5972 	},
5973 	{
5974 		"direct packet read for LWT_XMIT",
5975 		.insns = {
5976 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5977 				    offsetof(struct __sk_buff, data)),
5978 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5979 				    offsetof(struct __sk_buff, data_end)),
5980 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5981 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5982 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5983 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5984 			BPF_MOV64_IMM(BPF_REG_0, 0),
5985 			BPF_EXIT_INSN(),
5986 		},
5987 		.result = ACCEPT,
5988 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
5989 	},
5990 	{
5991 		"overlapping checks for direct packet access",
5992 		.insns = {
5993 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5994 				    offsetof(struct __sk_buff, data)),
5995 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5996 				    offsetof(struct __sk_buff, data_end)),
5997 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5998 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5999 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
6000 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
6001 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
6002 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
6003 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
6004 			BPF_MOV64_IMM(BPF_REG_0, 0),
6005 			BPF_EXIT_INSN(),
6006 		},
6007 		.result = ACCEPT,
6008 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
6009 	},
6010 	{
6011 		"make headroom for LWT_XMIT",
6012 		.insns = {
6013 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6014 			BPF_MOV64_IMM(BPF_REG_2, 34),
6015 			BPF_MOV64_IMM(BPF_REG_3, 0),
6016 			BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
6017 			/* split for s390 to succeed */
6018 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6019 			BPF_MOV64_IMM(BPF_REG_2, 42),
6020 			BPF_MOV64_IMM(BPF_REG_3, 0),
6021 			BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
6022 			BPF_MOV64_IMM(BPF_REG_0, 0),
6023 			BPF_EXIT_INSN(),
6024 		},
6025 		.result = ACCEPT,
6026 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
6027 	},
6028 	{
6029 		"invalid access of tc_classid for LWT_IN",
6030 		.insns = {
6031 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6032 				    offsetof(struct __sk_buff, tc_classid)),
6033 			BPF_EXIT_INSN(),
6034 		},
6035 		.result = REJECT,
6036 		.errstr = "invalid bpf_context access",
6037 	},
6038 	{
6039 		"invalid access of tc_classid for LWT_OUT",
6040 		.insns = {
6041 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6042 				    offsetof(struct __sk_buff, tc_classid)),
6043 			BPF_EXIT_INSN(),
6044 		},
6045 		.result = REJECT,
6046 		.errstr = "invalid bpf_context access",
6047 	},
6048 	{
6049 		"invalid access of tc_classid for LWT_XMIT",
6050 		.insns = {
6051 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6052 				    offsetof(struct __sk_buff, tc_classid)),
6053 			BPF_EXIT_INSN(),
6054 		},
6055 		.result = REJECT,
6056 		.errstr = "invalid bpf_context access",
6057 	},
6058 	{
6059 		"leak pointer into ctx 1",
6060 		.insns = {
6061 			BPF_MOV64_IMM(BPF_REG_0, 0),
6062 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
6063 				    offsetof(struct __sk_buff, cb[0])),
6064 			BPF_LD_MAP_FD(BPF_REG_2, 0),
6065 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
6066 				      offsetof(struct __sk_buff, cb[0])),
6067 			BPF_EXIT_INSN(),
6068 		},
6069 		.fixup_map_hash_8b = { 2 },
6070 		.errstr_unpriv = "R2 leaks addr into mem",
6071 		.result_unpriv = REJECT,
6072 		.result = REJECT,
6073 		.errstr = "BPF_XADD stores into R1 ctx is not allowed",
6074 	},
6075 	{
6076 		"leak pointer into ctx 2",
6077 		.insns = {
6078 			BPF_MOV64_IMM(BPF_REG_0, 0),
6079 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
6080 				    offsetof(struct __sk_buff, cb[0])),
6081 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
6082 				      offsetof(struct __sk_buff, cb[0])),
6083 			BPF_EXIT_INSN(),
6084 		},
6085 		.errstr_unpriv = "R10 leaks addr into mem",
6086 		.result_unpriv = REJECT,
6087 		.result = REJECT,
6088 		.errstr = "BPF_XADD stores into R1 ctx is not allowed",
6089 	},
6090 	{
6091 		"leak pointer into ctx 3",
6092 		.insns = {
6093 			BPF_MOV64_IMM(BPF_REG_0, 0),
6094 			BPF_LD_MAP_FD(BPF_REG_2, 0),
6095 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
6096 				      offsetof(struct __sk_buff, cb[0])),
6097 			BPF_EXIT_INSN(),
6098 		},
6099 		.fixup_map_hash_8b = { 1 },
6100 		.errstr_unpriv = "R2 leaks addr into ctx",
6101 		.result_unpriv = REJECT,
6102 		.result = ACCEPT,
6103 	},
6104 	{
6105 		"leak pointer into map val",
6106 		.insns = {
6107 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6108 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6109 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6110 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6111 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6112 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6113 				     BPF_FUNC_map_lookup_elem),
6114 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6115 			BPF_MOV64_IMM(BPF_REG_3, 0),
6116 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
6117 			BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
6118 			BPF_MOV64_IMM(BPF_REG_0, 0),
6119 			BPF_EXIT_INSN(),
6120 		},
6121 		.fixup_map_hash_8b = { 4 },
6122 		.errstr_unpriv = "R6 leaks addr into mem",
6123 		.result_unpriv = REJECT,
6124 		.result = ACCEPT,
6125 	},
6126 	{
6127 		"helper access to map: full range",
6128 		.insns = {
6129 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6130 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6131 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6132 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6133 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6134 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6135 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6136 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6137 			BPF_MOV64_IMM(BPF_REG_3, 0),
6138 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6139 			BPF_EXIT_INSN(),
6140 		},
6141 		.fixup_map_hash_48b = { 3 },
6142 		.result = ACCEPT,
6143 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6144 	},
6145 	{
6146 		"helper access to map: partial range",
6147 		.insns = {
6148 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6149 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6150 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6151 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6152 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6153 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6154 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6155 			BPF_MOV64_IMM(BPF_REG_2, 8),
6156 			BPF_MOV64_IMM(BPF_REG_3, 0),
6157 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6158 			BPF_EXIT_INSN(),
6159 		},
6160 		.fixup_map_hash_48b = { 3 },
6161 		.result = ACCEPT,
6162 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6163 	},
6164 	{
6165 		"helper access to map: empty range",
6166 		.insns = {
6167 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6168 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6169 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6170 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6171 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6172 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6173 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6174 			BPF_MOV64_IMM(BPF_REG_2, 0),
6175 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6176 			BPF_EXIT_INSN(),
6177 		},
6178 		.fixup_map_hash_48b = { 3 },
6179 		.errstr = "invalid access to map value, value_size=48 off=0 size=0",
6180 		.result = REJECT,
6181 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6182 	},
6183 	{
6184 		"helper access to map: out-of-bound range",
6185 		.insns = {
6186 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6187 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6188 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6189 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6190 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6191 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6192 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6193 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
6194 			BPF_MOV64_IMM(BPF_REG_3, 0),
6195 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6196 			BPF_EXIT_INSN(),
6197 		},
6198 		.fixup_map_hash_48b = { 3 },
6199 		.errstr = "invalid access to map value, value_size=48 off=0 size=56",
6200 		.result = REJECT,
6201 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6202 	},
6203 	{
6204 		"helper access to map: negative range",
6205 		.insns = {
6206 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6207 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6208 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6209 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6210 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6211 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6212 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6213 			BPF_MOV64_IMM(BPF_REG_2, -8),
6214 			BPF_MOV64_IMM(BPF_REG_3, 0),
6215 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6216 			BPF_EXIT_INSN(),
6217 		},
6218 		.fixup_map_hash_48b = { 3 },
6219 		.errstr = "R2 min value is negative",
6220 		.result = REJECT,
6221 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6222 	},
6223 	{
6224 		"helper access to adjusted map (via const imm): full range",
6225 		.insns = {
6226 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6227 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6228 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6229 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6230 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6231 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6232 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6233 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6234 				offsetof(struct test_val, foo)),
6235 			BPF_MOV64_IMM(BPF_REG_2,
6236 				sizeof(struct test_val) -
6237 				offsetof(struct test_val, foo)),
6238 			BPF_MOV64_IMM(BPF_REG_3, 0),
6239 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6240 			BPF_EXIT_INSN(),
6241 		},
6242 		.fixup_map_hash_48b = { 3 },
6243 		.result = ACCEPT,
6244 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6245 	},
6246 	{
6247 		"helper access to adjusted map (via const imm): partial range",
6248 		.insns = {
6249 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6250 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6251 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6252 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6253 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6254 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6255 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6256 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6257 				offsetof(struct test_val, foo)),
6258 			BPF_MOV64_IMM(BPF_REG_2, 8),
6259 			BPF_MOV64_IMM(BPF_REG_3, 0),
6260 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6261 			BPF_EXIT_INSN(),
6262 		},
6263 		.fixup_map_hash_48b = { 3 },
6264 		.result = ACCEPT,
6265 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6266 	},
6267 	{
6268 		"helper access to adjusted map (via const imm): empty range",
6269 		.insns = {
6270 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6271 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6272 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6273 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6274 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6275 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6276 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6277 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6278 				offsetof(struct test_val, foo)),
6279 			BPF_MOV64_IMM(BPF_REG_2, 0),
6280 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6281 			BPF_EXIT_INSN(),
6282 		},
6283 		.fixup_map_hash_48b = { 3 },
6284 		.errstr = "invalid access to map value, value_size=48 off=4 size=0",
6285 		.result = REJECT,
6286 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6287 	},
6288 	{
6289 		"helper access to adjusted map (via const imm): out-of-bound range",
6290 		.insns = {
6291 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6292 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6293 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6294 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6295 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6296 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6297 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6298 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6299 				offsetof(struct test_val, foo)),
6300 			BPF_MOV64_IMM(BPF_REG_2,
6301 				sizeof(struct test_val) -
6302 				offsetof(struct test_val, foo) + 8),
6303 			BPF_MOV64_IMM(BPF_REG_3, 0),
6304 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6305 			BPF_EXIT_INSN(),
6306 		},
6307 		.fixup_map_hash_48b = { 3 },
6308 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
6309 		.result = REJECT,
6310 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6311 	},
6312 	{
6313 		"helper access to adjusted map (via const imm): negative range (> adjustment)",
6314 		.insns = {
6315 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6316 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6317 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6318 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6319 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6320 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6321 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6322 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6323 				offsetof(struct test_val, foo)),
6324 			BPF_MOV64_IMM(BPF_REG_2, -8),
6325 			BPF_MOV64_IMM(BPF_REG_3, 0),
6326 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6327 			BPF_EXIT_INSN(),
6328 		},
6329 		.fixup_map_hash_48b = { 3 },
6330 		.errstr = "R2 min value is negative",
6331 		.result = REJECT,
6332 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6333 	},
6334 	{
6335 		"helper access to adjusted map (via const imm): negative range (< adjustment)",
6336 		.insns = {
6337 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6338 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6339 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6340 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6341 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6342 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6343 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6344 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6345 				offsetof(struct test_val, foo)),
6346 			BPF_MOV64_IMM(BPF_REG_2, -1),
6347 			BPF_MOV64_IMM(BPF_REG_3, 0),
6348 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6349 			BPF_EXIT_INSN(),
6350 		},
6351 		.fixup_map_hash_48b = { 3 },
6352 		.errstr = "R2 min value is negative",
6353 		.result = REJECT,
6354 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6355 	},
6356 	{
6357 		"helper access to adjusted map (via const reg): full range",
6358 		.insns = {
6359 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6360 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6361 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6362 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6363 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6364 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6365 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6366 			BPF_MOV64_IMM(BPF_REG_3,
6367 				offsetof(struct test_val, foo)),
6368 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6369 			BPF_MOV64_IMM(BPF_REG_2,
6370 				sizeof(struct test_val) -
6371 				offsetof(struct test_val, foo)),
6372 			BPF_MOV64_IMM(BPF_REG_3, 0),
6373 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6374 			BPF_EXIT_INSN(),
6375 		},
6376 		.fixup_map_hash_48b = { 3 },
6377 		.result = ACCEPT,
6378 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6379 	},
6380 	{
6381 		"helper access to adjusted map (via const reg): partial range",
6382 		.insns = {
6383 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6384 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6385 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6386 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6387 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6388 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6389 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6390 			BPF_MOV64_IMM(BPF_REG_3,
6391 				offsetof(struct test_val, foo)),
6392 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6393 			BPF_MOV64_IMM(BPF_REG_2, 8),
6394 			BPF_MOV64_IMM(BPF_REG_3, 0),
6395 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6396 			BPF_EXIT_INSN(),
6397 		},
6398 		.fixup_map_hash_48b = { 3 },
6399 		.result = ACCEPT,
6400 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6401 	},
6402 	{
6403 		"helper access to adjusted map (via const reg): empty range",
6404 		.insns = {
6405 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6406 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6407 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6408 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6409 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6410 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6411 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6412 			BPF_MOV64_IMM(BPF_REG_3, 0),
6413 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6414 			BPF_MOV64_IMM(BPF_REG_2, 0),
6415 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6416 			BPF_EXIT_INSN(),
6417 		},
6418 		.fixup_map_hash_48b = { 3 },
6419 		.errstr = "R1 min value is outside of the array range",
6420 		.result = REJECT,
6421 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6422 	},
6423 	{
6424 		"helper access to adjusted map (via const reg): out-of-bound range",
6425 		.insns = {
6426 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6427 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6428 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6429 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6430 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6431 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6432 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6433 			BPF_MOV64_IMM(BPF_REG_3,
6434 				offsetof(struct test_val, foo)),
6435 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6436 			BPF_MOV64_IMM(BPF_REG_2,
6437 				sizeof(struct test_val) -
6438 				offsetof(struct test_val, foo) + 8),
6439 			BPF_MOV64_IMM(BPF_REG_3, 0),
6440 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6441 			BPF_EXIT_INSN(),
6442 		},
6443 		.fixup_map_hash_48b = { 3 },
6444 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
6445 		.result = REJECT,
6446 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6447 	},
6448 	{
6449 		"helper access to adjusted map (via const reg): negative range (> adjustment)",
6450 		.insns = {
6451 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6452 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6453 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6454 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6455 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6456 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6457 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6458 			BPF_MOV64_IMM(BPF_REG_3,
6459 				offsetof(struct test_val, foo)),
6460 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6461 			BPF_MOV64_IMM(BPF_REG_2, -8),
6462 			BPF_MOV64_IMM(BPF_REG_3, 0),
6463 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6464 			BPF_EXIT_INSN(),
6465 		},
6466 		.fixup_map_hash_48b = { 3 },
6467 		.errstr = "R2 min value is negative",
6468 		.result = REJECT,
6469 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6470 	},
6471 	{
6472 		"helper access to adjusted map (via const reg): negative range (< adjustment)",
6473 		.insns = {
6474 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6475 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6476 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6477 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6478 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6479 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6480 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6481 			BPF_MOV64_IMM(BPF_REG_3,
6482 				offsetof(struct test_val, foo)),
6483 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6484 			BPF_MOV64_IMM(BPF_REG_2, -1),
6485 			BPF_MOV64_IMM(BPF_REG_3, 0),
6486 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6487 			BPF_EXIT_INSN(),
6488 		},
6489 		.fixup_map_hash_48b = { 3 },
6490 		.errstr = "R2 min value is negative",
6491 		.result = REJECT,
6492 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6493 	},
6494 	{
6495 		"helper access to adjusted map (via variable): full range",
6496 		.insns = {
6497 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6498 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6499 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6500 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6501 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6502 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6503 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6504 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6505 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6506 				offsetof(struct test_val, foo), 4),
6507 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6508 			BPF_MOV64_IMM(BPF_REG_2,
6509 				sizeof(struct test_val) -
6510 				offsetof(struct test_val, foo)),
6511 			BPF_MOV64_IMM(BPF_REG_3, 0),
6512 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6513 			BPF_EXIT_INSN(),
6514 		},
6515 		.fixup_map_hash_48b = { 3 },
6516 		.result = ACCEPT,
6517 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6518 	},
6519 	{
6520 		"helper access to adjusted map (via variable): partial range",
6521 		.insns = {
6522 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6523 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6524 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6525 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6526 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6527 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6528 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6529 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6530 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6531 				offsetof(struct test_val, foo), 4),
6532 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6533 			BPF_MOV64_IMM(BPF_REG_2, 8),
6534 			BPF_MOV64_IMM(BPF_REG_3, 0),
6535 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6536 			BPF_EXIT_INSN(),
6537 		},
6538 		.fixup_map_hash_48b = { 3 },
6539 		.result = ACCEPT,
6540 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6541 	},
6542 	{
6543 		"helper access to adjusted map (via variable): empty range",
6544 		.insns = {
6545 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6546 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6547 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6548 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6549 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6550 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6551 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6552 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6553 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6554 				offsetof(struct test_val, foo), 3),
6555 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6556 			BPF_MOV64_IMM(BPF_REG_2, 0),
6557 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6558 			BPF_EXIT_INSN(),
6559 		},
6560 		.fixup_map_hash_48b = { 3 },
6561 		.errstr = "R1 min value is outside of the array range",
6562 		.result = REJECT,
6563 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6564 	},
6565 	{
6566 		"helper access to adjusted map (via variable): no max check",
6567 		.insns = {
6568 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6569 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6570 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6571 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6572 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6573 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6574 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6575 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6576 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6577 			BPF_MOV64_IMM(BPF_REG_2, 1),
6578 			BPF_MOV64_IMM(BPF_REG_3, 0),
6579 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6580 			BPF_EXIT_INSN(),
6581 		},
6582 		.fixup_map_hash_48b = { 3 },
6583 		.errstr = "R1 unbounded memory access",
6584 		.result = REJECT,
6585 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6586 	},
6587 	{
6588 		"helper access to adjusted map (via variable): wrong max check",
6589 		.insns = {
6590 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6591 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6592 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6593 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6594 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6595 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6596 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6597 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6598 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6599 				offsetof(struct test_val, foo), 4),
6600 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6601 			BPF_MOV64_IMM(BPF_REG_2,
6602 				sizeof(struct test_val) -
6603 				offsetof(struct test_val, foo) + 1),
6604 			BPF_MOV64_IMM(BPF_REG_3, 0),
6605 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6606 			BPF_EXIT_INSN(),
6607 		},
6608 		.fixup_map_hash_48b = { 3 },
6609 		.errstr = "invalid access to map value, value_size=48 off=4 size=45",
6610 		.result = REJECT,
6611 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6612 	},
6613 	{
6614 		"helper access to map: bounds check using <, good access",
6615 		.insns = {
6616 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6617 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6618 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6619 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6620 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6621 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6622 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6623 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6624 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
6625 			BPF_MOV64_IMM(BPF_REG_0, 0),
6626 			BPF_EXIT_INSN(),
6627 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6628 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6629 			BPF_MOV64_IMM(BPF_REG_0, 0),
6630 			BPF_EXIT_INSN(),
6631 		},
6632 		.fixup_map_hash_48b = { 3 },
6633 		.result = ACCEPT,
6634 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6635 	},
6636 	{
6637 		"helper access to map: bounds check using <, bad access",
6638 		.insns = {
6639 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6640 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6641 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6642 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6643 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6644 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6645 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6646 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6647 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
6648 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6649 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6650 			BPF_MOV64_IMM(BPF_REG_0, 0),
6651 			BPF_EXIT_INSN(),
6652 			BPF_MOV64_IMM(BPF_REG_0, 0),
6653 			BPF_EXIT_INSN(),
6654 		},
6655 		.fixup_map_hash_48b = { 3 },
6656 		.result = REJECT,
6657 		.errstr = "R1 unbounded memory access",
6658 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6659 	},
6660 	{
6661 		"helper access to map: bounds check using <=, good access",
6662 		.insns = {
6663 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6664 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6665 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6666 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6667 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6668 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6669 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6670 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6671 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
6672 			BPF_MOV64_IMM(BPF_REG_0, 0),
6673 			BPF_EXIT_INSN(),
6674 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6675 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6676 			BPF_MOV64_IMM(BPF_REG_0, 0),
6677 			BPF_EXIT_INSN(),
6678 		},
6679 		.fixup_map_hash_48b = { 3 },
6680 		.result = ACCEPT,
6681 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6682 	},
6683 	{
6684 		"helper access to map: bounds check using <=, bad access",
6685 		.insns = {
6686 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6687 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6688 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6689 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6690 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6691 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6692 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6693 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6694 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
6695 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6696 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6697 			BPF_MOV64_IMM(BPF_REG_0, 0),
6698 			BPF_EXIT_INSN(),
6699 			BPF_MOV64_IMM(BPF_REG_0, 0),
6700 			BPF_EXIT_INSN(),
6701 		},
6702 		.fixup_map_hash_48b = { 3 },
6703 		.result = REJECT,
6704 		.errstr = "R1 unbounded memory access",
6705 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6706 	},
6707 	{
6708 		"helper access to map: bounds check using s<, good access",
6709 		.insns = {
6710 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6711 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6712 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6713 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6714 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6715 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6716 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6717 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6718 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6719 			BPF_MOV64_IMM(BPF_REG_0, 0),
6720 			BPF_EXIT_INSN(),
6721 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
6722 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6723 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6724 			BPF_MOV64_IMM(BPF_REG_0, 0),
6725 			BPF_EXIT_INSN(),
6726 		},
6727 		.fixup_map_hash_48b = { 3 },
6728 		.result = ACCEPT,
6729 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6730 	},
6731 	{
6732 		"helper access to map: bounds check using s<, good access 2",
6733 		.insns = {
6734 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6735 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6736 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6737 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6738 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6739 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6740 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6741 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6742 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6743 			BPF_MOV64_IMM(BPF_REG_0, 0),
6744 			BPF_EXIT_INSN(),
6745 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6746 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6747 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6748 			BPF_MOV64_IMM(BPF_REG_0, 0),
6749 			BPF_EXIT_INSN(),
6750 		},
6751 		.fixup_map_hash_48b = { 3 },
6752 		.result = ACCEPT,
6753 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6754 	},
6755 	{
6756 		"helper access to map: bounds check using s<, bad access",
6757 		.insns = {
6758 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6759 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6760 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6761 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6762 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6763 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6764 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6765 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6766 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
6767 			BPF_MOV64_IMM(BPF_REG_0, 0),
6768 			BPF_EXIT_INSN(),
6769 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
6770 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6771 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6772 			BPF_MOV64_IMM(BPF_REG_0, 0),
6773 			BPF_EXIT_INSN(),
6774 		},
6775 		.fixup_map_hash_48b = { 3 },
6776 		.result = REJECT,
6777 		.errstr = "R1 min value is negative",
6778 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6779 	},
6780 	{
6781 		"helper access to map: bounds check using s<=, good access",
6782 		.insns = {
6783 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6784 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6785 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6786 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6787 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6788 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6789 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6790 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6791 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6792 			BPF_MOV64_IMM(BPF_REG_0, 0),
6793 			BPF_EXIT_INSN(),
6794 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
6795 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6796 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6797 			BPF_MOV64_IMM(BPF_REG_0, 0),
6798 			BPF_EXIT_INSN(),
6799 		},
6800 		.fixup_map_hash_48b = { 3 },
6801 		.result = ACCEPT,
6802 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6803 	},
6804 	{
6805 		"helper access to map: bounds check using s<=, good access 2",
6806 		.insns = {
6807 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6808 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6809 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6810 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6811 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6812 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6813 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6814 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6815 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6816 			BPF_MOV64_IMM(BPF_REG_0, 0),
6817 			BPF_EXIT_INSN(),
6818 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6819 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6820 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6821 			BPF_MOV64_IMM(BPF_REG_0, 0),
6822 			BPF_EXIT_INSN(),
6823 		},
6824 		.fixup_map_hash_48b = { 3 },
6825 		.result = ACCEPT,
6826 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6827 	},
6828 	{
6829 		"helper access to map: bounds check using s<=, bad access",
6830 		.insns = {
6831 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6832 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6833 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6834 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6835 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6836 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6837 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6838 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
6839 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
6840 			BPF_MOV64_IMM(BPF_REG_0, 0),
6841 			BPF_EXIT_INSN(),
6842 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
6843 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
6844 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
6845 			BPF_MOV64_IMM(BPF_REG_0, 0),
6846 			BPF_EXIT_INSN(),
6847 		},
6848 		.fixup_map_hash_48b = { 3 },
6849 		.result = REJECT,
6850 		.errstr = "R1 min value is negative",
6851 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6852 	},
6853 	{
6854 		"map access: known scalar += value_ptr from different maps",
6855 		.insns = {
6856 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6857 				    offsetof(struct __sk_buff, len)),
6858 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6859 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6860 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6861 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
6862 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6863 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
6864 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6865 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6866 				     BPF_FUNC_map_lookup_elem),
6867 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6868 			BPF_MOV64_IMM(BPF_REG_1, 4),
6869 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
6870 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6871 			BPF_MOV64_IMM(BPF_REG_0, 1),
6872 			BPF_EXIT_INSN(),
6873 		},
6874 		.fixup_map_hash_16b = { 5 },
6875 		.fixup_map_array_48b = { 8 },
6876 		.result = ACCEPT,
6877 		.result_unpriv = REJECT,
6878 		.errstr_unpriv = "R1 tried to add from different maps",
6879 		.retval = 1,
6880 	},
6881 	{
6882 		"map access: value_ptr -= known scalar from different maps",
6883 		.insns = {
6884 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6885 				    offsetof(struct __sk_buff, len)),
6886 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6887 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6888 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6889 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
6890 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6891 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
6892 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6893 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6894 				     BPF_FUNC_map_lookup_elem),
6895 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6896 			BPF_MOV64_IMM(BPF_REG_1, 4),
6897 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6898 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6899 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6900 			BPF_MOV64_IMM(BPF_REG_0, 1),
6901 			BPF_EXIT_INSN(),
6902 		},
6903 		.fixup_map_hash_16b = { 5 },
6904 		.fixup_map_array_48b = { 8 },
6905 		.result = ACCEPT,
6906 		.result_unpriv = REJECT,
6907 		.errstr_unpriv = "R0 min value is outside of the array range",
6908 		.retval = 1,
6909 	},
6910 	{
6911 		"map access: known scalar += value_ptr from different maps, but same value properties",
6912 		.insns = {
6913 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6914 				    offsetof(struct __sk_buff, len)),
6915 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6916 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6917 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6918 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 1, 3),
6919 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6920 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
6921 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6922 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6923 				     BPF_FUNC_map_lookup_elem),
6924 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6925 			BPF_MOV64_IMM(BPF_REG_1, 4),
6926 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
6927 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
6928 			BPF_MOV64_IMM(BPF_REG_0, 1),
6929 			BPF_EXIT_INSN(),
6930 		},
6931 		.fixup_map_hash_48b = { 5 },
6932 		.fixup_map_array_48b = { 8 },
6933 		.result = ACCEPT,
6934 		.retval = 1,
6935 	},
6936 	{
6937 		"map access: value_ptr += known scalar, upper oob arith, test 1",
6938 		.insns = {
6939 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6940 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6941 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6942 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6943 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6944 				     BPF_FUNC_map_lookup_elem),
6945 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6946 			BPF_MOV64_IMM(BPF_REG_1, 48),
6947 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6948 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6949 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6950 			BPF_MOV64_IMM(BPF_REG_0, 1),
6951 			BPF_EXIT_INSN(),
6952 		},
6953 		.fixup_map_array_48b = { 3 },
6954 		.result = ACCEPT,
6955 		.result_unpriv = REJECT,
6956 		.errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
6957 		.retval = 1,
6958 	},
6959 	{
6960 		"map access: value_ptr += known scalar, upper oob arith, test 2",
6961 		.insns = {
6962 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6963 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6964 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6965 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6966 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6967 				     BPF_FUNC_map_lookup_elem),
6968 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6969 			BPF_MOV64_IMM(BPF_REG_1, 49),
6970 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6971 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6972 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6973 			BPF_MOV64_IMM(BPF_REG_0, 1),
6974 			BPF_EXIT_INSN(),
6975 		},
6976 		.fixup_map_array_48b = { 3 },
6977 		.result = ACCEPT,
6978 		.result_unpriv = REJECT,
6979 		.errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
6980 		.retval = 1,
6981 	},
6982 	{
6983 		"map access: value_ptr += known scalar, upper oob arith, test 3",
6984 		.insns = {
6985 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6986 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6987 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6988 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6989 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6990 				     BPF_FUNC_map_lookup_elem),
6991 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6992 			BPF_MOV64_IMM(BPF_REG_1, 47),
6993 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6994 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6995 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6996 			BPF_MOV64_IMM(BPF_REG_0, 1),
6997 			BPF_EXIT_INSN(),
6998 		},
6999 		.fixup_map_array_48b = { 3 },
7000 		.result = ACCEPT,
7001 		.result_unpriv = REJECT,
7002 		.errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7003 		.retval = 1,
7004 	},
7005 	{
7006 		"map access: value_ptr -= known scalar, lower oob arith, test 1",
7007 		.insns = {
7008 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7009 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7010 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7011 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7012 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7013 				     BPF_FUNC_map_lookup_elem),
7014 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7015 			BPF_MOV64_IMM(BPF_REG_1, 47),
7016 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7017 			BPF_MOV64_IMM(BPF_REG_1, 48),
7018 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7019 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7020 			BPF_MOV64_IMM(BPF_REG_0, 1),
7021 			BPF_EXIT_INSN(),
7022 		},
7023 		.fixup_map_array_48b = { 3 },
7024 		.result = REJECT,
7025 		.errstr = "R0 min value is outside of the array range",
7026 		.result_unpriv = REJECT,
7027 		.errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7028 	},
7029 	{
7030 		"map access: value_ptr -= known scalar, lower oob arith, test 2",
7031 		.insns = {
7032 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7033 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7034 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7035 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7036 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7037 				     BPF_FUNC_map_lookup_elem),
7038 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7039 			BPF_MOV64_IMM(BPF_REG_1, 47),
7040 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7041 			BPF_MOV64_IMM(BPF_REG_1, 48),
7042 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7043 			BPF_MOV64_IMM(BPF_REG_1, 1),
7044 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7045 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7046 			BPF_MOV64_IMM(BPF_REG_0, 1),
7047 			BPF_EXIT_INSN(),
7048 		},
7049 		.fixup_map_array_48b = { 3 },
7050 		.result = ACCEPT,
7051 		.result_unpriv = REJECT,
7052 		.errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7053 		.retval = 1,
7054 	},
7055 	{
7056 		"map access: value_ptr -= known scalar, lower oob arith, test 3",
7057 		.insns = {
7058 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7059 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7060 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7061 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7062 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7063 				     BPF_FUNC_map_lookup_elem),
7064 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7065 			BPF_MOV64_IMM(BPF_REG_1, 47),
7066 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7067 			BPF_MOV64_IMM(BPF_REG_1, 47),
7068 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7069 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7070 			BPF_MOV64_IMM(BPF_REG_0, 1),
7071 			BPF_EXIT_INSN(),
7072 		},
7073 		.fixup_map_array_48b = { 3 },
7074 		.result = ACCEPT,
7075 		.result_unpriv = REJECT,
7076 		.errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7077 		.retval = 1,
7078 	},
7079 	{
7080 		"map access: known scalar += value_ptr",
7081 		.insns = {
7082 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7083 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7084 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7085 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7086 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7087 				     BPF_FUNC_map_lookup_elem),
7088 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7089 			BPF_MOV64_IMM(BPF_REG_1, 4),
7090 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7091 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
7092 			BPF_MOV64_IMM(BPF_REG_0, 1),
7093 			BPF_EXIT_INSN(),
7094 		},
7095 		.fixup_map_array_48b = { 3 },
7096 		.result = ACCEPT,
7097 		.retval = 1,
7098 	},
7099 	{
7100 		"map access: value_ptr += known scalar, 1",
7101 		.insns = {
7102 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7103 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7104 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7105 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7106 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7107 				     BPF_FUNC_map_lookup_elem),
7108 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7109 			BPF_MOV64_IMM(BPF_REG_1, 4),
7110 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7111 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7112 			BPF_MOV64_IMM(BPF_REG_0, 1),
7113 			BPF_EXIT_INSN(),
7114 		},
7115 		.fixup_map_array_48b = { 3 },
7116 		.result = ACCEPT,
7117 		.retval = 1,
7118 	},
7119 	{
7120 		"map access: value_ptr += known scalar, 2",
7121 		.insns = {
7122 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7123 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7124 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7125 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7126 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7127 				     BPF_FUNC_map_lookup_elem),
7128 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7129 			BPF_MOV64_IMM(BPF_REG_1, 49),
7130 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7131 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7132 			BPF_MOV64_IMM(BPF_REG_0, 1),
7133 			BPF_EXIT_INSN(),
7134 		},
7135 		.fixup_map_array_48b = { 3 },
7136 		.result = REJECT,
7137 		.errstr = "invalid access to map value",
7138 	},
7139 	{
7140 		"map access: value_ptr += known scalar, 3",
7141 		.insns = {
7142 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7143 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7144 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7145 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7146 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7147 				     BPF_FUNC_map_lookup_elem),
7148 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7149 			BPF_MOV64_IMM(BPF_REG_1, -1),
7150 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7151 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7152 			BPF_MOV64_IMM(BPF_REG_0, 1),
7153 			BPF_EXIT_INSN(),
7154 		},
7155 		.fixup_map_array_48b = { 3 },
7156 		.result = REJECT,
7157 		.errstr = "invalid access to map value",
7158 	},
7159 	{
7160 		"map access: value_ptr += known scalar, 4",
7161 		.insns = {
7162 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7163 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7164 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7165 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7166 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7167 				     BPF_FUNC_map_lookup_elem),
7168 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7169 			BPF_MOV64_IMM(BPF_REG_1, 5),
7170 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7171 			BPF_MOV64_IMM(BPF_REG_1, -2),
7172 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7173 			BPF_MOV64_IMM(BPF_REG_1, -1),
7174 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7175 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7176 			BPF_MOV64_IMM(BPF_REG_0, 1),
7177 			BPF_EXIT_INSN(),
7178 		},
7179 		.fixup_map_array_48b = { 3 },
7180 		.result = ACCEPT,
7181 		.result_unpriv = REJECT,
7182 		.errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7183 		.retval = 1,
7184 	},
7185 	{
7186 		"map access: value_ptr += known scalar, 5",
7187 		.insns = {
7188 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7189 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7190 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7191 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7192 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7193 				     BPF_FUNC_map_lookup_elem),
7194 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7195 			BPF_MOV64_IMM(BPF_REG_1, (6 + 1) * sizeof(int)),
7196 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7197 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7198 			BPF_EXIT_INSN(),
7199 		},
7200 		.fixup_map_array_48b = { 3 },
7201 		.result = ACCEPT,
7202 		.retval = 0xabcdef12,
7203 	},
7204 	{
7205 		"map access: value_ptr += known scalar, 6",
7206 		.insns = {
7207 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7208 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7209 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7210 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7211 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7212 				     BPF_FUNC_map_lookup_elem),
7213 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7214 			BPF_MOV64_IMM(BPF_REG_1, (3 + 1) * sizeof(int)),
7215 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7216 			BPF_MOV64_IMM(BPF_REG_1, 3 * sizeof(int)),
7217 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7218 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
7219 			BPF_EXIT_INSN(),
7220 		},
7221 		.fixup_map_array_48b = { 3 },
7222 		.result = ACCEPT,
7223 		.retval = 0xabcdef12,
7224 	},
7225 	{
7226 		"map access: unknown scalar += value_ptr, 1",
7227 		.insns = {
7228 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7229 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7230 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7231 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7232 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7233 				     BPF_FUNC_map_lookup_elem),
7234 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7235 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7236 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7237 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7238 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
7239 			BPF_MOV64_IMM(BPF_REG_0, 1),
7240 			BPF_EXIT_INSN(),
7241 		},
7242 		.fixup_map_array_48b = { 3 },
7243 		.result = ACCEPT,
7244 		.retval = 1,
7245 	},
7246 	{
7247 		"map access: unknown scalar += value_ptr, 2",
7248 		.insns = {
7249 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7250 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7251 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7252 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7253 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7254 				     BPF_FUNC_map_lookup_elem),
7255 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7256 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7257 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
7258 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7259 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7260 			BPF_EXIT_INSN(),
7261 		},
7262 		.fixup_map_array_48b = { 3 },
7263 		.result = ACCEPT,
7264 		.retval = 0xabcdef12,
7265 	},
7266 	{
7267 		"map access: unknown scalar += value_ptr, 3",
7268 		.insns = {
7269 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7270 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7271 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7272 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7273 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7274 				     BPF_FUNC_map_lookup_elem),
7275 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7276 			BPF_MOV64_IMM(BPF_REG_1, -1),
7277 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7278 			BPF_MOV64_IMM(BPF_REG_1, 1),
7279 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7280 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7281 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
7282 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7283 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7284 			BPF_EXIT_INSN(),
7285 		},
7286 		.fixup_map_array_48b = { 3 },
7287 		.result = ACCEPT,
7288 		.result_unpriv = REJECT,
7289 		.errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7290 		.retval = 0xabcdef12,
7291 	},
7292 	{
7293 		"map access: unknown scalar += value_ptr, 4",
7294 		.insns = {
7295 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7296 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7297 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7298 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7299 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7300 				     BPF_FUNC_map_lookup_elem),
7301 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7302 			BPF_MOV64_IMM(BPF_REG_1, 19),
7303 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7304 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7305 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
7306 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
7307 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7308 			BPF_EXIT_INSN(),
7309 		},
7310 		.fixup_map_array_48b = { 3 },
7311 		.result = REJECT,
7312 		.errstr = "R1 max value is outside of the array range",
7313 		.errstr_unpriv = "R1 pointer arithmetic of map value goes out of range",
7314 	},
7315 	{
7316 		"map access: value_ptr += unknown scalar, 1",
7317 		.insns = {
7318 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7319 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7320 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7321 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7322 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7323 				     BPF_FUNC_map_lookup_elem),
7324 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7325 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7326 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7327 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7328 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7329 			BPF_MOV64_IMM(BPF_REG_0, 1),
7330 			BPF_EXIT_INSN(),
7331 		},
7332 		.fixup_map_array_48b = { 3 },
7333 		.result = ACCEPT,
7334 		.retval = 1,
7335 	},
7336 	{
7337 		"map access: value_ptr += unknown scalar, 2",
7338 		.insns = {
7339 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7340 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7341 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7342 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7343 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7344 				     BPF_FUNC_map_lookup_elem),
7345 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7346 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7347 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 31),
7348 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7349 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
7350 			BPF_EXIT_INSN(),
7351 		},
7352 		.fixup_map_array_48b = { 3 },
7353 		.result = ACCEPT,
7354 		.retval = 0xabcdef12,
7355 	},
7356 	{
7357 		"map access: value_ptr += unknown scalar, 3",
7358 		.insns = {
7359 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7360 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7361 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7362 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7363 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7364 				     BPF_FUNC_map_lookup_elem),
7365 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7366 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7367 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 8),
7368 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 16),
7369 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7370 			BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 1),
7371 			BPF_ALU64_IMM(BPF_OR, BPF_REG_3, 1),
7372 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_3, 4),
7373 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
7374 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7375 			BPF_MOV64_IMM(BPF_REG_0, 1),
7376 			BPF_EXIT_INSN(),
7377 			BPF_MOV64_IMM(BPF_REG_0, 2),
7378 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
7379 		},
7380 		.fixup_map_array_48b = { 3 },
7381 		.result = ACCEPT,
7382 		.retval = 1,
7383 	},
7384 	{
7385 		"map access: value_ptr += value_ptr",
7386 		.insns = {
7387 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7388 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7389 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7390 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7391 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7392 				     BPF_FUNC_map_lookup_elem),
7393 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7394 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_0),
7395 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7396 			BPF_MOV64_IMM(BPF_REG_0, 1),
7397 			BPF_EXIT_INSN(),
7398 		},
7399 		.fixup_map_array_48b = { 3 },
7400 		.result = REJECT,
7401 		.errstr = "R0 pointer += pointer prohibited",
7402 	},
7403 	{
7404 		"map access: known scalar -= value_ptr",
7405 		.insns = {
7406 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7407 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7408 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7409 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7410 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7411 				     BPF_FUNC_map_lookup_elem),
7412 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7413 			BPF_MOV64_IMM(BPF_REG_1, 4),
7414 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
7415 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
7416 			BPF_MOV64_IMM(BPF_REG_0, 1),
7417 			BPF_EXIT_INSN(),
7418 		},
7419 		.fixup_map_array_48b = { 3 },
7420 		.result = REJECT,
7421 		.errstr = "R1 tried to subtract pointer from scalar",
7422 	},
7423 	{
7424 		"map access: value_ptr -= known scalar",
7425 		.insns = {
7426 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7427 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7428 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7429 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7430 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7431 				     BPF_FUNC_map_lookup_elem),
7432 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
7433 			BPF_MOV64_IMM(BPF_REG_1, 4),
7434 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7435 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7436 			BPF_MOV64_IMM(BPF_REG_0, 1),
7437 			BPF_EXIT_INSN(),
7438 		},
7439 		.fixup_map_array_48b = { 3 },
7440 		.result = REJECT,
7441 		.errstr = "R0 min value is outside of the array range",
7442 	},
7443 	{
7444 		"map access: value_ptr -= known scalar, 2",
7445 		.insns = {
7446 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7447 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7448 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7449 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7450 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7451 				     BPF_FUNC_map_lookup_elem),
7452 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7453 			BPF_MOV64_IMM(BPF_REG_1, 6),
7454 			BPF_MOV64_IMM(BPF_REG_2, 4),
7455 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7456 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
7457 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7458 			BPF_MOV64_IMM(BPF_REG_0, 1),
7459 			BPF_EXIT_INSN(),
7460 		},
7461 		.fixup_map_array_48b = { 3 },
7462 		.result = ACCEPT,
7463 		.result_unpriv = REJECT,
7464 		.errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7465 		.retval = 1,
7466 	},
7467 	{
7468 		"map access: unknown scalar -= value_ptr",
7469 		.insns = {
7470 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7471 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7472 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7473 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7474 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7475 				     BPF_FUNC_map_lookup_elem),
7476 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7477 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7478 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7479 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
7480 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
7481 			BPF_MOV64_IMM(BPF_REG_0, 1),
7482 			BPF_EXIT_INSN(),
7483 		},
7484 		.fixup_map_array_48b = { 3 },
7485 		.result = REJECT,
7486 		.errstr = "R1 tried to subtract pointer from scalar",
7487 	},
7488 	{
7489 		"map access: value_ptr -= unknown scalar",
7490 		.insns = {
7491 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7492 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7493 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7494 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7495 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7496 				     BPF_FUNC_map_lookup_elem),
7497 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7498 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7499 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7500 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7501 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7502 			BPF_MOV64_IMM(BPF_REG_0, 1),
7503 			BPF_EXIT_INSN(),
7504 		},
7505 		.fixup_map_array_48b = { 3 },
7506 		.result = REJECT,
7507 		.errstr = "R0 min value is negative",
7508 	},
7509 	{
7510 		"map access: value_ptr -= unknown scalar, 2",
7511 		.insns = {
7512 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7513 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7514 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7515 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7516 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7517 				     BPF_FUNC_map_lookup_elem),
7518 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7519 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7520 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xf),
7521 			BPF_ALU64_IMM(BPF_OR, BPF_REG_1, 0x7),
7522 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7523 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7524 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0x7),
7525 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7526 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7527 			BPF_MOV64_IMM(BPF_REG_0, 1),
7528 			BPF_EXIT_INSN(),
7529 		},
7530 		.fixup_map_array_48b = { 3 },
7531 		.result = ACCEPT,
7532 		.result_unpriv = REJECT,
7533 		.errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
7534 		.retval = 1,
7535 	},
7536 	{
7537 		"map access: value_ptr -= value_ptr",
7538 		.insns = {
7539 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7540 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7541 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7542 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7543 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7544 				     BPF_FUNC_map_lookup_elem),
7545 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7546 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_0),
7547 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7548 			BPF_MOV64_IMM(BPF_REG_0, 1),
7549 			BPF_EXIT_INSN(),
7550 		},
7551 		.fixup_map_array_48b = { 3 },
7552 		.result = REJECT,
7553 		.errstr = "R0 invalid mem access 'inv'",
7554 		.errstr_unpriv = "R0 pointer -= pointer prohibited",
7555 	},
7556 	{
7557 		"map lookup helper access to map",
7558 		.insns = {
7559 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7560 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7561 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7562 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7563 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7564 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7565 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7566 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7567 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7568 			BPF_EXIT_INSN(),
7569 		},
7570 		.fixup_map_hash_16b = { 3, 8 },
7571 		.result = ACCEPT,
7572 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7573 	},
7574 	{
7575 		"map update helper access to map",
7576 		.insns = {
7577 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7578 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7579 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7580 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7581 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7582 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7583 			BPF_MOV64_IMM(BPF_REG_4, 0),
7584 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
7585 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7586 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7587 			BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
7588 			BPF_EXIT_INSN(),
7589 		},
7590 		.fixup_map_hash_16b = { 3, 10 },
7591 		.result = ACCEPT,
7592 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7593 	},
7594 	{
7595 		"map update helper access to map: wrong size",
7596 		.insns = {
7597 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7598 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7599 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7600 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7601 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7602 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7603 			BPF_MOV64_IMM(BPF_REG_4, 0),
7604 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
7605 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7606 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7607 			BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
7608 			BPF_EXIT_INSN(),
7609 		},
7610 		.fixup_map_hash_8b = { 3 },
7611 		.fixup_map_hash_16b = { 10 },
7612 		.result = REJECT,
7613 		.errstr = "invalid access to map value, value_size=8 off=0 size=16",
7614 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7615 	},
7616 	{
7617 		"map helper access to adjusted map (via const imm)",
7618 		.insns = {
7619 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7620 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7621 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7622 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7623 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7624 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7625 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7626 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
7627 				      offsetof(struct other_val, bar)),
7628 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7629 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7630 			BPF_EXIT_INSN(),
7631 		},
7632 		.fixup_map_hash_16b = { 3, 9 },
7633 		.result = ACCEPT,
7634 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7635 	},
7636 	{
7637 		"map helper access to adjusted map (via const imm): out-of-bound 1",
7638 		.insns = {
7639 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7640 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7641 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7642 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7643 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7644 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7645 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7646 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
7647 				      sizeof(struct other_val) - 4),
7648 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7649 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7650 			BPF_EXIT_INSN(),
7651 		},
7652 		.fixup_map_hash_16b = { 3, 9 },
7653 		.result = REJECT,
7654 		.errstr = "invalid access to map value, value_size=16 off=12 size=8",
7655 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7656 	},
7657 	{
7658 		"map helper access to adjusted map (via const imm): out-of-bound 2",
7659 		.insns = {
7660 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7661 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7662 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7663 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7664 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7665 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7666 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7667 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7668 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7669 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7670 			BPF_EXIT_INSN(),
7671 		},
7672 		.fixup_map_hash_16b = { 3, 9 },
7673 		.result = REJECT,
7674 		.errstr = "invalid access to map value, value_size=16 off=-4 size=8",
7675 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7676 	},
7677 	{
7678 		"map helper access to adjusted map (via const reg)",
7679 		.insns = {
7680 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7681 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7682 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7683 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7684 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7685 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7686 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7687 			BPF_MOV64_IMM(BPF_REG_3,
7688 				      offsetof(struct other_val, bar)),
7689 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7690 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7691 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7692 			BPF_EXIT_INSN(),
7693 		},
7694 		.fixup_map_hash_16b = { 3, 10 },
7695 		.result = ACCEPT,
7696 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7697 	},
7698 	{
7699 		"map helper access to adjusted map (via const reg): out-of-bound 1",
7700 		.insns = {
7701 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7702 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7703 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7704 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7705 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7706 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7707 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7708 			BPF_MOV64_IMM(BPF_REG_3,
7709 				      sizeof(struct other_val) - 4),
7710 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7711 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7712 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7713 			BPF_EXIT_INSN(),
7714 		},
7715 		.fixup_map_hash_16b = { 3, 10 },
7716 		.result = REJECT,
7717 		.errstr = "invalid access to map value, value_size=16 off=12 size=8",
7718 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7719 	},
7720 	{
7721 		"map helper access to adjusted map (via const reg): out-of-bound 2",
7722 		.insns = {
7723 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7724 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7725 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7726 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7727 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7728 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7729 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7730 			BPF_MOV64_IMM(BPF_REG_3, -4),
7731 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7732 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7733 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7734 			BPF_EXIT_INSN(),
7735 		},
7736 		.fixup_map_hash_16b = { 3, 10 },
7737 		.result = REJECT,
7738 		.errstr = "invalid access to map value, value_size=16 off=-4 size=8",
7739 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7740 	},
7741 	{
7742 		"map helper access to adjusted map (via variable)",
7743 		.insns = {
7744 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7745 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7746 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7747 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7748 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7749 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7750 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7751 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
7752 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
7753 				    offsetof(struct other_val, bar), 4),
7754 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7755 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7756 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7757 			BPF_EXIT_INSN(),
7758 		},
7759 		.fixup_map_hash_16b = { 3, 11 },
7760 		.result = ACCEPT,
7761 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7762 	},
7763 	{
7764 		"map helper access to adjusted map (via variable): no max check",
7765 		.insns = {
7766 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7767 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7768 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7769 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7770 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7771 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7772 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7773 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
7774 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7775 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7776 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7777 			BPF_EXIT_INSN(),
7778 		},
7779 		.fixup_map_hash_16b = { 3, 10 },
7780 		.result = REJECT,
7781 		.errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
7782 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7783 	},
7784 	{
7785 		"map helper access to adjusted map (via variable): wrong max check",
7786 		.insns = {
7787 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7788 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7789 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7790 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7791 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7792 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7793 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
7794 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
7795 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
7796 				    offsetof(struct other_val, bar) + 1, 4),
7797 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
7798 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7799 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7800 			BPF_EXIT_INSN(),
7801 		},
7802 		.fixup_map_hash_16b = { 3, 11 },
7803 		.result = REJECT,
7804 		.errstr = "invalid access to map value, value_size=16 off=9 size=8",
7805 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7806 	},
7807 	{
7808 		"map element value is preserved across register spilling",
7809 		.insns = {
7810 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7811 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7812 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7813 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7814 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7815 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7816 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
7817 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7818 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
7819 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7820 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
7821 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
7822 			BPF_EXIT_INSN(),
7823 		},
7824 		.fixup_map_hash_48b = { 3 },
7825 		.errstr_unpriv = "R0 leaks addr",
7826 		.result = ACCEPT,
7827 		.result_unpriv = REJECT,
7828 	},
7829 	{
7830 		"map element value or null is marked on register spilling",
7831 		.insns = {
7832 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7833 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7834 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7835 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7836 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7837 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7838 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
7839 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7840 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7841 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
7842 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
7843 			BPF_EXIT_INSN(),
7844 		},
7845 		.fixup_map_hash_48b = { 3 },
7846 		.errstr_unpriv = "R0 leaks addr",
7847 		.result = ACCEPT,
7848 		.result_unpriv = REJECT,
7849 	},
7850 	{
7851 		"map element value store of cleared call register",
7852 		.insns = {
7853 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7854 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7855 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7856 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7857 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7858 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
7859 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
7860 			BPF_EXIT_INSN(),
7861 		},
7862 		.fixup_map_hash_48b = { 3 },
7863 		.errstr_unpriv = "R1 !read_ok",
7864 		.errstr = "R1 !read_ok",
7865 		.result = REJECT,
7866 		.result_unpriv = REJECT,
7867 	},
7868 	{
7869 		"map element value with unaligned store",
7870 		.insns = {
7871 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7872 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7873 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7874 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7875 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7876 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
7877 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
7878 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
7879 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
7880 			BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
7881 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
7882 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
7883 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
7884 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
7885 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
7886 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
7887 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
7888 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
7889 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
7890 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
7891 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
7892 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
7893 			BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
7894 			BPF_EXIT_INSN(),
7895 		},
7896 		.fixup_map_hash_48b = { 3 },
7897 		.errstr_unpriv = "R0 leaks addr",
7898 		.result = ACCEPT,
7899 		.result_unpriv = REJECT,
7900 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7901 	},
7902 	{
7903 		"map element value with unaligned load",
7904 		.insns = {
7905 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7906 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7907 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7908 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7909 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7910 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
7911 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7912 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
7913 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
7914 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
7915 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
7916 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
7917 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
7918 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
7919 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
7920 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
7921 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
7922 			BPF_EXIT_INSN(),
7923 		},
7924 		.fixup_map_hash_48b = { 3 },
7925 		.errstr_unpriv = "R0 leaks addr",
7926 		.result = ACCEPT,
7927 		.result_unpriv = REJECT,
7928 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7929 	},
7930 	{
7931 		"map element value illegal alu op, 1",
7932 		.insns = {
7933 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7934 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7935 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7936 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7937 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7938 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7939 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
7940 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7941 			BPF_EXIT_INSN(),
7942 		},
7943 		.fixup_map_hash_48b = { 3 },
7944 		.errstr = "R0 bitwise operator &= on pointer",
7945 		.result = REJECT,
7946 	},
7947 	{
7948 		"map element value illegal alu op, 2",
7949 		.insns = {
7950 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7951 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7952 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7953 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7954 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7955 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7956 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
7957 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7958 			BPF_EXIT_INSN(),
7959 		},
7960 		.fixup_map_hash_48b = { 3 },
7961 		.errstr = "R0 32-bit pointer arithmetic prohibited",
7962 		.result = REJECT,
7963 	},
7964 	{
7965 		"map element value illegal alu op, 3",
7966 		.insns = {
7967 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7968 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7969 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7970 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7971 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7972 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7973 			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
7974 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7975 			BPF_EXIT_INSN(),
7976 		},
7977 		.fixup_map_hash_48b = { 3 },
7978 		.errstr = "R0 pointer arithmetic with /= operator",
7979 		.result = REJECT,
7980 	},
7981 	{
7982 		"map element value illegal alu op, 4",
7983 		.insns = {
7984 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7985 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7986 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7987 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7988 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
7989 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7990 			BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
7991 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
7992 			BPF_EXIT_INSN(),
7993 		},
7994 		.fixup_map_hash_48b = { 3 },
7995 		.errstr_unpriv = "R0 pointer arithmetic prohibited",
7996 		.errstr = "invalid mem access 'inv'",
7997 		.result = REJECT,
7998 		.result_unpriv = REJECT,
7999 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8000 	},
8001 	{
8002 		"map element value illegal alu op, 5",
8003 		.insns = {
8004 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8005 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8006 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8007 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8008 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8009 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8010 			BPF_MOV64_IMM(BPF_REG_3, 4096),
8011 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8012 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8013 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8014 			BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
8015 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
8016 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
8017 			BPF_EXIT_INSN(),
8018 		},
8019 		.fixup_map_hash_48b = { 3 },
8020 		.errstr = "R0 invalid mem access 'inv'",
8021 		.result = REJECT,
8022 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8023 	},
8024 	{
8025 		"map element value is preserved across register spilling",
8026 		.insns = {
8027 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8028 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8029 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8030 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8031 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8032 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8033 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
8034 				offsetof(struct test_val, foo)),
8035 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
8036 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8037 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
8038 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
8039 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
8040 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
8041 			BPF_EXIT_INSN(),
8042 		},
8043 		.fixup_map_hash_48b = { 3 },
8044 		.errstr_unpriv = "R0 leaks addr",
8045 		.result = ACCEPT,
8046 		.result_unpriv = REJECT,
8047 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8048 	},
8049 	{
8050 		"helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
8051 		.insns = {
8052 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8053 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8054 			BPF_MOV64_IMM(BPF_REG_0, 0),
8055 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8056 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
8057 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
8058 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
8059 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
8060 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
8061 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
8062 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
8063 			BPF_MOV64_IMM(BPF_REG_2, 16),
8064 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8065 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8066 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
8067 			BPF_MOV64_IMM(BPF_REG_4, 0),
8068 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
8069 			BPF_MOV64_IMM(BPF_REG_3, 0),
8070 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8071 			BPF_MOV64_IMM(BPF_REG_0, 0),
8072 			BPF_EXIT_INSN(),
8073 		},
8074 		.result = ACCEPT,
8075 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8076 	},
8077 	{
8078 		"helper access to variable memory: stack, bitwise AND, zero included",
8079 		.insns = {
8080 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8081 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8082 			BPF_MOV64_IMM(BPF_REG_2, 16),
8083 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8084 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8085 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
8086 			BPF_MOV64_IMM(BPF_REG_3, 0),
8087 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8088 			BPF_EXIT_INSN(),
8089 		},
8090 		.errstr = "invalid indirect read from stack off -64+0 size 64",
8091 		.result = REJECT,
8092 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8093 	},
8094 	{
8095 		"helper access to variable memory: stack, bitwise AND + JMP, wrong max",
8096 		.insns = {
8097 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8098 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8099 			BPF_MOV64_IMM(BPF_REG_2, 16),
8100 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8101 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8102 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
8103 			BPF_MOV64_IMM(BPF_REG_4, 0),
8104 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
8105 			BPF_MOV64_IMM(BPF_REG_3, 0),
8106 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8107 			BPF_MOV64_IMM(BPF_REG_0, 0),
8108 			BPF_EXIT_INSN(),
8109 		},
8110 		.errstr = "invalid stack type R1 off=-64 access_size=65",
8111 		.result = REJECT,
8112 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8113 	},
8114 	{
8115 		"helper access to variable memory: stack, JMP, correct bounds",
8116 		.insns = {
8117 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8118 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8119 			BPF_MOV64_IMM(BPF_REG_0, 0),
8120 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8121 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
8122 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
8123 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
8124 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
8125 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
8126 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
8127 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
8128 			BPF_MOV64_IMM(BPF_REG_2, 16),
8129 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8130 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8131 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
8132 			BPF_MOV64_IMM(BPF_REG_4, 0),
8133 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
8134 			BPF_MOV64_IMM(BPF_REG_3, 0),
8135 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8136 			BPF_MOV64_IMM(BPF_REG_0, 0),
8137 			BPF_EXIT_INSN(),
8138 		},
8139 		.result = ACCEPT,
8140 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8141 	},
8142 	{
8143 		"helper access to variable memory: stack, JMP (signed), correct bounds",
8144 		.insns = {
8145 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8146 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8147 			BPF_MOV64_IMM(BPF_REG_0, 0),
8148 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8149 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
8150 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
8151 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
8152 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
8153 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
8154 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
8155 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
8156 			BPF_MOV64_IMM(BPF_REG_2, 16),
8157 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8158 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8159 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
8160 			BPF_MOV64_IMM(BPF_REG_4, 0),
8161 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
8162 			BPF_MOV64_IMM(BPF_REG_3, 0),
8163 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8164 			BPF_MOV64_IMM(BPF_REG_0, 0),
8165 			BPF_EXIT_INSN(),
8166 		},
8167 		.result = ACCEPT,
8168 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8169 	},
8170 	{
8171 		"helper access to variable memory: stack, JMP, bounds + offset",
8172 		.insns = {
8173 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8174 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8175 			BPF_MOV64_IMM(BPF_REG_2, 16),
8176 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8177 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8178 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
8179 			BPF_MOV64_IMM(BPF_REG_4, 0),
8180 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
8181 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
8182 			BPF_MOV64_IMM(BPF_REG_3, 0),
8183 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8184 			BPF_MOV64_IMM(BPF_REG_0, 0),
8185 			BPF_EXIT_INSN(),
8186 		},
8187 		.errstr = "invalid stack type R1 off=-64 access_size=65",
8188 		.result = REJECT,
8189 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8190 	},
8191 	{
8192 		"helper access to variable memory: stack, JMP, wrong max",
8193 		.insns = {
8194 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8195 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8196 			BPF_MOV64_IMM(BPF_REG_2, 16),
8197 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8198 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8199 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
8200 			BPF_MOV64_IMM(BPF_REG_4, 0),
8201 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
8202 			BPF_MOV64_IMM(BPF_REG_3, 0),
8203 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8204 			BPF_MOV64_IMM(BPF_REG_0, 0),
8205 			BPF_EXIT_INSN(),
8206 		},
8207 		.errstr = "invalid stack type R1 off=-64 access_size=65",
8208 		.result = REJECT,
8209 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8210 	},
8211 	{
8212 		"helper access to variable memory: stack, JMP, no max check",
8213 		.insns = {
8214 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8215 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8216 			BPF_MOV64_IMM(BPF_REG_2, 16),
8217 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8218 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8219 			BPF_MOV64_IMM(BPF_REG_4, 0),
8220 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
8221 			BPF_MOV64_IMM(BPF_REG_3, 0),
8222 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8223 			BPF_MOV64_IMM(BPF_REG_0, 0),
8224 			BPF_EXIT_INSN(),
8225 		},
8226 		/* because max wasn't checked, signed min is negative */
8227 		.errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
8228 		.result = REJECT,
8229 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8230 	},
8231 	{
8232 		"helper access to variable memory: stack, JMP, no min check",
8233 		.insns = {
8234 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8235 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8236 			BPF_MOV64_IMM(BPF_REG_2, 16),
8237 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8238 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8239 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
8240 			BPF_MOV64_IMM(BPF_REG_3, 0),
8241 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8242 			BPF_MOV64_IMM(BPF_REG_0, 0),
8243 			BPF_EXIT_INSN(),
8244 		},
8245 		.errstr = "invalid indirect read from stack off -64+0 size 64",
8246 		.result = REJECT,
8247 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8248 	},
8249 	{
8250 		"helper access to variable memory: stack, JMP (signed), no min check",
8251 		.insns = {
8252 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8253 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8254 			BPF_MOV64_IMM(BPF_REG_2, 16),
8255 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
8256 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
8257 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
8258 			BPF_MOV64_IMM(BPF_REG_3, 0),
8259 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8260 			BPF_MOV64_IMM(BPF_REG_0, 0),
8261 			BPF_EXIT_INSN(),
8262 		},
8263 		.errstr = "R2 min value is negative",
8264 		.result = REJECT,
8265 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8266 	},
8267 	{
8268 		"helper access to variable memory: map, JMP, correct bounds",
8269 		.insns = {
8270 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8271 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8272 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8273 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8274 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8275 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
8276 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8277 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
8278 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8279 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8280 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
8281 				sizeof(struct test_val), 4),
8282 			BPF_MOV64_IMM(BPF_REG_4, 0),
8283 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
8284 			BPF_MOV64_IMM(BPF_REG_3, 0),
8285 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8286 			BPF_MOV64_IMM(BPF_REG_0, 0),
8287 			BPF_EXIT_INSN(),
8288 		},
8289 		.fixup_map_hash_48b = { 3 },
8290 		.result = ACCEPT,
8291 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8292 	},
8293 	{
8294 		"helper access to variable memory: map, JMP, wrong max",
8295 		.insns = {
8296 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8297 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8298 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8299 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8300 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8301 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
8302 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8303 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
8304 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8305 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8306 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
8307 				sizeof(struct test_val) + 1, 4),
8308 			BPF_MOV64_IMM(BPF_REG_4, 0),
8309 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
8310 			BPF_MOV64_IMM(BPF_REG_3, 0),
8311 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8312 			BPF_MOV64_IMM(BPF_REG_0, 0),
8313 			BPF_EXIT_INSN(),
8314 		},
8315 		.fixup_map_hash_48b = { 3 },
8316 		.errstr = "invalid access to map value, value_size=48 off=0 size=49",
8317 		.result = REJECT,
8318 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8319 	},
8320 	{
8321 		"helper access to variable memory: map adjusted, JMP, correct bounds",
8322 		.insns = {
8323 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8324 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8325 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8326 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8327 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8328 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
8329 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8330 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
8331 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
8332 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8333 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8334 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
8335 				sizeof(struct test_val) - 20, 4),
8336 			BPF_MOV64_IMM(BPF_REG_4, 0),
8337 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
8338 			BPF_MOV64_IMM(BPF_REG_3, 0),
8339 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8340 			BPF_MOV64_IMM(BPF_REG_0, 0),
8341 			BPF_EXIT_INSN(),
8342 		},
8343 		.fixup_map_hash_48b = { 3 },
8344 		.result = ACCEPT,
8345 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8346 	},
8347 	{
8348 		"helper access to variable memory: map adjusted, JMP, wrong max",
8349 		.insns = {
8350 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8351 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8352 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
8353 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8354 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8355 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
8356 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8357 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
8358 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
8359 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8360 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8361 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
8362 				sizeof(struct test_val) - 19, 4),
8363 			BPF_MOV64_IMM(BPF_REG_4, 0),
8364 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
8365 			BPF_MOV64_IMM(BPF_REG_3, 0),
8366 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8367 			BPF_MOV64_IMM(BPF_REG_0, 0),
8368 			BPF_EXIT_INSN(),
8369 		},
8370 		.fixup_map_hash_48b = { 3 },
8371 		.errstr = "R1 min value is outside of the array range",
8372 		.result = REJECT,
8373 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8374 	},
8375 	{
8376 		"helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
8377 		.insns = {
8378 			BPF_MOV64_IMM(BPF_REG_1, 0),
8379 			BPF_MOV64_IMM(BPF_REG_2, 0),
8380 			BPF_MOV64_IMM(BPF_REG_3, 0),
8381 			BPF_MOV64_IMM(BPF_REG_4, 0),
8382 			BPF_MOV64_IMM(BPF_REG_5, 0),
8383 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8384 			BPF_EXIT_INSN(),
8385 		},
8386 		.result = ACCEPT,
8387 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8388 	},
8389 	{
8390 		"helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
8391 		.insns = {
8392 			BPF_MOV64_IMM(BPF_REG_1, 0),
8393 			BPF_MOV64_IMM(BPF_REG_2, 1),
8394 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8395 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8396 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
8397 			BPF_MOV64_IMM(BPF_REG_3, 0),
8398 			BPF_MOV64_IMM(BPF_REG_4, 0),
8399 			BPF_MOV64_IMM(BPF_REG_5, 0),
8400 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8401 			BPF_EXIT_INSN(),
8402 		},
8403 		.errstr = "R1 type=inv expected=fp",
8404 		.result = REJECT,
8405 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8406 	},
8407 	{
8408 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
8409 		.insns = {
8410 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8411 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
8412 			BPF_MOV64_IMM(BPF_REG_2, 0),
8413 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
8414 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
8415 			BPF_MOV64_IMM(BPF_REG_3, 0),
8416 			BPF_MOV64_IMM(BPF_REG_4, 0),
8417 			BPF_MOV64_IMM(BPF_REG_5, 0),
8418 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8419 			BPF_EXIT_INSN(),
8420 		},
8421 		.result = ACCEPT,
8422 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8423 	},
8424 	{
8425 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
8426 		.insns = {
8427 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8428 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8429 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8430 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8431 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8432 				     BPF_FUNC_map_lookup_elem),
8433 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8434 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8435 			BPF_MOV64_IMM(BPF_REG_2, 0),
8436 			BPF_MOV64_IMM(BPF_REG_3, 0),
8437 			BPF_MOV64_IMM(BPF_REG_4, 0),
8438 			BPF_MOV64_IMM(BPF_REG_5, 0),
8439 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8440 			BPF_EXIT_INSN(),
8441 		},
8442 		.fixup_map_hash_8b = { 3 },
8443 		.result = ACCEPT,
8444 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8445 	},
8446 	{
8447 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
8448 		.insns = {
8449 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8450 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8451 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8452 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8453 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8454 				     BPF_FUNC_map_lookup_elem),
8455 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8456 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8457 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
8458 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8459 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
8460 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
8461 			BPF_MOV64_IMM(BPF_REG_3, 0),
8462 			BPF_MOV64_IMM(BPF_REG_4, 0),
8463 			BPF_MOV64_IMM(BPF_REG_5, 0),
8464 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8465 			BPF_EXIT_INSN(),
8466 		},
8467 		.fixup_map_hash_8b = { 3 },
8468 		.result = ACCEPT,
8469 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8470 	},
8471 	{
8472 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
8473 		.insns = {
8474 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8475 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8476 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8477 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8478 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8479 				     BPF_FUNC_map_lookup_elem),
8480 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
8481 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8482 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8483 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
8484 			BPF_MOV64_IMM(BPF_REG_3, 0),
8485 			BPF_MOV64_IMM(BPF_REG_4, 0),
8486 			BPF_MOV64_IMM(BPF_REG_5, 0),
8487 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8488 			BPF_EXIT_INSN(),
8489 		},
8490 		.fixup_map_hash_8b = { 3 },
8491 		.result = ACCEPT,
8492 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8493 	},
8494 	{
8495 		"helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
8496 		.insns = {
8497 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8498 				    offsetof(struct __sk_buff, data)),
8499 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8500 				    offsetof(struct __sk_buff, data_end)),
8501 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
8502 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8503 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
8504 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
8505 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
8506 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
8507 			BPF_MOV64_IMM(BPF_REG_3, 0),
8508 			BPF_MOV64_IMM(BPF_REG_4, 0),
8509 			BPF_MOV64_IMM(BPF_REG_5, 0),
8510 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
8511 			BPF_EXIT_INSN(),
8512 		},
8513 		.result = ACCEPT,
8514 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8515 		.retval = 0 /* csum_diff of 64-byte packet */,
8516 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8517 	},
8518 	{
8519 		"helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
8520 		.insns = {
8521 			BPF_MOV64_IMM(BPF_REG_1, 0),
8522 			BPF_MOV64_IMM(BPF_REG_2, 0),
8523 			BPF_MOV64_IMM(BPF_REG_3, 0),
8524 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8525 			BPF_EXIT_INSN(),
8526 		},
8527 		.errstr = "R1 type=inv expected=fp",
8528 		.result = REJECT,
8529 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8530 	},
8531 	{
8532 		"helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
8533 		.insns = {
8534 			BPF_MOV64_IMM(BPF_REG_1, 0),
8535 			BPF_MOV64_IMM(BPF_REG_2, 1),
8536 			BPF_MOV64_IMM(BPF_REG_3, 0),
8537 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8538 			BPF_EXIT_INSN(),
8539 		},
8540 		.errstr = "R1 type=inv expected=fp",
8541 		.result = REJECT,
8542 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8543 	},
8544 	{
8545 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
8546 		.insns = {
8547 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8548 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
8549 			BPF_MOV64_IMM(BPF_REG_2, 0),
8550 			BPF_MOV64_IMM(BPF_REG_3, 0),
8551 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8552 			BPF_EXIT_INSN(),
8553 		},
8554 		.result = ACCEPT,
8555 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8556 	},
8557 	{
8558 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
8559 		.insns = {
8560 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8561 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8562 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8563 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8564 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8565 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8566 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8567 			BPF_MOV64_IMM(BPF_REG_2, 0),
8568 			BPF_MOV64_IMM(BPF_REG_3, 0),
8569 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8570 			BPF_EXIT_INSN(),
8571 		},
8572 		.fixup_map_hash_8b = { 3 },
8573 		.result = ACCEPT,
8574 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8575 	},
8576 	{
8577 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
8578 		.insns = {
8579 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8580 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8581 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8582 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8583 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8584 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8585 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8586 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
8587 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8588 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
8589 			BPF_MOV64_IMM(BPF_REG_3, 0),
8590 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8591 			BPF_EXIT_INSN(),
8592 		},
8593 		.fixup_map_hash_8b = { 3 },
8594 		.result = ACCEPT,
8595 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8596 	},
8597 	{
8598 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
8599 		.insns = {
8600 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8601 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8602 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8603 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8604 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
8605 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8606 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8607 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8608 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
8609 			BPF_MOV64_IMM(BPF_REG_3, 0),
8610 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8611 			BPF_EXIT_INSN(),
8612 		},
8613 		.fixup_map_hash_8b = { 3 },
8614 		.result = ACCEPT,
8615 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8616 	},
8617 	{
8618 		"helper access to variable memory: 8 bytes leak",
8619 		.insns = {
8620 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8621 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8622 			BPF_MOV64_IMM(BPF_REG_0, 0),
8623 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8624 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
8625 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
8626 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
8627 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
8628 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
8629 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
8630 			BPF_MOV64_IMM(BPF_REG_2, 1),
8631 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
8632 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
8633 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
8634 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
8635 			BPF_MOV64_IMM(BPF_REG_3, 0),
8636 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8637 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8638 			BPF_EXIT_INSN(),
8639 		},
8640 		.errstr = "invalid indirect read from stack off -64+32 size 64",
8641 		.result = REJECT,
8642 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8643 	},
8644 	{
8645 		"helper access to variable memory: 8 bytes no leak (init memory)",
8646 		.insns = {
8647 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8648 			BPF_MOV64_IMM(BPF_REG_0, 0),
8649 			BPF_MOV64_IMM(BPF_REG_0, 0),
8650 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
8651 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
8652 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
8653 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
8654 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
8655 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
8656 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
8657 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
8658 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
8659 			BPF_MOV64_IMM(BPF_REG_2, 0),
8660 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
8661 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
8662 			BPF_MOV64_IMM(BPF_REG_3, 0),
8663 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
8664 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
8665 			BPF_EXIT_INSN(),
8666 		},
8667 		.result = ACCEPT,
8668 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8669 	},
8670 	{
8671 		"invalid and of negative number",
8672 		.insns = {
8673 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8674 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8675 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8676 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8677 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8678 				     BPF_FUNC_map_lookup_elem),
8679 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8680 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8681 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
8682 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
8683 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8684 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
8685 				   offsetof(struct test_val, foo)),
8686 			BPF_EXIT_INSN(),
8687 		},
8688 		.fixup_map_hash_48b = { 3 },
8689 		.errstr = "R0 max value is outside of the array range",
8690 		.result = REJECT,
8691 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8692 	},
8693 	{
8694 		"invalid range check",
8695 		.insns = {
8696 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8697 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8698 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8699 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8700 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8701 				     BPF_FUNC_map_lookup_elem),
8702 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
8703 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
8704 			BPF_MOV64_IMM(BPF_REG_9, 1),
8705 			BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
8706 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
8707 			BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
8708 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
8709 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
8710 			BPF_MOV32_IMM(BPF_REG_3, 1),
8711 			BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
8712 			BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
8713 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
8714 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
8715 			BPF_MOV64_REG(BPF_REG_0, 0),
8716 			BPF_EXIT_INSN(),
8717 		},
8718 		.fixup_map_hash_48b = { 3 },
8719 		.errstr = "R0 max value is outside of the array range",
8720 		.result = REJECT,
8721 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8722 	},
8723 	{
8724 		"map in map access",
8725 		.insns = {
8726 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8727 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8728 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8729 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8730 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8731 				     BPF_FUNC_map_lookup_elem),
8732 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8733 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8734 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8735 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8736 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8737 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8738 				     BPF_FUNC_map_lookup_elem),
8739 			BPF_MOV64_IMM(BPF_REG_0, 0),
8740 			BPF_EXIT_INSN(),
8741 		},
8742 		.fixup_map_in_map = { 3 },
8743 		.result = ACCEPT,
8744 	},
8745 	{
8746 		"invalid inner map pointer",
8747 		.insns = {
8748 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8749 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8750 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8751 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8752 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8753 				     BPF_FUNC_map_lookup_elem),
8754 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8755 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8756 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8757 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8758 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8759 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8760 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8761 				     BPF_FUNC_map_lookup_elem),
8762 			BPF_MOV64_IMM(BPF_REG_0, 0),
8763 			BPF_EXIT_INSN(),
8764 		},
8765 		.fixup_map_in_map = { 3 },
8766 		.errstr = "R1 pointer arithmetic on map_ptr prohibited",
8767 		.result = REJECT,
8768 	},
8769 	{
8770 		"forgot null checking on the inner map pointer",
8771 		.insns = {
8772 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8773 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8774 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8775 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8776 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8777 				     BPF_FUNC_map_lookup_elem),
8778 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
8779 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8780 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
8781 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
8782 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8783 				     BPF_FUNC_map_lookup_elem),
8784 			BPF_MOV64_IMM(BPF_REG_0, 0),
8785 			BPF_EXIT_INSN(),
8786 		},
8787 		.fixup_map_in_map = { 3 },
8788 		.errstr = "R1 type=map_value_or_null expected=map_ptr",
8789 		.result = REJECT,
8790 	},
8791 	{
8792 		"ld_abs: check calling conv, r1",
8793 		.insns = {
8794 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8795 			BPF_MOV64_IMM(BPF_REG_1, 0),
8796 			BPF_LD_ABS(BPF_W, -0x200000),
8797 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8798 			BPF_EXIT_INSN(),
8799 		},
8800 		.errstr = "R1 !read_ok",
8801 		.result = REJECT,
8802 	},
8803 	{
8804 		"ld_abs: check calling conv, r2",
8805 		.insns = {
8806 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8807 			BPF_MOV64_IMM(BPF_REG_2, 0),
8808 			BPF_LD_ABS(BPF_W, -0x200000),
8809 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8810 			BPF_EXIT_INSN(),
8811 		},
8812 		.errstr = "R2 !read_ok",
8813 		.result = REJECT,
8814 	},
8815 	{
8816 		"ld_abs: check calling conv, r3",
8817 		.insns = {
8818 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8819 			BPF_MOV64_IMM(BPF_REG_3, 0),
8820 			BPF_LD_ABS(BPF_W, -0x200000),
8821 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8822 			BPF_EXIT_INSN(),
8823 		},
8824 		.errstr = "R3 !read_ok",
8825 		.result = REJECT,
8826 	},
8827 	{
8828 		"ld_abs: check calling conv, r4",
8829 		.insns = {
8830 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8831 			BPF_MOV64_IMM(BPF_REG_4, 0),
8832 			BPF_LD_ABS(BPF_W, -0x200000),
8833 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8834 			BPF_EXIT_INSN(),
8835 		},
8836 		.errstr = "R4 !read_ok",
8837 		.result = REJECT,
8838 	},
8839 	{
8840 		"ld_abs: check calling conv, r5",
8841 		.insns = {
8842 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8843 			BPF_MOV64_IMM(BPF_REG_5, 0),
8844 			BPF_LD_ABS(BPF_W, -0x200000),
8845 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
8846 			BPF_EXIT_INSN(),
8847 		},
8848 		.errstr = "R5 !read_ok",
8849 		.result = REJECT,
8850 	},
8851 	{
8852 		"ld_abs: check calling conv, r7",
8853 		.insns = {
8854 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8855 			BPF_MOV64_IMM(BPF_REG_7, 0),
8856 			BPF_LD_ABS(BPF_W, -0x200000),
8857 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
8858 			BPF_EXIT_INSN(),
8859 		},
8860 		.result = ACCEPT,
8861 	},
8862 	{
8863 		"ld_abs: tests on r6 and skb data reload helper",
8864 		.insns = {
8865 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8866 			BPF_LD_ABS(BPF_B, 0),
8867 			BPF_LD_ABS(BPF_H, 0),
8868 			BPF_LD_ABS(BPF_W, 0),
8869 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
8870 			BPF_MOV64_IMM(BPF_REG_6, 0),
8871 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
8872 			BPF_MOV64_IMM(BPF_REG_2, 1),
8873 			BPF_MOV64_IMM(BPF_REG_3, 2),
8874 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8875 				     BPF_FUNC_skb_vlan_push),
8876 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
8877 			BPF_LD_ABS(BPF_B, 0),
8878 			BPF_LD_ABS(BPF_H, 0),
8879 			BPF_LD_ABS(BPF_W, 0),
8880 			BPF_MOV64_IMM(BPF_REG_0, 42),
8881 			BPF_EXIT_INSN(),
8882 		},
8883 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8884 		.result = ACCEPT,
8885 		.retval = 42 /* ultimate return value */,
8886 	},
8887 	{
8888 		"ld_ind: check calling conv, r1",
8889 		.insns = {
8890 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8891 			BPF_MOV64_IMM(BPF_REG_1, 1),
8892 			BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
8893 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8894 			BPF_EXIT_INSN(),
8895 		},
8896 		.errstr = "R1 !read_ok",
8897 		.result = REJECT,
8898 	},
8899 	{
8900 		"ld_ind: check calling conv, r2",
8901 		.insns = {
8902 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8903 			BPF_MOV64_IMM(BPF_REG_2, 1),
8904 			BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
8905 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8906 			BPF_EXIT_INSN(),
8907 		},
8908 		.errstr = "R2 !read_ok",
8909 		.result = REJECT,
8910 	},
8911 	{
8912 		"ld_ind: check calling conv, r3",
8913 		.insns = {
8914 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8915 			BPF_MOV64_IMM(BPF_REG_3, 1),
8916 			BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
8917 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8918 			BPF_EXIT_INSN(),
8919 		},
8920 		.errstr = "R3 !read_ok",
8921 		.result = REJECT,
8922 	},
8923 	{
8924 		"ld_ind: check calling conv, r4",
8925 		.insns = {
8926 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8927 			BPF_MOV64_IMM(BPF_REG_4, 1),
8928 			BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
8929 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8930 			BPF_EXIT_INSN(),
8931 		},
8932 		.errstr = "R4 !read_ok",
8933 		.result = REJECT,
8934 	},
8935 	{
8936 		"ld_ind: check calling conv, r5",
8937 		.insns = {
8938 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8939 			BPF_MOV64_IMM(BPF_REG_5, 1),
8940 			BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
8941 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
8942 			BPF_EXIT_INSN(),
8943 		},
8944 		.errstr = "R5 !read_ok",
8945 		.result = REJECT,
8946 	},
8947 	{
8948 		"ld_ind: check calling conv, r7",
8949 		.insns = {
8950 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8951 			BPF_MOV64_IMM(BPF_REG_7, 1),
8952 			BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
8953 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
8954 			BPF_EXIT_INSN(),
8955 		},
8956 		.result = ACCEPT,
8957 		.retval = 1,
8958 	},
8959 	{
8960 		"check bpf_perf_event_data->sample_period byte load permitted",
8961 		.insns = {
8962 			BPF_MOV64_IMM(BPF_REG_0, 0),
8963 #if __BYTE_ORDER == __LITTLE_ENDIAN
8964 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
8965 				    offsetof(struct bpf_perf_event_data, sample_period)),
8966 #else
8967 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
8968 				    offsetof(struct bpf_perf_event_data, sample_period) + 7),
8969 #endif
8970 			BPF_EXIT_INSN(),
8971 		},
8972 		.result = ACCEPT,
8973 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
8974 	},
8975 	{
8976 		"check bpf_perf_event_data->sample_period half load permitted",
8977 		.insns = {
8978 			BPF_MOV64_IMM(BPF_REG_0, 0),
8979 #if __BYTE_ORDER == __LITTLE_ENDIAN
8980 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8981 				    offsetof(struct bpf_perf_event_data, sample_period)),
8982 #else
8983 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
8984 				    offsetof(struct bpf_perf_event_data, sample_period) + 6),
8985 #endif
8986 			BPF_EXIT_INSN(),
8987 		},
8988 		.result = ACCEPT,
8989 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
8990 	},
8991 	{
8992 		"check bpf_perf_event_data->sample_period word load permitted",
8993 		.insns = {
8994 			BPF_MOV64_IMM(BPF_REG_0, 0),
8995 #if __BYTE_ORDER == __LITTLE_ENDIAN
8996 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8997 				    offsetof(struct bpf_perf_event_data, sample_period)),
8998 #else
8999 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9000 				    offsetof(struct bpf_perf_event_data, sample_period) + 4),
9001 #endif
9002 			BPF_EXIT_INSN(),
9003 		},
9004 		.result = ACCEPT,
9005 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
9006 	},
9007 	{
9008 		"check bpf_perf_event_data->sample_period dword load permitted",
9009 		.insns = {
9010 			BPF_MOV64_IMM(BPF_REG_0, 0),
9011 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
9012 				    offsetof(struct bpf_perf_event_data, sample_period)),
9013 			BPF_EXIT_INSN(),
9014 		},
9015 		.result = ACCEPT,
9016 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
9017 	},
9018 	{
9019 		"check skb->data half load not permitted",
9020 		.insns = {
9021 			BPF_MOV64_IMM(BPF_REG_0, 0),
9022 #if __BYTE_ORDER == __LITTLE_ENDIAN
9023 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
9024 				    offsetof(struct __sk_buff, data)),
9025 #else
9026 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
9027 				    offsetof(struct __sk_buff, data) + 2),
9028 #endif
9029 			BPF_EXIT_INSN(),
9030 		},
9031 		.result = REJECT,
9032 		.errstr = "invalid bpf_context access",
9033 	},
9034 	{
9035 		"check skb->tc_classid half load not permitted for lwt prog",
9036 		.insns = {
9037 			BPF_MOV64_IMM(BPF_REG_0, 0),
9038 #if __BYTE_ORDER == __LITTLE_ENDIAN
9039 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
9040 				    offsetof(struct __sk_buff, tc_classid)),
9041 #else
9042 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
9043 				    offsetof(struct __sk_buff, tc_classid) + 2),
9044 #endif
9045 			BPF_EXIT_INSN(),
9046 		},
9047 		.result = REJECT,
9048 		.errstr = "invalid bpf_context access",
9049 		.prog_type = BPF_PROG_TYPE_LWT_IN,
9050 	},
9051 	{
9052 		"bounds checks mixing signed and unsigned, positive bounds",
9053 		.insns = {
9054 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9055 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9056 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9057 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9058 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9059 				     BPF_FUNC_map_lookup_elem),
9060 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
9061 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9062 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9063 			BPF_MOV64_IMM(BPF_REG_2, 2),
9064 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
9065 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
9066 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9067 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9068 			BPF_MOV64_IMM(BPF_REG_0, 0),
9069 			BPF_EXIT_INSN(),
9070 		},
9071 		.fixup_map_hash_8b = { 3 },
9072 		.errstr = "unbounded min value",
9073 		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9074 		.result = REJECT,
9075 	},
9076 	{
9077 		"bounds checks mixing signed and unsigned",
9078 		.insns = {
9079 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9080 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9081 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9082 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9083 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9084 				     BPF_FUNC_map_lookup_elem),
9085 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
9086 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9087 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9088 			BPF_MOV64_IMM(BPF_REG_2, -1),
9089 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
9090 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9091 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9092 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9093 			BPF_MOV64_IMM(BPF_REG_0, 0),
9094 			BPF_EXIT_INSN(),
9095 		},
9096 		.fixup_map_hash_8b = { 3 },
9097 		.errstr = "unbounded min value",
9098 		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9099 		.result = REJECT,
9100 	},
9101 	{
9102 		"bounds checks mixing signed and unsigned, variant 2",
9103 		.insns = {
9104 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9105 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9106 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9107 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9108 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9109 				     BPF_FUNC_map_lookup_elem),
9110 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9111 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9112 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9113 			BPF_MOV64_IMM(BPF_REG_2, -1),
9114 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
9115 			BPF_MOV64_IMM(BPF_REG_8, 0),
9116 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
9117 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
9118 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
9119 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
9120 			BPF_MOV64_IMM(BPF_REG_0, 0),
9121 			BPF_EXIT_INSN(),
9122 		},
9123 		.fixup_map_hash_8b = { 3 },
9124 		.errstr = "unbounded min value",
9125 		.errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
9126 		.result = REJECT,
9127 	},
9128 	{
9129 		"bounds checks mixing signed and unsigned, variant 3",
9130 		.insns = {
9131 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9132 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9133 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9134 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9135 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9136 				     BPF_FUNC_map_lookup_elem),
9137 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
9138 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9139 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9140 			BPF_MOV64_IMM(BPF_REG_2, -1),
9141 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
9142 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
9143 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
9144 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
9145 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
9146 			BPF_MOV64_IMM(BPF_REG_0, 0),
9147 			BPF_EXIT_INSN(),
9148 		},
9149 		.fixup_map_hash_8b = { 3 },
9150 		.errstr = "unbounded min value",
9151 		.errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
9152 		.result = REJECT,
9153 	},
9154 	{
9155 		"bounds checks mixing signed and unsigned, variant 4",
9156 		.insns = {
9157 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9158 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9159 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9160 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9161 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9162 				     BPF_FUNC_map_lookup_elem),
9163 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
9164 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9165 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9166 			BPF_MOV64_IMM(BPF_REG_2, 1),
9167 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
9168 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9169 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9170 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9171 			BPF_MOV64_IMM(BPF_REG_0, 0),
9172 			BPF_EXIT_INSN(),
9173 		},
9174 		.fixup_map_hash_8b = { 3 },
9175 		.result = ACCEPT,
9176 	},
9177 	{
9178 		"bounds checks mixing signed and unsigned, variant 5",
9179 		.insns = {
9180 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9181 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9182 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9183 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9184 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9185 				     BPF_FUNC_map_lookup_elem),
9186 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9187 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9188 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9189 			BPF_MOV64_IMM(BPF_REG_2, -1),
9190 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
9191 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
9192 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
9193 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9194 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9195 			BPF_MOV64_IMM(BPF_REG_0, 0),
9196 			BPF_EXIT_INSN(),
9197 		},
9198 		.fixup_map_hash_8b = { 3 },
9199 		.errstr = "unbounded min value",
9200 		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9201 		.result = REJECT,
9202 	},
9203 	{
9204 		"bounds checks mixing signed and unsigned, variant 6",
9205 		.insns = {
9206 			BPF_MOV64_IMM(BPF_REG_2, 0),
9207 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
9208 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
9209 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9210 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
9211 			BPF_MOV64_IMM(BPF_REG_6, -1),
9212 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
9213 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
9214 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
9215 			BPF_MOV64_IMM(BPF_REG_5, 0),
9216 			BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
9217 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9218 				     BPF_FUNC_skb_load_bytes),
9219 			BPF_MOV64_IMM(BPF_REG_0, 0),
9220 			BPF_EXIT_INSN(),
9221 		},
9222 		.errstr = "R4 min value is negative, either use unsigned",
9223 		.result = REJECT,
9224 	},
9225 	{
9226 		"bounds checks mixing signed and unsigned, variant 7",
9227 		.insns = {
9228 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9229 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9230 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9231 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9232 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9233 				     BPF_FUNC_map_lookup_elem),
9234 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
9235 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9236 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9237 			BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
9238 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
9239 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9240 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9241 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9242 			BPF_MOV64_IMM(BPF_REG_0, 0),
9243 			BPF_EXIT_INSN(),
9244 		},
9245 		.fixup_map_hash_8b = { 3 },
9246 		.result = ACCEPT,
9247 	},
9248 	{
9249 		"bounds checks mixing signed and unsigned, variant 8",
9250 		.insns = {
9251 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9252 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9253 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9254 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9255 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9256 				     BPF_FUNC_map_lookup_elem),
9257 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9258 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9259 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9260 			BPF_MOV64_IMM(BPF_REG_2, -1),
9261 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
9262 			BPF_MOV64_IMM(BPF_REG_0, 0),
9263 			BPF_EXIT_INSN(),
9264 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9265 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9266 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9267 			BPF_MOV64_IMM(BPF_REG_0, 0),
9268 			BPF_EXIT_INSN(),
9269 		},
9270 		.fixup_map_hash_8b = { 3 },
9271 		.errstr = "unbounded min value",
9272 		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9273 		.result = REJECT,
9274 	},
9275 	{
9276 		"bounds checks mixing signed and unsigned, variant 9",
9277 		.insns = {
9278 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9279 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9280 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9281 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9282 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9283 				     BPF_FUNC_map_lookup_elem),
9284 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
9285 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9286 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9287 			BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
9288 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
9289 			BPF_MOV64_IMM(BPF_REG_0, 0),
9290 			BPF_EXIT_INSN(),
9291 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9292 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9293 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9294 			BPF_MOV64_IMM(BPF_REG_0, 0),
9295 			BPF_EXIT_INSN(),
9296 		},
9297 		.fixup_map_hash_8b = { 3 },
9298 		.result = ACCEPT,
9299 	},
9300 	{
9301 		"bounds checks mixing signed and unsigned, variant 10",
9302 		.insns = {
9303 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9304 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9305 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9306 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9307 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9308 				     BPF_FUNC_map_lookup_elem),
9309 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9310 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9311 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9312 			BPF_MOV64_IMM(BPF_REG_2, 0),
9313 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
9314 			BPF_MOV64_IMM(BPF_REG_0, 0),
9315 			BPF_EXIT_INSN(),
9316 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9317 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9318 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9319 			BPF_MOV64_IMM(BPF_REG_0, 0),
9320 			BPF_EXIT_INSN(),
9321 		},
9322 		.fixup_map_hash_8b = { 3 },
9323 		.errstr = "unbounded min value",
9324 		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9325 		.result = REJECT,
9326 	},
9327 	{
9328 		"bounds checks mixing signed and unsigned, variant 11",
9329 		.insns = {
9330 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9331 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9332 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9333 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9334 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9335 				     BPF_FUNC_map_lookup_elem),
9336 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9337 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9338 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9339 			BPF_MOV64_IMM(BPF_REG_2, -1),
9340 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
9341 			/* Dead branch. */
9342 			BPF_MOV64_IMM(BPF_REG_0, 0),
9343 			BPF_EXIT_INSN(),
9344 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9345 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9346 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9347 			BPF_MOV64_IMM(BPF_REG_0, 0),
9348 			BPF_EXIT_INSN(),
9349 		},
9350 		.fixup_map_hash_8b = { 3 },
9351 		.errstr = "unbounded min value",
9352 		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9353 		.result = REJECT,
9354 	},
9355 	{
9356 		"bounds checks mixing signed and unsigned, variant 12",
9357 		.insns = {
9358 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9359 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9360 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9361 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9362 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9363 				     BPF_FUNC_map_lookup_elem),
9364 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9365 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9366 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9367 			BPF_MOV64_IMM(BPF_REG_2, -6),
9368 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
9369 			BPF_MOV64_IMM(BPF_REG_0, 0),
9370 			BPF_EXIT_INSN(),
9371 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9372 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9373 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9374 			BPF_MOV64_IMM(BPF_REG_0, 0),
9375 			BPF_EXIT_INSN(),
9376 		},
9377 		.fixup_map_hash_8b = { 3 },
9378 		.errstr = "unbounded min value",
9379 		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9380 		.result = REJECT,
9381 	},
9382 	{
9383 		"bounds checks mixing signed and unsigned, variant 13",
9384 		.insns = {
9385 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9386 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9387 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9388 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9389 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9390 				     BPF_FUNC_map_lookup_elem),
9391 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
9392 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9393 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9394 			BPF_MOV64_IMM(BPF_REG_2, 2),
9395 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
9396 			BPF_MOV64_IMM(BPF_REG_7, 1),
9397 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
9398 			BPF_MOV64_IMM(BPF_REG_0, 0),
9399 			BPF_EXIT_INSN(),
9400 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
9401 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
9402 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
9403 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9404 			BPF_MOV64_IMM(BPF_REG_0, 0),
9405 			BPF_EXIT_INSN(),
9406 		},
9407 		.fixup_map_hash_8b = { 3 },
9408 		.errstr = "unbounded min value",
9409 		.errstr_unpriv = "R7 has unknown scalar with mixed signed bounds",
9410 		.result = REJECT,
9411 	},
9412 	{
9413 		"bounds checks mixing signed and unsigned, variant 14",
9414 		.insns = {
9415 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
9416 				    offsetof(struct __sk_buff, mark)),
9417 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9418 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9419 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9420 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9421 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9422 				     BPF_FUNC_map_lookup_elem),
9423 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
9424 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9425 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9426 			BPF_MOV64_IMM(BPF_REG_2, -1),
9427 			BPF_MOV64_IMM(BPF_REG_8, 2),
9428 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
9429 			BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
9430 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
9431 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9432 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9433 			BPF_MOV64_IMM(BPF_REG_0, 0),
9434 			BPF_EXIT_INSN(),
9435 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
9436 			BPF_JMP_IMM(BPF_JA, 0, 0, -7),
9437 		},
9438 		.fixup_map_hash_8b = { 4 },
9439 		.errstr = "unbounded min value",
9440 		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9441 		.result = REJECT,
9442 	},
9443 	{
9444 		"bounds checks mixing signed and unsigned, variant 15",
9445 		.insns = {
9446 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9447 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9448 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9449 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9450 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9451 				     BPF_FUNC_map_lookup_elem),
9452 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9453 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
9454 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
9455 			BPF_MOV64_IMM(BPF_REG_2, -6),
9456 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
9457 			BPF_MOV64_IMM(BPF_REG_0, 0),
9458 			BPF_EXIT_INSN(),
9459 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9460 			BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
9461 			BPF_MOV64_IMM(BPF_REG_0, 0),
9462 			BPF_EXIT_INSN(),
9463 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
9464 			BPF_MOV64_IMM(BPF_REG_0, 0),
9465 			BPF_EXIT_INSN(),
9466 		},
9467 		.fixup_map_hash_8b = { 3 },
9468 		.errstr = "unbounded min value",
9469 		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9470 		.result = REJECT,
9471 		.result_unpriv = REJECT,
9472 	},
9473 	{
9474 		"subtraction bounds (map value) variant 1",
9475 		.insns = {
9476 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9477 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9478 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9479 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9480 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9481 				     BPF_FUNC_map_lookup_elem),
9482 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9483 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9484 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
9485 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
9486 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
9487 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
9488 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
9489 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9490 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9491 			BPF_EXIT_INSN(),
9492 			BPF_MOV64_IMM(BPF_REG_0, 0),
9493 			BPF_EXIT_INSN(),
9494 		},
9495 		.fixup_map_hash_8b = { 3 },
9496 		.errstr = "R0 max value is outside of the array range",
9497 		.result = REJECT,
9498 	},
9499 	{
9500 		"subtraction bounds (map value) variant 2",
9501 		.insns = {
9502 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9503 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9504 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9505 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9506 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9507 				     BPF_FUNC_map_lookup_elem),
9508 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
9509 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9510 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
9511 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
9512 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
9513 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
9514 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9515 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9516 			BPF_EXIT_INSN(),
9517 			BPF_MOV64_IMM(BPF_REG_0, 0),
9518 			BPF_EXIT_INSN(),
9519 		},
9520 		.fixup_map_hash_8b = { 3 },
9521 		.errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
9522 		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
9523 		.result = REJECT,
9524 	},
9525 	{
9526 		"check subtraction on pointers for unpriv",
9527 		.insns = {
9528 			BPF_MOV64_IMM(BPF_REG_0, 0),
9529 			BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
9530 			BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
9531 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8),
9532 			BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 9),
9533 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9534 				     BPF_FUNC_map_lookup_elem),
9535 			BPF_MOV64_REG(BPF_REG_9, BPF_REG_FP),
9536 			BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_0),
9537 			BPF_LD_MAP_FD(BPF_REG_ARG1, 0),
9538 			BPF_MOV64_REG(BPF_REG_ARG2, BPF_REG_FP),
9539 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_ARG2, -8),
9540 			BPF_ST_MEM(BPF_DW, BPF_REG_ARG2, 0, 0),
9541 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9542 				     BPF_FUNC_map_lookup_elem),
9543 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9544 			BPF_EXIT_INSN(),
9545 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_9, 0),
9546 			BPF_MOV64_IMM(BPF_REG_0, 0),
9547 			BPF_EXIT_INSN(),
9548 		},
9549 		.fixup_map_hash_8b = { 1, 9 },
9550 		.result = ACCEPT,
9551 		.result_unpriv = REJECT,
9552 		.errstr_unpriv = "R9 pointer -= pointer prohibited",
9553 	},
9554 	{
9555 		"bounds check based on zero-extended MOV",
9556 		.insns = {
9557 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9558 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9559 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9560 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9561 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9562 				     BPF_FUNC_map_lookup_elem),
9563 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9564 			/* r2 = 0x0000'0000'ffff'ffff */
9565 			BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
9566 			/* r2 = 0 */
9567 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
9568 			/* no-op */
9569 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
9570 			/* access at offset 0 */
9571 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9572 			/* exit */
9573 			BPF_MOV64_IMM(BPF_REG_0, 0),
9574 			BPF_EXIT_INSN(),
9575 		},
9576 		.fixup_map_hash_8b = { 3 },
9577 		.result = ACCEPT
9578 	},
9579 	{
9580 		"bounds check based on sign-extended MOV. test1",
9581 		.insns = {
9582 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9583 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9584 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9585 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9586 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9587 				     BPF_FUNC_map_lookup_elem),
9588 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9589 			/* r2 = 0xffff'ffff'ffff'ffff */
9590 			BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
9591 			/* r2 = 0xffff'ffff */
9592 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
9593 			/* r0 = <oob pointer> */
9594 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
9595 			/* access to OOB pointer */
9596 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9597 			/* exit */
9598 			BPF_MOV64_IMM(BPF_REG_0, 0),
9599 			BPF_EXIT_INSN(),
9600 		},
9601 		.fixup_map_hash_8b = { 3 },
9602 		.errstr = "map_value pointer and 4294967295",
9603 		.result = REJECT
9604 	},
9605 	{
9606 		"bounds check based on sign-extended MOV. test2",
9607 		.insns = {
9608 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9609 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9610 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9611 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9612 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9613 				     BPF_FUNC_map_lookup_elem),
9614 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9615 			/* r2 = 0xffff'ffff'ffff'ffff */
9616 			BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
9617 			/* r2 = 0xfff'ffff */
9618 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
9619 			/* r0 = <oob pointer> */
9620 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
9621 			/* access to OOB pointer */
9622 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9623 			/* exit */
9624 			BPF_MOV64_IMM(BPF_REG_0, 0),
9625 			BPF_EXIT_INSN(),
9626 		},
9627 		.fixup_map_hash_8b = { 3 },
9628 		.errstr = "R0 min value is outside of the array range",
9629 		.result = REJECT
9630 	},
9631 	{
9632 		"bounds check based on reg_off + var_off + insn_off. test1",
9633 		.insns = {
9634 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
9635 				    offsetof(struct __sk_buff, mark)),
9636 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9637 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9638 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9639 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9640 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9641 				     BPF_FUNC_map_lookup_elem),
9642 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9643 			BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
9644 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
9645 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
9646 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
9647 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
9648 			BPF_MOV64_IMM(BPF_REG_0, 0),
9649 			BPF_EXIT_INSN(),
9650 		},
9651 		.fixup_map_hash_8b = { 4 },
9652 		.errstr = "value_size=8 off=1073741825",
9653 		.result = REJECT,
9654 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9655 	},
9656 	{
9657 		"bounds check based on reg_off + var_off + insn_off. test2",
9658 		.insns = {
9659 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
9660 				    offsetof(struct __sk_buff, mark)),
9661 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9662 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9663 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9664 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9665 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9666 				     BPF_FUNC_map_lookup_elem),
9667 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
9668 			BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
9669 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
9670 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
9671 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
9672 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
9673 			BPF_MOV64_IMM(BPF_REG_0, 0),
9674 			BPF_EXIT_INSN(),
9675 		},
9676 		.fixup_map_hash_8b = { 4 },
9677 		.errstr = "value 1073741823",
9678 		.result = REJECT,
9679 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9680 	},
9681 	{
9682 		"bounds check after truncation of non-boundary-crossing range",
9683 		.insns = {
9684 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9685 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9686 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9687 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9688 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9689 				     BPF_FUNC_map_lookup_elem),
9690 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9691 			/* r1 = [0x00, 0xff] */
9692 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9693 			BPF_MOV64_IMM(BPF_REG_2, 1),
9694 			/* r2 = 0x10'0000'0000 */
9695 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
9696 			/* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
9697 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
9698 			/* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
9699 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
9700 			/* r1 = [0x00, 0xff] */
9701 			BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
9702 			/* r1 = 0 */
9703 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
9704 			/* no-op */
9705 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9706 			/* access at offset 0 */
9707 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9708 			/* exit */
9709 			BPF_MOV64_IMM(BPF_REG_0, 0),
9710 			BPF_EXIT_INSN(),
9711 		},
9712 		.fixup_map_hash_8b = { 3 },
9713 		.result = ACCEPT
9714 	},
9715 	{
9716 		"bounds check after truncation of boundary-crossing range (1)",
9717 		.insns = {
9718 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9719 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9720 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9721 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9722 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9723 				     BPF_FUNC_map_lookup_elem),
9724 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9725 			/* r1 = [0x00, 0xff] */
9726 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9727 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
9728 			/* r1 = [0xffff'ff80, 0x1'0000'007f] */
9729 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
9730 			/* r1 = [0xffff'ff80, 0xffff'ffff] or
9731 			 *      [0x0000'0000, 0x0000'007f]
9732 			 */
9733 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
9734 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
9735 			/* r1 = [0x00, 0xff] or
9736 			 *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
9737 			 */
9738 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
9739 			/* r1 = 0 or
9740 			 *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
9741 			 */
9742 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
9743 			/* no-op or OOB pointer computation */
9744 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9745 			/* potentially OOB access */
9746 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9747 			/* exit */
9748 			BPF_MOV64_IMM(BPF_REG_0, 0),
9749 			BPF_EXIT_INSN(),
9750 		},
9751 		.fixup_map_hash_8b = { 3 },
9752 		/* not actually fully unbounded, but the bound is very high */
9753 		.errstr = "R0 unbounded memory access",
9754 		.result = REJECT
9755 	},
9756 	{
9757 		"bounds check after truncation of boundary-crossing range (2)",
9758 		.insns = {
9759 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9760 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9761 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9762 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9763 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9764 				     BPF_FUNC_map_lookup_elem),
9765 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
9766 			/* r1 = [0x00, 0xff] */
9767 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9768 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
9769 			/* r1 = [0xffff'ff80, 0x1'0000'007f] */
9770 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
9771 			/* r1 = [0xffff'ff80, 0xffff'ffff] or
9772 			 *      [0x0000'0000, 0x0000'007f]
9773 			 * difference to previous test: truncation via MOV32
9774 			 * instead of ALU32.
9775 			 */
9776 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
9777 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
9778 			/* r1 = [0x00, 0xff] or
9779 			 *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
9780 			 */
9781 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
9782 			/* r1 = 0 or
9783 			 *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
9784 			 */
9785 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
9786 			/* no-op or OOB pointer computation */
9787 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9788 			/* potentially OOB access */
9789 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9790 			/* exit */
9791 			BPF_MOV64_IMM(BPF_REG_0, 0),
9792 			BPF_EXIT_INSN(),
9793 		},
9794 		.fixup_map_hash_8b = { 3 },
9795 		/* not actually fully unbounded, but the bound is very high */
9796 		.errstr = "R0 unbounded memory access",
9797 		.result = REJECT
9798 	},
9799 	{
9800 		"bounds check after wrapping 32-bit addition",
9801 		.insns = {
9802 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9803 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9804 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9805 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9806 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9807 				     BPF_FUNC_map_lookup_elem),
9808 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
9809 			/* r1 = 0x7fff'ffff */
9810 			BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
9811 			/* r1 = 0xffff'fffe */
9812 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
9813 			/* r1 = 0 */
9814 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
9815 			/* no-op */
9816 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9817 			/* access at offset 0 */
9818 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9819 			/* exit */
9820 			BPF_MOV64_IMM(BPF_REG_0, 0),
9821 			BPF_EXIT_INSN(),
9822 		},
9823 		.fixup_map_hash_8b = { 3 },
9824 		.result = ACCEPT
9825 	},
9826 	{
9827 		"bounds check after shift with oversized count operand",
9828 		.insns = {
9829 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9830 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9831 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9832 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9833 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9834 				     BPF_FUNC_map_lookup_elem),
9835 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
9836 			BPF_MOV64_IMM(BPF_REG_2, 32),
9837 			BPF_MOV64_IMM(BPF_REG_1, 1),
9838 			/* r1 = (u32)1 << (u32)32 = ? */
9839 			BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
9840 			/* r1 = [0x0000, 0xffff] */
9841 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
9842 			/* computes unknown pointer, potentially OOB */
9843 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9844 			/* potentially OOB access */
9845 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9846 			/* exit */
9847 			BPF_MOV64_IMM(BPF_REG_0, 0),
9848 			BPF_EXIT_INSN(),
9849 		},
9850 		.fixup_map_hash_8b = { 3 },
9851 		.errstr = "R0 max value is outside of the array range",
9852 		.result = REJECT
9853 	},
9854 	{
9855 		"bounds check after right shift of maybe-negative number",
9856 		.insns = {
9857 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9858 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9859 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9860 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9861 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9862 				     BPF_FUNC_map_lookup_elem),
9863 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
9864 			/* r1 = [0x00, 0xff] */
9865 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
9866 			/* r1 = [-0x01, 0xfe] */
9867 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
9868 			/* r1 = 0 or 0xff'ffff'ffff'ffff */
9869 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
9870 			/* r1 = 0 or 0xffff'ffff'ffff */
9871 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
9872 			/* computes unknown pointer, potentially OOB */
9873 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9874 			/* potentially OOB access */
9875 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9876 			/* exit */
9877 			BPF_MOV64_IMM(BPF_REG_0, 0),
9878 			BPF_EXIT_INSN(),
9879 		},
9880 		.fixup_map_hash_8b = { 3 },
9881 		.errstr = "R0 unbounded memory access",
9882 		.result = REJECT
9883 	},
9884 	{
9885 		"bounds check after 32-bit right shift with 64-bit input",
9886 		.insns = {
9887 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9888 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9889 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9890 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9891 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9892 				     BPF_FUNC_map_lookup_elem),
9893 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
9894 			/* r1 = 2 */
9895 			BPF_MOV64_IMM(BPF_REG_1, 2),
9896 			/* r1 = 1<<32 */
9897 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 31),
9898 			/* r1 = 0 (NOT 2!) */
9899 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 31),
9900 			/* r1 = 0xffff'fffe (NOT 0!) */
9901 			BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 2),
9902 			/* computes OOB pointer */
9903 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9904 			/* OOB access */
9905 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9906 			/* exit */
9907 			BPF_MOV64_IMM(BPF_REG_0, 0),
9908 			BPF_EXIT_INSN(),
9909 		},
9910 		.fixup_map_hash_8b = { 3 },
9911 		.errstr = "R0 invalid mem access",
9912 		.result = REJECT,
9913 	},
9914 	{
9915 		"bounds check map access with off+size signed 32bit overflow. test1",
9916 		.insns = {
9917 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9918 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9919 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9920 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9921 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9922 				     BPF_FUNC_map_lookup_elem),
9923 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9924 			BPF_EXIT_INSN(),
9925 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
9926 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9927 			BPF_JMP_A(0),
9928 			BPF_EXIT_INSN(),
9929 		},
9930 		.fixup_map_hash_8b = { 3 },
9931 		.errstr = "map_value pointer and 2147483646",
9932 		.result = REJECT
9933 	},
9934 	{
9935 		"bounds check map access with off+size signed 32bit overflow. test2",
9936 		.insns = {
9937 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9938 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9939 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9940 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9941 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9942 				     BPF_FUNC_map_lookup_elem),
9943 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9944 			BPF_EXIT_INSN(),
9945 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9946 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9947 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
9948 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
9949 			BPF_JMP_A(0),
9950 			BPF_EXIT_INSN(),
9951 		},
9952 		.fixup_map_hash_8b = { 3 },
9953 		.errstr = "pointer offset 1073741822",
9954 		.errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
9955 		.result = REJECT
9956 	},
9957 	{
9958 		"bounds check map access with off+size signed 32bit overflow. test3",
9959 		.insns = {
9960 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9961 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9962 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9963 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9964 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9965 				     BPF_FUNC_map_lookup_elem),
9966 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9967 			BPF_EXIT_INSN(),
9968 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
9969 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
9970 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
9971 			BPF_JMP_A(0),
9972 			BPF_EXIT_INSN(),
9973 		},
9974 		.fixup_map_hash_8b = { 3 },
9975 		.errstr = "pointer offset -1073741822",
9976 		.errstr_unpriv = "R0 pointer arithmetic of map value goes out of range",
9977 		.result = REJECT
9978 	},
9979 	{
9980 		"bounds check map access with off+size signed 32bit overflow. test4",
9981 		.insns = {
9982 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9983 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9984 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9985 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9986 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9987 				     BPF_FUNC_map_lookup_elem),
9988 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9989 			BPF_EXIT_INSN(),
9990 			BPF_MOV64_IMM(BPF_REG_1, 1000000),
9991 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
9992 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
9993 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
9994 			BPF_JMP_A(0),
9995 			BPF_EXIT_INSN(),
9996 		},
9997 		.fixup_map_hash_8b = { 3 },
9998 		.errstr = "map_value pointer and 1000000000000",
9999 		.result = REJECT
10000 	},
10001 	{
10002 		"pointer/scalar confusion in state equality check (way 1)",
10003 		.insns = {
10004 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10005 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10006 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10007 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10008 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10009 				     BPF_FUNC_map_lookup_elem),
10010 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
10011 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
10012 			BPF_JMP_A(1),
10013 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10014 			BPF_JMP_A(0),
10015 			BPF_EXIT_INSN(),
10016 		},
10017 		.fixup_map_hash_8b = { 3 },
10018 		.result = ACCEPT,
10019 		.retval = POINTER_VALUE,
10020 		.result_unpriv = REJECT,
10021 		.errstr_unpriv = "R0 leaks addr as return value"
10022 	},
10023 	{
10024 		"pointer/scalar confusion in state equality check (way 2)",
10025 		.insns = {
10026 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10027 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10028 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10029 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10030 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10031 				     BPF_FUNC_map_lookup_elem),
10032 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10033 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10034 			BPF_JMP_A(1),
10035 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
10036 			BPF_EXIT_INSN(),
10037 		},
10038 		.fixup_map_hash_8b = { 3 },
10039 		.result = ACCEPT,
10040 		.retval = POINTER_VALUE,
10041 		.result_unpriv = REJECT,
10042 		.errstr_unpriv = "R0 leaks addr as return value"
10043 	},
10044 	{
10045 		"variable-offset ctx access",
10046 		.insns = {
10047 			/* Get an unknown value */
10048 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
10049 			/* Make it small and 4-byte aligned */
10050 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
10051 			/* add it to skb.  We now have either &skb->len or
10052 			 * &skb->pkt_type, but we don't know which
10053 			 */
10054 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
10055 			/* dereference it */
10056 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10057 			BPF_EXIT_INSN(),
10058 		},
10059 		.errstr = "variable ctx access var_off=(0x0; 0x4)",
10060 		.result = REJECT,
10061 		.prog_type = BPF_PROG_TYPE_LWT_IN,
10062 	},
10063 	{
10064 		"variable-offset stack access",
10065 		.insns = {
10066 			/* Fill the top 8 bytes of the stack */
10067 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10068 			/* Get an unknown value */
10069 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
10070 			/* Make it small and 4-byte aligned */
10071 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
10072 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
10073 			/* add it to fp.  We now have either fp-4 or fp-8, but
10074 			 * we don't know which
10075 			 */
10076 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
10077 			/* dereference it */
10078 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
10079 			BPF_EXIT_INSN(),
10080 		},
10081 		.errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
10082 		.result = REJECT,
10083 		.prog_type = BPF_PROG_TYPE_LWT_IN,
10084 	},
10085 	{
10086 		"indirect variable-offset stack access",
10087 		.insns = {
10088 			/* Fill the top 8 bytes of the stack */
10089 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10090 			/* Get an unknown value */
10091 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
10092 			/* Make it small and 4-byte aligned */
10093 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
10094 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
10095 			/* add it to fp.  We now have either fp-4 or fp-8, but
10096 			 * we don't know which
10097 			 */
10098 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
10099 			/* dereference it indirectly */
10100 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10101 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10102 				     BPF_FUNC_map_lookup_elem),
10103 			BPF_MOV64_IMM(BPF_REG_0, 0),
10104 			BPF_EXIT_INSN(),
10105 		},
10106 		.fixup_map_hash_8b = { 5 },
10107 		.errstr = "variable stack read R2",
10108 		.result = REJECT,
10109 		.prog_type = BPF_PROG_TYPE_LWT_IN,
10110 	},
10111 	{
10112 		"direct stack access with 32-bit wraparound. test1",
10113 		.insns = {
10114 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10115 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
10116 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
10117 			BPF_MOV32_IMM(BPF_REG_0, 0),
10118 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
10119 			BPF_EXIT_INSN()
10120 		},
10121 		.errstr = "fp pointer and 2147483647",
10122 		.result = REJECT
10123 	},
10124 	{
10125 		"direct stack access with 32-bit wraparound. test2",
10126 		.insns = {
10127 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10128 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
10129 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
10130 			BPF_MOV32_IMM(BPF_REG_0, 0),
10131 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
10132 			BPF_EXIT_INSN()
10133 		},
10134 		.errstr = "fp pointer and 1073741823",
10135 		.result = REJECT
10136 	},
10137 	{
10138 		"direct stack access with 32-bit wraparound. test3",
10139 		.insns = {
10140 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10141 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
10142 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
10143 			BPF_MOV32_IMM(BPF_REG_0, 0),
10144 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
10145 			BPF_EXIT_INSN()
10146 		},
10147 		.errstr = "fp pointer offset 1073741822",
10148 		.errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
10149 		.result = REJECT
10150 	},
10151 	{
10152 		"liveness pruning and write screening",
10153 		.insns = {
10154 			/* Get an unknown value */
10155 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
10156 			/* branch conditions teach us nothing about R2 */
10157 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
10158 			BPF_MOV64_IMM(BPF_REG_0, 0),
10159 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
10160 			BPF_MOV64_IMM(BPF_REG_0, 0),
10161 			BPF_EXIT_INSN(),
10162 		},
10163 		.errstr = "R0 !read_ok",
10164 		.result = REJECT,
10165 		.prog_type = BPF_PROG_TYPE_LWT_IN,
10166 	},
10167 	{
10168 		"varlen_map_value_access pruning",
10169 		.insns = {
10170 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10171 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10172 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10173 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10174 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10175 				     BPF_FUNC_map_lookup_elem),
10176 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
10177 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
10178 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
10179 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
10180 			BPF_MOV32_IMM(BPF_REG_1, 0),
10181 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
10182 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
10183 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
10184 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
10185 				   offsetof(struct test_val, foo)),
10186 			BPF_EXIT_INSN(),
10187 		},
10188 		.fixup_map_hash_48b = { 3 },
10189 		.errstr_unpriv = "R0 leaks addr",
10190 		.errstr = "R0 unbounded memory access",
10191 		.result_unpriv = REJECT,
10192 		.result = REJECT,
10193 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10194 	},
10195 	{
10196 		"invalid 64-bit BPF_END",
10197 		.insns = {
10198 			BPF_MOV32_IMM(BPF_REG_0, 0),
10199 			{
10200 				.code  = BPF_ALU64 | BPF_END | BPF_TO_LE,
10201 				.dst_reg = BPF_REG_0,
10202 				.src_reg = 0,
10203 				.off   = 0,
10204 				.imm   = 32,
10205 			},
10206 			BPF_EXIT_INSN(),
10207 		},
10208 		.errstr = "unknown opcode d7",
10209 		.result = REJECT,
10210 	},
10211 	{
10212 		"XDP, using ifindex from netdev",
10213 		.insns = {
10214 			BPF_MOV64_IMM(BPF_REG_0, 0),
10215 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10216 				    offsetof(struct xdp_md, ingress_ifindex)),
10217 			BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
10218 			BPF_MOV64_IMM(BPF_REG_0, 1),
10219 			BPF_EXIT_INSN(),
10220 		},
10221 		.result = ACCEPT,
10222 		.prog_type = BPF_PROG_TYPE_XDP,
10223 		.retval = 1,
10224 	},
10225 	{
10226 		"meta access, test1",
10227 		.insns = {
10228 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10229 				    offsetof(struct xdp_md, data_meta)),
10230 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10231 				    offsetof(struct xdp_md, data)),
10232 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10233 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10234 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
10235 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10236 			BPF_MOV64_IMM(BPF_REG_0, 0),
10237 			BPF_EXIT_INSN(),
10238 		},
10239 		.result = ACCEPT,
10240 		.prog_type = BPF_PROG_TYPE_XDP,
10241 	},
10242 	{
10243 		"meta access, test2",
10244 		.insns = {
10245 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10246 				    offsetof(struct xdp_md, data_meta)),
10247 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10248 				    offsetof(struct xdp_md, data)),
10249 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10250 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
10251 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
10252 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
10253 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
10254 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10255 			BPF_MOV64_IMM(BPF_REG_0, 0),
10256 			BPF_EXIT_INSN(),
10257 		},
10258 		.result = REJECT,
10259 		.errstr = "invalid access to packet, off=-8",
10260 		.prog_type = BPF_PROG_TYPE_XDP,
10261 	},
10262 	{
10263 		"meta access, test3",
10264 		.insns = {
10265 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10266 				    offsetof(struct xdp_md, data_meta)),
10267 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10268 				    offsetof(struct xdp_md, data_end)),
10269 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10270 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10271 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
10272 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10273 			BPF_MOV64_IMM(BPF_REG_0, 0),
10274 			BPF_EXIT_INSN(),
10275 		},
10276 		.result = REJECT,
10277 		.errstr = "invalid access to packet",
10278 		.prog_type = BPF_PROG_TYPE_XDP,
10279 	},
10280 	{
10281 		"meta access, test4",
10282 		.insns = {
10283 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10284 				    offsetof(struct xdp_md, data_meta)),
10285 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10286 				    offsetof(struct xdp_md, data_end)),
10287 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
10288 				    offsetof(struct xdp_md, data)),
10289 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
10290 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10291 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
10292 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10293 			BPF_MOV64_IMM(BPF_REG_0, 0),
10294 			BPF_EXIT_INSN(),
10295 		},
10296 		.result = REJECT,
10297 		.errstr = "invalid access to packet",
10298 		.prog_type = BPF_PROG_TYPE_XDP,
10299 	},
10300 	{
10301 		"meta access, test5",
10302 		.insns = {
10303 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10304 				    offsetof(struct xdp_md, data_meta)),
10305 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
10306 				    offsetof(struct xdp_md, data)),
10307 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
10308 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10309 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
10310 			BPF_MOV64_IMM(BPF_REG_2, -8),
10311 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10312 				     BPF_FUNC_xdp_adjust_meta),
10313 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
10314 			BPF_MOV64_IMM(BPF_REG_0, 0),
10315 			BPF_EXIT_INSN(),
10316 		},
10317 		.result = REJECT,
10318 		.errstr = "R3 !read_ok",
10319 		.prog_type = BPF_PROG_TYPE_XDP,
10320 	},
10321 	{
10322 		"meta access, test6",
10323 		.insns = {
10324 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10325 				    offsetof(struct xdp_md, data_meta)),
10326 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10327 				    offsetof(struct xdp_md, data)),
10328 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
10329 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10330 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
10331 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
10332 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
10333 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10334 			BPF_MOV64_IMM(BPF_REG_0, 0),
10335 			BPF_EXIT_INSN(),
10336 		},
10337 		.result = REJECT,
10338 		.errstr = "invalid access to packet",
10339 		.prog_type = BPF_PROG_TYPE_XDP,
10340 	},
10341 	{
10342 		"meta access, test7",
10343 		.insns = {
10344 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10345 				    offsetof(struct xdp_md, data_meta)),
10346 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10347 				    offsetof(struct xdp_md, data)),
10348 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
10349 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10350 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
10351 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
10352 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
10353 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10354 			BPF_MOV64_IMM(BPF_REG_0, 0),
10355 			BPF_EXIT_INSN(),
10356 		},
10357 		.result = ACCEPT,
10358 		.prog_type = BPF_PROG_TYPE_XDP,
10359 	},
10360 	{
10361 		"meta access, test8",
10362 		.insns = {
10363 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10364 				    offsetof(struct xdp_md, data_meta)),
10365 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10366 				    offsetof(struct xdp_md, data)),
10367 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
10368 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
10369 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
10370 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10371 			BPF_MOV64_IMM(BPF_REG_0, 0),
10372 			BPF_EXIT_INSN(),
10373 		},
10374 		.result = ACCEPT,
10375 		.prog_type = BPF_PROG_TYPE_XDP,
10376 	},
10377 	{
10378 		"meta access, test9",
10379 		.insns = {
10380 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10381 				    offsetof(struct xdp_md, data_meta)),
10382 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10383 				    offsetof(struct xdp_md, data)),
10384 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
10385 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
10386 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
10387 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
10388 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10389 			BPF_MOV64_IMM(BPF_REG_0, 0),
10390 			BPF_EXIT_INSN(),
10391 		},
10392 		.result = REJECT,
10393 		.errstr = "invalid access to packet",
10394 		.prog_type = BPF_PROG_TYPE_XDP,
10395 	},
10396 	{
10397 		"meta access, test10",
10398 		.insns = {
10399 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10400 				    offsetof(struct xdp_md, data_meta)),
10401 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10402 				    offsetof(struct xdp_md, data)),
10403 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
10404 				    offsetof(struct xdp_md, data_end)),
10405 			BPF_MOV64_IMM(BPF_REG_5, 42),
10406 			BPF_MOV64_IMM(BPF_REG_6, 24),
10407 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
10408 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
10409 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
10410 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
10411 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
10412 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
10413 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
10414 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
10415 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
10416 			BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
10417 			BPF_MOV64_IMM(BPF_REG_0, 0),
10418 			BPF_EXIT_INSN(),
10419 		},
10420 		.result = REJECT,
10421 		.errstr = "invalid access to packet",
10422 		.prog_type = BPF_PROG_TYPE_XDP,
10423 	},
10424 	{
10425 		"meta access, test11",
10426 		.insns = {
10427 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10428 				    offsetof(struct xdp_md, data_meta)),
10429 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10430 				    offsetof(struct xdp_md, data)),
10431 			BPF_MOV64_IMM(BPF_REG_5, 42),
10432 			BPF_MOV64_IMM(BPF_REG_6, 24),
10433 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
10434 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
10435 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
10436 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
10437 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
10438 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
10439 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
10440 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
10441 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
10442 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
10443 			BPF_MOV64_IMM(BPF_REG_0, 0),
10444 			BPF_EXIT_INSN(),
10445 		},
10446 		.result = ACCEPT,
10447 		.prog_type = BPF_PROG_TYPE_XDP,
10448 	},
10449 	{
10450 		"meta access, test12",
10451 		.insns = {
10452 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10453 				    offsetof(struct xdp_md, data_meta)),
10454 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10455 				    offsetof(struct xdp_md, data)),
10456 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
10457 				    offsetof(struct xdp_md, data_end)),
10458 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
10459 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
10460 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
10461 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
10462 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
10463 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
10464 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
10465 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
10466 			BPF_MOV64_IMM(BPF_REG_0, 0),
10467 			BPF_EXIT_INSN(),
10468 		},
10469 		.result = ACCEPT,
10470 		.prog_type = BPF_PROG_TYPE_XDP,
10471 	},
10472 	{
10473 		"arithmetic ops make PTR_TO_CTX unusable",
10474 		.insns = {
10475 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
10476 				      offsetof(struct __sk_buff, data) -
10477 				      offsetof(struct __sk_buff, mark)),
10478 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10479 				    offsetof(struct __sk_buff, mark)),
10480 			BPF_EXIT_INSN(),
10481 		},
10482 		.errstr = "dereference of modified ctx ptr",
10483 		.result = REJECT,
10484 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10485 	},
10486 	{
10487 		"pkt_end - pkt_start is allowed",
10488 		.insns = {
10489 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10490 				    offsetof(struct __sk_buff, data_end)),
10491 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10492 				    offsetof(struct __sk_buff, data)),
10493 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
10494 			BPF_EXIT_INSN(),
10495 		},
10496 		.result = ACCEPT,
10497 		.retval = TEST_DATA_LEN,
10498 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10499 	},
10500 	{
10501 		"XDP pkt read, pkt_end mangling, bad access 1",
10502 		.insns = {
10503 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10504 				    offsetof(struct xdp_md, data)),
10505 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10506 				    offsetof(struct xdp_md, data_end)),
10507 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10508 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10509 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
10510 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10511 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10512 			BPF_MOV64_IMM(BPF_REG_0, 0),
10513 			BPF_EXIT_INSN(),
10514 		},
10515 		.errstr = "R3 pointer arithmetic on pkt_end",
10516 		.result = REJECT,
10517 		.prog_type = BPF_PROG_TYPE_XDP,
10518 	},
10519 	{
10520 		"XDP pkt read, pkt_end mangling, bad access 2",
10521 		.insns = {
10522 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10523 				    offsetof(struct xdp_md, data)),
10524 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10525 				    offsetof(struct xdp_md, data_end)),
10526 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10527 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10528 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
10529 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10530 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10531 			BPF_MOV64_IMM(BPF_REG_0, 0),
10532 			BPF_EXIT_INSN(),
10533 		},
10534 		.errstr = "R3 pointer arithmetic on pkt_end",
10535 		.result = REJECT,
10536 		.prog_type = BPF_PROG_TYPE_XDP,
10537 	},
10538 	{
10539 		"XDP pkt read, pkt_data' > pkt_end, good access",
10540 		.insns = {
10541 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10542 				    offsetof(struct xdp_md, data)),
10543 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10544 				    offsetof(struct xdp_md, data_end)),
10545 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10546 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10547 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10548 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10549 			BPF_MOV64_IMM(BPF_REG_0, 0),
10550 			BPF_EXIT_INSN(),
10551 		},
10552 		.result = ACCEPT,
10553 		.prog_type = BPF_PROG_TYPE_XDP,
10554 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10555 	},
10556 	{
10557 		"XDP pkt read, pkt_data' > pkt_end, bad access 1",
10558 		.insns = {
10559 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10560 				    offsetof(struct xdp_md, data)),
10561 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10562 				    offsetof(struct xdp_md, data_end)),
10563 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10564 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10565 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
10566 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10567 			BPF_MOV64_IMM(BPF_REG_0, 0),
10568 			BPF_EXIT_INSN(),
10569 		},
10570 		.errstr = "R1 offset is outside of the packet",
10571 		.result = REJECT,
10572 		.prog_type = BPF_PROG_TYPE_XDP,
10573 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10574 	},
10575 	{
10576 		"XDP pkt read, pkt_data' > pkt_end, bad access 2",
10577 		.insns = {
10578 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10579 				    offsetof(struct xdp_md, data)),
10580 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10581 				    offsetof(struct xdp_md, data_end)),
10582 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10583 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10584 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
10585 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10586 			BPF_MOV64_IMM(BPF_REG_0, 0),
10587 			BPF_EXIT_INSN(),
10588 		},
10589 		.errstr = "R1 offset is outside of the packet",
10590 		.result = REJECT,
10591 		.prog_type = BPF_PROG_TYPE_XDP,
10592 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10593 	},
10594 	{
10595 		"XDP pkt read, pkt_end > pkt_data', good access",
10596 		.insns = {
10597 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10598 				    offsetof(struct xdp_md, data)),
10599 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10600 				    offsetof(struct xdp_md, data_end)),
10601 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10602 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10603 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10604 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10605 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10606 			BPF_MOV64_IMM(BPF_REG_0, 0),
10607 			BPF_EXIT_INSN(),
10608 		},
10609 		.result = ACCEPT,
10610 		.prog_type = BPF_PROG_TYPE_XDP,
10611 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10612 	},
10613 	{
10614 		"XDP pkt read, pkt_end > pkt_data', bad access 1",
10615 		.insns = {
10616 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10617 				    offsetof(struct xdp_md, data)),
10618 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10619 				    offsetof(struct xdp_md, data_end)),
10620 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10621 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10622 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10623 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10624 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10625 			BPF_MOV64_IMM(BPF_REG_0, 0),
10626 			BPF_EXIT_INSN(),
10627 		},
10628 		.errstr = "R1 offset is outside of the packet",
10629 		.result = REJECT,
10630 		.prog_type = BPF_PROG_TYPE_XDP,
10631 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10632 	},
10633 	{
10634 		"XDP pkt read, pkt_end > pkt_data', bad access 2",
10635 		.insns = {
10636 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10637 				    offsetof(struct xdp_md, data)),
10638 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10639 				    offsetof(struct xdp_md, data_end)),
10640 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10641 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10642 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
10643 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10644 			BPF_MOV64_IMM(BPF_REG_0, 0),
10645 			BPF_EXIT_INSN(),
10646 		},
10647 		.errstr = "R1 offset is outside of the packet",
10648 		.result = REJECT,
10649 		.prog_type = BPF_PROG_TYPE_XDP,
10650 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10651 	},
10652 	{
10653 		"XDP pkt read, pkt_data' < pkt_end, good access",
10654 		.insns = {
10655 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10656 				    offsetof(struct xdp_md, data)),
10657 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10658 				    offsetof(struct xdp_md, data_end)),
10659 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10660 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10661 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10662 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10663 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10664 			BPF_MOV64_IMM(BPF_REG_0, 0),
10665 			BPF_EXIT_INSN(),
10666 		},
10667 		.result = ACCEPT,
10668 		.prog_type = BPF_PROG_TYPE_XDP,
10669 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10670 	},
10671 	{
10672 		"XDP pkt read, pkt_data' < pkt_end, bad access 1",
10673 		.insns = {
10674 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10675 				    offsetof(struct xdp_md, data)),
10676 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10677 				    offsetof(struct xdp_md, data_end)),
10678 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10679 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10680 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10681 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10682 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10683 			BPF_MOV64_IMM(BPF_REG_0, 0),
10684 			BPF_EXIT_INSN(),
10685 		},
10686 		.errstr = "R1 offset is outside of the packet",
10687 		.result = REJECT,
10688 		.prog_type = BPF_PROG_TYPE_XDP,
10689 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10690 	},
10691 	{
10692 		"XDP pkt read, pkt_data' < pkt_end, bad access 2",
10693 		.insns = {
10694 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10695 				    offsetof(struct xdp_md, data)),
10696 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10697 				    offsetof(struct xdp_md, data_end)),
10698 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10699 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10700 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
10701 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10702 			BPF_MOV64_IMM(BPF_REG_0, 0),
10703 			BPF_EXIT_INSN(),
10704 		},
10705 		.errstr = "R1 offset is outside of the packet",
10706 		.result = REJECT,
10707 		.prog_type = BPF_PROG_TYPE_XDP,
10708 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10709 	},
10710 	{
10711 		"XDP pkt read, pkt_end < pkt_data', good access",
10712 		.insns = {
10713 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10714 				    offsetof(struct xdp_md, data)),
10715 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10716 				    offsetof(struct xdp_md, data_end)),
10717 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10718 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10719 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
10720 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10721 			BPF_MOV64_IMM(BPF_REG_0, 0),
10722 			BPF_EXIT_INSN(),
10723 		},
10724 		.result = ACCEPT,
10725 		.prog_type = BPF_PROG_TYPE_XDP,
10726 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10727 	},
10728 	{
10729 		"XDP pkt read, pkt_end < pkt_data', bad access 1",
10730 		.insns = {
10731 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10732 				    offsetof(struct xdp_md, data)),
10733 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10734 				    offsetof(struct xdp_md, data_end)),
10735 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10736 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10737 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
10738 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10739 			BPF_MOV64_IMM(BPF_REG_0, 0),
10740 			BPF_EXIT_INSN(),
10741 		},
10742 		.errstr = "R1 offset is outside of the packet",
10743 		.result = REJECT,
10744 		.prog_type = BPF_PROG_TYPE_XDP,
10745 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10746 	},
10747 	{
10748 		"XDP pkt read, pkt_end < pkt_data', bad access 2",
10749 		.insns = {
10750 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10751 				    offsetof(struct xdp_md, data)),
10752 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10753 				    offsetof(struct xdp_md, data_end)),
10754 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10755 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10756 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
10757 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10758 			BPF_MOV64_IMM(BPF_REG_0, 0),
10759 			BPF_EXIT_INSN(),
10760 		},
10761 		.errstr = "R1 offset is outside of the packet",
10762 		.result = REJECT,
10763 		.prog_type = BPF_PROG_TYPE_XDP,
10764 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10765 	},
10766 	{
10767 		"XDP pkt read, pkt_data' >= pkt_end, good access",
10768 		.insns = {
10769 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10770 				    offsetof(struct xdp_md, data)),
10771 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10772 				    offsetof(struct xdp_md, data_end)),
10773 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10774 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10775 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10776 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10777 			BPF_MOV64_IMM(BPF_REG_0, 0),
10778 			BPF_EXIT_INSN(),
10779 		},
10780 		.result = ACCEPT,
10781 		.prog_type = BPF_PROG_TYPE_XDP,
10782 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10783 	},
10784 	{
10785 		"XDP pkt read, pkt_data' >= pkt_end, bad access 1",
10786 		.insns = {
10787 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10788 				    offsetof(struct xdp_md, data)),
10789 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10790 				    offsetof(struct xdp_md, data_end)),
10791 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10792 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10793 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
10794 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10795 			BPF_MOV64_IMM(BPF_REG_0, 0),
10796 			BPF_EXIT_INSN(),
10797 		},
10798 		.errstr = "R1 offset is outside of the packet",
10799 		.result = REJECT,
10800 		.prog_type = BPF_PROG_TYPE_XDP,
10801 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10802 	},
10803 	{
10804 		"XDP pkt read, pkt_data' >= pkt_end, bad access 2",
10805 		.insns = {
10806 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10807 				    offsetof(struct xdp_md, data)),
10808 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10809 				    offsetof(struct xdp_md, data_end)),
10810 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10811 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10812 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
10813 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10814 			BPF_MOV64_IMM(BPF_REG_0, 0),
10815 			BPF_EXIT_INSN(),
10816 		},
10817 		.errstr = "R1 offset is outside of the packet",
10818 		.result = REJECT,
10819 		.prog_type = BPF_PROG_TYPE_XDP,
10820 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10821 	},
10822 	{
10823 		"XDP pkt read, pkt_end >= pkt_data', good access",
10824 		.insns = {
10825 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10826 				    offsetof(struct xdp_md, data)),
10827 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10828 				    offsetof(struct xdp_md, data_end)),
10829 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10830 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10831 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10832 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10833 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10834 			BPF_MOV64_IMM(BPF_REG_0, 0),
10835 			BPF_EXIT_INSN(),
10836 		},
10837 		.result = ACCEPT,
10838 		.prog_type = BPF_PROG_TYPE_XDP,
10839 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10840 	},
10841 	{
10842 		"XDP pkt read, pkt_end >= pkt_data', bad access 1",
10843 		.insns = {
10844 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10845 				    offsetof(struct xdp_md, data)),
10846 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10847 				    offsetof(struct xdp_md, data_end)),
10848 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10849 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10850 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10851 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10852 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10853 			BPF_MOV64_IMM(BPF_REG_0, 0),
10854 			BPF_EXIT_INSN(),
10855 		},
10856 		.errstr = "R1 offset is outside of the packet",
10857 		.result = REJECT,
10858 		.prog_type = BPF_PROG_TYPE_XDP,
10859 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10860 	},
10861 	{
10862 		"XDP pkt read, pkt_end >= pkt_data', bad access 2",
10863 		.insns = {
10864 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10865 				    offsetof(struct xdp_md, data)),
10866 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10867 				    offsetof(struct xdp_md, data_end)),
10868 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10869 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10870 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
10871 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10872 			BPF_MOV64_IMM(BPF_REG_0, 0),
10873 			BPF_EXIT_INSN(),
10874 		},
10875 		.errstr = "R1 offset is outside of the packet",
10876 		.result = REJECT,
10877 		.prog_type = BPF_PROG_TYPE_XDP,
10878 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10879 	},
10880 	{
10881 		"XDP pkt read, pkt_data' <= pkt_end, good access",
10882 		.insns = {
10883 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10884 				    offsetof(struct xdp_md, data)),
10885 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10886 				    offsetof(struct xdp_md, data_end)),
10887 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10888 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10889 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10890 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10891 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10892 			BPF_MOV64_IMM(BPF_REG_0, 0),
10893 			BPF_EXIT_INSN(),
10894 		},
10895 		.result = ACCEPT,
10896 		.prog_type = BPF_PROG_TYPE_XDP,
10897 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10898 	},
10899 	{
10900 		"XDP pkt read, pkt_data' <= pkt_end, bad access 1",
10901 		.insns = {
10902 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10903 				    offsetof(struct xdp_md, data)),
10904 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10905 				    offsetof(struct xdp_md, data_end)),
10906 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10907 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10908 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10909 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10910 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
10911 			BPF_MOV64_IMM(BPF_REG_0, 0),
10912 			BPF_EXIT_INSN(),
10913 		},
10914 		.errstr = "R1 offset is outside of the packet",
10915 		.result = REJECT,
10916 		.prog_type = BPF_PROG_TYPE_XDP,
10917 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10918 	},
10919 	{
10920 		"XDP pkt read, pkt_data' <= pkt_end, bad access 2",
10921 		.insns = {
10922 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10923 				    offsetof(struct xdp_md, data)),
10924 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10925 				    offsetof(struct xdp_md, data_end)),
10926 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10927 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10928 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
10929 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10930 			BPF_MOV64_IMM(BPF_REG_0, 0),
10931 			BPF_EXIT_INSN(),
10932 		},
10933 		.errstr = "R1 offset is outside of the packet",
10934 		.result = REJECT,
10935 		.prog_type = BPF_PROG_TYPE_XDP,
10936 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10937 	},
10938 	{
10939 		"XDP pkt read, pkt_end <= pkt_data', good access",
10940 		.insns = {
10941 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10942 				    offsetof(struct xdp_md, data)),
10943 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10944 				    offsetof(struct xdp_md, data_end)),
10945 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10946 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10947 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10948 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10949 			BPF_MOV64_IMM(BPF_REG_0, 0),
10950 			BPF_EXIT_INSN(),
10951 		},
10952 		.result = ACCEPT,
10953 		.prog_type = BPF_PROG_TYPE_XDP,
10954 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10955 	},
10956 	{
10957 		"XDP pkt read, pkt_end <= pkt_data', bad access 1",
10958 		.insns = {
10959 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10960 				    offsetof(struct xdp_md, data)),
10961 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10962 				    offsetof(struct xdp_md, data_end)),
10963 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10964 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10965 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
10966 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
10967 			BPF_MOV64_IMM(BPF_REG_0, 0),
10968 			BPF_EXIT_INSN(),
10969 		},
10970 		.errstr = "R1 offset is outside of the packet",
10971 		.result = REJECT,
10972 		.prog_type = BPF_PROG_TYPE_XDP,
10973 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10974 	},
10975 	{
10976 		"XDP pkt read, pkt_end <= pkt_data', bad access 2",
10977 		.insns = {
10978 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10979 				    offsetof(struct xdp_md, data)),
10980 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10981 				    offsetof(struct xdp_md, data_end)),
10982 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
10983 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
10984 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
10985 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
10986 			BPF_MOV64_IMM(BPF_REG_0, 0),
10987 			BPF_EXIT_INSN(),
10988 		},
10989 		.errstr = "R1 offset is outside of the packet",
10990 		.result = REJECT,
10991 		.prog_type = BPF_PROG_TYPE_XDP,
10992 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
10993 	},
10994 	{
10995 		"XDP pkt read, pkt_meta' > pkt_data, good access",
10996 		.insns = {
10997 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10998 				    offsetof(struct xdp_md, data_meta)),
10999 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11000 				    offsetof(struct xdp_md, data)),
11001 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11002 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11003 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
11004 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11005 			BPF_MOV64_IMM(BPF_REG_0, 0),
11006 			BPF_EXIT_INSN(),
11007 		},
11008 		.result = ACCEPT,
11009 		.prog_type = BPF_PROG_TYPE_XDP,
11010 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11011 	},
11012 	{
11013 		"XDP pkt read, pkt_meta' > pkt_data, bad access 1",
11014 		.insns = {
11015 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11016 				    offsetof(struct xdp_md, data_meta)),
11017 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11018 				    offsetof(struct xdp_md, data)),
11019 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11020 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11021 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
11022 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
11023 			BPF_MOV64_IMM(BPF_REG_0, 0),
11024 			BPF_EXIT_INSN(),
11025 		},
11026 		.errstr = "R1 offset is outside of the packet",
11027 		.result = REJECT,
11028 		.prog_type = BPF_PROG_TYPE_XDP,
11029 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11030 	},
11031 	{
11032 		"XDP pkt read, pkt_meta' > pkt_data, bad access 2",
11033 		.insns = {
11034 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11035 				    offsetof(struct xdp_md, data_meta)),
11036 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11037 				    offsetof(struct xdp_md, data)),
11038 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11039 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11040 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
11041 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11042 			BPF_MOV64_IMM(BPF_REG_0, 0),
11043 			BPF_EXIT_INSN(),
11044 		},
11045 		.errstr = "R1 offset is outside of the packet",
11046 		.result = REJECT,
11047 		.prog_type = BPF_PROG_TYPE_XDP,
11048 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11049 	},
11050 	{
11051 		"XDP pkt read, pkt_data > pkt_meta', good access",
11052 		.insns = {
11053 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11054 				    offsetof(struct xdp_md, data_meta)),
11055 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11056 				    offsetof(struct xdp_md, data)),
11057 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11058 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11059 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
11060 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11061 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11062 			BPF_MOV64_IMM(BPF_REG_0, 0),
11063 			BPF_EXIT_INSN(),
11064 		},
11065 		.result = ACCEPT,
11066 		.prog_type = BPF_PROG_TYPE_XDP,
11067 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11068 	},
11069 	{
11070 		"XDP pkt read, pkt_data > pkt_meta', bad access 1",
11071 		.insns = {
11072 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11073 				    offsetof(struct xdp_md, data_meta)),
11074 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11075 				    offsetof(struct xdp_md, data)),
11076 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11077 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11078 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
11079 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11080 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11081 			BPF_MOV64_IMM(BPF_REG_0, 0),
11082 			BPF_EXIT_INSN(),
11083 		},
11084 		.errstr = "R1 offset is outside of the packet",
11085 		.result = REJECT,
11086 		.prog_type = BPF_PROG_TYPE_XDP,
11087 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11088 	},
11089 	{
11090 		"XDP pkt read, pkt_data > pkt_meta', bad access 2",
11091 		.insns = {
11092 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11093 				    offsetof(struct xdp_md, data_meta)),
11094 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11095 				    offsetof(struct xdp_md, data)),
11096 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11097 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11098 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
11099 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11100 			BPF_MOV64_IMM(BPF_REG_0, 0),
11101 			BPF_EXIT_INSN(),
11102 		},
11103 		.errstr = "R1 offset is outside of the packet",
11104 		.result = REJECT,
11105 		.prog_type = BPF_PROG_TYPE_XDP,
11106 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11107 	},
11108 	{
11109 		"XDP pkt read, pkt_meta' < pkt_data, good access",
11110 		.insns = {
11111 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11112 				    offsetof(struct xdp_md, data_meta)),
11113 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11114 				    offsetof(struct xdp_md, data)),
11115 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11116 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11117 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
11118 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11119 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11120 			BPF_MOV64_IMM(BPF_REG_0, 0),
11121 			BPF_EXIT_INSN(),
11122 		},
11123 		.result = ACCEPT,
11124 		.prog_type = BPF_PROG_TYPE_XDP,
11125 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11126 	},
11127 	{
11128 		"XDP pkt read, pkt_meta' < pkt_data, bad access 1",
11129 		.insns = {
11130 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11131 				    offsetof(struct xdp_md, data_meta)),
11132 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11133 				    offsetof(struct xdp_md, data)),
11134 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11135 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11136 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
11137 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11138 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11139 			BPF_MOV64_IMM(BPF_REG_0, 0),
11140 			BPF_EXIT_INSN(),
11141 		},
11142 		.errstr = "R1 offset is outside of the packet",
11143 		.result = REJECT,
11144 		.prog_type = BPF_PROG_TYPE_XDP,
11145 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11146 	},
11147 	{
11148 		"XDP pkt read, pkt_meta' < pkt_data, bad access 2",
11149 		.insns = {
11150 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11151 				    offsetof(struct xdp_md, data_meta)),
11152 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11153 				    offsetof(struct xdp_md, data)),
11154 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11155 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11156 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
11157 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11158 			BPF_MOV64_IMM(BPF_REG_0, 0),
11159 			BPF_EXIT_INSN(),
11160 		},
11161 		.errstr = "R1 offset is outside of the packet",
11162 		.result = REJECT,
11163 		.prog_type = BPF_PROG_TYPE_XDP,
11164 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11165 	},
11166 	{
11167 		"XDP pkt read, pkt_data < pkt_meta', good access",
11168 		.insns = {
11169 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11170 				    offsetof(struct xdp_md, data_meta)),
11171 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11172 				    offsetof(struct xdp_md, data)),
11173 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11174 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11175 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
11176 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11177 			BPF_MOV64_IMM(BPF_REG_0, 0),
11178 			BPF_EXIT_INSN(),
11179 		},
11180 		.result = ACCEPT,
11181 		.prog_type = BPF_PROG_TYPE_XDP,
11182 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11183 	},
11184 	{
11185 		"XDP pkt read, pkt_data < pkt_meta', bad access 1",
11186 		.insns = {
11187 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11188 				    offsetof(struct xdp_md, data_meta)),
11189 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11190 				    offsetof(struct xdp_md, data)),
11191 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11192 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11193 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
11194 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
11195 			BPF_MOV64_IMM(BPF_REG_0, 0),
11196 			BPF_EXIT_INSN(),
11197 		},
11198 		.errstr = "R1 offset is outside of the packet",
11199 		.result = REJECT,
11200 		.prog_type = BPF_PROG_TYPE_XDP,
11201 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11202 	},
11203 	{
11204 		"XDP pkt read, pkt_data < pkt_meta', bad access 2",
11205 		.insns = {
11206 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11207 				    offsetof(struct xdp_md, data_meta)),
11208 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11209 				    offsetof(struct xdp_md, data)),
11210 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11211 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11212 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
11213 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11214 			BPF_MOV64_IMM(BPF_REG_0, 0),
11215 			BPF_EXIT_INSN(),
11216 		},
11217 		.errstr = "R1 offset is outside of the packet",
11218 		.result = REJECT,
11219 		.prog_type = BPF_PROG_TYPE_XDP,
11220 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11221 	},
11222 	{
11223 		"XDP pkt read, pkt_meta' >= pkt_data, good access",
11224 		.insns = {
11225 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11226 				    offsetof(struct xdp_md, data_meta)),
11227 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11228 				    offsetof(struct xdp_md, data)),
11229 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11230 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11231 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
11232 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11233 			BPF_MOV64_IMM(BPF_REG_0, 0),
11234 			BPF_EXIT_INSN(),
11235 		},
11236 		.result = ACCEPT,
11237 		.prog_type = BPF_PROG_TYPE_XDP,
11238 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11239 	},
11240 	{
11241 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
11242 		.insns = {
11243 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11244 				    offsetof(struct xdp_md, data_meta)),
11245 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11246 				    offsetof(struct xdp_md, data)),
11247 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11248 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11249 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
11250 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11251 			BPF_MOV64_IMM(BPF_REG_0, 0),
11252 			BPF_EXIT_INSN(),
11253 		},
11254 		.errstr = "R1 offset is outside of the packet",
11255 		.result = REJECT,
11256 		.prog_type = BPF_PROG_TYPE_XDP,
11257 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11258 	},
11259 	{
11260 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
11261 		.insns = {
11262 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11263 				    offsetof(struct xdp_md, data_meta)),
11264 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11265 				    offsetof(struct xdp_md, data)),
11266 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11267 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11268 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
11269 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11270 			BPF_MOV64_IMM(BPF_REG_0, 0),
11271 			BPF_EXIT_INSN(),
11272 		},
11273 		.errstr = "R1 offset is outside of the packet",
11274 		.result = REJECT,
11275 		.prog_type = BPF_PROG_TYPE_XDP,
11276 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11277 	},
11278 	{
11279 		"XDP pkt read, pkt_data >= pkt_meta', good access",
11280 		.insns = {
11281 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11282 				    offsetof(struct xdp_md, data_meta)),
11283 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11284 				    offsetof(struct xdp_md, data)),
11285 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11286 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11287 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
11288 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11289 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11290 			BPF_MOV64_IMM(BPF_REG_0, 0),
11291 			BPF_EXIT_INSN(),
11292 		},
11293 		.result = ACCEPT,
11294 		.prog_type = BPF_PROG_TYPE_XDP,
11295 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11296 	},
11297 	{
11298 		"XDP pkt read, pkt_data >= pkt_meta', bad access 1",
11299 		.insns = {
11300 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11301 				    offsetof(struct xdp_md, data_meta)),
11302 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11303 				    offsetof(struct xdp_md, data)),
11304 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11305 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11306 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
11307 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11308 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
11309 			BPF_MOV64_IMM(BPF_REG_0, 0),
11310 			BPF_EXIT_INSN(),
11311 		},
11312 		.errstr = "R1 offset is outside of the packet",
11313 		.result = REJECT,
11314 		.prog_type = BPF_PROG_TYPE_XDP,
11315 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11316 	},
11317 	{
11318 		"XDP pkt read, pkt_data >= pkt_meta', bad access 2",
11319 		.insns = {
11320 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11321 				    offsetof(struct xdp_md, data_meta)),
11322 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11323 				    offsetof(struct xdp_md, data)),
11324 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11325 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11326 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
11327 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11328 			BPF_MOV64_IMM(BPF_REG_0, 0),
11329 			BPF_EXIT_INSN(),
11330 		},
11331 		.errstr = "R1 offset is outside of the packet",
11332 		.result = REJECT,
11333 		.prog_type = BPF_PROG_TYPE_XDP,
11334 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11335 	},
11336 	{
11337 		"XDP pkt read, pkt_meta' <= pkt_data, good access",
11338 		.insns = {
11339 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11340 				    offsetof(struct xdp_md, data_meta)),
11341 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11342 				    offsetof(struct xdp_md, data)),
11343 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11344 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11345 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
11346 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11347 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11348 			BPF_MOV64_IMM(BPF_REG_0, 0),
11349 			BPF_EXIT_INSN(),
11350 		},
11351 		.result = ACCEPT,
11352 		.prog_type = BPF_PROG_TYPE_XDP,
11353 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11354 	},
11355 	{
11356 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
11357 		.insns = {
11358 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11359 				    offsetof(struct xdp_md, data_meta)),
11360 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11361 				    offsetof(struct xdp_md, data)),
11362 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11363 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11364 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
11365 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11366 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
11367 			BPF_MOV64_IMM(BPF_REG_0, 0),
11368 			BPF_EXIT_INSN(),
11369 		},
11370 		.errstr = "R1 offset is outside of the packet",
11371 		.result = REJECT,
11372 		.prog_type = BPF_PROG_TYPE_XDP,
11373 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11374 	},
11375 	{
11376 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
11377 		.insns = {
11378 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11379 				    offsetof(struct xdp_md, data_meta)),
11380 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11381 				    offsetof(struct xdp_md, data)),
11382 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11383 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11384 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
11385 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11386 			BPF_MOV64_IMM(BPF_REG_0, 0),
11387 			BPF_EXIT_INSN(),
11388 		},
11389 		.errstr = "R1 offset is outside of the packet",
11390 		.result = REJECT,
11391 		.prog_type = BPF_PROG_TYPE_XDP,
11392 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11393 	},
11394 	{
11395 		"XDP pkt read, pkt_data <= pkt_meta', good access",
11396 		.insns = {
11397 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11398 				    offsetof(struct xdp_md, data_meta)),
11399 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11400 				    offsetof(struct xdp_md, data)),
11401 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11402 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11403 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
11404 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11405 			BPF_MOV64_IMM(BPF_REG_0, 0),
11406 			BPF_EXIT_INSN(),
11407 		},
11408 		.result = ACCEPT,
11409 		.prog_type = BPF_PROG_TYPE_XDP,
11410 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11411 	},
11412 	{
11413 		"XDP pkt read, pkt_data <= pkt_meta', bad access 1",
11414 		.insns = {
11415 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11416 				    offsetof(struct xdp_md, data_meta)),
11417 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11418 				    offsetof(struct xdp_md, data)),
11419 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11420 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11421 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
11422 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
11423 			BPF_MOV64_IMM(BPF_REG_0, 0),
11424 			BPF_EXIT_INSN(),
11425 		},
11426 		.errstr = "R1 offset is outside of the packet",
11427 		.result = REJECT,
11428 		.prog_type = BPF_PROG_TYPE_XDP,
11429 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11430 	},
11431 	{
11432 		"XDP pkt read, pkt_data <= pkt_meta', bad access 2",
11433 		.insns = {
11434 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11435 				    offsetof(struct xdp_md, data_meta)),
11436 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11437 				    offsetof(struct xdp_md, data)),
11438 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11439 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11440 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
11441 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
11442 			BPF_MOV64_IMM(BPF_REG_0, 0),
11443 			BPF_EXIT_INSN(),
11444 		},
11445 		.errstr = "R1 offset is outside of the packet",
11446 		.result = REJECT,
11447 		.prog_type = BPF_PROG_TYPE_XDP,
11448 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11449 	},
11450 	{
11451 		"check deducing bounds from const, 1",
11452 		.insns = {
11453 			BPF_MOV64_IMM(BPF_REG_0, 1),
11454 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
11455 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11456 			BPF_EXIT_INSN(),
11457 		},
11458 		.result = REJECT,
11459 		.errstr = "R0 tried to subtract pointer from scalar",
11460 	},
11461 	{
11462 		"check deducing bounds from const, 2",
11463 		.insns = {
11464 			BPF_MOV64_IMM(BPF_REG_0, 1),
11465 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
11466 			BPF_EXIT_INSN(),
11467 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
11468 			BPF_EXIT_INSN(),
11469 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
11470 			BPF_EXIT_INSN(),
11471 		},
11472 		.result = ACCEPT,
11473 		.retval = 1,
11474 	},
11475 	{
11476 		"check deducing bounds from const, 3",
11477 		.insns = {
11478 			BPF_MOV64_IMM(BPF_REG_0, 0),
11479 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
11480 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11481 			BPF_EXIT_INSN(),
11482 		},
11483 		.result = REJECT,
11484 		.errstr = "R0 tried to subtract pointer from scalar",
11485 	},
11486 	{
11487 		"check deducing bounds from const, 4",
11488 		.insns = {
11489 			BPF_MOV64_IMM(BPF_REG_0, 0),
11490 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
11491 			BPF_EXIT_INSN(),
11492 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
11493 			BPF_EXIT_INSN(),
11494 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
11495 			BPF_EXIT_INSN(),
11496 		},
11497 		.result = ACCEPT,
11498 	},
11499 	{
11500 		"check deducing bounds from const, 5",
11501 		.insns = {
11502 			BPF_MOV64_IMM(BPF_REG_0, 0),
11503 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
11504 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11505 			BPF_EXIT_INSN(),
11506 		},
11507 		.result = REJECT,
11508 		.errstr = "R0 tried to subtract pointer from scalar",
11509 	},
11510 	{
11511 		"check deducing bounds from const, 6",
11512 		.insns = {
11513 			BPF_MOV64_IMM(BPF_REG_0, 0),
11514 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
11515 			BPF_EXIT_INSN(),
11516 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11517 			BPF_EXIT_INSN(),
11518 		},
11519 		.result = REJECT,
11520 		.errstr = "R0 tried to subtract pointer from scalar",
11521 	},
11522 	{
11523 		"check deducing bounds from const, 7",
11524 		.insns = {
11525 			BPF_MOV64_IMM(BPF_REG_0, ~0),
11526 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
11527 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
11528 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11529 				    offsetof(struct __sk_buff, mark)),
11530 			BPF_EXIT_INSN(),
11531 		},
11532 		.result = REJECT,
11533 		.errstr = "dereference of modified ctx ptr",
11534 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11535 	},
11536 	{
11537 		"check deducing bounds from const, 8",
11538 		.insns = {
11539 			BPF_MOV64_IMM(BPF_REG_0, ~0),
11540 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
11541 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
11542 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11543 				    offsetof(struct __sk_buff, mark)),
11544 			BPF_EXIT_INSN(),
11545 		},
11546 		.result = REJECT,
11547 		.errstr = "dereference of modified ctx ptr",
11548 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
11549 	},
11550 	{
11551 		"check deducing bounds from const, 9",
11552 		.insns = {
11553 			BPF_MOV64_IMM(BPF_REG_0, 0),
11554 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
11555 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11556 			BPF_EXIT_INSN(),
11557 		},
11558 		.result = REJECT,
11559 		.errstr = "R0 tried to subtract pointer from scalar",
11560 	},
11561 	{
11562 		"check deducing bounds from const, 10",
11563 		.insns = {
11564 			BPF_MOV64_IMM(BPF_REG_0, 0),
11565 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
11566 			/* Marks reg as unknown. */
11567 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
11568 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
11569 			BPF_EXIT_INSN(),
11570 		},
11571 		.result = REJECT,
11572 		.errstr = "math between ctx pointer and register with unbounded min value is not allowed",
11573 	},
11574 	{
11575 		"bpf_exit with invalid return code. test1",
11576 		.insns = {
11577 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11578 			BPF_EXIT_INSN(),
11579 		},
11580 		.errstr = "R0 has value (0x0; 0xffffffff)",
11581 		.result = REJECT,
11582 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11583 	},
11584 	{
11585 		"bpf_exit with invalid return code. test2",
11586 		.insns = {
11587 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11588 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
11589 			BPF_EXIT_INSN(),
11590 		},
11591 		.result = ACCEPT,
11592 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11593 	},
11594 	{
11595 		"bpf_exit with invalid return code. test3",
11596 		.insns = {
11597 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11598 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
11599 			BPF_EXIT_INSN(),
11600 		},
11601 		.errstr = "R0 has value (0x0; 0x3)",
11602 		.result = REJECT,
11603 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11604 	},
11605 	{
11606 		"bpf_exit with invalid return code. test4",
11607 		.insns = {
11608 			BPF_MOV64_IMM(BPF_REG_0, 1),
11609 			BPF_EXIT_INSN(),
11610 		},
11611 		.result = ACCEPT,
11612 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11613 	},
11614 	{
11615 		"bpf_exit with invalid return code. test5",
11616 		.insns = {
11617 			BPF_MOV64_IMM(BPF_REG_0, 2),
11618 			BPF_EXIT_INSN(),
11619 		},
11620 		.errstr = "R0 has value (0x2; 0x0)",
11621 		.result = REJECT,
11622 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11623 	},
11624 	{
11625 		"bpf_exit with invalid return code. test6",
11626 		.insns = {
11627 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
11628 			BPF_EXIT_INSN(),
11629 		},
11630 		.errstr = "R0 is not a known value (ctx)",
11631 		.result = REJECT,
11632 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11633 	},
11634 	{
11635 		"bpf_exit with invalid return code. test7",
11636 		.insns = {
11637 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
11638 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
11639 			BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
11640 			BPF_EXIT_INSN(),
11641 		},
11642 		.errstr = "R0 has unknown scalar value",
11643 		.result = REJECT,
11644 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
11645 	},
11646 	{
11647 		"calls: basic sanity",
11648 		.insns = {
11649 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11650 			BPF_MOV64_IMM(BPF_REG_0, 1),
11651 			BPF_EXIT_INSN(),
11652 			BPF_MOV64_IMM(BPF_REG_0, 2),
11653 			BPF_EXIT_INSN(),
11654 		},
11655 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11656 		.result = ACCEPT,
11657 	},
11658 	{
11659 		"calls: not on unpriviledged",
11660 		.insns = {
11661 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11662 			BPF_MOV64_IMM(BPF_REG_0, 1),
11663 			BPF_EXIT_INSN(),
11664 			BPF_MOV64_IMM(BPF_REG_0, 2),
11665 			BPF_EXIT_INSN(),
11666 		},
11667 		.errstr_unpriv = "function calls to other bpf functions are allowed for root only",
11668 		.result_unpriv = REJECT,
11669 		.result = ACCEPT,
11670 		.retval = 1,
11671 	},
11672 	{
11673 		"calls: div by 0 in subprog",
11674 		.insns = {
11675 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11676 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11677 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11678 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
11679 				    offsetof(struct __sk_buff, data_end)),
11680 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
11681 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
11682 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
11683 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
11684 			BPF_MOV64_IMM(BPF_REG_0, 1),
11685 			BPF_EXIT_INSN(),
11686 			BPF_MOV32_IMM(BPF_REG_2, 0),
11687 			BPF_MOV32_IMM(BPF_REG_3, 1),
11688 			BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
11689 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11690 				    offsetof(struct __sk_buff, data)),
11691 			BPF_EXIT_INSN(),
11692 		},
11693 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11694 		.result = ACCEPT,
11695 		.retval = 1,
11696 	},
11697 	{
11698 		"calls: multiple ret types in subprog 1",
11699 		.insns = {
11700 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11701 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11702 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11703 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
11704 				    offsetof(struct __sk_buff, data_end)),
11705 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
11706 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
11707 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
11708 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
11709 			BPF_MOV64_IMM(BPF_REG_0, 1),
11710 			BPF_EXIT_INSN(),
11711 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11712 				    offsetof(struct __sk_buff, data)),
11713 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
11714 			BPF_MOV32_IMM(BPF_REG_0, 42),
11715 			BPF_EXIT_INSN(),
11716 		},
11717 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11718 		.result = REJECT,
11719 		.errstr = "R0 invalid mem access 'inv'",
11720 	},
11721 	{
11722 		"calls: multiple ret types in subprog 2",
11723 		.insns = {
11724 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11725 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
11726 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11727 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
11728 				    offsetof(struct __sk_buff, data_end)),
11729 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
11730 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
11731 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
11732 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
11733 			BPF_MOV64_IMM(BPF_REG_0, 1),
11734 			BPF_EXIT_INSN(),
11735 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11736 				    offsetof(struct __sk_buff, data)),
11737 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11738 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
11739 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11740 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11741 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11742 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11743 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11744 				     BPF_FUNC_map_lookup_elem),
11745 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
11746 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
11747 				    offsetof(struct __sk_buff, data)),
11748 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
11749 			BPF_EXIT_INSN(),
11750 		},
11751 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11752 		.fixup_map_hash_8b = { 16 },
11753 		.result = REJECT,
11754 		.errstr = "R0 min value is outside of the array range",
11755 	},
11756 	{
11757 		"calls: overlapping caller/callee",
11758 		.insns = {
11759 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
11760 			BPF_MOV64_IMM(BPF_REG_0, 1),
11761 			BPF_EXIT_INSN(),
11762 		},
11763 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11764 		.errstr = "last insn is not an exit or jmp",
11765 		.result = REJECT,
11766 	},
11767 	{
11768 		"calls: wrong recursive calls",
11769 		.insns = {
11770 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
11771 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
11772 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
11773 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
11774 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
11775 			BPF_MOV64_IMM(BPF_REG_0, 1),
11776 			BPF_EXIT_INSN(),
11777 		},
11778 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11779 		.errstr = "jump out of range",
11780 		.result = REJECT,
11781 	},
11782 	{
11783 		"calls: wrong src reg",
11784 		.insns = {
11785 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
11786 			BPF_MOV64_IMM(BPF_REG_0, 1),
11787 			BPF_EXIT_INSN(),
11788 		},
11789 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11790 		.errstr = "BPF_CALL uses reserved fields",
11791 		.result = REJECT,
11792 	},
11793 	{
11794 		"calls: wrong off value",
11795 		.insns = {
11796 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
11797 			BPF_MOV64_IMM(BPF_REG_0, 1),
11798 			BPF_EXIT_INSN(),
11799 			BPF_MOV64_IMM(BPF_REG_0, 2),
11800 			BPF_EXIT_INSN(),
11801 		},
11802 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11803 		.errstr = "BPF_CALL uses reserved fields",
11804 		.result = REJECT,
11805 	},
11806 	{
11807 		"calls: jump back loop",
11808 		.insns = {
11809 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
11810 			BPF_MOV64_IMM(BPF_REG_0, 1),
11811 			BPF_EXIT_INSN(),
11812 		},
11813 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11814 		.errstr = "back-edge from insn 0 to 0",
11815 		.result = REJECT,
11816 	},
11817 	{
11818 		"calls: conditional call",
11819 		.insns = {
11820 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11821 				    offsetof(struct __sk_buff, mark)),
11822 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11823 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11824 			BPF_MOV64_IMM(BPF_REG_0, 1),
11825 			BPF_EXIT_INSN(),
11826 			BPF_MOV64_IMM(BPF_REG_0, 2),
11827 			BPF_EXIT_INSN(),
11828 		},
11829 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11830 		.errstr = "jump out of range",
11831 		.result = REJECT,
11832 	},
11833 	{
11834 		"calls: conditional call 2",
11835 		.insns = {
11836 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11837 				    offsetof(struct __sk_buff, mark)),
11838 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11839 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11840 			BPF_MOV64_IMM(BPF_REG_0, 1),
11841 			BPF_EXIT_INSN(),
11842 			BPF_MOV64_IMM(BPF_REG_0, 2),
11843 			BPF_EXIT_INSN(),
11844 			BPF_MOV64_IMM(BPF_REG_0, 3),
11845 			BPF_EXIT_INSN(),
11846 		},
11847 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11848 		.result = ACCEPT,
11849 	},
11850 	{
11851 		"calls: conditional call 3",
11852 		.insns = {
11853 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11854 				    offsetof(struct __sk_buff, mark)),
11855 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11856 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
11857 			BPF_MOV64_IMM(BPF_REG_0, 1),
11858 			BPF_EXIT_INSN(),
11859 			BPF_MOV64_IMM(BPF_REG_0, 1),
11860 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
11861 			BPF_MOV64_IMM(BPF_REG_0, 3),
11862 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
11863 		},
11864 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11865 		.errstr = "back-edge from insn",
11866 		.result = REJECT,
11867 	},
11868 	{
11869 		"calls: conditional call 4",
11870 		.insns = {
11871 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11872 				    offsetof(struct __sk_buff, mark)),
11873 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11874 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11875 			BPF_MOV64_IMM(BPF_REG_0, 1),
11876 			BPF_EXIT_INSN(),
11877 			BPF_MOV64_IMM(BPF_REG_0, 1),
11878 			BPF_JMP_IMM(BPF_JA, 0, 0, -5),
11879 			BPF_MOV64_IMM(BPF_REG_0, 3),
11880 			BPF_EXIT_INSN(),
11881 		},
11882 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11883 		.result = ACCEPT,
11884 	},
11885 	{
11886 		"calls: conditional call 5",
11887 		.insns = {
11888 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11889 				    offsetof(struct __sk_buff, mark)),
11890 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
11891 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11892 			BPF_MOV64_IMM(BPF_REG_0, 1),
11893 			BPF_EXIT_INSN(),
11894 			BPF_MOV64_IMM(BPF_REG_0, 1),
11895 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
11896 			BPF_MOV64_IMM(BPF_REG_0, 3),
11897 			BPF_EXIT_INSN(),
11898 		},
11899 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11900 		.errstr = "back-edge from insn",
11901 		.result = REJECT,
11902 	},
11903 	{
11904 		"calls: conditional call 6",
11905 		.insns = {
11906 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11907 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
11908 			BPF_EXIT_INSN(),
11909 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11910 				    offsetof(struct __sk_buff, mark)),
11911 			BPF_EXIT_INSN(),
11912 		},
11913 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11914 		.errstr = "back-edge from insn",
11915 		.result = REJECT,
11916 	},
11917 	{
11918 		"calls: using r0 returned by callee",
11919 		.insns = {
11920 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11921 			BPF_EXIT_INSN(),
11922 			BPF_MOV64_IMM(BPF_REG_0, 2),
11923 			BPF_EXIT_INSN(),
11924 		},
11925 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11926 		.result = ACCEPT,
11927 	},
11928 	{
11929 		"calls: using uninit r0 from callee",
11930 		.insns = {
11931 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11932 			BPF_EXIT_INSN(),
11933 			BPF_EXIT_INSN(),
11934 		},
11935 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11936 		.errstr = "!read_ok",
11937 		.result = REJECT,
11938 	},
11939 	{
11940 		"calls: callee is using r1",
11941 		.insns = {
11942 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11943 			BPF_EXIT_INSN(),
11944 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
11945 				    offsetof(struct __sk_buff, len)),
11946 			BPF_EXIT_INSN(),
11947 		},
11948 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
11949 		.result = ACCEPT,
11950 		.retval = TEST_DATA_LEN,
11951 	},
11952 	{
11953 		"calls: callee using args1",
11954 		.insns = {
11955 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11956 			BPF_EXIT_INSN(),
11957 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
11958 			BPF_EXIT_INSN(),
11959 		},
11960 		.errstr_unpriv = "allowed for root only",
11961 		.result_unpriv = REJECT,
11962 		.result = ACCEPT,
11963 		.retval = POINTER_VALUE,
11964 	},
11965 	{
11966 		"calls: callee using wrong args2",
11967 		.insns = {
11968 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11969 			BPF_EXIT_INSN(),
11970 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11971 			BPF_EXIT_INSN(),
11972 		},
11973 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11974 		.errstr = "R2 !read_ok",
11975 		.result = REJECT,
11976 	},
11977 	{
11978 		"calls: callee using two args",
11979 		.insns = {
11980 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11981 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
11982 				    offsetof(struct __sk_buff, len)),
11983 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
11984 				    offsetof(struct __sk_buff, len)),
11985 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11986 			BPF_EXIT_INSN(),
11987 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
11988 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
11989 			BPF_EXIT_INSN(),
11990 		},
11991 		.errstr_unpriv = "allowed for root only",
11992 		.result_unpriv = REJECT,
11993 		.result = ACCEPT,
11994 		.retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
11995 	},
11996 	{
11997 		"calls: callee changing pkt pointers",
11998 		.insns = {
11999 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
12000 				    offsetof(struct xdp_md, data)),
12001 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
12002 				    offsetof(struct xdp_md, data_end)),
12003 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
12004 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
12005 			BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
12006 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12007 			/* clear_all_pkt_pointers() has to walk all frames
12008 			 * to make sure that pkt pointers in the caller
12009 			 * are cleared when callee is calling a helper that
12010 			 * adjusts packet size
12011 			 */
12012 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
12013 			BPF_MOV32_IMM(BPF_REG_0, 0),
12014 			BPF_EXIT_INSN(),
12015 			BPF_MOV64_IMM(BPF_REG_2, 0),
12016 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12017 				     BPF_FUNC_xdp_adjust_head),
12018 			BPF_EXIT_INSN(),
12019 		},
12020 		.result = REJECT,
12021 		.errstr = "R6 invalid mem access 'inv'",
12022 		.prog_type = BPF_PROG_TYPE_XDP,
12023 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
12024 	},
12025 	{
12026 		"calls: two calls with args",
12027 		.insns = {
12028 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12029 			BPF_EXIT_INSN(),
12030 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12031 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
12032 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12033 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12034 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12035 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
12036 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
12037 			BPF_EXIT_INSN(),
12038 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
12039 				    offsetof(struct __sk_buff, len)),
12040 			BPF_EXIT_INSN(),
12041 		},
12042 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12043 		.result = ACCEPT,
12044 		.retval = TEST_DATA_LEN + TEST_DATA_LEN,
12045 	},
12046 	{
12047 		"calls: calls with stack arith",
12048 		.insns = {
12049 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12050 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
12051 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12052 			BPF_EXIT_INSN(),
12053 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
12054 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12055 			BPF_EXIT_INSN(),
12056 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
12057 			BPF_MOV64_IMM(BPF_REG_0, 42),
12058 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
12059 			BPF_EXIT_INSN(),
12060 		},
12061 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12062 		.result = ACCEPT,
12063 		.retval = 42,
12064 	},
12065 	{
12066 		"calls: calls with misaligned stack access",
12067 		.insns = {
12068 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12069 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
12070 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12071 			BPF_EXIT_INSN(),
12072 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
12073 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12074 			BPF_EXIT_INSN(),
12075 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
12076 			BPF_MOV64_IMM(BPF_REG_0, 42),
12077 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
12078 			BPF_EXIT_INSN(),
12079 		},
12080 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12081 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
12082 		.errstr = "misaligned stack access",
12083 		.result = REJECT,
12084 	},
12085 	{
12086 		"calls: calls control flow, jump test",
12087 		.insns = {
12088 			BPF_MOV64_IMM(BPF_REG_0, 42),
12089 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12090 			BPF_MOV64_IMM(BPF_REG_0, 43),
12091 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12092 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
12093 			BPF_EXIT_INSN(),
12094 		},
12095 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12096 		.result = ACCEPT,
12097 		.retval = 43,
12098 	},
12099 	{
12100 		"calls: calls control flow, jump test 2",
12101 		.insns = {
12102 			BPF_MOV64_IMM(BPF_REG_0, 42),
12103 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12104 			BPF_MOV64_IMM(BPF_REG_0, 43),
12105 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
12106 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
12107 			BPF_EXIT_INSN(),
12108 		},
12109 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12110 		.errstr = "jump out of range from insn 1 to 4",
12111 		.result = REJECT,
12112 	},
12113 	{
12114 		"calls: two calls with bad jump",
12115 		.insns = {
12116 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12117 			BPF_EXIT_INSN(),
12118 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12119 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
12120 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12121 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12122 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12123 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
12124 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
12125 			BPF_EXIT_INSN(),
12126 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
12127 				    offsetof(struct __sk_buff, len)),
12128 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
12129 			BPF_EXIT_INSN(),
12130 		},
12131 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12132 		.errstr = "jump out of range from insn 11 to 9",
12133 		.result = REJECT,
12134 	},
12135 	{
12136 		"calls: recursive call. test1",
12137 		.insns = {
12138 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12139 			BPF_EXIT_INSN(),
12140 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
12141 			BPF_EXIT_INSN(),
12142 		},
12143 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12144 		.errstr = "back-edge",
12145 		.result = REJECT,
12146 	},
12147 	{
12148 		"calls: recursive call. test2",
12149 		.insns = {
12150 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12151 			BPF_EXIT_INSN(),
12152 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
12153 			BPF_EXIT_INSN(),
12154 		},
12155 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12156 		.errstr = "back-edge",
12157 		.result = REJECT,
12158 	},
12159 	{
12160 		"calls: unreachable code",
12161 		.insns = {
12162 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12163 			BPF_EXIT_INSN(),
12164 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12165 			BPF_EXIT_INSN(),
12166 			BPF_MOV64_IMM(BPF_REG_0, 0),
12167 			BPF_EXIT_INSN(),
12168 			BPF_MOV64_IMM(BPF_REG_0, 0),
12169 			BPF_EXIT_INSN(),
12170 		},
12171 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12172 		.errstr = "unreachable insn 6",
12173 		.result = REJECT,
12174 	},
12175 	{
12176 		"calls: invalid call",
12177 		.insns = {
12178 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12179 			BPF_EXIT_INSN(),
12180 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
12181 			BPF_EXIT_INSN(),
12182 		},
12183 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12184 		.errstr = "invalid destination",
12185 		.result = REJECT,
12186 	},
12187 	{
12188 		"calls: invalid call 2",
12189 		.insns = {
12190 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12191 			BPF_EXIT_INSN(),
12192 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
12193 			BPF_EXIT_INSN(),
12194 		},
12195 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12196 		.errstr = "invalid destination",
12197 		.result = REJECT,
12198 	},
12199 	{
12200 		"calls: jumping across function bodies. test1",
12201 		.insns = {
12202 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12203 			BPF_MOV64_IMM(BPF_REG_0, 0),
12204 			BPF_EXIT_INSN(),
12205 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
12206 			BPF_EXIT_INSN(),
12207 		},
12208 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12209 		.errstr = "jump out of range",
12210 		.result = REJECT,
12211 	},
12212 	{
12213 		"calls: jumping across function bodies. test2",
12214 		.insns = {
12215 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
12216 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12217 			BPF_MOV64_IMM(BPF_REG_0, 0),
12218 			BPF_EXIT_INSN(),
12219 			BPF_EXIT_INSN(),
12220 		},
12221 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12222 		.errstr = "jump out of range",
12223 		.result = REJECT,
12224 	},
12225 	{
12226 		"calls: call without exit",
12227 		.insns = {
12228 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12229 			BPF_EXIT_INSN(),
12230 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12231 			BPF_EXIT_INSN(),
12232 			BPF_MOV64_IMM(BPF_REG_0, 0),
12233 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
12234 		},
12235 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12236 		.errstr = "not an exit",
12237 		.result = REJECT,
12238 	},
12239 	{
12240 		"calls: call into middle of ld_imm64",
12241 		.insns = {
12242 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12243 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12244 			BPF_MOV64_IMM(BPF_REG_0, 0),
12245 			BPF_EXIT_INSN(),
12246 			BPF_LD_IMM64(BPF_REG_0, 0),
12247 			BPF_EXIT_INSN(),
12248 		},
12249 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12250 		.errstr = "last insn",
12251 		.result = REJECT,
12252 	},
12253 	{
12254 		"calls: call into middle of other call",
12255 		.insns = {
12256 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12257 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12258 			BPF_MOV64_IMM(BPF_REG_0, 0),
12259 			BPF_EXIT_INSN(),
12260 			BPF_MOV64_IMM(BPF_REG_0, 0),
12261 			BPF_MOV64_IMM(BPF_REG_0, 0),
12262 			BPF_EXIT_INSN(),
12263 		},
12264 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12265 		.errstr = "last insn",
12266 		.result = REJECT,
12267 	},
12268 	{
12269 		"calls: ld_abs with changing ctx data in callee",
12270 		.insns = {
12271 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12272 			BPF_LD_ABS(BPF_B, 0),
12273 			BPF_LD_ABS(BPF_H, 0),
12274 			BPF_LD_ABS(BPF_W, 0),
12275 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
12276 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
12277 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
12278 			BPF_LD_ABS(BPF_B, 0),
12279 			BPF_LD_ABS(BPF_H, 0),
12280 			BPF_LD_ABS(BPF_W, 0),
12281 			BPF_EXIT_INSN(),
12282 			BPF_MOV64_IMM(BPF_REG_2, 1),
12283 			BPF_MOV64_IMM(BPF_REG_3, 2),
12284 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12285 				     BPF_FUNC_skb_vlan_push),
12286 			BPF_EXIT_INSN(),
12287 		},
12288 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12289 		.errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
12290 		.result = REJECT,
12291 	},
12292 	{
12293 		"calls: two calls with bad fallthrough",
12294 		.insns = {
12295 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12296 			BPF_EXIT_INSN(),
12297 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12298 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
12299 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12300 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12301 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12302 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
12303 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
12304 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
12305 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
12306 				    offsetof(struct __sk_buff, len)),
12307 			BPF_EXIT_INSN(),
12308 		},
12309 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12310 		.errstr = "not an exit",
12311 		.result = REJECT,
12312 	},
12313 	{
12314 		"calls: two calls with stack read",
12315 		.insns = {
12316 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12317 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12318 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12319 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12320 			BPF_EXIT_INSN(),
12321 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12322 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
12323 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12324 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12325 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12326 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
12327 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
12328 			BPF_EXIT_INSN(),
12329 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
12330 			BPF_EXIT_INSN(),
12331 		},
12332 		.prog_type = BPF_PROG_TYPE_XDP,
12333 		.result = ACCEPT,
12334 	},
12335 	{
12336 		"calls: two calls with stack write",
12337 		.insns = {
12338 			/* main prog */
12339 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12340 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12341 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12342 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12343 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12344 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12345 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
12346 			BPF_EXIT_INSN(),
12347 
12348 			/* subprog 1 */
12349 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12350 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12351 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
12352 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
12353 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12354 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12355 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12356 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
12357 			/* write into stack frame of main prog */
12358 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12359 			BPF_EXIT_INSN(),
12360 
12361 			/* subprog 2 */
12362 			/* read from stack frame of main prog */
12363 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
12364 			BPF_EXIT_INSN(),
12365 		},
12366 		.prog_type = BPF_PROG_TYPE_XDP,
12367 		.result = ACCEPT,
12368 	},
12369 	{
12370 		"calls: stack overflow using two frames (pre-call access)",
12371 		.insns = {
12372 			/* prog 1 */
12373 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12374 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
12375 			BPF_EXIT_INSN(),
12376 
12377 			/* prog 2 */
12378 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12379 			BPF_MOV64_IMM(BPF_REG_0, 0),
12380 			BPF_EXIT_INSN(),
12381 		},
12382 		.prog_type = BPF_PROG_TYPE_XDP,
12383 		.errstr = "combined stack size",
12384 		.result = REJECT,
12385 	},
12386 	{
12387 		"calls: stack overflow using two frames (post-call access)",
12388 		.insns = {
12389 			/* prog 1 */
12390 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
12391 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12392 			BPF_EXIT_INSN(),
12393 
12394 			/* prog 2 */
12395 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12396 			BPF_MOV64_IMM(BPF_REG_0, 0),
12397 			BPF_EXIT_INSN(),
12398 		},
12399 		.prog_type = BPF_PROG_TYPE_XDP,
12400 		.errstr = "combined stack size",
12401 		.result = REJECT,
12402 	},
12403 	{
12404 		"calls: stack depth check using three frames. test1",
12405 		.insns = {
12406 			/* main */
12407 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
12408 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
12409 			BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
12410 			BPF_MOV64_IMM(BPF_REG_0, 0),
12411 			BPF_EXIT_INSN(),
12412 			/* A */
12413 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
12414 			BPF_EXIT_INSN(),
12415 			/* B */
12416 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
12417 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
12418 			BPF_EXIT_INSN(),
12419 		},
12420 		.prog_type = BPF_PROG_TYPE_XDP,
12421 		/* stack_main=32, stack_A=256, stack_B=64
12422 		 * and max(main+A, main+A+B) < 512
12423 		 */
12424 		.result = ACCEPT,
12425 	},
12426 	{
12427 		"calls: stack depth check using three frames. test2",
12428 		.insns = {
12429 			/* main */
12430 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
12431 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
12432 			BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
12433 			BPF_MOV64_IMM(BPF_REG_0, 0),
12434 			BPF_EXIT_INSN(),
12435 			/* A */
12436 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
12437 			BPF_EXIT_INSN(),
12438 			/* B */
12439 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
12440 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
12441 			BPF_EXIT_INSN(),
12442 		},
12443 		.prog_type = BPF_PROG_TYPE_XDP,
12444 		/* stack_main=32, stack_A=64, stack_B=256
12445 		 * and max(main+A, main+A+B) < 512
12446 		 */
12447 		.result = ACCEPT,
12448 	},
12449 	{
12450 		"calls: stack depth check using three frames. test3",
12451 		.insns = {
12452 			/* main */
12453 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12454 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
12455 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12456 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
12457 			BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
12458 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
12459 			BPF_MOV64_IMM(BPF_REG_0, 0),
12460 			BPF_EXIT_INSN(),
12461 			/* A */
12462 			BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
12463 			BPF_EXIT_INSN(),
12464 			BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
12465 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
12466 			/* B */
12467 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
12468 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
12469 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
12470 			BPF_EXIT_INSN(),
12471 		},
12472 		.prog_type = BPF_PROG_TYPE_XDP,
12473 		/* stack_main=64, stack_A=224, stack_B=256
12474 		 * and max(main+A, main+A+B) > 512
12475 		 */
12476 		.errstr = "combined stack",
12477 		.result = REJECT,
12478 	},
12479 	{
12480 		"calls: stack depth check using three frames. test4",
12481 		/* void main(void) {
12482 		 *   func1(0);
12483 		 *   func1(1);
12484 		 *   func2(1);
12485 		 * }
12486 		 * void func1(int alloc_or_recurse) {
12487 		 *   if (alloc_or_recurse) {
12488 		 *     frame_pointer[-300] = 1;
12489 		 *   } else {
12490 		 *     func2(alloc_or_recurse);
12491 		 *   }
12492 		 * }
12493 		 * void func2(int alloc_or_recurse) {
12494 		 *   if (alloc_or_recurse) {
12495 		 *     frame_pointer[-300] = 1;
12496 		 *   }
12497 		 * }
12498 		 */
12499 		.insns = {
12500 			/* main */
12501 			BPF_MOV64_IMM(BPF_REG_1, 0),
12502 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
12503 			BPF_MOV64_IMM(BPF_REG_1, 1),
12504 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
12505 			BPF_MOV64_IMM(BPF_REG_1, 1),
12506 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
12507 			BPF_MOV64_IMM(BPF_REG_0, 0),
12508 			BPF_EXIT_INSN(),
12509 			/* A */
12510 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
12511 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12512 			BPF_EXIT_INSN(),
12513 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
12514 			BPF_EXIT_INSN(),
12515 			/* B */
12516 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
12517 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
12518 			BPF_EXIT_INSN(),
12519 		},
12520 		.prog_type = BPF_PROG_TYPE_XDP,
12521 		.result = REJECT,
12522 		.errstr = "combined stack",
12523 	},
12524 	{
12525 		"calls: stack depth check using three frames. test5",
12526 		.insns = {
12527 			/* main */
12528 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
12529 			BPF_EXIT_INSN(),
12530 			/* A */
12531 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
12532 			BPF_EXIT_INSN(),
12533 			/* B */
12534 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
12535 			BPF_EXIT_INSN(),
12536 			/* C */
12537 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
12538 			BPF_EXIT_INSN(),
12539 			/* D */
12540 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
12541 			BPF_EXIT_INSN(),
12542 			/* E */
12543 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
12544 			BPF_EXIT_INSN(),
12545 			/* F */
12546 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
12547 			BPF_EXIT_INSN(),
12548 			/* G */
12549 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
12550 			BPF_EXIT_INSN(),
12551 			/* H */
12552 			BPF_MOV64_IMM(BPF_REG_0, 0),
12553 			BPF_EXIT_INSN(),
12554 		},
12555 		.prog_type = BPF_PROG_TYPE_XDP,
12556 		.errstr = "call stack",
12557 		.result = REJECT,
12558 	},
12559 	{
12560 		"calls: spill into caller stack frame",
12561 		.insns = {
12562 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12563 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12564 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12565 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12566 			BPF_EXIT_INSN(),
12567 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
12568 			BPF_MOV64_IMM(BPF_REG_0, 0),
12569 			BPF_EXIT_INSN(),
12570 		},
12571 		.prog_type = BPF_PROG_TYPE_XDP,
12572 		.errstr = "cannot spill",
12573 		.result = REJECT,
12574 	},
12575 	{
12576 		"calls: write into caller stack frame",
12577 		.insns = {
12578 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12579 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12580 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12581 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12582 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
12583 			BPF_EXIT_INSN(),
12584 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
12585 			BPF_MOV64_IMM(BPF_REG_0, 0),
12586 			BPF_EXIT_INSN(),
12587 		},
12588 		.prog_type = BPF_PROG_TYPE_XDP,
12589 		.result = ACCEPT,
12590 		.retval = 42,
12591 	},
12592 	{
12593 		"calls: write into callee stack frame",
12594 		.insns = {
12595 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12596 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
12597 			BPF_EXIT_INSN(),
12598 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
12599 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
12600 			BPF_EXIT_INSN(),
12601 		},
12602 		.prog_type = BPF_PROG_TYPE_XDP,
12603 		.errstr = "cannot return stack pointer",
12604 		.result = REJECT,
12605 	},
12606 	{
12607 		"calls: two calls with stack write and void return",
12608 		.insns = {
12609 			/* main prog */
12610 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12611 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12612 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12613 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12614 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12615 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12616 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
12617 			BPF_EXIT_INSN(),
12618 
12619 			/* subprog 1 */
12620 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12621 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12622 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12623 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12624 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12625 			BPF_EXIT_INSN(),
12626 
12627 			/* subprog 2 */
12628 			/* write into stack frame of main prog */
12629 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
12630 			BPF_EXIT_INSN(), /* void return */
12631 		},
12632 		.prog_type = BPF_PROG_TYPE_XDP,
12633 		.result = ACCEPT,
12634 	},
12635 	{
12636 		"calls: ambiguous return value",
12637 		.insns = {
12638 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12639 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
12640 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12641 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12642 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12643 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
12644 			BPF_EXIT_INSN(),
12645 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
12646 			BPF_MOV64_IMM(BPF_REG_0, 0),
12647 			BPF_EXIT_INSN(),
12648 		},
12649 		.errstr_unpriv = "allowed for root only",
12650 		.result_unpriv = REJECT,
12651 		.errstr = "R0 !read_ok",
12652 		.result = REJECT,
12653 	},
12654 	{
12655 		"calls: two calls that return map_value",
12656 		.insns = {
12657 			/* main prog */
12658 			/* pass fp-16, fp-8 into a function */
12659 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12660 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12661 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12662 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12663 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
12664 
12665 			/* fetch map_value_ptr from the stack of this function */
12666 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12667 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
12668 			/* write into map value */
12669 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12670 			/* fetch secound map_value_ptr from the stack */
12671 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
12672 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
12673 			/* write into map value */
12674 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12675 			BPF_MOV64_IMM(BPF_REG_0, 0),
12676 			BPF_EXIT_INSN(),
12677 
12678 			/* subprog 1 */
12679 			/* call 3rd function twice */
12680 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12681 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12682 			/* first time with fp-8 */
12683 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
12684 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12685 			/* second time with fp-16 */
12686 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
12687 			BPF_EXIT_INSN(),
12688 
12689 			/* subprog 2 */
12690 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12691 			/* lookup from map */
12692 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12693 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12694 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12695 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12696 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12697 				     BPF_FUNC_map_lookup_elem),
12698 			/* write map_value_ptr into stack frame of main prog */
12699 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12700 			BPF_MOV64_IMM(BPF_REG_0, 0),
12701 			BPF_EXIT_INSN(), /* return 0 */
12702 		},
12703 		.prog_type = BPF_PROG_TYPE_XDP,
12704 		.fixup_map_hash_8b = { 23 },
12705 		.result = ACCEPT,
12706 	},
12707 	{
12708 		"calls: two calls that return map_value with bool condition",
12709 		.insns = {
12710 			/* main prog */
12711 			/* pass fp-16, fp-8 into a function */
12712 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12713 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12714 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12715 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12716 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12717 			BPF_MOV64_IMM(BPF_REG_0, 0),
12718 			BPF_EXIT_INSN(),
12719 
12720 			/* subprog 1 */
12721 			/* call 3rd function twice */
12722 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12723 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12724 			/* first time with fp-8 */
12725 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
12726 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
12727 			/* fetch map_value_ptr from the stack of this function */
12728 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
12729 			/* write into map value */
12730 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12731 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12732 			/* second time with fp-16 */
12733 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12734 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
12735 			/* fetch secound map_value_ptr from the stack */
12736 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
12737 			/* write into map value */
12738 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12739 			BPF_EXIT_INSN(),
12740 
12741 			/* subprog 2 */
12742 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12743 			/* lookup from map */
12744 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12745 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12746 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12747 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12748 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12749 				     BPF_FUNC_map_lookup_elem),
12750 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12751 			BPF_MOV64_IMM(BPF_REG_0, 0),
12752 			BPF_EXIT_INSN(), /* return 0 */
12753 			/* write map_value_ptr into stack frame of main prog */
12754 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12755 			BPF_MOV64_IMM(BPF_REG_0, 1),
12756 			BPF_EXIT_INSN(), /* return 1 */
12757 		},
12758 		.prog_type = BPF_PROG_TYPE_XDP,
12759 		.fixup_map_hash_8b = { 23 },
12760 		.result = ACCEPT,
12761 	},
12762 	{
12763 		"calls: two calls that return map_value with incorrect bool check",
12764 		.insns = {
12765 			/* main prog */
12766 			/* pass fp-16, fp-8 into a function */
12767 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12768 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12769 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12770 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12771 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12772 			BPF_MOV64_IMM(BPF_REG_0, 0),
12773 			BPF_EXIT_INSN(),
12774 
12775 			/* subprog 1 */
12776 			/* call 3rd function twice */
12777 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12778 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12779 			/* first time with fp-8 */
12780 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
12781 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
12782 			/* fetch map_value_ptr from the stack of this function */
12783 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
12784 			/* write into map value */
12785 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12786 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12787 			/* second time with fp-16 */
12788 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
12789 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12790 			/* fetch secound map_value_ptr from the stack */
12791 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
12792 			/* write into map value */
12793 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12794 			BPF_EXIT_INSN(),
12795 
12796 			/* subprog 2 */
12797 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12798 			/* lookup from map */
12799 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12800 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12801 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12802 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12803 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12804 				     BPF_FUNC_map_lookup_elem),
12805 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12806 			BPF_MOV64_IMM(BPF_REG_0, 0),
12807 			BPF_EXIT_INSN(), /* return 0 */
12808 			/* write map_value_ptr into stack frame of main prog */
12809 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12810 			BPF_MOV64_IMM(BPF_REG_0, 1),
12811 			BPF_EXIT_INSN(), /* return 1 */
12812 		},
12813 		.prog_type = BPF_PROG_TYPE_XDP,
12814 		.fixup_map_hash_8b = { 23 },
12815 		.result = REJECT,
12816 		.errstr = "invalid read from stack off -16+0 size 8",
12817 	},
12818 	{
12819 		"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
12820 		.insns = {
12821 			/* main prog */
12822 			/* pass fp-16, fp-8 into a function */
12823 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12824 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12825 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12826 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12827 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12828 			BPF_MOV64_IMM(BPF_REG_0, 0),
12829 			BPF_EXIT_INSN(),
12830 
12831 			/* subprog 1 */
12832 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12833 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12834 			/* 1st lookup from map */
12835 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12836 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12837 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12838 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12839 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12840 				     BPF_FUNC_map_lookup_elem),
12841 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12842 			BPF_MOV64_IMM(BPF_REG_8, 0),
12843 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12844 			/* write map_value_ptr into stack frame of main prog at fp-8 */
12845 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12846 			BPF_MOV64_IMM(BPF_REG_8, 1),
12847 
12848 			/* 2nd lookup from map */
12849 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
12850 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12851 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12852 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
12853 				     BPF_FUNC_map_lookup_elem),
12854 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12855 			BPF_MOV64_IMM(BPF_REG_9, 0),
12856 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12857 			/* write map_value_ptr into stack frame of main prog at fp-16 */
12858 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12859 			BPF_MOV64_IMM(BPF_REG_9, 1),
12860 
12861 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12862 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
12863 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12864 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12865 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12866 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
12867 			BPF_EXIT_INSN(),
12868 
12869 			/* subprog 2 */
12870 			/* if arg2 == 1 do *arg1 = 0 */
12871 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12872 			/* fetch map_value_ptr from the stack of this function */
12873 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12874 			/* write into map value */
12875 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12876 
12877 			/* if arg4 == 1 do *arg3 = 0 */
12878 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
12879 			/* fetch map_value_ptr from the stack of this function */
12880 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12881 			/* write into map value */
12882 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
12883 			BPF_EXIT_INSN(),
12884 		},
12885 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12886 		.fixup_map_hash_8b = { 12, 22 },
12887 		.result = REJECT,
12888 		.errstr = "invalid access to map value, value_size=8 off=2 size=8",
12889 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
12890 	},
12891 	{
12892 		"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
12893 		.insns = {
12894 			/* main prog */
12895 			/* pass fp-16, fp-8 into a function */
12896 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12897 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12898 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12899 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12900 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
12901 			BPF_MOV64_IMM(BPF_REG_0, 0),
12902 			BPF_EXIT_INSN(),
12903 
12904 			/* subprog 1 */
12905 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12906 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12907 			/* 1st lookup from map */
12908 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12909 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12910 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12911 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12912 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12913 				     BPF_FUNC_map_lookup_elem),
12914 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12915 			BPF_MOV64_IMM(BPF_REG_8, 0),
12916 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12917 			/* write map_value_ptr into stack frame of main prog at fp-8 */
12918 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12919 			BPF_MOV64_IMM(BPF_REG_8, 1),
12920 
12921 			/* 2nd lookup from map */
12922 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
12923 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12924 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12925 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
12926 				     BPF_FUNC_map_lookup_elem),
12927 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12928 			BPF_MOV64_IMM(BPF_REG_9, 0),
12929 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12930 			/* write map_value_ptr into stack frame of main prog at fp-16 */
12931 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
12932 			BPF_MOV64_IMM(BPF_REG_9, 1),
12933 
12934 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
12935 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
12936 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
12937 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
12938 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
12939 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
12940 			BPF_EXIT_INSN(),
12941 
12942 			/* subprog 2 */
12943 			/* if arg2 == 1 do *arg1 = 0 */
12944 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
12945 			/* fetch map_value_ptr from the stack of this function */
12946 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
12947 			/* write into map value */
12948 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12949 
12950 			/* if arg4 == 1 do *arg3 = 0 */
12951 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
12952 			/* fetch map_value_ptr from the stack of this function */
12953 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
12954 			/* write into map value */
12955 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
12956 			BPF_EXIT_INSN(),
12957 		},
12958 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12959 		.fixup_map_hash_8b = { 12, 22 },
12960 		.result = ACCEPT,
12961 	},
12962 	{
12963 		"calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
12964 		.insns = {
12965 			/* main prog */
12966 			/* pass fp-16, fp-8 into a function */
12967 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
12968 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
12969 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12970 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
12971 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
12972 			BPF_MOV64_IMM(BPF_REG_0, 0),
12973 			BPF_EXIT_INSN(),
12974 
12975 			/* subprog 1 */
12976 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12977 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
12978 			/* 1st lookup from map */
12979 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
12980 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12981 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
12982 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12983 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12984 				     BPF_FUNC_map_lookup_elem),
12985 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12986 			BPF_MOV64_IMM(BPF_REG_8, 0),
12987 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
12988 			/* write map_value_ptr into stack frame of main prog at fp-8 */
12989 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
12990 			BPF_MOV64_IMM(BPF_REG_8, 1),
12991 
12992 			/* 2nd lookup from map */
12993 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12994 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
12995 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12996 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12997 				     BPF_FUNC_map_lookup_elem),
12998 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12999 			BPF_MOV64_IMM(BPF_REG_9, 0),  // 26
13000 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
13001 			/* write map_value_ptr into stack frame of main prog at fp-16 */
13002 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
13003 			BPF_MOV64_IMM(BPF_REG_9, 1),
13004 
13005 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
13006 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
13007 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
13008 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
13009 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
13010 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
13011 			BPF_JMP_IMM(BPF_JA, 0, 0, -30),
13012 
13013 			/* subprog 2 */
13014 			/* if arg2 == 1 do *arg1 = 0 */
13015 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
13016 			/* fetch map_value_ptr from the stack of this function */
13017 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
13018 			/* write into map value */
13019 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13020 
13021 			/* if arg4 == 1 do *arg3 = 0 */
13022 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
13023 			/* fetch map_value_ptr from the stack of this function */
13024 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
13025 			/* write into map value */
13026 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
13027 			BPF_JMP_IMM(BPF_JA, 0, 0, -8),
13028 		},
13029 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13030 		.fixup_map_hash_8b = { 12, 22 },
13031 		.result = REJECT,
13032 		.errstr = "invalid access to map value, value_size=8 off=2 size=8",
13033 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13034 	},
13035 	{
13036 		"calls: two calls that receive map_value_ptr_or_null via arg. test1",
13037 		.insns = {
13038 			/* main prog */
13039 			/* pass fp-16, fp-8 into a function */
13040 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
13041 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
13042 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13043 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
13044 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13045 			BPF_MOV64_IMM(BPF_REG_0, 0),
13046 			BPF_EXIT_INSN(),
13047 
13048 			/* subprog 1 */
13049 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13050 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
13051 			/* 1st lookup from map */
13052 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13053 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13054 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13055 			BPF_LD_MAP_FD(BPF_REG_1, 0),
13056 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13057 				     BPF_FUNC_map_lookup_elem),
13058 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
13059 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13060 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13061 			BPF_MOV64_IMM(BPF_REG_8, 0),
13062 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13063 			BPF_MOV64_IMM(BPF_REG_8, 1),
13064 
13065 			/* 2nd lookup from map */
13066 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13067 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13068 			BPF_LD_MAP_FD(BPF_REG_1, 0),
13069 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13070 				     BPF_FUNC_map_lookup_elem),
13071 			/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
13072 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
13073 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13074 			BPF_MOV64_IMM(BPF_REG_9, 0),
13075 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13076 			BPF_MOV64_IMM(BPF_REG_9, 1),
13077 
13078 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
13079 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13080 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
13081 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
13082 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
13083 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
13084 			BPF_EXIT_INSN(),
13085 
13086 			/* subprog 2 */
13087 			/* if arg2 == 1 do *arg1 = 0 */
13088 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
13089 			/* fetch map_value_ptr from the stack of this function */
13090 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
13091 			/* write into map value */
13092 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13093 
13094 			/* if arg4 == 1 do *arg3 = 0 */
13095 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
13096 			/* fetch map_value_ptr from the stack of this function */
13097 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
13098 			/* write into map value */
13099 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13100 			BPF_EXIT_INSN(),
13101 		},
13102 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13103 		.fixup_map_hash_8b = { 12, 22 },
13104 		.result = ACCEPT,
13105 	},
13106 	{
13107 		"calls: two calls that receive map_value_ptr_or_null via arg. test2",
13108 		.insns = {
13109 			/* main prog */
13110 			/* pass fp-16, fp-8 into a function */
13111 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
13112 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
13113 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13114 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
13115 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
13116 			BPF_MOV64_IMM(BPF_REG_0, 0),
13117 			BPF_EXIT_INSN(),
13118 
13119 			/* subprog 1 */
13120 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13121 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
13122 			/* 1st lookup from map */
13123 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13124 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13125 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13126 			BPF_LD_MAP_FD(BPF_REG_1, 0),
13127 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13128 				     BPF_FUNC_map_lookup_elem),
13129 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
13130 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13131 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13132 			BPF_MOV64_IMM(BPF_REG_8, 0),
13133 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13134 			BPF_MOV64_IMM(BPF_REG_8, 1),
13135 
13136 			/* 2nd lookup from map */
13137 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13138 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13139 			BPF_LD_MAP_FD(BPF_REG_1, 0),
13140 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13141 				     BPF_FUNC_map_lookup_elem),
13142 			/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
13143 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
13144 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
13145 			BPF_MOV64_IMM(BPF_REG_9, 0),
13146 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13147 			BPF_MOV64_IMM(BPF_REG_9, 1),
13148 
13149 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
13150 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13151 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
13152 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
13153 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
13154 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
13155 			BPF_EXIT_INSN(),
13156 
13157 			/* subprog 2 */
13158 			/* if arg2 == 1 do *arg1 = 0 */
13159 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
13160 			/* fetch map_value_ptr from the stack of this function */
13161 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
13162 			/* write into map value */
13163 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13164 
13165 			/* if arg4 == 0 do *arg3 = 0 */
13166 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
13167 			/* fetch map_value_ptr from the stack of this function */
13168 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
13169 			/* write into map value */
13170 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
13171 			BPF_EXIT_INSN(),
13172 		},
13173 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13174 		.fixup_map_hash_8b = { 12, 22 },
13175 		.result = REJECT,
13176 		.errstr = "R0 invalid mem access 'inv'",
13177 	},
13178 	{
13179 		"calls: pkt_ptr spill into caller stack",
13180 		.insns = {
13181 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13182 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13183 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
13184 			BPF_EXIT_INSN(),
13185 
13186 			/* subprog 1 */
13187 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13188 				    offsetof(struct __sk_buff, data)),
13189 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13190 				    offsetof(struct __sk_buff, data_end)),
13191 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13192 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13193 			/* spill unchecked pkt_ptr into stack of caller */
13194 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13195 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
13196 			/* now the pkt range is verified, read pkt_ptr from stack */
13197 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
13198 			/* write 4 bytes into packet */
13199 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13200 			BPF_EXIT_INSN(),
13201 		},
13202 		.result = ACCEPT,
13203 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13204 		.retval = POINTER_VALUE,
13205 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13206 	},
13207 	{
13208 		"calls: pkt_ptr spill into caller stack 2",
13209 		.insns = {
13210 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13211 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13212 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13213 			/* Marking is still kept, but not in all cases safe. */
13214 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13215 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
13216 			BPF_EXIT_INSN(),
13217 
13218 			/* subprog 1 */
13219 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13220 				    offsetof(struct __sk_buff, data)),
13221 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13222 				    offsetof(struct __sk_buff, data_end)),
13223 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13224 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13225 			/* spill unchecked pkt_ptr into stack of caller */
13226 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13227 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
13228 			/* now the pkt range is verified, read pkt_ptr from stack */
13229 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
13230 			/* write 4 bytes into packet */
13231 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13232 			BPF_EXIT_INSN(),
13233 		},
13234 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13235 		.errstr = "invalid access to packet",
13236 		.result = REJECT,
13237 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13238 	},
13239 	{
13240 		"calls: pkt_ptr spill into caller stack 3",
13241 		.insns = {
13242 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13243 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13244 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
13245 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13246 			/* Marking is still kept and safe here. */
13247 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13248 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
13249 			BPF_EXIT_INSN(),
13250 
13251 			/* subprog 1 */
13252 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13253 				    offsetof(struct __sk_buff, data)),
13254 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13255 				    offsetof(struct __sk_buff, data_end)),
13256 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13257 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13258 			/* spill unchecked pkt_ptr into stack of caller */
13259 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13260 			BPF_MOV64_IMM(BPF_REG_5, 0),
13261 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
13262 			BPF_MOV64_IMM(BPF_REG_5, 1),
13263 			/* now the pkt range is verified, read pkt_ptr from stack */
13264 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
13265 			/* write 4 bytes into packet */
13266 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13267 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13268 			BPF_EXIT_INSN(),
13269 		},
13270 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13271 		.result = ACCEPT,
13272 		.retval = 1,
13273 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13274 	},
13275 	{
13276 		"calls: pkt_ptr spill into caller stack 4",
13277 		.insns = {
13278 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13279 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13280 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
13281 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13282 			/* Check marking propagated. */
13283 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13284 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
13285 			BPF_EXIT_INSN(),
13286 
13287 			/* subprog 1 */
13288 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13289 				    offsetof(struct __sk_buff, data)),
13290 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13291 				    offsetof(struct __sk_buff, data_end)),
13292 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13293 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13294 			/* spill unchecked pkt_ptr into stack of caller */
13295 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13296 			BPF_MOV64_IMM(BPF_REG_5, 0),
13297 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
13298 			BPF_MOV64_IMM(BPF_REG_5, 1),
13299 			/* don't read back pkt_ptr from stack here */
13300 			/* write 4 bytes into packet */
13301 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13302 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13303 			BPF_EXIT_INSN(),
13304 		},
13305 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13306 		.result = ACCEPT,
13307 		.retval = 1,
13308 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13309 	},
13310 	{
13311 		"calls: pkt_ptr spill into caller stack 5",
13312 		.insns = {
13313 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13314 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13315 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
13316 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13317 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13318 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
13319 			BPF_EXIT_INSN(),
13320 
13321 			/* subprog 1 */
13322 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13323 				    offsetof(struct __sk_buff, data)),
13324 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13325 				    offsetof(struct __sk_buff, data_end)),
13326 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13327 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13328 			BPF_MOV64_IMM(BPF_REG_5, 0),
13329 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
13330 			/* spill checked pkt_ptr into stack of caller */
13331 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13332 			BPF_MOV64_IMM(BPF_REG_5, 1),
13333 			/* don't read back pkt_ptr from stack here */
13334 			/* write 4 bytes into packet */
13335 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13336 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13337 			BPF_EXIT_INSN(),
13338 		},
13339 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13340 		.errstr = "same insn cannot be used with different",
13341 		.result = REJECT,
13342 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13343 	},
13344 	{
13345 		"calls: pkt_ptr spill into caller stack 6",
13346 		.insns = {
13347 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13348 				    offsetof(struct __sk_buff, data_end)),
13349 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13350 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13351 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13352 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13353 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13354 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
13355 			BPF_EXIT_INSN(),
13356 
13357 			/* subprog 1 */
13358 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13359 				    offsetof(struct __sk_buff, data)),
13360 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13361 				    offsetof(struct __sk_buff, data_end)),
13362 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13363 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13364 			BPF_MOV64_IMM(BPF_REG_5, 0),
13365 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
13366 			/* spill checked pkt_ptr into stack of caller */
13367 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13368 			BPF_MOV64_IMM(BPF_REG_5, 1),
13369 			/* don't read back pkt_ptr from stack here */
13370 			/* write 4 bytes into packet */
13371 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13372 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13373 			BPF_EXIT_INSN(),
13374 		},
13375 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13376 		.errstr = "R4 invalid mem access",
13377 		.result = REJECT,
13378 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13379 	},
13380 	{
13381 		"calls: pkt_ptr spill into caller stack 7",
13382 		.insns = {
13383 			BPF_MOV64_IMM(BPF_REG_2, 0),
13384 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13385 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13386 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13387 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13388 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13389 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
13390 			BPF_EXIT_INSN(),
13391 
13392 			/* subprog 1 */
13393 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13394 				    offsetof(struct __sk_buff, data)),
13395 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13396 				    offsetof(struct __sk_buff, data_end)),
13397 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13398 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13399 			BPF_MOV64_IMM(BPF_REG_5, 0),
13400 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
13401 			/* spill checked pkt_ptr into stack of caller */
13402 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13403 			BPF_MOV64_IMM(BPF_REG_5, 1),
13404 			/* don't read back pkt_ptr from stack here */
13405 			/* write 4 bytes into packet */
13406 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13407 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13408 			BPF_EXIT_INSN(),
13409 		},
13410 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13411 		.errstr = "R4 invalid mem access",
13412 		.result = REJECT,
13413 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13414 	},
13415 	{
13416 		"calls: pkt_ptr spill into caller stack 8",
13417 		.insns = {
13418 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13419 				    offsetof(struct __sk_buff, data)),
13420 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13421 				    offsetof(struct __sk_buff, data_end)),
13422 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13423 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13424 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13425 			BPF_EXIT_INSN(),
13426 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13427 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13428 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13429 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13430 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13431 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
13432 			BPF_EXIT_INSN(),
13433 
13434 			/* subprog 1 */
13435 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13436 				    offsetof(struct __sk_buff, data)),
13437 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13438 				    offsetof(struct __sk_buff, data_end)),
13439 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13440 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13441 			BPF_MOV64_IMM(BPF_REG_5, 0),
13442 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
13443 			/* spill checked pkt_ptr into stack of caller */
13444 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13445 			BPF_MOV64_IMM(BPF_REG_5, 1),
13446 			/* don't read back pkt_ptr from stack here */
13447 			/* write 4 bytes into packet */
13448 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13449 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13450 			BPF_EXIT_INSN(),
13451 		},
13452 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13453 		.result = ACCEPT,
13454 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13455 	},
13456 	{
13457 		"calls: pkt_ptr spill into caller stack 9",
13458 		.insns = {
13459 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13460 				    offsetof(struct __sk_buff, data)),
13461 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13462 				    offsetof(struct __sk_buff, data_end)),
13463 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13464 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13465 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
13466 			BPF_EXIT_INSN(),
13467 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
13468 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
13469 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13470 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
13471 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
13472 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
13473 			BPF_EXIT_INSN(),
13474 
13475 			/* subprog 1 */
13476 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13477 				    offsetof(struct __sk_buff, data)),
13478 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13479 				    offsetof(struct __sk_buff, data_end)),
13480 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
13481 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
13482 			BPF_MOV64_IMM(BPF_REG_5, 0),
13483 			/* spill unchecked pkt_ptr into stack of caller */
13484 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
13485 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
13486 			BPF_MOV64_IMM(BPF_REG_5, 1),
13487 			/* don't read back pkt_ptr from stack here */
13488 			/* write 4 bytes into packet */
13489 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13490 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
13491 			BPF_EXIT_INSN(),
13492 		},
13493 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13494 		.errstr = "invalid access to packet",
13495 		.result = REJECT,
13496 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13497 	},
13498 	{
13499 		"calls: caller stack init to zero or map_value_or_null",
13500 		.insns = {
13501 			BPF_MOV64_IMM(BPF_REG_0, 0),
13502 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
13503 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13504 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13505 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
13506 			/* fetch map_value_or_null or const_zero from stack */
13507 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
13508 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
13509 			/* store into map_value */
13510 			BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
13511 			BPF_EXIT_INSN(),
13512 
13513 			/* subprog 1 */
13514 			/* if (ctx == 0) return; */
13515 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
13516 			/* else bpf_map_lookup() and *(fp - 8) = r0 */
13517 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
13518 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13519 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13520 			BPF_LD_MAP_FD(BPF_REG_1, 0),
13521 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13522 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13523 				     BPF_FUNC_map_lookup_elem),
13524 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
13525 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
13526 			BPF_EXIT_INSN(),
13527 		},
13528 		.fixup_map_hash_8b = { 13 },
13529 		.result = ACCEPT,
13530 		.prog_type = BPF_PROG_TYPE_XDP,
13531 	},
13532 	{
13533 		"calls: stack init to zero and pruning",
13534 		.insns = {
13535 			/* first make allocated_stack 16 byte */
13536 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
13537 			/* now fork the execution such that the false branch
13538 			 * of JGT insn will be verified second and it skisp zero
13539 			 * init of fp-8 stack slot. If stack liveness marking
13540 			 * is missing live_read marks from call map_lookup
13541 			 * processing then pruning will incorrectly assume
13542 			 * that fp-8 stack slot was unused in the fall-through
13543 			 * branch and will accept the program incorrectly
13544 			 */
13545 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
13546 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13547 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
13548 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13549 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13550 			BPF_LD_MAP_FD(BPF_REG_1, 0),
13551 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13552 				     BPF_FUNC_map_lookup_elem),
13553 			BPF_EXIT_INSN(),
13554 		},
13555 		.fixup_map_hash_48b = { 6 },
13556 		.errstr = "invalid indirect read from stack off -8+0 size 8",
13557 		.result = REJECT,
13558 		.prog_type = BPF_PROG_TYPE_XDP,
13559 	},
13560 	{
13561 		"calls: two calls returning different map pointers for lookup (hash, array)",
13562 		.insns = {
13563 			/* main prog */
13564 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
13565 			BPF_CALL_REL(11),
13566 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13567 			BPF_CALL_REL(12),
13568 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13569 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13570 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13571 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13572 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13573 				     BPF_FUNC_map_lookup_elem),
13574 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13575 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
13576 				   offsetof(struct test_val, foo)),
13577 			BPF_MOV64_IMM(BPF_REG_0, 1),
13578 			BPF_EXIT_INSN(),
13579 			/* subprog 1 */
13580 			BPF_LD_MAP_FD(BPF_REG_0, 0),
13581 			BPF_EXIT_INSN(),
13582 			/* subprog 2 */
13583 			BPF_LD_MAP_FD(BPF_REG_0, 0),
13584 			BPF_EXIT_INSN(),
13585 		},
13586 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13587 		.fixup_map_hash_48b = { 13 },
13588 		.fixup_map_array_48b = { 16 },
13589 		.result = ACCEPT,
13590 		.retval = 1,
13591 	},
13592 	{
13593 		"calls: two calls returning different map pointers for lookup (hash, map in map)",
13594 		.insns = {
13595 			/* main prog */
13596 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
13597 			BPF_CALL_REL(11),
13598 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
13599 			BPF_CALL_REL(12),
13600 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
13601 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13602 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13603 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13604 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13605 				     BPF_FUNC_map_lookup_elem),
13606 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
13607 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
13608 				   offsetof(struct test_val, foo)),
13609 			BPF_MOV64_IMM(BPF_REG_0, 1),
13610 			BPF_EXIT_INSN(),
13611 			/* subprog 1 */
13612 			BPF_LD_MAP_FD(BPF_REG_0, 0),
13613 			BPF_EXIT_INSN(),
13614 			/* subprog 2 */
13615 			BPF_LD_MAP_FD(BPF_REG_0, 0),
13616 			BPF_EXIT_INSN(),
13617 		},
13618 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13619 		.fixup_map_in_map = { 16 },
13620 		.fixup_map_array_48b = { 13 },
13621 		.result = REJECT,
13622 		.errstr = "R0 invalid mem access 'map_ptr'",
13623 	},
13624 	{
13625 		"cond: two branches returning different map pointers for lookup (tail, tail)",
13626 		.insns = {
13627 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
13628 				    offsetof(struct __sk_buff, mark)),
13629 			BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
13630 			BPF_LD_MAP_FD(BPF_REG_2, 0),
13631 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
13632 			BPF_LD_MAP_FD(BPF_REG_2, 0),
13633 			BPF_MOV64_IMM(BPF_REG_3, 7),
13634 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13635 				     BPF_FUNC_tail_call),
13636 			BPF_MOV64_IMM(BPF_REG_0, 1),
13637 			BPF_EXIT_INSN(),
13638 		},
13639 		.fixup_prog1 = { 5 },
13640 		.fixup_prog2 = { 2 },
13641 		.result_unpriv = REJECT,
13642 		.errstr_unpriv = "tail_call abusing map_ptr",
13643 		.result = ACCEPT,
13644 		.retval = 42,
13645 	},
13646 	{
13647 		"cond: two branches returning same map pointers for lookup (tail, tail)",
13648 		.insns = {
13649 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
13650 				    offsetof(struct __sk_buff, mark)),
13651 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
13652 			BPF_LD_MAP_FD(BPF_REG_2, 0),
13653 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
13654 			BPF_LD_MAP_FD(BPF_REG_2, 0),
13655 			BPF_MOV64_IMM(BPF_REG_3, 7),
13656 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13657 				     BPF_FUNC_tail_call),
13658 			BPF_MOV64_IMM(BPF_REG_0, 1),
13659 			BPF_EXIT_INSN(),
13660 		},
13661 		.fixup_prog2 = { 2, 5 },
13662 		.result_unpriv = ACCEPT,
13663 		.result = ACCEPT,
13664 		.retval = 42,
13665 	},
13666 	{
13667 		"search pruning: all branches should be verified (nop operation)",
13668 		.insns = {
13669 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13670 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13671 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
13672 			BPF_LD_MAP_FD(BPF_REG_1, 0),
13673 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
13674 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
13675 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
13676 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
13677 			BPF_MOV64_IMM(BPF_REG_4, 0),
13678 			BPF_JMP_A(1),
13679 			BPF_MOV64_IMM(BPF_REG_4, 1),
13680 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
13681 			BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
13682 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
13683 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
13684 			BPF_MOV64_IMM(BPF_REG_6, 0),
13685 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
13686 			BPF_EXIT_INSN(),
13687 		},
13688 		.fixup_map_hash_8b = { 3 },
13689 		.errstr = "R6 invalid mem access 'inv'",
13690 		.result = REJECT,
13691 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
13692 	},
13693 	{
13694 		"search pruning: all branches should be verified (invalid stack access)",
13695 		.insns = {
13696 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13697 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13698 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
13699 			BPF_LD_MAP_FD(BPF_REG_1, 0),
13700 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
13701 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
13702 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
13703 			BPF_MOV64_IMM(BPF_REG_4, 0),
13704 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
13705 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
13706 			BPF_JMP_A(1),
13707 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
13708 			BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
13709 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
13710 			BPF_EXIT_INSN(),
13711 		},
13712 		.fixup_map_hash_8b = { 3 },
13713 		.errstr = "invalid read from stack off -16+0 size 8",
13714 		.result = REJECT,
13715 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
13716 	},
13717 	{
13718 		"jit: lsh, rsh, arsh by 1",
13719 		.insns = {
13720 			BPF_MOV64_IMM(BPF_REG_0, 1),
13721 			BPF_MOV64_IMM(BPF_REG_1, 0xff),
13722 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
13723 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
13724 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
13725 			BPF_EXIT_INSN(),
13726 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
13727 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
13728 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
13729 			BPF_EXIT_INSN(),
13730 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
13731 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
13732 			BPF_EXIT_INSN(),
13733 			BPF_MOV64_IMM(BPF_REG_0, 2),
13734 			BPF_EXIT_INSN(),
13735 		},
13736 		.result = ACCEPT,
13737 		.retval = 2,
13738 	},
13739 	{
13740 		"jit: mov32 for ldimm64, 1",
13741 		.insns = {
13742 			BPF_MOV64_IMM(BPF_REG_0, 2),
13743 			BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
13744 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
13745 			BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
13746 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
13747 			BPF_MOV64_IMM(BPF_REG_0, 1),
13748 			BPF_EXIT_INSN(),
13749 		},
13750 		.result = ACCEPT,
13751 		.retval = 2,
13752 	},
13753 	{
13754 		"jit: mov32 for ldimm64, 2",
13755 		.insns = {
13756 			BPF_MOV64_IMM(BPF_REG_0, 1),
13757 			BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
13758 			BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
13759 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
13760 			BPF_MOV64_IMM(BPF_REG_0, 2),
13761 			BPF_EXIT_INSN(),
13762 		},
13763 		.result = ACCEPT,
13764 		.retval = 2,
13765 	},
13766 	{
13767 		"jit: various mul tests",
13768 		.insns = {
13769 			BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
13770 			BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
13771 			BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
13772 			BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
13773 			BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
13774 			BPF_MOV64_IMM(BPF_REG_0, 1),
13775 			BPF_EXIT_INSN(),
13776 			BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
13777 			BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
13778 			BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
13779 			BPF_MOV64_IMM(BPF_REG_0, 1),
13780 			BPF_EXIT_INSN(),
13781 			BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
13782 			BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
13783 			BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
13784 			BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
13785 			BPF_MOV64_IMM(BPF_REG_0, 1),
13786 			BPF_EXIT_INSN(),
13787 			BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
13788 			BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
13789 			BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
13790 			BPF_MOV64_IMM(BPF_REG_0, 1),
13791 			BPF_EXIT_INSN(),
13792 			BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
13793 			BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
13794 			BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
13795 			BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
13796 			BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
13797 			BPF_MOV64_IMM(BPF_REG_0, 1),
13798 			BPF_EXIT_INSN(),
13799 			BPF_MOV64_IMM(BPF_REG_0, 2),
13800 			BPF_EXIT_INSN(),
13801 		},
13802 		.result = ACCEPT,
13803 		.retval = 2,
13804 	},
13805 	{
13806 		"xadd/w check unaligned stack",
13807 		.insns = {
13808 			BPF_MOV64_IMM(BPF_REG_0, 1),
13809 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
13810 			BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
13811 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
13812 			BPF_EXIT_INSN(),
13813 		},
13814 		.result = REJECT,
13815 		.errstr = "misaligned stack access off",
13816 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13817 	},
13818 	{
13819 		"xadd/w check unaligned map",
13820 		.insns = {
13821 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13822 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13823 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13824 			BPF_LD_MAP_FD(BPF_REG_1, 0),
13825 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13826 				     BPF_FUNC_map_lookup_elem),
13827 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
13828 			BPF_EXIT_INSN(),
13829 			BPF_MOV64_IMM(BPF_REG_1, 1),
13830 			BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
13831 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
13832 			BPF_EXIT_INSN(),
13833 		},
13834 		.fixup_map_hash_8b = { 3 },
13835 		.result = REJECT,
13836 		.errstr = "misaligned value access off",
13837 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13838 	},
13839 	{
13840 		"xadd/w check unaligned pkt",
13841 		.insns = {
13842 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
13843 				    offsetof(struct xdp_md, data)),
13844 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
13845 				    offsetof(struct xdp_md, data_end)),
13846 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
13847 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
13848 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
13849 			BPF_MOV64_IMM(BPF_REG_0, 99),
13850 			BPF_JMP_IMM(BPF_JA, 0, 0, 6),
13851 			BPF_MOV64_IMM(BPF_REG_0, 1),
13852 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
13853 			BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
13854 			BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
13855 			BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
13856 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
13857 			BPF_EXIT_INSN(),
13858 		},
13859 		.result = REJECT,
13860 		.errstr = "BPF_XADD stores into R2 pkt is not allowed",
13861 		.prog_type = BPF_PROG_TYPE_XDP,
13862 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
13863 	},
13864 	{
13865 		"xadd/w check whether src/dst got mangled, 1",
13866 		.insns = {
13867 			BPF_MOV64_IMM(BPF_REG_0, 1),
13868 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13869 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
13870 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
13871 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
13872 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
13873 			BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
13874 			BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
13875 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
13876 			BPF_EXIT_INSN(),
13877 			BPF_MOV64_IMM(BPF_REG_0, 42),
13878 			BPF_EXIT_INSN(),
13879 		},
13880 		.result = ACCEPT,
13881 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13882 		.retval = 3,
13883 	},
13884 	{
13885 		"xadd/w check whether src/dst got mangled, 2",
13886 		.insns = {
13887 			BPF_MOV64_IMM(BPF_REG_0, 1),
13888 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
13889 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
13890 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
13891 			BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
13892 			BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
13893 			BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
13894 			BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
13895 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
13896 			BPF_EXIT_INSN(),
13897 			BPF_MOV64_IMM(BPF_REG_0, 42),
13898 			BPF_EXIT_INSN(),
13899 		},
13900 		.result = ACCEPT,
13901 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13902 		.retval = 3,
13903 	},
13904 	{
13905 		"bpf_get_stack return R0 within range",
13906 		.insns = {
13907 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13908 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
13909 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
13910 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
13911 			BPF_LD_MAP_FD(BPF_REG_1, 0),
13912 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
13913 				     BPF_FUNC_map_lookup_elem),
13914 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
13915 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
13916 			BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
13917 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13918 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
13919 			BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
13920 			BPF_MOV64_IMM(BPF_REG_4, 256),
13921 			BPF_EMIT_CALL(BPF_FUNC_get_stack),
13922 			BPF_MOV64_IMM(BPF_REG_1, 0),
13923 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
13924 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
13925 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
13926 			BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
13927 			BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
13928 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
13929 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
13930 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
13931 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
13932 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
13933 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
13934 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
13935 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
13936 			BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
13937 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
13938 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
13939 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
13940 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
13941 			BPF_MOV64_IMM(BPF_REG_4, 0),
13942 			BPF_EMIT_CALL(BPF_FUNC_get_stack),
13943 			BPF_EXIT_INSN(),
13944 		},
13945 		.fixup_map_hash_48b = { 4 },
13946 		.result = ACCEPT,
13947 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
13948 	},
13949 	{
13950 		"ld_abs: invalid op 1",
13951 		.insns = {
13952 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13953 			BPF_LD_ABS(BPF_DW, 0),
13954 			BPF_EXIT_INSN(),
13955 		},
13956 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13957 		.result = REJECT,
13958 		.errstr = "unknown opcode",
13959 	},
13960 	{
13961 		"ld_abs: invalid op 2",
13962 		.insns = {
13963 			BPF_MOV32_IMM(BPF_REG_0, 256),
13964 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13965 			BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
13966 			BPF_EXIT_INSN(),
13967 		},
13968 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
13969 		.result = REJECT,
13970 		.errstr = "unknown opcode",
13971 	},
13972 	{
13973 		"ld_abs: nmap reduced",
13974 		.insns = {
13975 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
13976 			BPF_LD_ABS(BPF_H, 12),
13977 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
13978 			BPF_LD_ABS(BPF_H, 12),
13979 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
13980 			BPF_MOV32_IMM(BPF_REG_0, 18),
13981 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
13982 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
13983 			BPF_LD_IND(BPF_W, BPF_REG_7, 14),
13984 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
13985 			BPF_MOV32_IMM(BPF_REG_0, 280971478),
13986 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
13987 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
13988 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
13989 			BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
13990 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
13991 			BPF_LD_ABS(BPF_H, 12),
13992 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
13993 			BPF_MOV32_IMM(BPF_REG_0, 22),
13994 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
13995 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
13996 			BPF_LD_IND(BPF_H, BPF_REG_7, 14),
13997 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
13998 			BPF_MOV32_IMM(BPF_REG_0, 17366),
13999 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
14000 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
14001 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
14002 			BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
14003 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
14004 			BPF_MOV32_IMM(BPF_REG_0, 256),
14005 			BPF_EXIT_INSN(),
14006 			BPF_MOV32_IMM(BPF_REG_0, 0),
14007 			BPF_EXIT_INSN(),
14008 		},
14009 		.data = {
14010 			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
14011 			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
14012 			0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
14013 		},
14014 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14015 		.result = ACCEPT,
14016 		.retval = 256,
14017 	},
14018 	{
14019 		"ld_abs: div + abs, test 1",
14020 		.insns = {
14021 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
14022 			BPF_LD_ABS(BPF_B, 3),
14023 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
14024 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
14025 			BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
14026 			BPF_LD_ABS(BPF_B, 4),
14027 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
14028 			BPF_LD_IND(BPF_B, BPF_REG_8, -70),
14029 			BPF_EXIT_INSN(),
14030 		},
14031 		.data = {
14032 			10, 20, 30, 40, 50,
14033 		},
14034 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14035 		.result = ACCEPT,
14036 		.retval = 10,
14037 	},
14038 	{
14039 		"ld_abs: div + abs, test 2",
14040 		.insns = {
14041 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
14042 			BPF_LD_ABS(BPF_B, 3),
14043 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
14044 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
14045 			BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
14046 			BPF_LD_ABS(BPF_B, 128),
14047 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
14048 			BPF_LD_IND(BPF_B, BPF_REG_8, -70),
14049 			BPF_EXIT_INSN(),
14050 		},
14051 		.data = {
14052 			10, 20, 30, 40, 50,
14053 		},
14054 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14055 		.result = ACCEPT,
14056 		.retval = 0,
14057 	},
14058 	{
14059 		"ld_abs: div + abs, test 3",
14060 		.insns = {
14061 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
14062 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
14063 			BPF_LD_ABS(BPF_B, 3),
14064 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
14065 			BPF_EXIT_INSN(),
14066 		},
14067 		.data = {
14068 			10, 20, 30, 40, 50,
14069 		},
14070 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14071 		.result = ACCEPT,
14072 		.retval = 0,
14073 	},
14074 	{
14075 		"ld_abs: div + abs, test 4",
14076 		.insns = {
14077 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
14078 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
14079 			BPF_LD_ABS(BPF_B, 256),
14080 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
14081 			BPF_EXIT_INSN(),
14082 		},
14083 		.data = {
14084 			10, 20, 30, 40, 50,
14085 		},
14086 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14087 		.result = ACCEPT,
14088 		.retval = 0,
14089 	},
14090 	{
14091 		"ld_abs: vlan + abs, test 1",
14092 		.insns = { },
14093 		.data = {
14094 			0x34,
14095 		},
14096 		.fill_helper = bpf_fill_ld_abs_vlan_push_pop,
14097 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14098 		.result = ACCEPT,
14099 		.retval = 0xbef,
14100 	},
14101 	{
14102 		"ld_abs: vlan + abs, test 2",
14103 		.insns = {
14104 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
14105 			BPF_LD_ABS(BPF_B, 0),
14106 			BPF_LD_ABS(BPF_H, 0),
14107 			BPF_LD_ABS(BPF_W, 0),
14108 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
14109 			BPF_MOV64_IMM(BPF_REG_6, 0),
14110 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
14111 			BPF_MOV64_IMM(BPF_REG_2, 1),
14112 			BPF_MOV64_IMM(BPF_REG_3, 2),
14113 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14114 				     BPF_FUNC_skb_vlan_push),
14115 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
14116 			BPF_LD_ABS(BPF_B, 0),
14117 			BPF_LD_ABS(BPF_H, 0),
14118 			BPF_LD_ABS(BPF_W, 0),
14119 			BPF_MOV64_IMM(BPF_REG_0, 42),
14120 			BPF_EXIT_INSN(),
14121 		},
14122 		.data = {
14123 			0x34,
14124 		},
14125 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14126 		.result = ACCEPT,
14127 		.retval = 42,
14128 	},
14129 	{
14130 		"ld_abs: jump around ld_abs",
14131 		.insns = { },
14132 		.data = {
14133 			10, 11,
14134 		},
14135 		.fill_helper = bpf_fill_jump_around_ld_abs,
14136 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14137 		.result = ACCEPT,
14138 		.retval = 10,
14139 	},
14140 	{
14141 		"ld_dw: xor semi-random 64 bit imms, test 1",
14142 		.insns = { },
14143 		.data = { },
14144 		.fill_helper = bpf_fill_rand_ld_dw,
14145 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14146 		.result = ACCEPT,
14147 		.retval = 4090,
14148 	},
14149 	{
14150 		"ld_dw: xor semi-random 64 bit imms, test 2",
14151 		.insns = { },
14152 		.data = { },
14153 		.fill_helper = bpf_fill_rand_ld_dw,
14154 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14155 		.result = ACCEPT,
14156 		.retval = 2047,
14157 	},
14158 	{
14159 		"ld_dw: xor semi-random 64 bit imms, test 3",
14160 		.insns = { },
14161 		.data = { },
14162 		.fill_helper = bpf_fill_rand_ld_dw,
14163 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14164 		.result = ACCEPT,
14165 		.retval = 511,
14166 	},
14167 	{
14168 		"ld_dw: xor semi-random 64 bit imms, test 4",
14169 		.insns = { },
14170 		.data = { },
14171 		.fill_helper = bpf_fill_rand_ld_dw,
14172 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14173 		.result = ACCEPT,
14174 		.retval = 5,
14175 	},
14176 	{
14177 		"pass unmodified ctx pointer to helper",
14178 		.insns = {
14179 			BPF_MOV64_IMM(BPF_REG_2, 0),
14180 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14181 				     BPF_FUNC_csum_update),
14182 			BPF_MOV64_IMM(BPF_REG_0, 0),
14183 			BPF_EXIT_INSN(),
14184 		},
14185 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14186 		.result = ACCEPT,
14187 	},
14188 	{
14189 		"reference tracking: leak potential reference",
14190 		.insns = {
14191 			BPF_SK_LOOKUP,
14192 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0), /* leak reference */
14193 			BPF_EXIT_INSN(),
14194 		},
14195 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14196 		.errstr = "Unreleased reference",
14197 		.result = REJECT,
14198 	},
14199 	{
14200 		"reference tracking: leak potential reference on stack",
14201 		.insns = {
14202 			BPF_SK_LOOKUP,
14203 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
14204 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
14205 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
14206 			BPF_MOV64_IMM(BPF_REG_0, 0),
14207 			BPF_EXIT_INSN(),
14208 		},
14209 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14210 		.errstr = "Unreleased reference",
14211 		.result = REJECT,
14212 	},
14213 	{
14214 		"reference tracking: leak potential reference on stack 2",
14215 		.insns = {
14216 			BPF_SK_LOOKUP,
14217 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
14218 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
14219 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
14220 			BPF_MOV64_IMM(BPF_REG_0, 0),
14221 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
14222 			BPF_EXIT_INSN(),
14223 		},
14224 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14225 		.errstr = "Unreleased reference",
14226 		.result = REJECT,
14227 	},
14228 	{
14229 		"reference tracking: zero potential reference",
14230 		.insns = {
14231 			BPF_SK_LOOKUP,
14232 			BPF_MOV64_IMM(BPF_REG_0, 0), /* leak reference */
14233 			BPF_EXIT_INSN(),
14234 		},
14235 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14236 		.errstr = "Unreleased reference",
14237 		.result = REJECT,
14238 	},
14239 	{
14240 		"reference tracking: copy and zero potential references",
14241 		.insns = {
14242 			BPF_SK_LOOKUP,
14243 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
14244 			BPF_MOV64_IMM(BPF_REG_0, 0),
14245 			BPF_MOV64_IMM(BPF_REG_7, 0), /* leak reference */
14246 			BPF_EXIT_INSN(),
14247 		},
14248 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14249 		.errstr = "Unreleased reference",
14250 		.result = REJECT,
14251 	},
14252 	{
14253 		"reference tracking: release reference without check",
14254 		.insns = {
14255 			BPF_SK_LOOKUP,
14256 			/* reference in r0 may be NULL */
14257 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14258 			BPF_MOV64_IMM(BPF_REG_2, 0),
14259 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14260 			BPF_EXIT_INSN(),
14261 		},
14262 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14263 		.errstr = "type=sock_or_null expected=sock",
14264 		.result = REJECT,
14265 	},
14266 	{
14267 		"reference tracking: release reference",
14268 		.insns = {
14269 			BPF_SK_LOOKUP,
14270 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14271 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
14272 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14273 			BPF_EXIT_INSN(),
14274 		},
14275 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14276 		.result = ACCEPT,
14277 	},
14278 	{
14279 		"reference tracking: release reference 2",
14280 		.insns = {
14281 			BPF_SK_LOOKUP,
14282 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14283 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
14284 			BPF_EXIT_INSN(),
14285 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14286 			BPF_EXIT_INSN(),
14287 		},
14288 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14289 		.result = ACCEPT,
14290 	},
14291 	{
14292 		"reference tracking: release reference twice",
14293 		.insns = {
14294 			BPF_SK_LOOKUP,
14295 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14296 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
14297 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
14298 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14299 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
14300 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14301 			BPF_EXIT_INSN(),
14302 		},
14303 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14304 		.errstr = "type=inv expected=sock",
14305 		.result = REJECT,
14306 	},
14307 	{
14308 		"reference tracking: release reference twice inside branch",
14309 		.insns = {
14310 			BPF_SK_LOOKUP,
14311 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14312 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
14313 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3), /* goto end */
14314 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14315 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
14316 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14317 			BPF_EXIT_INSN(),
14318 		},
14319 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14320 		.errstr = "type=inv expected=sock",
14321 		.result = REJECT,
14322 	},
14323 	{
14324 		"reference tracking: alloc, check, free in one subbranch",
14325 		.insns = {
14326 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
14327 				    offsetof(struct __sk_buff, data)),
14328 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
14329 				    offsetof(struct __sk_buff, data_end)),
14330 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
14331 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
14332 			/* if (offsetof(skb, mark) > data_len) exit; */
14333 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
14334 			BPF_EXIT_INSN(),
14335 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
14336 				    offsetof(struct __sk_buff, mark)),
14337 			BPF_SK_LOOKUP,
14338 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 1), /* mark == 0? */
14339 			/* Leak reference in R0 */
14340 			BPF_EXIT_INSN(),
14341 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
14342 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14343 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14344 			BPF_EXIT_INSN(),
14345 		},
14346 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14347 		.errstr = "Unreleased reference",
14348 		.result = REJECT,
14349 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
14350 	},
14351 	{
14352 		"reference tracking: alloc, check, free in both subbranches",
14353 		.insns = {
14354 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
14355 				    offsetof(struct __sk_buff, data)),
14356 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
14357 				    offsetof(struct __sk_buff, data_end)),
14358 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
14359 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 16),
14360 			/* if (offsetof(skb, mark) > data_len) exit; */
14361 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
14362 			BPF_EXIT_INSN(),
14363 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_2,
14364 				    offsetof(struct __sk_buff, mark)),
14365 			BPF_SK_LOOKUP,
14366 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 4), /* mark == 0? */
14367 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
14368 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14369 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14370 			BPF_EXIT_INSN(),
14371 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2), /* sk NULL? */
14372 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14373 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14374 			BPF_EXIT_INSN(),
14375 		},
14376 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14377 		.result = ACCEPT,
14378 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
14379 	},
14380 	{
14381 		"reference tracking in call: free reference in subprog",
14382 		.insns = {
14383 			BPF_SK_LOOKUP,
14384 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
14385 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
14386 			BPF_MOV64_IMM(BPF_REG_0, 0),
14387 			BPF_EXIT_INSN(),
14388 
14389 			/* subprog 1 */
14390 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
14391 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
14392 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14393 			BPF_EXIT_INSN(),
14394 		},
14395 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14396 		.result = ACCEPT,
14397 	},
14398 	{
14399 		"pass modified ctx pointer to helper, 1",
14400 		.insns = {
14401 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
14402 			BPF_MOV64_IMM(BPF_REG_2, 0),
14403 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14404 				     BPF_FUNC_csum_update),
14405 			BPF_MOV64_IMM(BPF_REG_0, 0),
14406 			BPF_EXIT_INSN(),
14407 		},
14408 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14409 		.result = REJECT,
14410 		.errstr = "dereference of modified ctx ptr",
14411 	},
14412 	{
14413 		"pass modified ctx pointer to helper, 2",
14414 		.insns = {
14415 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
14416 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14417 				     BPF_FUNC_get_socket_cookie),
14418 			BPF_MOV64_IMM(BPF_REG_0, 0),
14419 			BPF_EXIT_INSN(),
14420 		},
14421 		.result_unpriv = REJECT,
14422 		.result = REJECT,
14423 		.errstr_unpriv = "dereference of modified ctx ptr",
14424 		.errstr = "dereference of modified ctx ptr",
14425 	},
14426 	{
14427 		"pass modified ctx pointer to helper, 3",
14428 		.insns = {
14429 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
14430 			BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
14431 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
14432 			BPF_MOV64_IMM(BPF_REG_2, 0),
14433 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
14434 				     BPF_FUNC_csum_update),
14435 			BPF_MOV64_IMM(BPF_REG_0, 0),
14436 			BPF_EXIT_INSN(),
14437 		},
14438 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14439 		.result = REJECT,
14440 		.errstr = "variable ctx access var_off=(0x0; 0x4)",
14441 	},
14442 	{
14443 		"mov64 src == dst",
14444 		.insns = {
14445 			BPF_MOV64_IMM(BPF_REG_2, 0),
14446 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_2),
14447 			// Check bounds are OK
14448 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
14449 			BPF_MOV64_IMM(BPF_REG_0, 0),
14450 			BPF_EXIT_INSN(),
14451 		},
14452 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14453 		.result = ACCEPT,
14454 	},
14455 	{
14456 		"mov64 src != dst",
14457 		.insns = {
14458 			BPF_MOV64_IMM(BPF_REG_3, 0),
14459 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
14460 			// Check bounds are OK
14461 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
14462 			BPF_MOV64_IMM(BPF_REG_0, 0),
14463 			BPF_EXIT_INSN(),
14464 		},
14465 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14466 		.result = ACCEPT,
14467 	},
14468 	{
14469 		"allocated_stack",
14470 		.insns = {
14471 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
14472 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_get_prandom_u32),
14473 			BPF_ALU64_REG(BPF_MOV, BPF_REG_7, BPF_REG_0),
14474 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
14475 			BPF_MOV64_IMM(BPF_REG_0, 0),
14476 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
14477 			BPF_LDX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, -8),
14478 			BPF_STX_MEM(BPF_B, BPF_REG_10, BPF_REG_7, -9),
14479 			BPF_LDX_MEM(BPF_B, BPF_REG_7, BPF_REG_10, -9),
14480 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
14481 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
14482 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
14483 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 0),
14484 			BPF_EXIT_INSN(),
14485 		},
14486 		.result = ACCEPT,
14487 		.result_unpriv = ACCEPT,
14488 		.insn_processed = 15,
14489 	},
14490 	{
14491 		"masking, test out of bounds 1",
14492 		.insns = {
14493 			BPF_MOV32_IMM(BPF_REG_1, 5),
14494 			BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
14495 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14496 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14497 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14498 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14499 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14500 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14501 			BPF_EXIT_INSN(),
14502 		},
14503 		.result = ACCEPT,
14504 		.retval = 0,
14505 	},
14506 	{
14507 		"masking, test out of bounds 2",
14508 		.insns = {
14509 			BPF_MOV32_IMM(BPF_REG_1, 1),
14510 			BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14511 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14512 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14513 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14514 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14515 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14516 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14517 			BPF_EXIT_INSN(),
14518 		},
14519 		.result = ACCEPT,
14520 		.retval = 0,
14521 	},
14522 	{
14523 		"masking, test out of bounds 3",
14524 		.insns = {
14525 			BPF_MOV32_IMM(BPF_REG_1, 0xffffffff),
14526 			BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14527 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14528 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14529 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14530 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14531 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14532 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14533 			BPF_EXIT_INSN(),
14534 		},
14535 		.result = ACCEPT,
14536 		.retval = 0,
14537 	},
14538 	{
14539 		"masking, test out of bounds 4",
14540 		.insns = {
14541 			BPF_MOV32_IMM(BPF_REG_1, 0xffffffff),
14542 			BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14543 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14544 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14545 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14546 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14547 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14548 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14549 			BPF_EXIT_INSN(),
14550 		},
14551 		.result = ACCEPT,
14552 		.retval = 0,
14553 	},
14554 	{
14555 		"masking, test out of bounds 5",
14556 		.insns = {
14557 			BPF_MOV32_IMM(BPF_REG_1, -1),
14558 			BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14559 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14560 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14561 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14562 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14563 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14564 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14565 			BPF_EXIT_INSN(),
14566 		},
14567 		.result = ACCEPT,
14568 		.retval = 0,
14569 	},
14570 	{
14571 		"masking, test out of bounds 6",
14572 		.insns = {
14573 			BPF_MOV32_IMM(BPF_REG_1, -1),
14574 			BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14575 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14576 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14577 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14578 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14579 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14580 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14581 			BPF_EXIT_INSN(),
14582 		},
14583 		.result = ACCEPT,
14584 		.retval = 0,
14585 	},
14586 	{
14587 		"masking, test out of bounds 7",
14588 		.insns = {
14589 			BPF_MOV64_IMM(BPF_REG_1, 5),
14590 			BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
14591 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14592 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14593 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14594 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14595 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14596 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14597 			BPF_EXIT_INSN(),
14598 		},
14599 		.result = ACCEPT,
14600 		.retval = 0,
14601 	},
14602 	{
14603 		"masking, test out of bounds 8",
14604 		.insns = {
14605 			BPF_MOV64_IMM(BPF_REG_1, 1),
14606 			BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14607 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14608 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14609 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14610 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14611 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14612 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14613 			BPF_EXIT_INSN(),
14614 		},
14615 		.result = ACCEPT,
14616 		.retval = 0,
14617 	},
14618 	{
14619 		"masking, test out of bounds 9",
14620 		.insns = {
14621 			BPF_MOV64_IMM(BPF_REG_1, 0xffffffff),
14622 			BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14623 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14624 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14625 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14626 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14627 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14628 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14629 			BPF_EXIT_INSN(),
14630 		},
14631 		.result = ACCEPT,
14632 		.retval = 0,
14633 	},
14634 	{
14635 		"masking, test out of bounds 10",
14636 		.insns = {
14637 			BPF_MOV64_IMM(BPF_REG_1, 0xffffffff),
14638 			BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14639 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14640 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14641 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14642 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14643 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14644 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14645 			BPF_EXIT_INSN(),
14646 		},
14647 		.result = ACCEPT,
14648 		.retval = 0,
14649 	},
14650 	{
14651 		"masking, test out of bounds 11",
14652 		.insns = {
14653 			BPF_MOV64_IMM(BPF_REG_1, -1),
14654 			BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14655 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14656 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14657 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14658 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14659 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14660 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14661 			BPF_EXIT_INSN(),
14662 		},
14663 		.result = ACCEPT,
14664 		.retval = 0,
14665 	},
14666 	{
14667 		"masking, test out of bounds 12",
14668 		.insns = {
14669 			BPF_MOV64_IMM(BPF_REG_1, -1),
14670 			BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14671 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14672 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14673 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14674 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14675 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14676 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14677 			BPF_EXIT_INSN(),
14678 		},
14679 		.result = ACCEPT,
14680 		.retval = 0,
14681 	},
14682 	{
14683 		"masking, test in bounds 1",
14684 		.insns = {
14685 			BPF_MOV32_IMM(BPF_REG_1, 4),
14686 			BPF_MOV32_IMM(BPF_REG_2, 5 - 1),
14687 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14688 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14689 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14690 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14691 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14692 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14693 			BPF_EXIT_INSN(),
14694 		},
14695 		.result = ACCEPT,
14696 		.retval = 4,
14697 	},
14698 	{
14699 		"masking, test in bounds 2",
14700 		.insns = {
14701 			BPF_MOV32_IMM(BPF_REG_1, 0),
14702 			BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14703 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14704 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14705 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14706 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14707 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14708 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14709 			BPF_EXIT_INSN(),
14710 		},
14711 		.result = ACCEPT,
14712 		.retval = 0,
14713 	},
14714 	{
14715 		"masking, test in bounds 3",
14716 		.insns = {
14717 			BPF_MOV32_IMM(BPF_REG_1, 0xfffffffe),
14718 			BPF_MOV32_IMM(BPF_REG_2, 0xffffffff - 1),
14719 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14720 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14721 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14722 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14723 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14724 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14725 			BPF_EXIT_INSN(),
14726 		},
14727 		.result = ACCEPT,
14728 		.retval = 0xfffffffe,
14729 	},
14730 	{
14731 		"masking, test in bounds 4",
14732 		.insns = {
14733 			BPF_MOV32_IMM(BPF_REG_1, 0xabcde),
14734 			BPF_MOV32_IMM(BPF_REG_2, 0xabcdef - 1),
14735 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14736 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14737 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14738 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14739 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14740 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14741 			BPF_EXIT_INSN(),
14742 		},
14743 		.result = ACCEPT,
14744 		.retval = 0xabcde,
14745 	},
14746 	{
14747 		"masking, test in bounds 5",
14748 		.insns = {
14749 			BPF_MOV32_IMM(BPF_REG_1, 0),
14750 			BPF_MOV32_IMM(BPF_REG_2, 1 - 1),
14751 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14752 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14753 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14754 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14755 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14756 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14757 			BPF_EXIT_INSN(),
14758 		},
14759 		.result = ACCEPT,
14760 		.retval = 0,
14761 	},
14762 	{
14763 		"masking, test in bounds 6",
14764 		.insns = {
14765 			BPF_MOV32_IMM(BPF_REG_1, 46),
14766 			BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
14767 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_1),
14768 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_1),
14769 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14770 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14771 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
14772 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
14773 			BPF_EXIT_INSN(),
14774 		},
14775 		.result = ACCEPT,
14776 		.retval = 46,
14777 	},
14778 	{
14779 		"masking, test in bounds 7",
14780 		.insns = {
14781 			BPF_MOV64_IMM(BPF_REG_3, -46),
14782 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_3, -1),
14783 			BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
14784 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_3),
14785 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_3),
14786 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14787 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14788 			BPF_ALU64_REG(BPF_AND, BPF_REG_3, BPF_REG_2),
14789 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
14790 			BPF_EXIT_INSN(),
14791 		},
14792 		.result = ACCEPT,
14793 		.retval = 46,
14794 	},
14795 	{
14796 		"masking, test in bounds 8",
14797 		.insns = {
14798 			BPF_MOV64_IMM(BPF_REG_3, -47),
14799 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_3, -1),
14800 			BPF_MOV32_IMM(BPF_REG_2, 47 - 1),
14801 			BPF_ALU64_REG(BPF_SUB, BPF_REG_2, BPF_REG_3),
14802 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_3),
14803 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_2, 0),
14804 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_2, 63),
14805 			BPF_ALU64_REG(BPF_AND, BPF_REG_3, BPF_REG_2),
14806 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
14807 			BPF_EXIT_INSN(),
14808 		},
14809 		.result = ACCEPT,
14810 		.retval = 0,
14811 	},
14812 	{
14813 		"reference tracking in call: free reference in subprog and outside",
14814 		.insns = {
14815 			BPF_SK_LOOKUP,
14816 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), /* unchecked reference */
14817 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
14818 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
14819 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
14820 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14821 			BPF_EXIT_INSN(),
14822 
14823 			/* subprog 1 */
14824 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
14825 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 1),
14826 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14827 			BPF_EXIT_INSN(),
14828 		},
14829 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14830 		.errstr = "type=inv expected=sock",
14831 		.result = REJECT,
14832 	},
14833 	{
14834 		"reference tracking in call: alloc & leak reference in subprog",
14835 		.insns = {
14836 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
14837 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
14838 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
14839 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14840 			BPF_MOV64_IMM(BPF_REG_0, 0),
14841 			BPF_EXIT_INSN(),
14842 
14843 			/* subprog 1 */
14844 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_4),
14845 			BPF_SK_LOOKUP,
14846 			/* spill unchecked sk_ptr into stack of caller */
14847 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
14848 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14849 			BPF_EXIT_INSN(),
14850 		},
14851 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14852 		.errstr = "Unreleased reference",
14853 		.result = REJECT,
14854 	},
14855 	{
14856 		"reference tracking in call: alloc in subprog, release outside",
14857 		.insns = {
14858 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
14859 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
14860 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14861 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
14862 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14863 			BPF_EXIT_INSN(),
14864 
14865 			/* subprog 1 */
14866 			BPF_SK_LOOKUP,
14867 			BPF_EXIT_INSN(), /* return sk */
14868 		},
14869 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14870 		.retval = POINTER_VALUE,
14871 		.result = ACCEPT,
14872 	},
14873 	{
14874 		"reference tracking in call: sk_ptr leak into caller stack",
14875 		.insns = {
14876 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
14877 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
14878 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
14879 			BPF_MOV64_IMM(BPF_REG_0, 0),
14880 			BPF_EXIT_INSN(),
14881 
14882 			/* subprog 1 */
14883 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
14884 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
14885 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
14886 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
14887 			/* spill unchecked sk_ptr into stack of caller */
14888 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
14889 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
14890 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
14891 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
14892 			BPF_EXIT_INSN(),
14893 
14894 			/* subprog 2 */
14895 			BPF_SK_LOOKUP,
14896 			BPF_EXIT_INSN(),
14897 		},
14898 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14899 		.errstr = "Unreleased reference",
14900 		.result = REJECT,
14901 	},
14902 	{
14903 		"reference tracking in call: sk_ptr spill into caller stack",
14904 		.insns = {
14905 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
14906 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
14907 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
14908 			BPF_MOV64_IMM(BPF_REG_0, 0),
14909 			BPF_EXIT_INSN(),
14910 
14911 			/* subprog 1 */
14912 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
14913 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
14914 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
14915 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
14916 			/* spill unchecked sk_ptr into stack of caller */
14917 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
14918 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, -8),
14919 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
14920 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_0, 0),
14921 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
14922 			/* now the sk_ptr is verified, free the reference */
14923 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_4, 0),
14924 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14925 			BPF_EXIT_INSN(),
14926 
14927 			/* subprog 2 */
14928 			BPF_SK_LOOKUP,
14929 			BPF_EXIT_INSN(),
14930 		},
14931 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14932 		.result = ACCEPT,
14933 	},
14934 	{
14935 		"reference tracking: allow LD_ABS",
14936 		.insns = {
14937 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
14938 			BPF_SK_LOOKUP,
14939 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14940 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
14941 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14942 			BPF_LD_ABS(BPF_B, 0),
14943 			BPF_LD_ABS(BPF_H, 0),
14944 			BPF_LD_ABS(BPF_W, 0),
14945 			BPF_EXIT_INSN(),
14946 		},
14947 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14948 		.result = ACCEPT,
14949 	},
14950 	{
14951 		"reference tracking: forbid LD_ABS while holding reference",
14952 		.insns = {
14953 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
14954 			BPF_SK_LOOKUP,
14955 			BPF_LD_ABS(BPF_B, 0),
14956 			BPF_LD_ABS(BPF_H, 0),
14957 			BPF_LD_ABS(BPF_W, 0),
14958 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14959 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
14960 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14961 			BPF_EXIT_INSN(),
14962 		},
14963 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14964 		.errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
14965 		.result = REJECT,
14966 	},
14967 	{
14968 		"reference tracking: allow LD_IND",
14969 		.insns = {
14970 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
14971 			BPF_SK_LOOKUP,
14972 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
14973 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
14974 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14975 			BPF_MOV64_IMM(BPF_REG_7, 1),
14976 			BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
14977 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
14978 			BPF_EXIT_INSN(),
14979 		},
14980 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14981 		.result = ACCEPT,
14982 		.retval = 1,
14983 	},
14984 	{
14985 		"reference tracking: forbid LD_IND while holding reference",
14986 		.insns = {
14987 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
14988 			BPF_SK_LOOKUP,
14989 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
14990 			BPF_MOV64_IMM(BPF_REG_7, 1),
14991 			BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
14992 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
14993 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_4),
14994 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
14995 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
14996 			BPF_EXIT_INSN(),
14997 		},
14998 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14999 		.errstr = "BPF_LD_[ABS|IND] cannot be mixed with socket references",
15000 		.result = REJECT,
15001 	},
15002 	{
15003 		"reference tracking: check reference or tail call",
15004 		.insns = {
15005 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
15006 			BPF_SK_LOOKUP,
15007 			/* if (sk) bpf_sk_release() */
15008 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15009 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 7),
15010 			/* bpf_tail_call() */
15011 			BPF_MOV64_IMM(BPF_REG_3, 2),
15012 			BPF_LD_MAP_FD(BPF_REG_2, 0),
15013 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
15014 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15015 				     BPF_FUNC_tail_call),
15016 			BPF_MOV64_IMM(BPF_REG_0, 0),
15017 			BPF_EXIT_INSN(),
15018 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
15019 			BPF_EXIT_INSN(),
15020 		},
15021 		.fixup_prog1 = { 17 },
15022 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
15023 		.result = ACCEPT,
15024 	},
15025 	{
15026 		"reference tracking: release reference then tail call",
15027 		.insns = {
15028 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
15029 			BPF_SK_LOOKUP,
15030 			/* if (sk) bpf_sk_release() */
15031 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15032 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
15033 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
15034 			/* bpf_tail_call() */
15035 			BPF_MOV64_IMM(BPF_REG_3, 2),
15036 			BPF_LD_MAP_FD(BPF_REG_2, 0),
15037 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
15038 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15039 				     BPF_FUNC_tail_call),
15040 			BPF_MOV64_IMM(BPF_REG_0, 0),
15041 			BPF_EXIT_INSN(),
15042 		},
15043 		.fixup_prog1 = { 18 },
15044 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
15045 		.result = ACCEPT,
15046 	},
15047 	{
15048 		"reference tracking: leak possible reference over tail call",
15049 		.insns = {
15050 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
15051 			/* Look up socket and store in REG_6 */
15052 			BPF_SK_LOOKUP,
15053 			/* bpf_tail_call() */
15054 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15055 			BPF_MOV64_IMM(BPF_REG_3, 2),
15056 			BPF_LD_MAP_FD(BPF_REG_2, 0),
15057 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
15058 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15059 				     BPF_FUNC_tail_call),
15060 			BPF_MOV64_IMM(BPF_REG_0, 0),
15061 			/* if (sk) bpf_sk_release() */
15062 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15063 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
15064 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
15065 			BPF_EXIT_INSN(),
15066 		},
15067 		.fixup_prog1 = { 16 },
15068 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
15069 		.errstr = "tail_call would lead to reference leak",
15070 		.result = REJECT,
15071 	},
15072 	{
15073 		"reference tracking: leak checked reference over tail call",
15074 		.insns = {
15075 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_1),
15076 			/* Look up socket and store in REG_6 */
15077 			BPF_SK_LOOKUP,
15078 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15079 			/* if (!sk) goto end */
15080 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
15081 			/* bpf_tail_call() */
15082 			BPF_MOV64_IMM(BPF_REG_3, 0),
15083 			BPF_LD_MAP_FD(BPF_REG_2, 0),
15084 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
15085 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15086 				     BPF_FUNC_tail_call),
15087 			BPF_MOV64_IMM(BPF_REG_0, 0),
15088 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15089 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
15090 			BPF_EXIT_INSN(),
15091 		},
15092 		.fixup_prog1 = { 17 },
15093 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
15094 		.errstr = "tail_call would lead to reference leak",
15095 		.result = REJECT,
15096 	},
15097 	{
15098 		"reference tracking: mangle and release sock_or_null",
15099 		.insns = {
15100 			BPF_SK_LOOKUP,
15101 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15102 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
15103 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
15104 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
15105 			BPF_EXIT_INSN(),
15106 		},
15107 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
15108 		.errstr = "R1 pointer arithmetic on sock_or_null prohibited",
15109 		.result = REJECT,
15110 	},
15111 	{
15112 		"reference tracking: mangle and release sock",
15113 		.insns = {
15114 			BPF_SK_LOOKUP,
15115 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15116 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
15117 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 5),
15118 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
15119 			BPF_EXIT_INSN(),
15120 		},
15121 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
15122 		.errstr = "R1 pointer arithmetic on sock prohibited",
15123 		.result = REJECT,
15124 	},
15125 	{
15126 		"reference tracking: access member",
15127 		.insns = {
15128 			BPF_SK_LOOKUP,
15129 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15130 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
15131 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
15132 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15133 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
15134 			BPF_EXIT_INSN(),
15135 		},
15136 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
15137 		.result = ACCEPT,
15138 	},
15139 	{
15140 		"reference tracking: write to member",
15141 		.insns = {
15142 			BPF_SK_LOOKUP,
15143 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15144 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
15145 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15146 			BPF_LD_IMM64(BPF_REG_2, 42),
15147 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_2,
15148 				    offsetof(struct bpf_sock, mark)),
15149 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15150 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
15151 			BPF_LD_IMM64(BPF_REG_0, 0),
15152 			BPF_EXIT_INSN(),
15153 		},
15154 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
15155 		.errstr = "cannot write into socket",
15156 		.result = REJECT,
15157 	},
15158 	{
15159 		"reference tracking: invalid 64-bit access of member",
15160 		.insns = {
15161 			BPF_SK_LOOKUP,
15162 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15163 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
15164 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
15165 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15166 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
15167 			BPF_EXIT_INSN(),
15168 		},
15169 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
15170 		.errstr = "invalid bpf_sock access off=0 size=8",
15171 		.result = REJECT,
15172 	},
15173 	{
15174 		"reference tracking: access after release",
15175 		.insns = {
15176 			BPF_SK_LOOKUP,
15177 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15178 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
15179 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
15180 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
15181 			BPF_EXIT_INSN(),
15182 		},
15183 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
15184 		.errstr = "!read_ok",
15185 		.result = REJECT,
15186 	},
15187 	{
15188 		"reference tracking: direct access for lookup",
15189 		.insns = {
15190 			/* Check that the packet is at least 64B long */
15191 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
15192 				    offsetof(struct __sk_buff, data)),
15193 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
15194 				    offsetof(struct __sk_buff, data_end)),
15195 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
15196 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
15197 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
15198 			/* sk = sk_lookup_tcp(ctx, skb->data, ...) */
15199 			BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)),
15200 			BPF_MOV64_IMM(BPF_REG_4, 0),
15201 			BPF_MOV64_IMM(BPF_REG_5, 0),
15202 			BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp),
15203 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
15204 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
15205 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_0, 4),
15206 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15207 			BPF_EMIT_CALL(BPF_FUNC_sk_release),
15208 			BPF_EXIT_INSN(),
15209 		},
15210 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
15211 		.result = ACCEPT,
15212 	},
15213 	{
15214 		"calls: ctx read at start of subprog",
15215 		.insns = {
15216 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
15217 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
15218 			BPF_JMP_REG(BPF_JSGT, BPF_REG_0, BPF_REG_0, 0),
15219 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
15220 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
15221 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15222 			BPF_EXIT_INSN(),
15223 			BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
15224 			BPF_MOV64_IMM(BPF_REG_0, 0),
15225 			BPF_EXIT_INSN(),
15226 		},
15227 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15228 		.errstr_unpriv = "function calls to other bpf functions are allowed for root only",
15229 		.result_unpriv = REJECT,
15230 		.result = ACCEPT,
15231 	},
15232 	{
15233 		"check wire_len is not readable by sockets",
15234 		.insns = {
15235 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
15236 				    offsetof(struct __sk_buff, wire_len)),
15237 			BPF_EXIT_INSN(),
15238 		},
15239 		.errstr = "invalid bpf_context access",
15240 		.result = REJECT,
15241 	},
15242 	{
15243 		"check wire_len is readable by tc classifier",
15244 		.insns = {
15245 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
15246 				    offsetof(struct __sk_buff, wire_len)),
15247 			BPF_EXIT_INSN(),
15248 		},
15249 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
15250 		.result = ACCEPT,
15251 	},
15252 	{
15253 		"check wire_len is not writable by tc classifier",
15254 		.insns = {
15255 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
15256 				    offsetof(struct __sk_buff, wire_len)),
15257 			BPF_EXIT_INSN(),
15258 		},
15259 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
15260 		.errstr = "invalid bpf_context access",
15261 		.errstr_unpriv = "R1 leaks addr",
15262 		.result = REJECT,
15263 	},
15264 	{
15265 		"calls: cross frame pruning",
15266 		.insns = {
15267 			/* r8 = !!random();
15268 			 * call pruner()
15269 			 * if (r8)
15270 			 *     do something bad;
15271 			 */
15272 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15273 				     BPF_FUNC_get_prandom_u32),
15274 			BPF_MOV64_IMM(BPF_REG_8, 0),
15275 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
15276 			BPF_MOV64_IMM(BPF_REG_8, 1),
15277 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
15278 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
15279 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_8, 1, 1),
15280 			BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
15281 			BPF_MOV64_IMM(BPF_REG_0, 0),
15282 			BPF_EXIT_INSN(),
15283 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
15284 			BPF_EXIT_INSN(),
15285 		},
15286 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15287 		.errstr_unpriv = "function calls to other bpf functions are allowed for root only",
15288 		.errstr = "!read_ok",
15289 		.result = REJECT,
15290 	},
15291 	{
15292 		"jset: functional",
15293 		.insns = {
15294 			/* r0 = 0 */
15295 			BPF_MOV64_IMM(BPF_REG_0, 0),
15296 			/* prep for direct packet access via r2 */
15297 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
15298 				    offsetof(struct __sk_buff, data)),
15299 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
15300 				    offsetof(struct __sk_buff, data_end)),
15301 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
15302 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
15303 			BPF_JMP_REG(BPF_JLE, BPF_REG_4, BPF_REG_3, 1),
15304 			BPF_EXIT_INSN(),
15305 
15306 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_2, 0),
15307 
15308 			/* reg, bit 63 or bit 0 set, taken */
15309 			BPF_LD_IMM64(BPF_REG_8, 0x8000000000000001),
15310 			BPF_JMP_REG(BPF_JSET, BPF_REG_7, BPF_REG_8, 1),
15311 			BPF_EXIT_INSN(),
15312 
15313 			/* reg, bit 62, not taken */
15314 			BPF_LD_IMM64(BPF_REG_8, 0x4000000000000000),
15315 			BPF_JMP_REG(BPF_JSET, BPF_REG_7, BPF_REG_8, 1),
15316 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
15317 			BPF_EXIT_INSN(),
15318 
15319 			/* imm, any bit set, taken */
15320 			BPF_JMP_IMM(BPF_JSET, BPF_REG_7, -1, 1),
15321 			BPF_EXIT_INSN(),
15322 
15323 			/* imm, bit 31 set, taken */
15324 			BPF_JMP_IMM(BPF_JSET, BPF_REG_7, 0x80000000, 1),
15325 			BPF_EXIT_INSN(),
15326 
15327 			/* all good - return r0 == 2 */
15328 			BPF_MOV64_IMM(BPF_REG_0, 2),
15329 			BPF_EXIT_INSN(),
15330 		},
15331 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
15332 		.result = ACCEPT,
15333 		.runs = 7,
15334 		.retvals = {
15335 			{ .retval = 2,
15336 			  .data64 = { (1ULL << 63) | (1U << 31) | (1U << 0), }
15337 			},
15338 			{ .retval = 2,
15339 			  .data64 = { (1ULL << 63) | (1U << 31), }
15340 			},
15341 			{ .retval = 2,
15342 			  .data64 = { (1ULL << 31) | (1U << 0), }
15343 			},
15344 			{ .retval = 2,
15345 			  .data64 = { (__u32)-1, }
15346 			},
15347 			{ .retval = 2,
15348 			  .data64 = { ~0x4000000000000000ULL, }
15349 			},
15350 			{ .retval = 0,
15351 			  .data64 = { 0, }
15352 			},
15353 			{ .retval = 0,
15354 			  .data64 = { ~0ULL, }
15355 			},
15356 		},
15357 	},
15358 	{
15359 		"jset: sign-extend",
15360 		.insns = {
15361 			/* r0 = 0 */
15362 			BPF_MOV64_IMM(BPF_REG_0, 0),
15363 			/* prep for direct packet access via r2 */
15364 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
15365 				    offsetof(struct __sk_buff, data)),
15366 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
15367 				    offsetof(struct __sk_buff, data_end)),
15368 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
15369 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
15370 			BPF_JMP_REG(BPF_JLE, BPF_REG_4, BPF_REG_3, 1),
15371 			BPF_EXIT_INSN(),
15372 
15373 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_2, 0),
15374 
15375 			BPF_JMP_IMM(BPF_JSET, BPF_REG_7, 0x80000000, 1),
15376 			BPF_EXIT_INSN(),
15377 
15378 			BPF_MOV64_IMM(BPF_REG_0, 2),
15379 			BPF_EXIT_INSN(),
15380 		},
15381 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
15382 		.result = ACCEPT,
15383 		.retval = 2,
15384 		.data = { 1, 0, 0, 0, 0, 0, 0, 1, },
15385 	},
15386 	{
15387 		"jset: known const compare",
15388 		.insns = {
15389 			BPF_MOV64_IMM(BPF_REG_0, 1),
15390 			BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 1, 1),
15391 			BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15392 			BPF_EXIT_INSN(),
15393 		},
15394 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15395 		.retval_unpriv = 1,
15396 		.result_unpriv = ACCEPT,
15397 		.retval = 1,
15398 		.result = ACCEPT,
15399 	},
15400 	{
15401 		"jset: known const compare bad",
15402 		.insns = {
15403 			BPF_MOV64_IMM(BPF_REG_0, 0),
15404 			BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 1, 1),
15405 			BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15406 			BPF_EXIT_INSN(),
15407 		},
15408 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15409 		.errstr_unpriv = "!read_ok",
15410 		.result_unpriv = REJECT,
15411 		.errstr = "!read_ok",
15412 		.result = REJECT,
15413 	},
15414 	{
15415 		"jset: unknown const compare taken",
15416 		.insns = {
15417 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15418 				     BPF_FUNC_get_prandom_u32),
15419 			BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 1, 1),
15420 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
15421 			BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15422 			BPF_EXIT_INSN(),
15423 		},
15424 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15425 		.errstr_unpriv = "!read_ok",
15426 		.result_unpriv = REJECT,
15427 		.errstr = "!read_ok",
15428 		.result = REJECT,
15429 	},
15430 	{
15431 		"jset: unknown const compare not taken",
15432 		.insns = {
15433 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15434 				     BPF_FUNC_get_prandom_u32),
15435 			BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 1, 1),
15436 			BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15437 			BPF_EXIT_INSN(),
15438 		},
15439 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15440 		.errstr_unpriv = "!read_ok",
15441 		.result_unpriv = REJECT,
15442 		.errstr = "!read_ok",
15443 		.result = REJECT,
15444 	},
15445 	{
15446 		"jset: half-known const compare",
15447 		.insns = {
15448 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15449 				     BPF_FUNC_get_prandom_u32),
15450 			BPF_ALU64_IMM(BPF_OR, BPF_REG_0, 2),
15451 			BPF_JMP_IMM(BPF_JSET, BPF_REG_0, 3, 1),
15452 			BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15453 			BPF_MOV64_IMM(BPF_REG_0, 0),
15454 			BPF_EXIT_INSN(),
15455 		},
15456 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15457 		.result_unpriv = ACCEPT,
15458 		.result = ACCEPT,
15459 	},
15460 	{
15461 		"jset: range",
15462 		.insns = {
15463 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15464 				     BPF_FUNC_get_prandom_u32),
15465 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
15466 			BPF_MOV64_IMM(BPF_REG_0, 0),
15467 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xff),
15468 			BPF_JMP_IMM(BPF_JSET, BPF_REG_1, 0xf0, 3),
15469 			BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 0x10, 1),
15470 			BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15471 			BPF_EXIT_INSN(),
15472 			BPF_JMP_IMM(BPF_JSET, BPF_REG_1, 0x10, 1),
15473 			BPF_EXIT_INSN(),
15474 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0x10, 1),
15475 			BPF_LDX_MEM(BPF_B, BPF_REG_8, BPF_REG_9, 0),
15476 			BPF_EXIT_INSN(),
15477 		},
15478 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
15479 		.result_unpriv = ACCEPT,
15480 		.result = ACCEPT,
15481 	},
15482 };
15483 
15484 static int probe_filter_length(const struct bpf_insn *fp)
15485 {
15486 	int len;
15487 
15488 	for (len = MAX_INSNS - 1; len > 0; --len)
15489 		if (fp[len].code != 0 || fp[len].imm != 0)
15490 			break;
15491 	return len + 1;
15492 }
15493 
15494 static int create_map(uint32_t type, uint32_t size_key,
15495 		      uint32_t size_value, uint32_t max_elem)
15496 {
15497 	int fd;
15498 
15499 	fd = bpf_create_map(type, size_key, size_value, max_elem,
15500 			    type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
15501 	if (fd < 0)
15502 		printf("Failed to create hash map '%s'!\n", strerror(errno));
15503 
15504 	return fd;
15505 }
15506 
15507 static void update_map(int fd, int index)
15508 {
15509 	struct test_val value = {
15510 		.index = (6 + 1) * sizeof(int),
15511 		.foo[6] = 0xabcdef12,
15512 	};
15513 
15514 	assert(!bpf_map_update_elem(fd, &index, &value, 0));
15515 }
15516 
15517 static int create_prog_dummy1(enum bpf_prog_type prog_type)
15518 {
15519 	struct bpf_insn prog[] = {
15520 		BPF_MOV64_IMM(BPF_REG_0, 42),
15521 		BPF_EXIT_INSN(),
15522 	};
15523 
15524 	return bpf_load_program(prog_type, prog,
15525 				ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
15526 }
15527 
15528 static int create_prog_dummy2(enum bpf_prog_type prog_type, int mfd, int idx)
15529 {
15530 	struct bpf_insn prog[] = {
15531 		BPF_MOV64_IMM(BPF_REG_3, idx),
15532 		BPF_LD_MAP_FD(BPF_REG_2, mfd),
15533 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
15534 			     BPF_FUNC_tail_call),
15535 		BPF_MOV64_IMM(BPF_REG_0, 41),
15536 		BPF_EXIT_INSN(),
15537 	};
15538 
15539 	return bpf_load_program(prog_type, prog,
15540 				ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
15541 }
15542 
15543 static int create_prog_array(enum bpf_prog_type prog_type, uint32_t max_elem,
15544 			     int p1key)
15545 {
15546 	int p2key = 1;
15547 	int mfd, p1fd, p2fd;
15548 
15549 	mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
15550 			     sizeof(int), max_elem, 0);
15551 	if (mfd < 0) {
15552 		printf("Failed to create prog array '%s'!\n", strerror(errno));
15553 		return -1;
15554 	}
15555 
15556 	p1fd = create_prog_dummy1(prog_type);
15557 	p2fd = create_prog_dummy2(prog_type, mfd, p2key);
15558 	if (p1fd < 0 || p2fd < 0)
15559 		goto out;
15560 	if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
15561 		goto out;
15562 	if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
15563 		goto out;
15564 	close(p2fd);
15565 	close(p1fd);
15566 
15567 	return mfd;
15568 out:
15569 	close(p2fd);
15570 	close(p1fd);
15571 	close(mfd);
15572 	return -1;
15573 }
15574 
15575 static int create_map_in_map(void)
15576 {
15577 	int inner_map_fd, outer_map_fd;
15578 
15579 	inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
15580 				      sizeof(int), 1, 0);
15581 	if (inner_map_fd < 0) {
15582 		printf("Failed to create array '%s'!\n", strerror(errno));
15583 		return inner_map_fd;
15584 	}
15585 
15586 	outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
15587 					     sizeof(int), inner_map_fd, 1, 0);
15588 	if (outer_map_fd < 0)
15589 		printf("Failed to create array of maps '%s'!\n",
15590 		       strerror(errno));
15591 
15592 	close(inner_map_fd);
15593 
15594 	return outer_map_fd;
15595 }
15596 
15597 static int create_cgroup_storage(bool percpu)
15598 {
15599 	enum bpf_map_type type = percpu ? BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE :
15600 		BPF_MAP_TYPE_CGROUP_STORAGE;
15601 	int fd;
15602 
15603 	fd = bpf_create_map(type, sizeof(struct bpf_cgroup_storage_key),
15604 			    TEST_DATA_LEN, 0, 0);
15605 	if (fd < 0)
15606 		printf("Failed to create cgroup storage '%s'!\n",
15607 		       strerror(errno));
15608 
15609 	return fd;
15610 }
15611 
15612 static char bpf_vlog[UINT_MAX >> 8];
15613 
15614 static void do_test_fixup(struct bpf_test *test, enum bpf_prog_type prog_type,
15615 			  struct bpf_insn *prog, int *map_fds)
15616 {
15617 	int *fixup_map_hash_8b = test->fixup_map_hash_8b;
15618 	int *fixup_map_hash_48b = test->fixup_map_hash_48b;
15619 	int *fixup_map_hash_16b = test->fixup_map_hash_16b;
15620 	int *fixup_map_array_48b = test->fixup_map_array_48b;
15621 	int *fixup_map_sockmap = test->fixup_map_sockmap;
15622 	int *fixup_map_sockhash = test->fixup_map_sockhash;
15623 	int *fixup_map_xskmap = test->fixup_map_xskmap;
15624 	int *fixup_map_stacktrace = test->fixup_map_stacktrace;
15625 	int *fixup_prog1 = test->fixup_prog1;
15626 	int *fixup_prog2 = test->fixup_prog2;
15627 	int *fixup_map_in_map = test->fixup_map_in_map;
15628 	int *fixup_cgroup_storage = test->fixup_cgroup_storage;
15629 	int *fixup_percpu_cgroup_storage = test->fixup_percpu_cgroup_storage;
15630 
15631 	if (test->fill_helper)
15632 		test->fill_helper(test);
15633 
15634 	/* Allocating HTs with 1 elem is fine here, since we only test
15635 	 * for verifier and not do a runtime lookup, so the only thing
15636 	 * that really matters is value size in this case.
15637 	 */
15638 	if (*fixup_map_hash_8b) {
15639 		map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
15640 					sizeof(long long), 1);
15641 		do {
15642 			prog[*fixup_map_hash_8b].imm = map_fds[0];
15643 			fixup_map_hash_8b++;
15644 		} while (*fixup_map_hash_8b);
15645 	}
15646 
15647 	if (*fixup_map_hash_48b) {
15648 		map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
15649 					sizeof(struct test_val), 1);
15650 		do {
15651 			prog[*fixup_map_hash_48b].imm = map_fds[1];
15652 			fixup_map_hash_48b++;
15653 		} while (*fixup_map_hash_48b);
15654 	}
15655 
15656 	if (*fixup_map_hash_16b) {
15657 		map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
15658 					sizeof(struct other_val), 1);
15659 		do {
15660 			prog[*fixup_map_hash_16b].imm = map_fds[2];
15661 			fixup_map_hash_16b++;
15662 		} while (*fixup_map_hash_16b);
15663 	}
15664 
15665 	if (*fixup_map_array_48b) {
15666 		map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
15667 					sizeof(struct test_val), 1);
15668 		update_map(map_fds[3], 0);
15669 		do {
15670 			prog[*fixup_map_array_48b].imm = map_fds[3];
15671 			fixup_map_array_48b++;
15672 		} while (*fixup_map_array_48b);
15673 	}
15674 
15675 	if (*fixup_prog1) {
15676 		map_fds[4] = create_prog_array(prog_type, 4, 0);
15677 		do {
15678 			prog[*fixup_prog1].imm = map_fds[4];
15679 			fixup_prog1++;
15680 		} while (*fixup_prog1);
15681 	}
15682 
15683 	if (*fixup_prog2) {
15684 		map_fds[5] = create_prog_array(prog_type, 8, 7);
15685 		do {
15686 			prog[*fixup_prog2].imm = map_fds[5];
15687 			fixup_prog2++;
15688 		} while (*fixup_prog2);
15689 	}
15690 
15691 	if (*fixup_map_in_map) {
15692 		map_fds[6] = create_map_in_map();
15693 		do {
15694 			prog[*fixup_map_in_map].imm = map_fds[6];
15695 			fixup_map_in_map++;
15696 		} while (*fixup_map_in_map);
15697 	}
15698 
15699 	if (*fixup_cgroup_storage) {
15700 		map_fds[7] = create_cgroup_storage(false);
15701 		do {
15702 			prog[*fixup_cgroup_storage].imm = map_fds[7];
15703 			fixup_cgroup_storage++;
15704 		} while (*fixup_cgroup_storage);
15705 	}
15706 
15707 	if (*fixup_percpu_cgroup_storage) {
15708 		map_fds[8] = create_cgroup_storage(true);
15709 		do {
15710 			prog[*fixup_percpu_cgroup_storage].imm = map_fds[8];
15711 			fixup_percpu_cgroup_storage++;
15712 		} while (*fixup_percpu_cgroup_storage);
15713 	}
15714 	if (*fixup_map_sockmap) {
15715 		map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int),
15716 					sizeof(int), 1);
15717 		do {
15718 			prog[*fixup_map_sockmap].imm = map_fds[9];
15719 			fixup_map_sockmap++;
15720 		} while (*fixup_map_sockmap);
15721 	}
15722 	if (*fixup_map_sockhash) {
15723 		map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int),
15724 					sizeof(int), 1);
15725 		do {
15726 			prog[*fixup_map_sockhash].imm = map_fds[10];
15727 			fixup_map_sockhash++;
15728 		} while (*fixup_map_sockhash);
15729 	}
15730 	if (*fixup_map_xskmap) {
15731 		map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int),
15732 					sizeof(int), 1);
15733 		do {
15734 			prog[*fixup_map_xskmap].imm = map_fds[11];
15735 			fixup_map_xskmap++;
15736 		} while (*fixup_map_xskmap);
15737 	}
15738 	if (*fixup_map_stacktrace) {
15739 		map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32),
15740 					 sizeof(u64), 1);
15741 		do {
15742 			prog[*fixup_map_stacktrace].imm = map_fds[12];
15743 			fixup_map_stacktrace++;
15744 		} while (*fixup_map_stacktrace);
15745 	}
15746 }
15747 
15748 static int set_admin(bool admin)
15749 {
15750 	cap_t caps;
15751 	const cap_value_t cap_val = CAP_SYS_ADMIN;
15752 	int ret = -1;
15753 
15754 	caps = cap_get_proc();
15755 	if (!caps) {
15756 		perror("cap_get_proc");
15757 		return -1;
15758 	}
15759 	if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
15760 				admin ? CAP_SET : CAP_CLEAR)) {
15761 		perror("cap_set_flag");
15762 		goto out;
15763 	}
15764 	if (cap_set_proc(caps)) {
15765 		perror("cap_set_proc");
15766 		goto out;
15767 	}
15768 	ret = 0;
15769 out:
15770 	if (cap_free(caps))
15771 		perror("cap_free");
15772 	return ret;
15773 }
15774 
15775 static int do_prog_test_run(int fd_prog, bool unpriv, uint32_t expected_val,
15776 			    void *data, size_t size_data)
15777 {
15778 	__u8 tmp[TEST_DATA_LEN << 2];
15779 	__u32 size_tmp = sizeof(tmp);
15780 	uint32_t retval;
15781 	int err;
15782 
15783 	if (unpriv)
15784 		set_admin(true);
15785 	err = bpf_prog_test_run(fd_prog, 1, data, size_data,
15786 				tmp, &size_tmp, &retval, NULL);
15787 	if (unpriv)
15788 		set_admin(false);
15789 	if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
15790 		printf("Unexpected bpf_prog_test_run error ");
15791 		return err;
15792 	}
15793 	if (!err && retval != expected_val &&
15794 	    expected_val != POINTER_VALUE) {
15795 		printf("FAIL retval %d != %d ", retval, expected_val);
15796 		return 1;
15797 	}
15798 
15799 	return 0;
15800 }
15801 
15802 static void do_test_single(struct bpf_test *test, bool unpriv,
15803 			   int *passes, int *errors)
15804 {
15805 	int fd_prog, expected_ret, alignment_prevented_execution;
15806 	int prog_len, prog_type = test->prog_type;
15807 	struct bpf_insn *prog = test->insns;
15808 	int run_errs, run_successes;
15809 	int map_fds[MAX_NR_MAPS];
15810 	const char *expected_err;
15811 	__u32 pflags;
15812 	int i, err;
15813 
15814 	for (i = 0; i < MAX_NR_MAPS; i++)
15815 		map_fds[i] = -1;
15816 
15817 	if (!prog_type)
15818 		prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
15819 	do_test_fixup(test, prog_type, prog, map_fds);
15820 	prog_len = probe_filter_length(prog);
15821 
15822 	pflags = 0;
15823 	if (test->flags & F_LOAD_WITH_STRICT_ALIGNMENT)
15824 		pflags |= BPF_F_STRICT_ALIGNMENT;
15825 	if (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS)
15826 		pflags |= BPF_F_ANY_ALIGNMENT;
15827 	fd_prog = bpf_verify_program(prog_type, prog, prog_len, pflags,
15828 				     "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
15829 
15830 	expected_ret = unpriv && test->result_unpriv != UNDEF ?
15831 		       test->result_unpriv : test->result;
15832 	expected_err = unpriv && test->errstr_unpriv ?
15833 		       test->errstr_unpriv : test->errstr;
15834 
15835 	alignment_prevented_execution = 0;
15836 
15837 	if (expected_ret == ACCEPT) {
15838 		if (fd_prog < 0) {
15839 			printf("FAIL\nFailed to load prog '%s'!\n",
15840 			       strerror(errno));
15841 			goto fail_log;
15842 		}
15843 #ifndef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
15844 		if (fd_prog >= 0 &&
15845 		    (test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS))
15846 			alignment_prevented_execution = 1;
15847 #endif
15848 	} else {
15849 		if (fd_prog >= 0) {
15850 			printf("FAIL\nUnexpected success to load!\n");
15851 			goto fail_log;
15852 		}
15853 		if (!strstr(bpf_vlog, expected_err)) {
15854 			printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
15855 			      expected_err, bpf_vlog);
15856 			goto fail_log;
15857 		}
15858 	}
15859 
15860 	if (test->insn_processed) {
15861 		uint32_t insn_processed;
15862 		char *proc;
15863 
15864 		proc = strstr(bpf_vlog, "processed ");
15865 		insn_processed = atoi(proc + 10);
15866 		if (test->insn_processed != insn_processed) {
15867 			printf("FAIL\nUnexpected insn_processed %u vs %u\n",
15868 			       insn_processed, test->insn_processed);
15869 			goto fail_log;
15870 		}
15871 	}
15872 
15873 	run_errs = 0;
15874 	run_successes = 0;
15875 	if (!alignment_prevented_execution && fd_prog >= 0) {
15876 		uint32_t expected_val;
15877 		int i;
15878 
15879 		if (!test->runs) {
15880 			expected_val = unpriv && test->retval_unpriv ?
15881 				test->retval_unpriv : test->retval;
15882 
15883 			err = do_prog_test_run(fd_prog, unpriv, expected_val,
15884 					       test->data, sizeof(test->data));
15885 			if (err)
15886 				run_errs++;
15887 			else
15888 				run_successes++;
15889 		}
15890 
15891 		for (i = 0; i < test->runs; i++) {
15892 			if (unpriv && test->retvals[i].retval_unpriv)
15893 				expected_val = test->retvals[i].retval_unpriv;
15894 			else
15895 				expected_val = test->retvals[i].retval;
15896 
15897 			err = do_prog_test_run(fd_prog, unpriv, expected_val,
15898 					       test->retvals[i].data,
15899 					       sizeof(test->retvals[i].data));
15900 			if (err) {
15901 				printf("(run %d/%d) ", i + 1, test->runs);
15902 				run_errs++;
15903 			} else {
15904 				run_successes++;
15905 			}
15906 		}
15907 	}
15908 
15909 	if (!run_errs) {
15910 		(*passes)++;
15911 		if (run_successes > 1)
15912 			printf("%d cases ", run_successes);
15913 		printf("OK");
15914 		if (alignment_prevented_execution)
15915 			printf(" (NOTE: not executed due to unknown alignment)");
15916 		printf("\n");
15917 	} else {
15918 		printf("\n");
15919 		goto fail_log;
15920 	}
15921 close_fds:
15922 	close(fd_prog);
15923 	for (i = 0; i < MAX_NR_MAPS; i++)
15924 		close(map_fds[i]);
15925 	sched_yield();
15926 	return;
15927 fail_log:
15928 	(*errors)++;
15929 	printf("%s", bpf_vlog);
15930 	goto close_fds;
15931 }
15932 
15933 static bool is_admin(void)
15934 {
15935 	cap_t caps;
15936 	cap_flag_value_t sysadmin = CAP_CLEAR;
15937 	const cap_value_t cap_val = CAP_SYS_ADMIN;
15938 
15939 #ifdef CAP_IS_SUPPORTED
15940 	if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
15941 		perror("cap_get_flag");
15942 		return false;
15943 	}
15944 #endif
15945 	caps = cap_get_proc();
15946 	if (!caps) {
15947 		perror("cap_get_proc");
15948 		return false;
15949 	}
15950 	if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
15951 		perror("cap_get_flag");
15952 	if (cap_free(caps))
15953 		perror("cap_free");
15954 	return (sysadmin == CAP_SET);
15955 }
15956 
15957 static void get_unpriv_disabled()
15958 {
15959 	char buf[2];
15960 	FILE *fd;
15961 
15962 	fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
15963 	if (!fd) {
15964 		perror("fopen /proc/sys/"UNPRIV_SYSCTL);
15965 		unpriv_disabled = true;
15966 		return;
15967 	}
15968 	if (fgets(buf, 2, fd) == buf && atoi(buf))
15969 		unpriv_disabled = true;
15970 	fclose(fd);
15971 }
15972 
15973 static bool test_as_unpriv(struct bpf_test *test)
15974 {
15975 	return !test->prog_type ||
15976 	       test->prog_type == BPF_PROG_TYPE_SOCKET_FILTER ||
15977 	       test->prog_type == BPF_PROG_TYPE_CGROUP_SKB;
15978 }
15979 
15980 static int do_test(bool unpriv, unsigned int from, unsigned int to)
15981 {
15982 	int i, passes = 0, errors = 0, skips = 0;
15983 
15984 	for (i = from; i < to; i++) {
15985 		struct bpf_test *test = &tests[i];
15986 
15987 		/* Program types that are not supported by non-root we
15988 		 * skip right away.
15989 		 */
15990 		if (test_as_unpriv(test) && unpriv_disabled) {
15991 			printf("#%d/u %s SKIP\n", i, test->descr);
15992 			skips++;
15993 		} else if (test_as_unpriv(test)) {
15994 			if (!unpriv)
15995 				set_admin(false);
15996 			printf("#%d/u %s ", i, test->descr);
15997 			do_test_single(test, true, &passes, &errors);
15998 			if (!unpriv)
15999 				set_admin(true);
16000 		}
16001 
16002 		if (unpriv) {
16003 			printf("#%d/p %s SKIP\n", i, test->descr);
16004 			skips++;
16005 		} else {
16006 			printf("#%d/p %s ", i, test->descr);
16007 			do_test_single(test, false, &passes, &errors);
16008 		}
16009 	}
16010 
16011 	printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
16012 	       skips, errors);
16013 	return errors ? EXIT_FAILURE : EXIT_SUCCESS;
16014 }
16015 
16016 int main(int argc, char **argv)
16017 {
16018 	unsigned int from = 0, to = ARRAY_SIZE(tests);
16019 	bool unpriv = !is_admin();
16020 
16021 	if (argc == 3) {
16022 		unsigned int l = atoi(argv[argc - 2]);
16023 		unsigned int u = atoi(argv[argc - 1]);
16024 
16025 		if (l < to && u < to) {
16026 			from = l;
16027 			to   = u + 1;
16028 		}
16029 	} else if (argc == 2) {
16030 		unsigned int t = atoi(argv[argc - 1]);
16031 
16032 		if (t < to) {
16033 			from = t;
16034 			to   = t + 1;
16035 		}
16036 	}
16037 
16038 	get_unpriv_disabled();
16039 	if (unpriv && unpriv_disabled) {
16040 		printf("Cannot run as unprivileged user with sysctl %s.\n",
16041 		       UNPRIV_SYSCTL);
16042 		return EXIT_FAILURE;
16043 	}
16044 
16045 	bpf_semi_rand_init();
16046 	return do_test(unpriv, from, to);
16047 }
16048