1 /*
2  * Testsuite for eBPF verifier
3  *
4  * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5  * Copyright (c) 2017 Facebook
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of version 2 of the GNU General Public
9  * License as published by the Free Software Foundation.
10  */
11 
12 #include <endian.h>
13 #include <asm/types.h>
14 #include <linux/types.h>
15 #include <stdint.h>
16 #include <stdio.h>
17 #include <stdlib.h>
18 #include <unistd.h>
19 #include <errno.h>
20 #include <string.h>
21 #include <stddef.h>
22 #include <stdbool.h>
23 #include <sched.h>
24 #include <limits.h>
25 
26 #include <sys/capability.h>
27 
28 #include <linux/unistd.h>
29 #include <linux/filter.h>
30 #include <linux/bpf_perf_event.h>
31 #include <linux/bpf.h>
32 #include <linux/if_ether.h>
33 
34 #include <bpf/bpf.h>
35 
36 #ifdef HAVE_GENHDR
37 # include "autoconf.h"
38 #else
39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
40 #  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
41 # endif
42 #endif
43 #include "bpf_rlimit.h"
44 #include "bpf_rand.h"
45 #include "../../../include/linux/filter.h"
46 
47 #ifndef ARRAY_SIZE
48 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
49 #endif
50 
51 #define MAX_INSNS	BPF_MAXINSNS
52 #define MAX_FIXUPS	8
53 #define MAX_NR_MAPS	7
54 #define POINTER_VALUE	0xcafe4all
55 #define TEST_DATA_LEN	64
56 
57 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS	(1 << 0)
58 #define F_LOAD_WITH_STRICT_ALIGNMENT		(1 << 1)
59 
60 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
61 static bool unpriv_disabled = false;
62 
63 struct bpf_test {
64 	const char *descr;
65 	struct bpf_insn	insns[MAX_INSNS];
66 	int fixup_map1[MAX_FIXUPS];
67 	int fixup_map2[MAX_FIXUPS];
68 	int fixup_map3[MAX_FIXUPS];
69 	int fixup_map4[MAX_FIXUPS];
70 	int fixup_prog1[MAX_FIXUPS];
71 	int fixup_prog2[MAX_FIXUPS];
72 	int fixup_map_in_map[MAX_FIXUPS];
73 	const char *errstr;
74 	const char *errstr_unpriv;
75 	uint32_t retval;
76 	enum {
77 		UNDEF,
78 		ACCEPT,
79 		REJECT
80 	} result, result_unpriv;
81 	enum bpf_prog_type prog_type;
82 	uint8_t flags;
83 	__u8 data[TEST_DATA_LEN];
84 	void (*fill_helper)(struct bpf_test *self);
85 };
86 
87 /* Note we want this to be 64 bit aligned so that the end of our array is
88  * actually the end of the structure.
89  */
90 #define MAX_ENTRIES 11
91 
92 struct test_val {
93 	unsigned int index;
94 	int foo[MAX_ENTRIES];
95 };
96 
97 struct other_val {
98 	long long foo;
99 	long long bar;
100 };
101 
102 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
103 {
104 	/* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
105 #define PUSH_CNT 51
106 	unsigned int len = BPF_MAXINSNS;
107 	struct bpf_insn *insn = self->insns;
108 	int i = 0, j, k = 0;
109 
110 	insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
111 loop:
112 	for (j = 0; j < PUSH_CNT; j++) {
113 		insn[i++] = BPF_LD_ABS(BPF_B, 0);
114 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
115 		i++;
116 		insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
117 		insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
118 		insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
119 		insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
120 					 BPF_FUNC_skb_vlan_push),
121 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
122 		i++;
123 	}
124 
125 	for (j = 0; j < PUSH_CNT; j++) {
126 		insn[i++] = BPF_LD_ABS(BPF_B, 0);
127 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
128 		i++;
129 		insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
130 		insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
131 					 BPF_FUNC_skb_vlan_pop),
132 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
133 		i++;
134 	}
135 	if (++k < 5)
136 		goto loop;
137 
138 	for (; i < len - 1; i++)
139 		insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
140 	insn[len - 1] = BPF_EXIT_INSN();
141 }
142 
143 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
144 {
145 	struct bpf_insn *insn = self->insns;
146 	unsigned int len = BPF_MAXINSNS;
147 	int i = 0;
148 
149 	insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
150 	insn[i++] = BPF_LD_ABS(BPF_B, 0);
151 	insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
152 	i++;
153 	while (i < len - 1)
154 		insn[i++] = BPF_LD_ABS(BPF_B, 1);
155 	insn[i] = BPF_EXIT_INSN();
156 }
157 
158 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
159 {
160 	struct bpf_insn *insn = self->insns;
161 	uint64_t res = 0;
162 	int i = 0;
163 
164 	insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
165 	while (i < self->retval) {
166 		uint64_t val = bpf_semi_rand_get();
167 		struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
168 
169 		res ^= val;
170 		insn[i++] = tmp[0];
171 		insn[i++] = tmp[1];
172 		insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
173 	}
174 	insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
175 	insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
176 	insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
177 	insn[i] = BPF_EXIT_INSN();
178 	res ^= (res >> 32);
179 	self->retval = (uint32_t)res;
180 }
181 
182 static struct bpf_test tests[] = {
183 	{
184 		"add+sub+mul",
185 		.insns = {
186 			BPF_MOV64_IMM(BPF_REG_1, 1),
187 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
188 			BPF_MOV64_IMM(BPF_REG_2, 3),
189 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
190 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
191 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
192 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
193 			BPF_EXIT_INSN(),
194 		},
195 		.result = ACCEPT,
196 		.retval = -3,
197 	},
198 	{
199 		"DIV32 by 0, zero check 1",
200 		.insns = {
201 			BPF_MOV32_IMM(BPF_REG_0, 42),
202 			BPF_MOV32_IMM(BPF_REG_1, 0),
203 			BPF_MOV32_IMM(BPF_REG_2, 1),
204 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
205 			BPF_EXIT_INSN(),
206 		},
207 		.result = ACCEPT,
208 		.retval = 42,
209 	},
210 	{
211 		"DIV32 by 0, zero check 2",
212 		.insns = {
213 			BPF_MOV32_IMM(BPF_REG_0, 42),
214 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
215 			BPF_MOV32_IMM(BPF_REG_2, 1),
216 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
217 			BPF_EXIT_INSN(),
218 		},
219 		.result = ACCEPT,
220 		.retval = 42,
221 	},
222 	{
223 		"DIV64 by 0, zero check",
224 		.insns = {
225 			BPF_MOV32_IMM(BPF_REG_0, 42),
226 			BPF_MOV32_IMM(BPF_REG_1, 0),
227 			BPF_MOV32_IMM(BPF_REG_2, 1),
228 			BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
229 			BPF_EXIT_INSN(),
230 		},
231 		.result = ACCEPT,
232 		.retval = 42,
233 	},
234 	{
235 		"MOD32 by 0, zero check 1",
236 		.insns = {
237 			BPF_MOV32_IMM(BPF_REG_0, 42),
238 			BPF_MOV32_IMM(BPF_REG_1, 0),
239 			BPF_MOV32_IMM(BPF_REG_2, 1),
240 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
241 			BPF_EXIT_INSN(),
242 		},
243 		.result = ACCEPT,
244 		.retval = 42,
245 	},
246 	{
247 		"MOD32 by 0, zero check 2",
248 		.insns = {
249 			BPF_MOV32_IMM(BPF_REG_0, 42),
250 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
251 			BPF_MOV32_IMM(BPF_REG_2, 1),
252 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
253 			BPF_EXIT_INSN(),
254 		},
255 		.result = ACCEPT,
256 		.retval = 42,
257 	},
258 	{
259 		"MOD64 by 0, zero check",
260 		.insns = {
261 			BPF_MOV32_IMM(BPF_REG_0, 42),
262 			BPF_MOV32_IMM(BPF_REG_1, 0),
263 			BPF_MOV32_IMM(BPF_REG_2, 1),
264 			BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
265 			BPF_EXIT_INSN(),
266 		},
267 		.result = ACCEPT,
268 		.retval = 42,
269 	},
270 	{
271 		"DIV32 by 0, zero check ok, cls",
272 		.insns = {
273 			BPF_MOV32_IMM(BPF_REG_0, 42),
274 			BPF_MOV32_IMM(BPF_REG_1, 2),
275 			BPF_MOV32_IMM(BPF_REG_2, 16),
276 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
277 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
278 			BPF_EXIT_INSN(),
279 		},
280 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
281 		.result = ACCEPT,
282 		.retval = 8,
283 	},
284 	{
285 		"DIV32 by 0, zero check 1, cls",
286 		.insns = {
287 			BPF_MOV32_IMM(BPF_REG_1, 0),
288 			BPF_MOV32_IMM(BPF_REG_0, 1),
289 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
290 			BPF_EXIT_INSN(),
291 		},
292 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
293 		.result = ACCEPT,
294 		.retval = 0,
295 	},
296 	{
297 		"DIV32 by 0, zero check 2, cls",
298 		.insns = {
299 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
300 			BPF_MOV32_IMM(BPF_REG_0, 1),
301 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
302 			BPF_EXIT_INSN(),
303 		},
304 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
305 		.result = ACCEPT,
306 		.retval = 0,
307 	},
308 	{
309 		"DIV64 by 0, zero check, cls",
310 		.insns = {
311 			BPF_MOV32_IMM(BPF_REG_1, 0),
312 			BPF_MOV32_IMM(BPF_REG_0, 1),
313 			BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
314 			BPF_EXIT_INSN(),
315 		},
316 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
317 		.result = ACCEPT,
318 		.retval = 0,
319 	},
320 	{
321 		"MOD32 by 0, zero check ok, cls",
322 		.insns = {
323 			BPF_MOV32_IMM(BPF_REG_0, 42),
324 			BPF_MOV32_IMM(BPF_REG_1, 3),
325 			BPF_MOV32_IMM(BPF_REG_2, 5),
326 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
327 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
328 			BPF_EXIT_INSN(),
329 		},
330 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
331 		.result = ACCEPT,
332 		.retval = 2,
333 	},
334 	{
335 		"MOD32 by 0, zero check 1, cls",
336 		.insns = {
337 			BPF_MOV32_IMM(BPF_REG_1, 0),
338 			BPF_MOV32_IMM(BPF_REG_0, 1),
339 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
340 			BPF_EXIT_INSN(),
341 		},
342 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
343 		.result = ACCEPT,
344 		.retval = 1,
345 	},
346 	{
347 		"MOD32 by 0, zero check 2, cls",
348 		.insns = {
349 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
350 			BPF_MOV32_IMM(BPF_REG_0, 1),
351 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
352 			BPF_EXIT_INSN(),
353 		},
354 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
355 		.result = ACCEPT,
356 		.retval = 1,
357 	},
358 	{
359 		"MOD64 by 0, zero check 1, cls",
360 		.insns = {
361 			BPF_MOV32_IMM(BPF_REG_1, 0),
362 			BPF_MOV32_IMM(BPF_REG_0, 2),
363 			BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
364 			BPF_EXIT_INSN(),
365 		},
366 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
367 		.result = ACCEPT,
368 		.retval = 2,
369 	},
370 	{
371 		"MOD64 by 0, zero check 2, cls",
372 		.insns = {
373 			BPF_MOV32_IMM(BPF_REG_1, 0),
374 			BPF_MOV32_IMM(BPF_REG_0, -1),
375 			BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
376 			BPF_EXIT_INSN(),
377 		},
378 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
379 		.result = ACCEPT,
380 		.retval = -1,
381 	},
382 	/* Just make sure that JITs used udiv/umod as otherwise we get
383 	 * an exception from INT_MIN/-1 overflow similarly as with div
384 	 * by zero.
385 	 */
386 	{
387 		"DIV32 overflow, check 1",
388 		.insns = {
389 			BPF_MOV32_IMM(BPF_REG_1, -1),
390 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
391 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
392 			BPF_EXIT_INSN(),
393 		},
394 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
395 		.result = ACCEPT,
396 		.retval = 0,
397 	},
398 	{
399 		"DIV32 overflow, check 2",
400 		.insns = {
401 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
402 			BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
403 			BPF_EXIT_INSN(),
404 		},
405 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
406 		.result = ACCEPT,
407 		.retval = 0,
408 	},
409 	{
410 		"DIV64 overflow, check 1",
411 		.insns = {
412 			BPF_MOV64_IMM(BPF_REG_1, -1),
413 			BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
414 			BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
415 			BPF_EXIT_INSN(),
416 		},
417 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
418 		.result = ACCEPT,
419 		.retval = 0,
420 	},
421 	{
422 		"DIV64 overflow, check 2",
423 		.insns = {
424 			BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
425 			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
426 			BPF_EXIT_INSN(),
427 		},
428 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
429 		.result = ACCEPT,
430 		.retval = 0,
431 	},
432 	{
433 		"MOD32 overflow, check 1",
434 		.insns = {
435 			BPF_MOV32_IMM(BPF_REG_1, -1),
436 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
437 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
438 			BPF_EXIT_INSN(),
439 		},
440 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
441 		.result = ACCEPT,
442 		.retval = INT_MIN,
443 	},
444 	{
445 		"MOD32 overflow, check 2",
446 		.insns = {
447 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
448 			BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
449 			BPF_EXIT_INSN(),
450 		},
451 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
452 		.result = ACCEPT,
453 		.retval = INT_MIN,
454 	},
455 	{
456 		"MOD64 overflow, check 1",
457 		.insns = {
458 			BPF_MOV64_IMM(BPF_REG_1, -1),
459 			BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
460 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
461 			BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
462 			BPF_MOV32_IMM(BPF_REG_0, 0),
463 			BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
464 			BPF_MOV32_IMM(BPF_REG_0, 1),
465 			BPF_EXIT_INSN(),
466 		},
467 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
468 		.result = ACCEPT,
469 		.retval = 1,
470 	},
471 	{
472 		"MOD64 overflow, check 2",
473 		.insns = {
474 			BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
475 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
476 			BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
477 			BPF_MOV32_IMM(BPF_REG_0, 0),
478 			BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
479 			BPF_MOV32_IMM(BPF_REG_0, 1),
480 			BPF_EXIT_INSN(),
481 		},
482 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
483 		.result = ACCEPT,
484 		.retval = 1,
485 	},
486 	{
487 		"xor32 zero extend check",
488 		.insns = {
489 			BPF_MOV32_IMM(BPF_REG_2, -1),
490 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
491 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
492 			BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
493 			BPF_MOV32_IMM(BPF_REG_0, 2),
494 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
495 			BPF_MOV32_IMM(BPF_REG_0, 1),
496 			BPF_EXIT_INSN(),
497 		},
498 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
499 		.result = ACCEPT,
500 		.retval = 1,
501 	},
502 	{
503 		"empty prog",
504 		.insns = {
505 		},
506 		.errstr = "unknown opcode 00",
507 		.result = REJECT,
508 	},
509 	{
510 		"only exit insn",
511 		.insns = {
512 			BPF_EXIT_INSN(),
513 		},
514 		.errstr = "R0 !read_ok",
515 		.result = REJECT,
516 	},
517 	{
518 		"unreachable",
519 		.insns = {
520 			BPF_EXIT_INSN(),
521 			BPF_EXIT_INSN(),
522 		},
523 		.errstr = "unreachable",
524 		.result = REJECT,
525 	},
526 	{
527 		"unreachable2",
528 		.insns = {
529 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
530 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
531 			BPF_EXIT_INSN(),
532 		},
533 		.errstr = "unreachable",
534 		.result = REJECT,
535 	},
536 	{
537 		"out of range jump",
538 		.insns = {
539 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
540 			BPF_EXIT_INSN(),
541 		},
542 		.errstr = "jump out of range",
543 		.result = REJECT,
544 	},
545 	{
546 		"out of range jump2",
547 		.insns = {
548 			BPF_JMP_IMM(BPF_JA, 0, 0, -2),
549 			BPF_EXIT_INSN(),
550 		},
551 		.errstr = "jump out of range",
552 		.result = REJECT,
553 	},
554 	{
555 		"test1 ld_imm64",
556 		.insns = {
557 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
558 			BPF_LD_IMM64(BPF_REG_0, 0),
559 			BPF_LD_IMM64(BPF_REG_0, 0),
560 			BPF_LD_IMM64(BPF_REG_0, 1),
561 			BPF_LD_IMM64(BPF_REG_0, 1),
562 			BPF_MOV64_IMM(BPF_REG_0, 2),
563 			BPF_EXIT_INSN(),
564 		},
565 		.errstr = "invalid BPF_LD_IMM insn",
566 		.errstr_unpriv = "R1 pointer comparison",
567 		.result = REJECT,
568 	},
569 	{
570 		"test2 ld_imm64",
571 		.insns = {
572 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
573 			BPF_LD_IMM64(BPF_REG_0, 0),
574 			BPF_LD_IMM64(BPF_REG_0, 0),
575 			BPF_LD_IMM64(BPF_REG_0, 1),
576 			BPF_LD_IMM64(BPF_REG_0, 1),
577 			BPF_EXIT_INSN(),
578 		},
579 		.errstr = "invalid BPF_LD_IMM insn",
580 		.errstr_unpriv = "R1 pointer comparison",
581 		.result = REJECT,
582 	},
583 	{
584 		"test3 ld_imm64",
585 		.insns = {
586 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
587 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
588 			BPF_LD_IMM64(BPF_REG_0, 0),
589 			BPF_LD_IMM64(BPF_REG_0, 0),
590 			BPF_LD_IMM64(BPF_REG_0, 1),
591 			BPF_LD_IMM64(BPF_REG_0, 1),
592 			BPF_EXIT_INSN(),
593 		},
594 		.errstr = "invalid bpf_ld_imm64 insn",
595 		.result = REJECT,
596 	},
597 	{
598 		"test4 ld_imm64",
599 		.insns = {
600 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
601 			BPF_EXIT_INSN(),
602 		},
603 		.errstr = "invalid bpf_ld_imm64 insn",
604 		.result = REJECT,
605 	},
606 	{
607 		"test5 ld_imm64",
608 		.insns = {
609 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
610 		},
611 		.errstr = "invalid bpf_ld_imm64 insn",
612 		.result = REJECT,
613 	},
614 	{
615 		"test6 ld_imm64",
616 		.insns = {
617 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
618 			BPF_RAW_INSN(0, 0, 0, 0, 0),
619 			BPF_EXIT_INSN(),
620 		},
621 		.result = ACCEPT,
622 	},
623 	{
624 		"test7 ld_imm64",
625 		.insns = {
626 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
627 			BPF_RAW_INSN(0, 0, 0, 0, 1),
628 			BPF_EXIT_INSN(),
629 		},
630 		.result = ACCEPT,
631 		.retval = 1,
632 	},
633 	{
634 		"test8 ld_imm64",
635 		.insns = {
636 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
637 			BPF_RAW_INSN(0, 0, 0, 0, 1),
638 			BPF_EXIT_INSN(),
639 		},
640 		.errstr = "uses reserved fields",
641 		.result = REJECT,
642 	},
643 	{
644 		"test9 ld_imm64",
645 		.insns = {
646 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
647 			BPF_RAW_INSN(0, 0, 0, 1, 1),
648 			BPF_EXIT_INSN(),
649 		},
650 		.errstr = "invalid bpf_ld_imm64 insn",
651 		.result = REJECT,
652 	},
653 	{
654 		"test10 ld_imm64",
655 		.insns = {
656 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
657 			BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
658 			BPF_EXIT_INSN(),
659 		},
660 		.errstr = "invalid bpf_ld_imm64 insn",
661 		.result = REJECT,
662 	},
663 	{
664 		"test11 ld_imm64",
665 		.insns = {
666 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
667 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
668 			BPF_EXIT_INSN(),
669 		},
670 		.errstr = "invalid bpf_ld_imm64 insn",
671 		.result = REJECT,
672 	},
673 	{
674 		"test12 ld_imm64",
675 		.insns = {
676 			BPF_MOV64_IMM(BPF_REG_1, 0),
677 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
678 			BPF_RAW_INSN(0, 0, 0, 0, 1),
679 			BPF_EXIT_INSN(),
680 		},
681 		.errstr = "not pointing to valid bpf_map",
682 		.result = REJECT,
683 	},
684 	{
685 		"test13 ld_imm64",
686 		.insns = {
687 			BPF_MOV64_IMM(BPF_REG_1, 0),
688 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
689 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
690 			BPF_EXIT_INSN(),
691 		},
692 		.errstr = "invalid bpf_ld_imm64 insn",
693 		.result = REJECT,
694 	},
695 	{
696 		"arsh32 on imm",
697 		.insns = {
698 			BPF_MOV64_IMM(BPF_REG_0, 1),
699 			BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
700 			BPF_EXIT_INSN(),
701 		},
702 		.result = REJECT,
703 		.errstr = "unknown opcode c4",
704 	},
705 	{
706 		"arsh32 on reg",
707 		.insns = {
708 			BPF_MOV64_IMM(BPF_REG_0, 1),
709 			BPF_MOV64_IMM(BPF_REG_1, 5),
710 			BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
711 			BPF_EXIT_INSN(),
712 		},
713 		.result = REJECT,
714 		.errstr = "unknown opcode cc",
715 	},
716 	{
717 		"arsh64 on imm",
718 		.insns = {
719 			BPF_MOV64_IMM(BPF_REG_0, 1),
720 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
721 			BPF_EXIT_INSN(),
722 		},
723 		.result = ACCEPT,
724 	},
725 	{
726 		"arsh64 on reg",
727 		.insns = {
728 			BPF_MOV64_IMM(BPF_REG_0, 1),
729 			BPF_MOV64_IMM(BPF_REG_1, 5),
730 			BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
731 			BPF_EXIT_INSN(),
732 		},
733 		.result = ACCEPT,
734 	},
735 	{
736 		"no bpf_exit",
737 		.insns = {
738 			BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
739 		},
740 		.errstr = "not an exit",
741 		.result = REJECT,
742 	},
743 	{
744 		"loop (back-edge)",
745 		.insns = {
746 			BPF_JMP_IMM(BPF_JA, 0, 0, -1),
747 			BPF_EXIT_INSN(),
748 		},
749 		.errstr = "back-edge",
750 		.result = REJECT,
751 	},
752 	{
753 		"loop2 (back-edge)",
754 		.insns = {
755 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
756 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
757 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
758 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
759 			BPF_EXIT_INSN(),
760 		},
761 		.errstr = "back-edge",
762 		.result = REJECT,
763 	},
764 	{
765 		"conditional loop",
766 		.insns = {
767 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
768 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
769 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
770 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
771 			BPF_EXIT_INSN(),
772 		},
773 		.errstr = "back-edge",
774 		.result = REJECT,
775 	},
776 	{
777 		"read uninitialized register",
778 		.insns = {
779 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
780 			BPF_EXIT_INSN(),
781 		},
782 		.errstr = "R2 !read_ok",
783 		.result = REJECT,
784 	},
785 	{
786 		"read invalid register",
787 		.insns = {
788 			BPF_MOV64_REG(BPF_REG_0, -1),
789 			BPF_EXIT_INSN(),
790 		},
791 		.errstr = "R15 is invalid",
792 		.result = REJECT,
793 	},
794 	{
795 		"program doesn't init R0 before exit",
796 		.insns = {
797 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
798 			BPF_EXIT_INSN(),
799 		},
800 		.errstr = "R0 !read_ok",
801 		.result = REJECT,
802 	},
803 	{
804 		"program doesn't init R0 before exit in all branches",
805 		.insns = {
806 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
807 			BPF_MOV64_IMM(BPF_REG_0, 1),
808 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
809 			BPF_EXIT_INSN(),
810 		},
811 		.errstr = "R0 !read_ok",
812 		.errstr_unpriv = "R1 pointer comparison",
813 		.result = REJECT,
814 	},
815 	{
816 		"stack out of bounds",
817 		.insns = {
818 			BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
819 			BPF_EXIT_INSN(),
820 		},
821 		.errstr = "invalid stack",
822 		.result = REJECT,
823 	},
824 	{
825 		"invalid call insn1",
826 		.insns = {
827 			BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
828 			BPF_EXIT_INSN(),
829 		},
830 		.errstr = "unknown opcode 8d",
831 		.result = REJECT,
832 	},
833 	{
834 		"invalid call insn2",
835 		.insns = {
836 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
837 			BPF_EXIT_INSN(),
838 		},
839 		.errstr = "BPF_CALL uses reserved",
840 		.result = REJECT,
841 	},
842 	{
843 		"invalid function call",
844 		.insns = {
845 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
846 			BPF_EXIT_INSN(),
847 		},
848 		.errstr = "invalid func unknown#1234567",
849 		.result = REJECT,
850 	},
851 	{
852 		"uninitialized stack1",
853 		.insns = {
854 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
855 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
856 			BPF_LD_MAP_FD(BPF_REG_1, 0),
857 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
858 				     BPF_FUNC_map_lookup_elem),
859 			BPF_EXIT_INSN(),
860 		},
861 		.fixup_map1 = { 2 },
862 		.errstr = "invalid indirect read from stack",
863 		.result = REJECT,
864 	},
865 	{
866 		"uninitialized stack2",
867 		.insns = {
868 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
869 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
870 			BPF_EXIT_INSN(),
871 		},
872 		.errstr = "invalid read from stack",
873 		.result = REJECT,
874 	},
875 	{
876 		"invalid fp arithmetic",
877 		/* If this gets ever changed, make sure JITs can deal with it. */
878 		.insns = {
879 			BPF_MOV64_IMM(BPF_REG_0, 0),
880 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
881 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
882 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
883 			BPF_EXIT_INSN(),
884 		},
885 		.errstr = "R1 subtraction from stack pointer",
886 		.result = REJECT,
887 	},
888 	{
889 		"non-invalid fp arithmetic",
890 		.insns = {
891 			BPF_MOV64_IMM(BPF_REG_0, 0),
892 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
893 			BPF_EXIT_INSN(),
894 		},
895 		.result = ACCEPT,
896 	},
897 	{
898 		"invalid argument register",
899 		.insns = {
900 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
901 				     BPF_FUNC_get_cgroup_classid),
902 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
903 				     BPF_FUNC_get_cgroup_classid),
904 			BPF_EXIT_INSN(),
905 		},
906 		.errstr = "R1 !read_ok",
907 		.result = REJECT,
908 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
909 	},
910 	{
911 		"non-invalid argument register",
912 		.insns = {
913 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
914 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
915 				     BPF_FUNC_get_cgroup_classid),
916 			BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
917 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
918 				     BPF_FUNC_get_cgroup_classid),
919 			BPF_EXIT_INSN(),
920 		},
921 		.result = ACCEPT,
922 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
923 	},
924 	{
925 		"check valid spill/fill",
926 		.insns = {
927 			/* spill R1(ctx) into stack */
928 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
929 			/* fill it back into R2 */
930 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
931 			/* should be able to access R0 = *(R2 + 8) */
932 			/* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
933 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
934 			BPF_EXIT_INSN(),
935 		},
936 		.errstr_unpriv = "R0 leaks addr",
937 		.result = ACCEPT,
938 		.result_unpriv = REJECT,
939 		.retval = POINTER_VALUE,
940 	},
941 	{
942 		"check valid spill/fill, skb mark",
943 		.insns = {
944 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
945 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
946 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
947 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
948 				    offsetof(struct __sk_buff, mark)),
949 			BPF_EXIT_INSN(),
950 		},
951 		.result = ACCEPT,
952 		.result_unpriv = ACCEPT,
953 	},
954 	{
955 		"check corrupted spill/fill",
956 		.insns = {
957 			/* spill R1(ctx) into stack */
958 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
959 			/* mess up with R1 pointer on stack */
960 			BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
961 			/* fill back into R0 should fail */
962 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
963 			BPF_EXIT_INSN(),
964 		},
965 		.errstr_unpriv = "attempt to corrupt spilled",
966 		.errstr = "corrupted spill",
967 		.result = REJECT,
968 	},
969 	{
970 		"invalid src register in STX",
971 		.insns = {
972 			BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
973 			BPF_EXIT_INSN(),
974 		},
975 		.errstr = "R15 is invalid",
976 		.result = REJECT,
977 	},
978 	{
979 		"invalid dst register in STX",
980 		.insns = {
981 			BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
982 			BPF_EXIT_INSN(),
983 		},
984 		.errstr = "R14 is invalid",
985 		.result = REJECT,
986 	},
987 	{
988 		"invalid dst register in ST",
989 		.insns = {
990 			BPF_ST_MEM(BPF_B, 14, -1, -1),
991 			BPF_EXIT_INSN(),
992 		},
993 		.errstr = "R14 is invalid",
994 		.result = REJECT,
995 	},
996 	{
997 		"invalid src register in LDX",
998 		.insns = {
999 			BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1000 			BPF_EXIT_INSN(),
1001 		},
1002 		.errstr = "R12 is invalid",
1003 		.result = REJECT,
1004 	},
1005 	{
1006 		"invalid dst register in LDX",
1007 		.insns = {
1008 			BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1009 			BPF_EXIT_INSN(),
1010 		},
1011 		.errstr = "R11 is invalid",
1012 		.result = REJECT,
1013 	},
1014 	{
1015 		"junk insn",
1016 		.insns = {
1017 			BPF_RAW_INSN(0, 0, 0, 0, 0),
1018 			BPF_EXIT_INSN(),
1019 		},
1020 		.errstr = "unknown opcode 00",
1021 		.result = REJECT,
1022 	},
1023 	{
1024 		"junk insn2",
1025 		.insns = {
1026 			BPF_RAW_INSN(1, 0, 0, 0, 0),
1027 			BPF_EXIT_INSN(),
1028 		},
1029 		.errstr = "BPF_LDX uses reserved fields",
1030 		.result = REJECT,
1031 	},
1032 	{
1033 		"junk insn3",
1034 		.insns = {
1035 			BPF_RAW_INSN(-1, 0, 0, 0, 0),
1036 			BPF_EXIT_INSN(),
1037 		},
1038 		.errstr = "unknown opcode ff",
1039 		.result = REJECT,
1040 	},
1041 	{
1042 		"junk insn4",
1043 		.insns = {
1044 			BPF_RAW_INSN(-1, -1, -1, -1, -1),
1045 			BPF_EXIT_INSN(),
1046 		},
1047 		.errstr = "unknown opcode ff",
1048 		.result = REJECT,
1049 	},
1050 	{
1051 		"junk insn5",
1052 		.insns = {
1053 			BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1054 			BPF_EXIT_INSN(),
1055 		},
1056 		.errstr = "BPF_ALU uses reserved fields",
1057 		.result = REJECT,
1058 	},
1059 	{
1060 		"misaligned read from stack",
1061 		.insns = {
1062 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1063 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1064 			BPF_EXIT_INSN(),
1065 		},
1066 		.errstr = "misaligned stack access",
1067 		.result = REJECT,
1068 	},
1069 	{
1070 		"invalid map_fd for function call",
1071 		.insns = {
1072 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1073 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1074 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1075 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1076 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1077 				     BPF_FUNC_map_delete_elem),
1078 			BPF_EXIT_INSN(),
1079 		},
1080 		.errstr = "fd 0 is not pointing to valid bpf_map",
1081 		.result = REJECT,
1082 	},
1083 	{
1084 		"don't check return value before access",
1085 		.insns = {
1086 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1087 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1088 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1089 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1090 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1091 				     BPF_FUNC_map_lookup_elem),
1092 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1093 			BPF_EXIT_INSN(),
1094 		},
1095 		.fixup_map1 = { 3 },
1096 		.errstr = "R0 invalid mem access 'map_value_or_null'",
1097 		.result = REJECT,
1098 	},
1099 	{
1100 		"access memory with incorrect alignment",
1101 		.insns = {
1102 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1103 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1104 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1105 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1106 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1107 				     BPF_FUNC_map_lookup_elem),
1108 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1109 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1110 			BPF_EXIT_INSN(),
1111 		},
1112 		.fixup_map1 = { 3 },
1113 		.errstr = "misaligned value access",
1114 		.result = REJECT,
1115 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1116 	},
1117 	{
1118 		"sometimes access memory with incorrect alignment",
1119 		.insns = {
1120 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1121 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1122 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1123 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1124 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1125 				     BPF_FUNC_map_lookup_elem),
1126 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1127 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1128 			BPF_EXIT_INSN(),
1129 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1130 			BPF_EXIT_INSN(),
1131 		},
1132 		.fixup_map1 = { 3 },
1133 		.errstr = "R0 invalid mem access",
1134 		.errstr_unpriv = "R0 leaks addr",
1135 		.result = REJECT,
1136 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1137 	},
1138 	{
1139 		"jump test 1",
1140 		.insns = {
1141 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1142 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1143 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1144 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1145 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1146 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1147 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1148 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1149 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1150 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1151 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1152 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1153 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1154 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1155 			BPF_MOV64_IMM(BPF_REG_0, 0),
1156 			BPF_EXIT_INSN(),
1157 		},
1158 		.errstr_unpriv = "R1 pointer comparison",
1159 		.result_unpriv = REJECT,
1160 		.result = ACCEPT,
1161 	},
1162 	{
1163 		"jump test 2",
1164 		.insns = {
1165 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1166 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1167 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1168 			BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1169 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1170 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1171 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1172 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1173 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1174 			BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1175 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1176 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1177 			BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1178 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1179 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1180 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1181 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1182 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1183 			BPF_MOV64_IMM(BPF_REG_0, 0),
1184 			BPF_EXIT_INSN(),
1185 		},
1186 		.errstr_unpriv = "R1 pointer comparison",
1187 		.result_unpriv = REJECT,
1188 		.result = ACCEPT,
1189 	},
1190 	{
1191 		"jump test 3",
1192 		.insns = {
1193 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1194 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1195 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1196 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1197 			BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1198 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1199 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1200 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1201 			BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1202 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1203 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1204 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1205 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1206 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1207 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1208 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1209 			BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1210 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1211 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1212 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1213 			BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1214 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1215 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1216 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1217 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1218 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1219 				     BPF_FUNC_map_delete_elem),
1220 			BPF_EXIT_INSN(),
1221 		},
1222 		.fixup_map1 = { 24 },
1223 		.errstr_unpriv = "R1 pointer comparison",
1224 		.result_unpriv = REJECT,
1225 		.result = ACCEPT,
1226 		.retval = -ENOENT,
1227 	},
1228 	{
1229 		"jump test 4",
1230 		.insns = {
1231 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1232 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1233 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1234 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1235 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1236 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1237 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1238 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1239 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1240 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1241 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1242 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1243 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1244 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1245 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1246 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1247 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1248 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1249 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1250 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1251 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1252 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1253 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1254 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1255 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1256 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1257 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1258 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1259 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1260 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1261 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1262 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1263 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1264 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1265 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1266 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1267 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1268 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1269 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1270 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1271 			BPF_MOV64_IMM(BPF_REG_0, 0),
1272 			BPF_EXIT_INSN(),
1273 		},
1274 		.errstr_unpriv = "R1 pointer comparison",
1275 		.result_unpriv = REJECT,
1276 		.result = ACCEPT,
1277 	},
1278 	{
1279 		"jump test 5",
1280 		.insns = {
1281 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1282 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1283 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1284 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1285 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1286 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1287 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1288 			BPF_MOV64_IMM(BPF_REG_0, 0),
1289 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1290 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1291 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1292 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1293 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1294 			BPF_MOV64_IMM(BPF_REG_0, 0),
1295 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1296 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1297 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1298 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1299 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1300 			BPF_MOV64_IMM(BPF_REG_0, 0),
1301 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1302 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1303 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1304 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1305 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1306 			BPF_MOV64_IMM(BPF_REG_0, 0),
1307 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1308 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1309 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1310 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1311 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1312 			BPF_MOV64_IMM(BPF_REG_0, 0),
1313 			BPF_EXIT_INSN(),
1314 		},
1315 		.errstr_unpriv = "R1 pointer comparison",
1316 		.result_unpriv = REJECT,
1317 		.result = ACCEPT,
1318 	},
1319 	{
1320 		"access skb fields ok",
1321 		.insns = {
1322 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1323 				    offsetof(struct __sk_buff, len)),
1324 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1325 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1326 				    offsetof(struct __sk_buff, mark)),
1327 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1328 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1329 				    offsetof(struct __sk_buff, pkt_type)),
1330 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1331 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1332 				    offsetof(struct __sk_buff, queue_mapping)),
1333 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1334 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1335 				    offsetof(struct __sk_buff, protocol)),
1336 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1337 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1338 				    offsetof(struct __sk_buff, vlan_present)),
1339 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1340 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1341 				    offsetof(struct __sk_buff, vlan_tci)),
1342 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1343 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1344 				    offsetof(struct __sk_buff, napi_id)),
1345 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1346 			BPF_EXIT_INSN(),
1347 		},
1348 		.result = ACCEPT,
1349 	},
1350 	{
1351 		"access skb fields bad1",
1352 		.insns = {
1353 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1354 			BPF_EXIT_INSN(),
1355 		},
1356 		.errstr = "invalid bpf_context access",
1357 		.result = REJECT,
1358 	},
1359 	{
1360 		"access skb fields bad2",
1361 		.insns = {
1362 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1363 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1364 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1365 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1366 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1367 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1368 				     BPF_FUNC_map_lookup_elem),
1369 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1370 			BPF_EXIT_INSN(),
1371 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1372 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1373 				    offsetof(struct __sk_buff, pkt_type)),
1374 			BPF_EXIT_INSN(),
1375 		},
1376 		.fixup_map1 = { 4 },
1377 		.errstr = "different pointers",
1378 		.errstr_unpriv = "R1 pointer comparison",
1379 		.result = REJECT,
1380 	},
1381 	{
1382 		"access skb fields bad3",
1383 		.insns = {
1384 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1385 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1386 				    offsetof(struct __sk_buff, pkt_type)),
1387 			BPF_EXIT_INSN(),
1388 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1389 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1390 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1391 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1392 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1393 				     BPF_FUNC_map_lookup_elem),
1394 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1395 			BPF_EXIT_INSN(),
1396 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1397 			BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1398 		},
1399 		.fixup_map1 = { 6 },
1400 		.errstr = "different pointers",
1401 		.errstr_unpriv = "R1 pointer comparison",
1402 		.result = REJECT,
1403 	},
1404 	{
1405 		"access skb fields bad4",
1406 		.insns = {
1407 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1408 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1409 				    offsetof(struct __sk_buff, len)),
1410 			BPF_MOV64_IMM(BPF_REG_0, 0),
1411 			BPF_EXIT_INSN(),
1412 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1413 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1414 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1415 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1416 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1417 				     BPF_FUNC_map_lookup_elem),
1418 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1419 			BPF_EXIT_INSN(),
1420 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1421 			BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1422 		},
1423 		.fixup_map1 = { 7 },
1424 		.errstr = "different pointers",
1425 		.errstr_unpriv = "R1 pointer comparison",
1426 		.result = REJECT,
1427 	},
1428 	{
1429 		"invalid access __sk_buff family",
1430 		.insns = {
1431 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1432 				    offsetof(struct __sk_buff, family)),
1433 			BPF_EXIT_INSN(),
1434 		},
1435 		.errstr = "invalid bpf_context access",
1436 		.result = REJECT,
1437 	},
1438 	{
1439 		"invalid access __sk_buff remote_ip4",
1440 		.insns = {
1441 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1442 				    offsetof(struct __sk_buff, remote_ip4)),
1443 			BPF_EXIT_INSN(),
1444 		},
1445 		.errstr = "invalid bpf_context access",
1446 		.result = REJECT,
1447 	},
1448 	{
1449 		"invalid access __sk_buff local_ip4",
1450 		.insns = {
1451 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1452 				    offsetof(struct __sk_buff, local_ip4)),
1453 			BPF_EXIT_INSN(),
1454 		},
1455 		.errstr = "invalid bpf_context access",
1456 		.result = REJECT,
1457 	},
1458 	{
1459 		"invalid access __sk_buff remote_ip6",
1460 		.insns = {
1461 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1462 				    offsetof(struct __sk_buff, remote_ip6)),
1463 			BPF_EXIT_INSN(),
1464 		},
1465 		.errstr = "invalid bpf_context access",
1466 		.result = REJECT,
1467 	},
1468 	{
1469 		"invalid access __sk_buff local_ip6",
1470 		.insns = {
1471 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1472 				    offsetof(struct __sk_buff, local_ip6)),
1473 			BPF_EXIT_INSN(),
1474 		},
1475 		.errstr = "invalid bpf_context access",
1476 		.result = REJECT,
1477 	},
1478 	{
1479 		"invalid access __sk_buff remote_port",
1480 		.insns = {
1481 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1482 				    offsetof(struct __sk_buff, remote_port)),
1483 			BPF_EXIT_INSN(),
1484 		},
1485 		.errstr = "invalid bpf_context access",
1486 		.result = REJECT,
1487 	},
1488 	{
1489 		"invalid access __sk_buff remote_port",
1490 		.insns = {
1491 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1492 				    offsetof(struct __sk_buff, local_port)),
1493 			BPF_EXIT_INSN(),
1494 		},
1495 		.errstr = "invalid bpf_context access",
1496 		.result = REJECT,
1497 	},
1498 	{
1499 		"valid access __sk_buff family",
1500 		.insns = {
1501 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1502 				    offsetof(struct __sk_buff, family)),
1503 			BPF_EXIT_INSN(),
1504 		},
1505 		.result = ACCEPT,
1506 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1507 	},
1508 	{
1509 		"valid access __sk_buff remote_ip4",
1510 		.insns = {
1511 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1512 				    offsetof(struct __sk_buff, remote_ip4)),
1513 			BPF_EXIT_INSN(),
1514 		},
1515 		.result = ACCEPT,
1516 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1517 	},
1518 	{
1519 		"valid access __sk_buff local_ip4",
1520 		.insns = {
1521 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1522 				    offsetof(struct __sk_buff, local_ip4)),
1523 			BPF_EXIT_INSN(),
1524 		},
1525 		.result = ACCEPT,
1526 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1527 	},
1528 	{
1529 		"valid access __sk_buff remote_ip6",
1530 		.insns = {
1531 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1532 				    offsetof(struct __sk_buff, remote_ip6[0])),
1533 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1534 				    offsetof(struct __sk_buff, remote_ip6[1])),
1535 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1536 				    offsetof(struct __sk_buff, remote_ip6[2])),
1537 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1538 				    offsetof(struct __sk_buff, remote_ip6[3])),
1539 			BPF_EXIT_INSN(),
1540 		},
1541 		.result = ACCEPT,
1542 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1543 	},
1544 	{
1545 		"valid access __sk_buff local_ip6",
1546 		.insns = {
1547 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1548 				    offsetof(struct __sk_buff, local_ip6[0])),
1549 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1550 				    offsetof(struct __sk_buff, local_ip6[1])),
1551 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1552 				    offsetof(struct __sk_buff, local_ip6[2])),
1553 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1554 				    offsetof(struct __sk_buff, local_ip6[3])),
1555 			BPF_EXIT_INSN(),
1556 		},
1557 		.result = ACCEPT,
1558 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1559 	},
1560 	{
1561 		"valid access __sk_buff remote_port",
1562 		.insns = {
1563 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1564 				    offsetof(struct __sk_buff, remote_port)),
1565 			BPF_EXIT_INSN(),
1566 		},
1567 		.result = ACCEPT,
1568 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1569 	},
1570 	{
1571 		"valid access __sk_buff remote_port",
1572 		.insns = {
1573 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1574 				    offsetof(struct __sk_buff, local_port)),
1575 			BPF_EXIT_INSN(),
1576 		},
1577 		.result = ACCEPT,
1578 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1579 	},
1580 	{
1581 		"invalid access of tc_classid for SK_SKB",
1582 		.insns = {
1583 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1584 				    offsetof(struct __sk_buff, tc_classid)),
1585 			BPF_EXIT_INSN(),
1586 		},
1587 		.result = REJECT,
1588 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1589 		.errstr = "invalid bpf_context access",
1590 	},
1591 	{
1592 		"invalid access of skb->mark for SK_SKB",
1593 		.insns = {
1594 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1595 				    offsetof(struct __sk_buff, mark)),
1596 			BPF_EXIT_INSN(),
1597 		},
1598 		.result =  REJECT,
1599 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1600 		.errstr = "invalid bpf_context access",
1601 	},
1602 	{
1603 		"check skb->mark is not writeable by SK_SKB",
1604 		.insns = {
1605 			BPF_MOV64_IMM(BPF_REG_0, 0),
1606 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1607 				    offsetof(struct __sk_buff, mark)),
1608 			BPF_EXIT_INSN(),
1609 		},
1610 		.result =  REJECT,
1611 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1612 		.errstr = "invalid bpf_context access",
1613 	},
1614 	{
1615 		"check skb->tc_index is writeable by SK_SKB",
1616 		.insns = {
1617 			BPF_MOV64_IMM(BPF_REG_0, 0),
1618 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1619 				    offsetof(struct __sk_buff, tc_index)),
1620 			BPF_EXIT_INSN(),
1621 		},
1622 		.result = ACCEPT,
1623 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1624 	},
1625 	{
1626 		"check skb->priority is writeable by SK_SKB",
1627 		.insns = {
1628 			BPF_MOV64_IMM(BPF_REG_0, 0),
1629 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1630 				    offsetof(struct __sk_buff, priority)),
1631 			BPF_EXIT_INSN(),
1632 		},
1633 		.result = ACCEPT,
1634 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1635 	},
1636 	{
1637 		"direct packet read for SK_SKB",
1638 		.insns = {
1639 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1640 				    offsetof(struct __sk_buff, data)),
1641 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1642 				    offsetof(struct __sk_buff, data_end)),
1643 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1644 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1645 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1646 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1647 			BPF_MOV64_IMM(BPF_REG_0, 0),
1648 			BPF_EXIT_INSN(),
1649 		},
1650 		.result = ACCEPT,
1651 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1652 	},
1653 	{
1654 		"direct packet write for SK_SKB",
1655 		.insns = {
1656 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1657 				    offsetof(struct __sk_buff, data)),
1658 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1659 				    offsetof(struct __sk_buff, data_end)),
1660 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1661 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1662 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1663 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1664 			BPF_MOV64_IMM(BPF_REG_0, 0),
1665 			BPF_EXIT_INSN(),
1666 		},
1667 		.result = ACCEPT,
1668 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1669 	},
1670 	{
1671 		"overlapping checks for direct packet access SK_SKB",
1672 		.insns = {
1673 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1674 				    offsetof(struct __sk_buff, data)),
1675 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1676 				    offsetof(struct __sk_buff, data_end)),
1677 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1678 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1679 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1680 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1681 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1682 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1683 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1684 			BPF_MOV64_IMM(BPF_REG_0, 0),
1685 			BPF_EXIT_INSN(),
1686 		},
1687 		.result = ACCEPT,
1688 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1689 	},
1690 	{
1691 		"valid access family in SK_MSG",
1692 		.insns = {
1693 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1694 				    offsetof(struct sk_msg_md, family)),
1695 			BPF_EXIT_INSN(),
1696 		},
1697 		.result = ACCEPT,
1698 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1699 	},
1700 	{
1701 		"valid access remote_ip4 in SK_MSG",
1702 		.insns = {
1703 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1704 				    offsetof(struct sk_msg_md, remote_ip4)),
1705 			BPF_EXIT_INSN(),
1706 		},
1707 		.result = ACCEPT,
1708 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1709 	},
1710 	{
1711 		"valid access local_ip4 in SK_MSG",
1712 		.insns = {
1713 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1714 				    offsetof(struct sk_msg_md, local_ip4)),
1715 			BPF_EXIT_INSN(),
1716 		},
1717 		.result = ACCEPT,
1718 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1719 	},
1720 	{
1721 		"valid access remote_port in SK_MSG",
1722 		.insns = {
1723 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1724 				    offsetof(struct sk_msg_md, remote_port)),
1725 			BPF_EXIT_INSN(),
1726 		},
1727 		.result = ACCEPT,
1728 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1729 	},
1730 	{
1731 		"valid access local_port in SK_MSG",
1732 		.insns = {
1733 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1734 				    offsetof(struct sk_msg_md, local_port)),
1735 			BPF_EXIT_INSN(),
1736 		},
1737 		.result = ACCEPT,
1738 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1739 	},
1740 	{
1741 		"valid access remote_ip6 in SK_MSG",
1742 		.insns = {
1743 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1744 				    offsetof(struct sk_msg_md, remote_ip6[0])),
1745 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746 				    offsetof(struct sk_msg_md, remote_ip6[1])),
1747 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1748 				    offsetof(struct sk_msg_md, remote_ip6[2])),
1749 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1750 				    offsetof(struct sk_msg_md, remote_ip6[3])),
1751 			BPF_EXIT_INSN(),
1752 		},
1753 		.result = ACCEPT,
1754 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1755 	},
1756 	{
1757 		"valid access local_ip6 in SK_MSG",
1758 		.insns = {
1759 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1760 				    offsetof(struct sk_msg_md, local_ip6[0])),
1761 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1762 				    offsetof(struct sk_msg_md, local_ip6[1])),
1763 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1764 				    offsetof(struct sk_msg_md, local_ip6[2])),
1765 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1766 				    offsetof(struct sk_msg_md, local_ip6[3])),
1767 			BPF_EXIT_INSN(),
1768 		},
1769 		.result = ACCEPT,
1770 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1771 	},
1772 	{
1773 		"invalid 64B read of family in SK_MSG",
1774 		.insns = {
1775 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1776 				    offsetof(struct sk_msg_md, family)),
1777 			BPF_EXIT_INSN(),
1778 		},
1779 		.errstr = "invalid bpf_context access",
1780 		.result = REJECT,
1781 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1782 	},
1783 	{
1784 		"invalid read past end of SK_MSG",
1785 		.insns = {
1786 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1787 				    offsetof(struct sk_msg_md, local_port) + 4),
1788 			BPF_EXIT_INSN(),
1789 		},
1790 		.errstr = "R0 !read_ok",
1791 		.result = REJECT,
1792 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1793 	},
1794 	{
1795 		"invalid read offset in SK_MSG",
1796 		.insns = {
1797 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1798 				    offsetof(struct sk_msg_md, family) + 1),
1799 			BPF_EXIT_INSN(),
1800 		},
1801 		.errstr = "invalid bpf_context access",
1802 		.result = REJECT,
1803 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1804 	},
1805 	{
1806 		"direct packet read for SK_MSG",
1807 		.insns = {
1808 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1809 				    offsetof(struct sk_msg_md, data)),
1810 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1811 				    offsetof(struct sk_msg_md, data_end)),
1812 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1813 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1814 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1815 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1816 			BPF_MOV64_IMM(BPF_REG_0, 0),
1817 			BPF_EXIT_INSN(),
1818 		},
1819 		.result = ACCEPT,
1820 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1821 	},
1822 	{
1823 		"direct packet write for SK_MSG",
1824 		.insns = {
1825 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1826 				    offsetof(struct sk_msg_md, data)),
1827 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1828 				    offsetof(struct sk_msg_md, data_end)),
1829 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1830 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1831 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1832 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1833 			BPF_MOV64_IMM(BPF_REG_0, 0),
1834 			BPF_EXIT_INSN(),
1835 		},
1836 		.result = ACCEPT,
1837 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1838 	},
1839 	{
1840 		"overlapping checks for direct packet access SK_MSG",
1841 		.insns = {
1842 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1843 				    offsetof(struct sk_msg_md, data)),
1844 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1845 				    offsetof(struct sk_msg_md, data_end)),
1846 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1847 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1848 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1849 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1850 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1851 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1852 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1853 			BPF_MOV64_IMM(BPF_REG_0, 0),
1854 			BPF_EXIT_INSN(),
1855 		},
1856 		.result = ACCEPT,
1857 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1858 	},
1859 	{
1860 		"check skb->mark is not writeable by sockets",
1861 		.insns = {
1862 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1863 				    offsetof(struct __sk_buff, mark)),
1864 			BPF_EXIT_INSN(),
1865 		},
1866 		.errstr = "invalid bpf_context access",
1867 		.errstr_unpriv = "R1 leaks addr",
1868 		.result = REJECT,
1869 	},
1870 	{
1871 		"check skb->tc_index is not writeable by sockets",
1872 		.insns = {
1873 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1874 				    offsetof(struct __sk_buff, tc_index)),
1875 			BPF_EXIT_INSN(),
1876 		},
1877 		.errstr = "invalid bpf_context access",
1878 		.errstr_unpriv = "R1 leaks addr",
1879 		.result = REJECT,
1880 	},
1881 	{
1882 		"check cb access: byte",
1883 		.insns = {
1884 			BPF_MOV64_IMM(BPF_REG_0, 0),
1885 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1886 				    offsetof(struct __sk_buff, cb[0])),
1887 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1888 				    offsetof(struct __sk_buff, cb[0]) + 1),
1889 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1890 				    offsetof(struct __sk_buff, cb[0]) + 2),
1891 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1892 				    offsetof(struct __sk_buff, cb[0]) + 3),
1893 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1894 				    offsetof(struct __sk_buff, cb[1])),
1895 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1896 				    offsetof(struct __sk_buff, cb[1]) + 1),
1897 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1898 				    offsetof(struct __sk_buff, cb[1]) + 2),
1899 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1900 				    offsetof(struct __sk_buff, cb[1]) + 3),
1901 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1902 				    offsetof(struct __sk_buff, cb[2])),
1903 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1904 				    offsetof(struct __sk_buff, cb[2]) + 1),
1905 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1906 				    offsetof(struct __sk_buff, cb[2]) + 2),
1907 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1908 				    offsetof(struct __sk_buff, cb[2]) + 3),
1909 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1910 				    offsetof(struct __sk_buff, cb[3])),
1911 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1912 				    offsetof(struct __sk_buff, cb[3]) + 1),
1913 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1914 				    offsetof(struct __sk_buff, cb[3]) + 2),
1915 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1916 				    offsetof(struct __sk_buff, cb[3]) + 3),
1917 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1918 				    offsetof(struct __sk_buff, cb[4])),
1919 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1920 				    offsetof(struct __sk_buff, cb[4]) + 1),
1921 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1922 				    offsetof(struct __sk_buff, cb[4]) + 2),
1923 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1924 				    offsetof(struct __sk_buff, cb[4]) + 3),
1925 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1926 				    offsetof(struct __sk_buff, cb[0])),
1927 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1928 				    offsetof(struct __sk_buff, cb[0]) + 1),
1929 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1930 				    offsetof(struct __sk_buff, cb[0]) + 2),
1931 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1932 				    offsetof(struct __sk_buff, cb[0]) + 3),
1933 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1934 				    offsetof(struct __sk_buff, cb[1])),
1935 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1936 				    offsetof(struct __sk_buff, cb[1]) + 1),
1937 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1938 				    offsetof(struct __sk_buff, cb[1]) + 2),
1939 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1940 				    offsetof(struct __sk_buff, cb[1]) + 3),
1941 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1942 				    offsetof(struct __sk_buff, cb[2])),
1943 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1944 				    offsetof(struct __sk_buff, cb[2]) + 1),
1945 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1946 				    offsetof(struct __sk_buff, cb[2]) + 2),
1947 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1948 				    offsetof(struct __sk_buff, cb[2]) + 3),
1949 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1950 				    offsetof(struct __sk_buff, cb[3])),
1951 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1952 				    offsetof(struct __sk_buff, cb[3]) + 1),
1953 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1954 				    offsetof(struct __sk_buff, cb[3]) + 2),
1955 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1956 				    offsetof(struct __sk_buff, cb[3]) + 3),
1957 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1958 				    offsetof(struct __sk_buff, cb[4])),
1959 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1960 				    offsetof(struct __sk_buff, cb[4]) + 1),
1961 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1962 				    offsetof(struct __sk_buff, cb[4]) + 2),
1963 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1964 				    offsetof(struct __sk_buff, cb[4]) + 3),
1965 			BPF_EXIT_INSN(),
1966 		},
1967 		.result = ACCEPT,
1968 	},
1969 	{
1970 		"__sk_buff->hash, offset 0, byte store not permitted",
1971 		.insns = {
1972 			BPF_MOV64_IMM(BPF_REG_0, 0),
1973 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1974 				    offsetof(struct __sk_buff, hash)),
1975 			BPF_EXIT_INSN(),
1976 		},
1977 		.errstr = "invalid bpf_context access",
1978 		.result = REJECT,
1979 	},
1980 	{
1981 		"__sk_buff->tc_index, offset 3, byte store not permitted",
1982 		.insns = {
1983 			BPF_MOV64_IMM(BPF_REG_0, 0),
1984 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1985 				    offsetof(struct __sk_buff, tc_index) + 3),
1986 			BPF_EXIT_INSN(),
1987 		},
1988 		.errstr = "invalid bpf_context access",
1989 		.result = REJECT,
1990 	},
1991 	{
1992 		"check skb->hash byte load permitted",
1993 		.insns = {
1994 			BPF_MOV64_IMM(BPF_REG_0, 0),
1995 #if __BYTE_ORDER == __LITTLE_ENDIAN
1996 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1997 				    offsetof(struct __sk_buff, hash)),
1998 #else
1999 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2000 				    offsetof(struct __sk_buff, hash) + 3),
2001 #endif
2002 			BPF_EXIT_INSN(),
2003 		},
2004 		.result = ACCEPT,
2005 	},
2006 	{
2007 		"check skb->hash byte load not permitted 1",
2008 		.insns = {
2009 			BPF_MOV64_IMM(BPF_REG_0, 0),
2010 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2011 				    offsetof(struct __sk_buff, hash) + 1),
2012 			BPF_EXIT_INSN(),
2013 		},
2014 		.errstr = "invalid bpf_context access",
2015 		.result = REJECT,
2016 	},
2017 	{
2018 		"check skb->hash byte load not permitted 2",
2019 		.insns = {
2020 			BPF_MOV64_IMM(BPF_REG_0, 0),
2021 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2022 				    offsetof(struct __sk_buff, hash) + 2),
2023 			BPF_EXIT_INSN(),
2024 		},
2025 		.errstr = "invalid bpf_context access",
2026 		.result = REJECT,
2027 	},
2028 	{
2029 		"check skb->hash byte load not permitted 3",
2030 		.insns = {
2031 			BPF_MOV64_IMM(BPF_REG_0, 0),
2032 #if __BYTE_ORDER == __LITTLE_ENDIAN
2033 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2034 				    offsetof(struct __sk_buff, hash) + 3),
2035 #else
2036 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2037 				    offsetof(struct __sk_buff, hash)),
2038 #endif
2039 			BPF_EXIT_INSN(),
2040 		},
2041 		.errstr = "invalid bpf_context access",
2042 		.result = REJECT,
2043 	},
2044 	{
2045 		"check cb access: byte, wrong type",
2046 		.insns = {
2047 			BPF_MOV64_IMM(BPF_REG_0, 0),
2048 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2049 				    offsetof(struct __sk_buff, cb[0])),
2050 			BPF_EXIT_INSN(),
2051 		},
2052 		.errstr = "invalid bpf_context access",
2053 		.result = REJECT,
2054 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2055 	},
2056 	{
2057 		"check cb access: half",
2058 		.insns = {
2059 			BPF_MOV64_IMM(BPF_REG_0, 0),
2060 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2061 				    offsetof(struct __sk_buff, cb[0])),
2062 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2063 				    offsetof(struct __sk_buff, cb[0]) + 2),
2064 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2065 				    offsetof(struct __sk_buff, cb[1])),
2066 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2067 				    offsetof(struct __sk_buff, cb[1]) + 2),
2068 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2069 				    offsetof(struct __sk_buff, cb[2])),
2070 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2071 				    offsetof(struct __sk_buff, cb[2]) + 2),
2072 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2073 				    offsetof(struct __sk_buff, cb[3])),
2074 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2075 				    offsetof(struct __sk_buff, cb[3]) + 2),
2076 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2077 				    offsetof(struct __sk_buff, cb[4])),
2078 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2079 				    offsetof(struct __sk_buff, cb[4]) + 2),
2080 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2081 				    offsetof(struct __sk_buff, cb[0])),
2082 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2083 				    offsetof(struct __sk_buff, cb[0]) + 2),
2084 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2085 				    offsetof(struct __sk_buff, cb[1])),
2086 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2087 				    offsetof(struct __sk_buff, cb[1]) + 2),
2088 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2089 				    offsetof(struct __sk_buff, cb[2])),
2090 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2091 				    offsetof(struct __sk_buff, cb[2]) + 2),
2092 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2093 				    offsetof(struct __sk_buff, cb[3])),
2094 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2095 				    offsetof(struct __sk_buff, cb[3]) + 2),
2096 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2097 				    offsetof(struct __sk_buff, cb[4])),
2098 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2099 				    offsetof(struct __sk_buff, cb[4]) + 2),
2100 			BPF_EXIT_INSN(),
2101 		},
2102 		.result = ACCEPT,
2103 	},
2104 	{
2105 		"check cb access: half, unaligned",
2106 		.insns = {
2107 			BPF_MOV64_IMM(BPF_REG_0, 0),
2108 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2109 				    offsetof(struct __sk_buff, cb[0]) + 1),
2110 			BPF_EXIT_INSN(),
2111 		},
2112 		.errstr = "misaligned context access",
2113 		.result = REJECT,
2114 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2115 	},
2116 	{
2117 		"check __sk_buff->hash, offset 0, half store not permitted",
2118 		.insns = {
2119 			BPF_MOV64_IMM(BPF_REG_0, 0),
2120 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2121 				    offsetof(struct __sk_buff, hash)),
2122 			BPF_EXIT_INSN(),
2123 		},
2124 		.errstr = "invalid bpf_context access",
2125 		.result = REJECT,
2126 	},
2127 	{
2128 		"check __sk_buff->tc_index, offset 2, half store not permitted",
2129 		.insns = {
2130 			BPF_MOV64_IMM(BPF_REG_0, 0),
2131 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2132 				    offsetof(struct __sk_buff, tc_index) + 2),
2133 			BPF_EXIT_INSN(),
2134 		},
2135 		.errstr = "invalid bpf_context access",
2136 		.result = REJECT,
2137 	},
2138 	{
2139 		"check skb->hash half load permitted",
2140 		.insns = {
2141 			BPF_MOV64_IMM(BPF_REG_0, 0),
2142 #if __BYTE_ORDER == __LITTLE_ENDIAN
2143 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2144 				    offsetof(struct __sk_buff, hash)),
2145 #else
2146 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2147 				    offsetof(struct __sk_buff, hash) + 2),
2148 #endif
2149 			BPF_EXIT_INSN(),
2150 		},
2151 		.result = ACCEPT,
2152 	},
2153 	{
2154 		"check skb->hash half load not permitted",
2155 		.insns = {
2156 			BPF_MOV64_IMM(BPF_REG_0, 0),
2157 #if __BYTE_ORDER == __LITTLE_ENDIAN
2158 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2159 				    offsetof(struct __sk_buff, hash) + 2),
2160 #else
2161 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2162 				    offsetof(struct __sk_buff, hash)),
2163 #endif
2164 			BPF_EXIT_INSN(),
2165 		},
2166 		.errstr = "invalid bpf_context access",
2167 		.result = REJECT,
2168 	},
2169 	{
2170 		"check cb access: half, wrong type",
2171 		.insns = {
2172 			BPF_MOV64_IMM(BPF_REG_0, 0),
2173 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2174 				    offsetof(struct __sk_buff, cb[0])),
2175 			BPF_EXIT_INSN(),
2176 		},
2177 		.errstr = "invalid bpf_context access",
2178 		.result = REJECT,
2179 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2180 	},
2181 	{
2182 		"check cb access: word",
2183 		.insns = {
2184 			BPF_MOV64_IMM(BPF_REG_0, 0),
2185 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2186 				    offsetof(struct __sk_buff, cb[0])),
2187 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2188 				    offsetof(struct __sk_buff, cb[1])),
2189 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2190 				    offsetof(struct __sk_buff, cb[2])),
2191 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2192 				    offsetof(struct __sk_buff, cb[3])),
2193 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2194 				    offsetof(struct __sk_buff, cb[4])),
2195 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2196 				    offsetof(struct __sk_buff, cb[0])),
2197 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2198 				    offsetof(struct __sk_buff, cb[1])),
2199 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2200 				    offsetof(struct __sk_buff, cb[2])),
2201 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2202 				    offsetof(struct __sk_buff, cb[3])),
2203 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2204 				    offsetof(struct __sk_buff, cb[4])),
2205 			BPF_EXIT_INSN(),
2206 		},
2207 		.result = ACCEPT,
2208 	},
2209 	{
2210 		"check cb access: word, unaligned 1",
2211 		.insns = {
2212 			BPF_MOV64_IMM(BPF_REG_0, 0),
2213 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2214 				    offsetof(struct __sk_buff, cb[0]) + 2),
2215 			BPF_EXIT_INSN(),
2216 		},
2217 		.errstr = "misaligned context access",
2218 		.result = REJECT,
2219 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2220 	},
2221 	{
2222 		"check cb access: word, unaligned 2",
2223 		.insns = {
2224 			BPF_MOV64_IMM(BPF_REG_0, 0),
2225 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2226 				    offsetof(struct __sk_buff, cb[4]) + 1),
2227 			BPF_EXIT_INSN(),
2228 		},
2229 		.errstr = "misaligned context access",
2230 		.result = REJECT,
2231 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2232 	},
2233 	{
2234 		"check cb access: word, unaligned 3",
2235 		.insns = {
2236 			BPF_MOV64_IMM(BPF_REG_0, 0),
2237 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2238 				    offsetof(struct __sk_buff, cb[4]) + 2),
2239 			BPF_EXIT_INSN(),
2240 		},
2241 		.errstr = "misaligned context access",
2242 		.result = REJECT,
2243 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2244 	},
2245 	{
2246 		"check cb access: word, unaligned 4",
2247 		.insns = {
2248 			BPF_MOV64_IMM(BPF_REG_0, 0),
2249 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2250 				    offsetof(struct __sk_buff, cb[4]) + 3),
2251 			BPF_EXIT_INSN(),
2252 		},
2253 		.errstr = "misaligned context access",
2254 		.result = REJECT,
2255 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2256 	},
2257 	{
2258 		"check cb access: double",
2259 		.insns = {
2260 			BPF_MOV64_IMM(BPF_REG_0, 0),
2261 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2262 				    offsetof(struct __sk_buff, cb[0])),
2263 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2264 				    offsetof(struct __sk_buff, cb[2])),
2265 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2266 				    offsetof(struct __sk_buff, cb[0])),
2267 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2268 				    offsetof(struct __sk_buff, cb[2])),
2269 			BPF_EXIT_INSN(),
2270 		},
2271 		.result = ACCEPT,
2272 	},
2273 	{
2274 		"check cb access: double, unaligned 1",
2275 		.insns = {
2276 			BPF_MOV64_IMM(BPF_REG_0, 0),
2277 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2278 				    offsetof(struct __sk_buff, cb[1])),
2279 			BPF_EXIT_INSN(),
2280 		},
2281 		.errstr = "misaligned context access",
2282 		.result = REJECT,
2283 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2284 	},
2285 	{
2286 		"check cb access: double, unaligned 2",
2287 		.insns = {
2288 			BPF_MOV64_IMM(BPF_REG_0, 0),
2289 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2290 				    offsetof(struct __sk_buff, cb[3])),
2291 			BPF_EXIT_INSN(),
2292 		},
2293 		.errstr = "misaligned context access",
2294 		.result = REJECT,
2295 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2296 	},
2297 	{
2298 		"check cb access: double, oob 1",
2299 		.insns = {
2300 			BPF_MOV64_IMM(BPF_REG_0, 0),
2301 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2302 				    offsetof(struct __sk_buff, cb[4])),
2303 			BPF_EXIT_INSN(),
2304 		},
2305 		.errstr = "invalid bpf_context access",
2306 		.result = REJECT,
2307 	},
2308 	{
2309 		"check cb access: double, oob 2",
2310 		.insns = {
2311 			BPF_MOV64_IMM(BPF_REG_0, 0),
2312 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2313 				    offsetof(struct __sk_buff, cb[4])),
2314 			BPF_EXIT_INSN(),
2315 		},
2316 		.errstr = "invalid bpf_context access",
2317 		.result = REJECT,
2318 	},
2319 	{
2320 		"check __sk_buff->ifindex dw store not permitted",
2321 		.insns = {
2322 			BPF_MOV64_IMM(BPF_REG_0, 0),
2323 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2324 				    offsetof(struct __sk_buff, ifindex)),
2325 			BPF_EXIT_INSN(),
2326 		},
2327 		.errstr = "invalid bpf_context access",
2328 		.result = REJECT,
2329 	},
2330 	{
2331 		"check __sk_buff->ifindex dw load not permitted",
2332 		.insns = {
2333 			BPF_MOV64_IMM(BPF_REG_0, 0),
2334 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2335 				    offsetof(struct __sk_buff, ifindex)),
2336 			BPF_EXIT_INSN(),
2337 		},
2338 		.errstr = "invalid bpf_context access",
2339 		.result = REJECT,
2340 	},
2341 	{
2342 		"check cb access: double, wrong type",
2343 		.insns = {
2344 			BPF_MOV64_IMM(BPF_REG_0, 0),
2345 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2346 				    offsetof(struct __sk_buff, cb[0])),
2347 			BPF_EXIT_INSN(),
2348 		},
2349 		.errstr = "invalid bpf_context access",
2350 		.result = REJECT,
2351 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2352 	},
2353 	{
2354 		"check out of range skb->cb access",
2355 		.insns = {
2356 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2357 				    offsetof(struct __sk_buff, cb[0]) + 256),
2358 			BPF_EXIT_INSN(),
2359 		},
2360 		.errstr = "invalid bpf_context access",
2361 		.errstr_unpriv = "",
2362 		.result = REJECT,
2363 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
2364 	},
2365 	{
2366 		"write skb fields from socket prog",
2367 		.insns = {
2368 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2369 				    offsetof(struct __sk_buff, cb[4])),
2370 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2371 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2372 				    offsetof(struct __sk_buff, mark)),
2373 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2374 				    offsetof(struct __sk_buff, tc_index)),
2375 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2376 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2377 				    offsetof(struct __sk_buff, cb[0])),
2378 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2379 				    offsetof(struct __sk_buff, cb[2])),
2380 			BPF_EXIT_INSN(),
2381 		},
2382 		.result = ACCEPT,
2383 		.errstr_unpriv = "R1 leaks addr",
2384 		.result_unpriv = REJECT,
2385 	},
2386 	{
2387 		"write skb fields from tc_cls_act prog",
2388 		.insns = {
2389 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2390 				    offsetof(struct __sk_buff, cb[0])),
2391 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2392 				    offsetof(struct __sk_buff, mark)),
2393 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2394 				    offsetof(struct __sk_buff, tc_index)),
2395 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2396 				    offsetof(struct __sk_buff, tc_index)),
2397 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2398 				    offsetof(struct __sk_buff, cb[3])),
2399 			BPF_EXIT_INSN(),
2400 		},
2401 		.errstr_unpriv = "",
2402 		.result_unpriv = REJECT,
2403 		.result = ACCEPT,
2404 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2405 	},
2406 	{
2407 		"PTR_TO_STACK store/load",
2408 		.insns = {
2409 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2410 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2411 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2412 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2413 			BPF_EXIT_INSN(),
2414 		},
2415 		.result = ACCEPT,
2416 		.retval = 0xfaceb00c,
2417 	},
2418 	{
2419 		"PTR_TO_STACK store/load - bad alignment on off",
2420 		.insns = {
2421 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2422 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2423 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2424 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2425 			BPF_EXIT_INSN(),
2426 		},
2427 		.result = REJECT,
2428 		.errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2429 	},
2430 	{
2431 		"PTR_TO_STACK store/load - bad alignment on reg",
2432 		.insns = {
2433 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2434 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2435 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2436 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2437 			BPF_EXIT_INSN(),
2438 		},
2439 		.result = REJECT,
2440 		.errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2441 	},
2442 	{
2443 		"PTR_TO_STACK store/load - out of bounds low",
2444 		.insns = {
2445 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2446 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2447 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2448 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2449 			BPF_EXIT_INSN(),
2450 		},
2451 		.result = REJECT,
2452 		.errstr = "invalid stack off=-79992 size=8",
2453 	},
2454 	{
2455 		"PTR_TO_STACK store/load - out of bounds high",
2456 		.insns = {
2457 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2458 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2459 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2460 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2461 			BPF_EXIT_INSN(),
2462 		},
2463 		.result = REJECT,
2464 		.errstr = "invalid stack off=0 size=8",
2465 	},
2466 	{
2467 		"unpriv: return pointer",
2468 		.insns = {
2469 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2470 			BPF_EXIT_INSN(),
2471 		},
2472 		.result = ACCEPT,
2473 		.result_unpriv = REJECT,
2474 		.errstr_unpriv = "R0 leaks addr",
2475 		.retval = POINTER_VALUE,
2476 	},
2477 	{
2478 		"unpriv: add const to pointer",
2479 		.insns = {
2480 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2481 			BPF_MOV64_IMM(BPF_REG_0, 0),
2482 			BPF_EXIT_INSN(),
2483 		},
2484 		.result = ACCEPT,
2485 	},
2486 	{
2487 		"unpriv: add pointer to pointer",
2488 		.insns = {
2489 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2490 			BPF_MOV64_IMM(BPF_REG_0, 0),
2491 			BPF_EXIT_INSN(),
2492 		},
2493 		.result = REJECT,
2494 		.errstr = "R1 pointer += pointer",
2495 	},
2496 	{
2497 		"unpriv: neg pointer",
2498 		.insns = {
2499 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2500 			BPF_MOV64_IMM(BPF_REG_0, 0),
2501 			BPF_EXIT_INSN(),
2502 		},
2503 		.result = ACCEPT,
2504 		.result_unpriv = REJECT,
2505 		.errstr_unpriv = "R1 pointer arithmetic",
2506 	},
2507 	{
2508 		"unpriv: cmp pointer with const",
2509 		.insns = {
2510 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2511 			BPF_MOV64_IMM(BPF_REG_0, 0),
2512 			BPF_EXIT_INSN(),
2513 		},
2514 		.result = ACCEPT,
2515 		.result_unpriv = REJECT,
2516 		.errstr_unpriv = "R1 pointer comparison",
2517 	},
2518 	{
2519 		"unpriv: cmp pointer with pointer",
2520 		.insns = {
2521 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2522 			BPF_MOV64_IMM(BPF_REG_0, 0),
2523 			BPF_EXIT_INSN(),
2524 		},
2525 		.result = ACCEPT,
2526 		.result_unpriv = REJECT,
2527 		.errstr_unpriv = "R10 pointer comparison",
2528 	},
2529 	{
2530 		"unpriv: check that printk is disallowed",
2531 		.insns = {
2532 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2533 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2534 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2535 			BPF_MOV64_IMM(BPF_REG_2, 8),
2536 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2537 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2538 				     BPF_FUNC_trace_printk),
2539 			BPF_MOV64_IMM(BPF_REG_0, 0),
2540 			BPF_EXIT_INSN(),
2541 		},
2542 		.errstr_unpriv = "unknown func bpf_trace_printk#6",
2543 		.result_unpriv = REJECT,
2544 		.result = ACCEPT,
2545 	},
2546 	{
2547 		"unpriv: pass pointer to helper function",
2548 		.insns = {
2549 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2550 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2551 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2552 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2553 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2554 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2555 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2556 				     BPF_FUNC_map_update_elem),
2557 			BPF_MOV64_IMM(BPF_REG_0, 0),
2558 			BPF_EXIT_INSN(),
2559 		},
2560 		.fixup_map1 = { 3 },
2561 		.errstr_unpriv = "R4 leaks addr",
2562 		.result_unpriv = REJECT,
2563 		.result = ACCEPT,
2564 	},
2565 	{
2566 		"unpriv: indirectly pass pointer on stack to helper function",
2567 		.insns = {
2568 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2569 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2570 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2571 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2572 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2573 				     BPF_FUNC_map_lookup_elem),
2574 			BPF_MOV64_IMM(BPF_REG_0, 0),
2575 			BPF_EXIT_INSN(),
2576 		},
2577 		.fixup_map1 = { 3 },
2578 		.errstr = "invalid indirect read from stack off -8+0 size 8",
2579 		.result = REJECT,
2580 	},
2581 	{
2582 		"unpriv: mangle pointer on stack 1",
2583 		.insns = {
2584 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2585 			BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2586 			BPF_MOV64_IMM(BPF_REG_0, 0),
2587 			BPF_EXIT_INSN(),
2588 		},
2589 		.errstr_unpriv = "attempt to corrupt spilled",
2590 		.result_unpriv = REJECT,
2591 		.result = ACCEPT,
2592 	},
2593 	{
2594 		"unpriv: mangle pointer on stack 2",
2595 		.insns = {
2596 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2597 			BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2598 			BPF_MOV64_IMM(BPF_REG_0, 0),
2599 			BPF_EXIT_INSN(),
2600 		},
2601 		.errstr_unpriv = "attempt to corrupt spilled",
2602 		.result_unpriv = REJECT,
2603 		.result = ACCEPT,
2604 	},
2605 	{
2606 		"unpriv: read pointer from stack in small chunks",
2607 		.insns = {
2608 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2609 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2610 			BPF_MOV64_IMM(BPF_REG_0, 0),
2611 			BPF_EXIT_INSN(),
2612 		},
2613 		.errstr = "invalid size",
2614 		.result = REJECT,
2615 	},
2616 	{
2617 		"unpriv: write pointer into ctx",
2618 		.insns = {
2619 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2620 			BPF_MOV64_IMM(BPF_REG_0, 0),
2621 			BPF_EXIT_INSN(),
2622 		},
2623 		.errstr_unpriv = "R1 leaks addr",
2624 		.result_unpriv = REJECT,
2625 		.errstr = "invalid bpf_context access",
2626 		.result = REJECT,
2627 	},
2628 	{
2629 		"unpriv: spill/fill of ctx",
2630 		.insns = {
2631 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2632 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2633 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2634 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2635 			BPF_MOV64_IMM(BPF_REG_0, 0),
2636 			BPF_EXIT_INSN(),
2637 		},
2638 		.result = ACCEPT,
2639 	},
2640 	{
2641 		"unpriv: spill/fill of ctx 2",
2642 		.insns = {
2643 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2644 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2645 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2646 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2647 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2648 				     BPF_FUNC_get_hash_recalc),
2649 			BPF_MOV64_IMM(BPF_REG_0, 0),
2650 			BPF_EXIT_INSN(),
2651 		},
2652 		.result = ACCEPT,
2653 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2654 	},
2655 	{
2656 		"unpriv: spill/fill of ctx 3",
2657 		.insns = {
2658 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2659 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2660 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2661 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2662 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2663 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2664 				     BPF_FUNC_get_hash_recalc),
2665 			BPF_EXIT_INSN(),
2666 		},
2667 		.result = REJECT,
2668 		.errstr = "R1 type=fp expected=ctx",
2669 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2670 	},
2671 	{
2672 		"unpriv: spill/fill of ctx 4",
2673 		.insns = {
2674 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2675 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2676 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2677 			BPF_MOV64_IMM(BPF_REG_0, 1),
2678 			BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2679 				     BPF_REG_0, -8, 0),
2680 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2681 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2682 				     BPF_FUNC_get_hash_recalc),
2683 			BPF_EXIT_INSN(),
2684 		},
2685 		.result = REJECT,
2686 		.errstr = "R1 type=inv expected=ctx",
2687 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2688 	},
2689 	{
2690 		"unpriv: spill/fill of different pointers stx",
2691 		.insns = {
2692 			BPF_MOV64_IMM(BPF_REG_3, 42),
2693 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2694 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2695 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2696 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2697 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2698 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2699 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2700 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2701 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2702 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2703 				    offsetof(struct __sk_buff, mark)),
2704 			BPF_MOV64_IMM(BPF_REG_0, 0),
2705 			BPF_EXIT_INSN(),
2706 		},
2707 		.result = REJECT,
2708 		.errstr = "same insn cannot be used with different pointers",
2709 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2710 	},
2711 	{
2712 		"unpriv: spill/fill of different pointers ldx",
2713 		.insns = {
2714 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2715 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2716 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2717 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2718 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2719 				      -(__s32)offsetof(struct bpf_perf_event_data,
2720 						       sample_period) - 8),
2721 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2722 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2723 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2724 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2725 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2726 				    offsetof(struct bpf_perf_event_data,
2727 					     sample_period)),
2728 			BPF_MOV64_IMM(BPF_REG_0, 0),
2729 			BPF_EXIT_INSN(),
2730 		},
2731 		.result = REJECT,
2732 		.errstr = "same insn cannot be used with different pointers",
2733 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
2734 	},
2735 	{
2736 		"unpriv: write pointer into map elem value",
2737 		.insns = {
2738 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2739 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2740 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2741 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2742 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2743 				     BPF_FUNC_map_lookup_elem),
2744 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2745 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2746 			BPF_EXIT_INSN(),
2747 		},
2748 		.fixup_map1 = { 3 },
2749 		.errstr_unpriv = "R0 leaks addr",
2750 		.result_unpriv = REJECT,
2751 		.result = ACCEPT,
2752 	},
2753 	{
2754 		"unpriv: partial copy of pointer",
2755 		.insns = {
2756 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2757 			BPF_MOV64_IMM(BPF_REG_0, 0),
2758 			BPF_EXIT_INSN(),
2759 		},
2760 		.errstr_unpriv = "R10 partial copy",
2761 		.result_unpriv = REJECT,
2762 		.result = ACCEPT,
2763 	},
2764 	{
2765 		"unpriv: pass pointer to tail_call",
2766 		.insns = {
2767 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2768 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2769 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2770 				     BPF_FUNC_tail_call),
2771 			BPF_MOV64_IMM(BPF_REG_0, 0),
2772 			BPF_EXIT_INSN(),
2773 		},
2774 		.fixup_prog1 = { 1 },
2775 		.errstr_unpriv = "R3 leaks addr into helper",
2776 		.result_unpriv = REJECT,
2777 		.result = ACCEPT,
2778 	},
2779 	{
2780 		"unpriv: cmp map pointer with zero",
2781 		.insns = {
2782 			BPF_MOV64_IMM(BPF_REG_1, 0),
2783 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2784 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2785 			BPF_MOV64_IMM(BPF_REG_0, 0),
2786 			BPF_EXIT_INSN(),
2787 		},
2788 		.fixup_map1 = { 1 },
2789 		.errstr_unpriv = "R1 pointer comparison",
2790 		.result_unpriv = REJECT,
2791 		.result = ACCEPT,
2792 	},
2793 	{
2794 		"unpriv: write into frame pointer",
2795 		.insns = {
2796 			BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2797 			BPF_MOV64_IMM(BPF_REG_0, 0),
2798 			BPF_EXIT_INSN(),
2799 		},
2800 		.errstr = "frame pointer is read only",
2801 		.result = REJECT,
2802 	},
2803 	{
2804 		"unpriv: spill/fill frame pointer",
2805 		.insns = {
2806 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2807 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2808 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2809 			BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2810 			BPF_MOV64_IMM(BPF_REG_0, 0),
2811 			BPF_EXIT_INSN(),
2812 		},
2813 		.errstr = "frame pointer is read only",
2814 		.result = REJECT,
2815 	},
2816 	{
2817 		"unpriv: cmp of frame pointer",
2818 		.insns = {
2819 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2820 			BPF_MOV64_IMM(BPF_REG_0, 0),
2821 			BPF_EXIT_INSN(),
2822 		},
2823 		.errstr_unpriv = "R10 pointer comparison",
2824 		.result_unpriv = REJECT,
2825 		.result = ACCEPT,
2826 	},
2827 	{
2828 		"unpriv: adding of fp",
2829 		.insns = {
2830 			BPF_MOV64_IMM(BPF_REG_0, 0),
2831 			BPF_MOV64_IMM(BPF_REG_1, 0),
2832 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2833 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2834 			BPF_EXIT_INSN(),
2835 		},
2836 		.result = ACCEPT,
2837 	},
2838 	{
2839 		"unpriv: cmp of stack pointer",
2840 		.insns = {
2841 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2842 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2843 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2844 			BPF_MOV64_IMM(BPF_REG_0, 0),
2845 			BPF_EXIT_INSN(),
2846 		},
2847 		.errstr_unpriv = "R2 pointer comparison",
2848 		.result_unpriv = REJECT,
2849 		.result = ACCEPT,
2850 	},
2851 	{
2852 		"runtime/jit: tail_call within bounds, prog once",
2853 		.insns = {
2854 			BPF_MOV64_IMM(BPF_REG_3, 0),
2855 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2856 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2857 				     BPF_FUNC_tail_call),
2858 			BPF_MOV64_IMM(BPF_REG_0, 1),
2859 			BPF_EXIT_INSN(),
2860 		},
2861 		.fixup_prog1 = { 1 },
2862 		.result = ACCEPT,
2863 		.retval = 42,
2864 	},
2865 	{
2866 		"runtime/jit: tail_call within bounds, prog loop",
2867 		.insns = {
2868 			BPF_MOV64_IMM(BPF_REG_3, 1),
2869 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2870 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2871 				     BPF_FUNC_tail_call),
2872 			BPF_MOV64_IMM(BPF_REG_0, 1),
2873 			BPF_EXIT_INSN(),
2874 		},
2875 		.fixup_prog1 = { 1 },
2876 		.result = ACCEPT,
2877 		.retval = 41,
2878 	},
2879 	{
2880 		"runtime/jit: tail_call within bounds, no prog",
2881 		.insns = {
2882 			BPF_MOV64_IMM(BPF_REG_3, 2),
2883 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2884 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2885 				     BPF_FUNC_tail_call),
2886 			BPF_MOV64_IMM(BPF_REG_0, 1),
2887 			BPF_EXIT_INSN(),
2888 		},
2889 		.fixup_prog1 = { 1 },
2890 		.result = ACCEPT,
2891 		.retval = 1,
2892 	},
2893 	{
2894 		"runtime/jit: tail_call out of bounds",
2895 		.insns = {
2896 			BPF_MOV64_IMM(BPF_REG_3, 256),
2897 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2898 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2899 				     BPF_FUNC_tail_call),
2900 			BPF_MOV64_IMM(BPF_REG_0, 2),
2901 			BPF_EXIT_INSN(),
2902 		},
2903 		.fixup_prog1 = { 1 },
2904 		.result = ACCEPT,
2905 		.retval = 2,
2906 	},
2907 	{
2908 		"runtime/jit: pass negative index to tail_call",
2909 		.insns = {
2910 			BPF_MOV64_IMM(BPF_REG_3, -1),
2911 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2912 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2913 				     BPF_FUNC_tail_call),
2914 			BPF_MOV64_IMM(BPF_REG_0, 2),
2915 			BPF_EXIT_INSN(),
2916 		},
2917 		.fixup_prog1 = { 1 },
2918 		.result = ACCEPT,
2919 		.retval = 2,
2920 	},
2921 	{
2922 		"runtime/jit: pass > 32bit index to tail_call",
2923 		.insns = {
2924 			BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2925 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2926 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2927 				     BPF_FUNC_tail_call),
2928 			BPF_MOV64_IMM(BPF_REG_0, 2),
2929 			BPF_EXIT_INSN(),
2930 		},
2931 		.fixup_prog1 = { 2 },
2932 		.result = ACCEPT,
2933 		.retval = 42,
2934 	},
2935 	{
2936 		"stack pointer arithmetic",
2937 		.insns = {
2938 			BPF_MOV64_IMM(BPF_REG_1, 4),
2939 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2940 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2941 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2942 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2943 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2944 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2945 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2946 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2947 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2948 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2949 			BPF_MOV64_IMM(BPF_REG_0, 0),
2950 			BPF_EXIT_INSN(),
2951 		},
2952 		.result = ACCEPT,
2953 	},
2954 	{
2955 		"raw_stack: no skb_load_bytes",
2956 		.insns = {
2957 			BPF_MOV64_IMM(BPF_REG_2, 4),
2958 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2959 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2960 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2961 			BPF_MOV64_IMM(BPF_REG_4, 8),
2962 			/* Call to skb_load_bytes() omitted. */
2963 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2964 			BPF_EXIT_INSN(),
2965 		},
2966 		.result = REJECT,
2967 		.errstr = "invalid read from stack off -8+0 size 8",
2968 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2969 	},
2970 	{
2971 		"raw_stack: skb_load_bytes, negative len",
2972 		.insns = {
2973 			BPF_MOV64_IMM(BPF_REG_2, 4),
2974 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2975 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2976 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2977 			BPF_MOV64_IMM(BPF_REG_4, -8),
2978 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2979 				     BPF_FUNC_skb_load_bytes),
2980 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2981 			BPF_EXIT_INSN(),
2982 		},
2983 		.result = REJECT,
2984 		.errstr = "R4 min value is negative",
2985 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2986 	},
2987 	{
2988 		"raw_stack: skb_load_bytes, negative len 2",
2989 		.insns = {
2990 			BPF_MOV64_IMM(BPF_REG_2, 4),
2991 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2992 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2993 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2994 			BPF_MOV64_IMM(BPF_REG_4, ~0),
2995 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2996 				     BPF_FUNC_skb_load_bytes),
2997 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2998 			BPF_EXIT_INSN(),
2999 		},
3000 		.result = REJECT,
3001 		.errstr = "R4 min value is negative",
3002 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3003 	},
3004 	{
3005 		"raw_stack: skb_load_bytes, zero len",
3006 		.insns = {
3007 			BPF_MOV64_IMM(BPF_REG_2, 4),
3008 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3009 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3010 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3011 			BPF_MOV64_IMM(BPF_REG_4, 0),
3012 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3013 				     BPF_FUNC_skb_load_bytes),
3014 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3015 			BPF_EXIT_INSN(),
3016 		},
3017 		.result = REJECT,
3018 		.errstr = "invalid stack type R3",
3019 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3020 	},
3021 	{
3022 		"raw_stack: skb_load_bytes, no init",
3023 		.insns = {
3024 			BPF_MOV64_IMM(BPF_REG_2, 4),
3025 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3026 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3027 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3028 			BPF_MOV64_IMM(BPF_REG_4, 8),
3029 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3030 				     BPF_FUNC_skb_load_bytes),
3031 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3032 			BPF_EXIT_INSN(),
3033 		},
3034 		.result = ACCEPT,
3035 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3036 	},
3037 	{
3038 		"raw_stack: skb_load_bytes, init",
3039 		.insns = {
3040 			BPF_MOV64_IMM(BPF_REG_2, 4),
3041 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3042 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3043 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3044 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3045 			BPF_MOV64_IMM(BPF_REG_4, 8),
3046 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3047 				     BPF_FUNC_skb_load_bytes),
3048 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3049 			BPF_EXIT_INSN(),
3050 		},
3051 		.result = ACCEPT,
3052 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3053 	},
3054 	{
3055 		"raw_stack: skb_load_bytes, spilled regs around bounds",
3056 		.insns = {
3057 			BPF_MOV64_IMM(BPF_REG_2, 4),
3058 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3059 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3060 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3061 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3062 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3063 			BPF_MOV64_IMM(BPF_REG_4, 8),
3064 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3065 				     BPF_FUNC_skb_load_bytes),
3066 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3067 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3068 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3069 				    offsetof(struct __sk_buff, mark)),
3070 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3071 				    offsetof(struct __sk_buff, priority)),
3072 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3073 			BPF_EXIT_INSN(),
3074 		},
3075 		.result = ACCEPT,
3076 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3077 	},
3078 	{
3079 		"raw_stack: skb_load_bytes, spilled regs corruption",
3080 		.insns = {
3081 			BPF_MOV64_IMM(BPF_REG_2, 4),
3082 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3083 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3084 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3085 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3086 			BPF_MOV64_IMM(BPF_REG_4, 8),
3087 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3088 				     BPF_FUNC_skb_load_bytes),
3089 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3090 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3091 				    offsetof(struct __sk_buff, mark)),
3092 			BPF_EXIT_INSN(),
3093 		},
3094 		.result = REJECT,
3095 		.errstr = "R0 invalid mem access 'inv'",
3096 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3097 	},
3098 	{
3099 		"raw_stack: skb_load_bytes, spilled regs corruption 2",
3100 		.insns = {
3101 			BPF_MOV64_IMM(BPF_REG_2, 4),
3102 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3103 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3104 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3105 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
3106 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3107 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3108 			BPF_MOV64_IMM(BPF_REG_4, 8),
3109 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3110 				     BPF_FUNC_skb_load_bytes),
3111 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3112 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3113 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
3114 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3115 				    offsetof(struct __sk_buff, mark)),
3116 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3117 				    offsetof(struct __sk_buff, priority)),
3118 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3119 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3120 				    offsetof(struct __sk_buff, pkt_type)),
3121 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3122 			BPF_EXIT_INSN(),
3123 		},
3124 		.result = REJECT,
3125 		.errstr = "R3 invalid mem access 'inv'",
3126 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3127 	},
3128 	{
3129 		"raw_stack: skb_load_bytes, spilled regs + data",
3130 		.insns = {
3131 			BPF_MOV64_IMM(BPF_REG_2, 4),
3132 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3133 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3134 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3135 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
3136 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3137 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3138 			BPF_MOV64_IMM(BPF_REG_4, 8),
3139 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3140 				     BPF_FUNC_skb_load_bytes),
3141 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3142 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3143 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
3144 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3145 				    offsetof(struct __sk_buff, mark)),
3146 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3147 				    offsetof(struct __sk_buff, priority)),
3148 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3149 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3150 			BPF_EXIT_INSN(),
3151 		},
3152 		.result = ACCEPT,
3153 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3154 	},
3155 	{
3156 		"raw_stack: skb_load_bytes, invalid access 1",
3157 		.insns = {
3158 			BPF_MOV64_IMM(BPF_REG_2, 4),
3159 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3160 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3161 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3162 			BPF_MOV64_IMM(BPF_REG_4, 8),
3163 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3164 				     BPF_FUNC_skb_load_bytes),
3165 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3166 			BPF_EXIT_INSN(),
3167 		},
3168 		.result = REJECT,
3169 		.errstr = "invalid stack type R3 off=-513 access_size=8",
3170 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3171 	},
3172 	{
3173 		"raw_stack: skb_load_bytes, invalid access 2",
3174 		.insns = {
3175 			BPF_MOV64_IMM(BPF_REG_2, 4),
3176 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3177 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3178 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3179 			BPF_MOV64_IMM(BPF_REG_4, 8),
3180 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3181 				     BPF_FUNC_skb_load_bytes),
3182 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3183 			BPF_EXIT_INSN(),
3184 		},
3185 		.result = REJECT,
3186 		.errstr = "invalid stack type R3 off=-1 access_size=8",
3187 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3188 	},
3189 	{
3190 		"raw_stack: skb_load_bytes, invalid access 3",
3191 		.insns = {
3192 			BPF_MOV64_IMM(BPF_REG_2, 4),
3193 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3194 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3195 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3196 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3197 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3198 				     BPF_FUNC_skb_load_bytes),
3199 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3200 			BPF_EXIT_INSN(),
3201 		},
3202 		.result = REJECT,
3203 		.errstr = "R4 min value is negative",
3204 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3205 	},
3206 	{
3207 		"raw_stack: skb_load_bytes, invalid access 4",
3208 		.insns = {
3209 			BPF_MOV64_IMM(BPF_REG_2, 4),
3210 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3211 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3212 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3213 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3214 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3215 				     BPF_FUNC_skb_load_bytes),
3216 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3217 			BPF_EXIT_INSN(),
3218 		},
3219 		.result = REJECT,
3220 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3221 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3222 	},
3223 	{
3224 		"raw_stack: skb_load_bytes, invalid access 5",
3225 		.insns = {
3226 			BPF_MOV64_IMM(BPF_REG_2, 4),
3227 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3228 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3229 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3230 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3231 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3232 				     BPF_FUNC_skb_load_bytes),
3233 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3234 			BPF_EXIT_INSN(),
3235 		},
3236 		.result = REJECT,
3237 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3238 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3239 	},
3240 	{
3241 		"raw_stack: skb_load_bytes, invalid access 6",
3242 		.insns = {
3243 			BPF_MOV64_IMM(BPF_REG_2, 4),
3244 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3245 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3246 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3247 			BPF_MOV64_IMM(BPF_REG_4, 0),
3248 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3249 				     BPF_FUNC_skb_load_bytes),
3250 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3251 			BPF_EXIT_INSN(),
3252 		},
3253 		.result = REJECT,
3254 		.errstr = "invalid stack type R3 off=-512 access_size=0",
3255 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3256 	},
3257 	{
3258 		"raw_stack: skb_load_bytes, large access",
3259 		.insns = {
3260 			BPF_MOV64_IMM(BPF_REG_2, 4),
3261 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3262 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3263 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3264 			BPF_MOV64_IMM(BPF_REG_4, 512),
3265 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3266 				     BPF_FUNC_skb_load_bytes),
3267 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3268 			BPF_EXIT_INSN(),
3269 		},
3270 		.result = ACCEPT,
3271 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3272 	},
3273 	{
3274 		"context stores via ST",
3275 		.insns = {
3276 			BPF_MOV64_IMM(BPF_REG_0, 0),
3277 			BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3278 			BPF_EXIT_INSN(),
3279 		},
3280 		.errstr = "BPF_ST stores into R1 context is not allowed",
3281 		.result = REJECT,
3282 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3283 	},
3284 	{
3285 		"context stores via XADD",
3286 		.insns = {
3287 			BPF_MOV64_IMM(BPF_REG_0, 0),
3288 			BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3289 				     BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3290 			BPF_EXIT_INSN(),
3291 		},
3292 		.errstr = "BPF_XADD stores into R1 context is not allowed",
3293 		.result = REJECT,
3294 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3295 	},
3296 	{
3297 		"direct packet access: test1",
3298 		.insns = {
3299 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3300 				    offsetof(struct __sk_buff, data)),
3301 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3302 				    offsetof(struct __sk_buff, data_end)),
3303 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3304 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3305 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3306 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3307 			BPF_MOV64_IMM(BPF_REG_0, 0),
3308 			BPF_EXIT_INSN(),
3309 		},
3310 		.result = ACCEPT,
3311 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3312 	},
3313 	{
3314 		"direct packet access: test2",
3315 		.insns = {
3316 			BPF_MOV64_IMM(BPF_REG_0, 1),
3317 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3318 				    offsetof(struct __sk_buff, data_end)),
3319 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3320 				    offsetof(struct __sk_buff, data)),
3321 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3322 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3323 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3324 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3325 			BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3326 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3327 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3328 				    offsetof(struct __sk_buff, data)),
3329 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3330 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3331 				    offsetof(struct __sk_buff, len)),
3332 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3333 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3334 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3335 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3336 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3337 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3338 				    offsetof(struct __sk_buff, data_end)),
3339 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3340 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3341 			BPF_MOV64_IMM(BPF_REG_0, 0),
3342 			BPF_EXIT_INSN(),
3343 		},
3344 		.result = ACCEPT,
3345 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3346 	},
3347 	{
3348 		"direct packet access: test3",
3349 		.insns = {
3350 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3351 				    offsetof(struct __sk_buff, data)),
3352 			BPF_MOV64_IMM(BPF_REG_0, 0),
3353 			BPF_EXIT_INSN(),
3354 		},
3355 		.errstr = "invalid bpf_context access off=76",
3356 		.result = REJECT,
3357 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3358 	},
3359 	{
3360 		"direct packet access: test4 (write)",
3361 		.insns = {
3362 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3363 				    offsetof(struct __sk_buff, data)),
3364 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3365 				    offsetof(struct __sk_buff, data_end)),
3366 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3367 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3368 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3369 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3370 			BPF_MOV64_IMM(BPF_REG_0, 0),
3371 			BPF_EXIT_INSN(),
3372 		},
3373 		.result = ACCEPT,
3374 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3375 	},
3376 	{
3377 		"direct packet access: test5 (pkt_end >= reg, good access)",
3378 		.insns = {
3379 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3380 				    offsetof(struct __sk_buff, data)),
3381 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3382 				    offsetof(struct __sk_buff, data_end)),
3383 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3384 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3385 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3386 			BPF_MOV64_IMM(BPF_REG_0, 1),
3387 			BPF_EXIT_INSN(),
3388 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3389 			BPF_MOV64_IMM(BPF_REG_0, 0),
3390 			BPF_EXIT_INSN(),
3391 		},
3392 		.result = ACCEPT,
3393 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3394 	},
3395 	{
3396 		"direct packet access: test6 (pkt_end >= reg, bad access)",
3397 		.insns = {
3398 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3399 				    offsetof(struct __sk_buff, data)),
3400 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3401 				    offsetof(struct __sk_buff, data_end)),
3402 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3403 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3404 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3405 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3406 			BPF_MOV64_IMM(BPF_REG_0, 1),
3407 			BPF_EXIT_INSN(),
3408 			BPF_MOV64_IMM(BPF_REG_0, 0),
3409 			BPF_EXIT_INSN(),
3410 		},
3411 		.errstr = "invalid access to packet",
3412 		.result = REJECT,
3413 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3414 	},
3415 	{
3416 		"direct packet access: test7 (pkt_end >= reg, both accesses)",
3417 		.insns = {
3418 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3419 				    offsetof(struct __sk_buff, data)),
3420 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3421 				    offsetof(struct __sk_buff, data_end)),
3422 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3423 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3424 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3425 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3426 			BPF_MOV64_IMM(BPF_REG_0, 1),
3427 			BPF_EXIT_INSN(),
3428 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3429 			BPF_MOV64_IMM(BPF_REG_0, 0),
3430 			BPF_EXIT_INSN(),
3431 		},
3432 		.errstr = "invalid access to packet",
3433 		.result = REJECT,
3434 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3435 	},
3436 	{
3437 		"direct packet access: test8 (double test, variant 1)",
3438 		.insns = {
3439 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3440 				    offsetof(struct __sk_buff, data)),
3441 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3442 				    offsetof(struct __sk_buff, data_end)),
3443 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3444 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3445 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3446 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3447 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3448 			BPF_MOV64_IMM(BPF_REG_0, 1),
3449 			BPF_EXIT_INSN(),
3450 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3451 			BPF_MOV64_IMM(BPF_REG_0, 0),
3452 			BPF_EXIT_INSN(),
3453 		},
3454 		.result = ACCEPT,
3455 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3456 	},
3457 	{
3458 		"direct packet access: test9 (double test, variant 2)",
3459 		.insns = {
3460 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3461 				    offsetof(struct __sk_buff, data)),
3462 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3463 				    offsetof(struct __sk_buff, data_end)),
3464 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3465 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3466 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3467 			BPF_MOV64_IMM(BPF_REG_0, 1),
3468 			BPF_EXIT_INSN(),
3469 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3470 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3471 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3472 			BPF_MOV64_IMM(BPF_REG_0, 0),
3473 			BPF_EXIT_INSN(),
3474 		},
3475 		.result = ACCEPT,
3476 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3477 	},
3478 	{
3479 		"direct packet access: test10 (write invalid)",
3480 		.insns = {
3481 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3482 				    offsetof(struct __sk_buff, data)),
3483 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3484 				    offsetof(struct __sk_buff, data_end)),
3485 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3486 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3487 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3488 			BPF_MOV64_IMM(BPF_REG_0, 0),
3489 			BPF_EXIT_INSN(),
3490 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3491 			BPF_MOV64_IMM(BPF_REG_0, 0),
3492 			BPF_EXIT_INSN(),
3493 		},
3494 		.errstr = "invalid access to packet",
3495 		.result = REJECT,
3496 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3497 	},
3498 	{
3499 		"direct packet access: test11 (shift, good access)",
3500 		.insns = {
3501 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3502 				    offsetof(struct __sk_buff, data)),
3503 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3504 				    offsetof(struct __sk_buff, data_end)),
3505 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3506 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3507 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3508 			BPF_MOV64_IMM(BPF_REG_3, 144),
3509 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3510 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3511 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3512 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3513 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3514 			BPF_MOV64_IMM(BPF_REG_0, 1),
3515 			BPF_EXIT_INSN(),
3516 			BPF_MOV64_IMM(BPF_REG_0, 0),
3517 			BPF_EXIT_INSN(),
3518 		},
3519 		.result = ACCEPT,
3520 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3521 		.retval = 1,
3522 	},
3523 	{
3524 		"direct packet access: test12 (and, good access)",
3525 		.insns = {
3526 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3527 				    offsetof(struct __sk_buff, data)),
3528 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3529 				    offsetof(struct __sk_buff, data_end)),
3530 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3531 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3532 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3533 			BPF_MOV64_IMM(BPF_REG_3, 144),
3534 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3535 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3536 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3537 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3538 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3539 			BPF_MOV64_IMM(BPF_REG_0, 1),
3540 			BPF_EXIT_INSN(),
3541 			BPF_MOV64_IMM(BPF_REG_0, 0),
3542 			BPF_EXIT_INSN(),
3543 		},
3544 		.result = ACCEPT,
3545 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3546 		.retval = 1,
3547 	},
3548 	{
3549 		"direct packet access: test13 (branches, good access)",
3550 		.insns = {
3551 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3552 				    offsetof(struct __sk_buff, data)),
3553 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3554 				    offsetof(struct __sk_buff, data_end)),
3555 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3556 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3557 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3558 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3559 				    offsetof(struct __sk_buff, mark)),
3560 			BPF_MOV64_IMM(BPF_REG_4, 1),
3561 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3562 			BPF_MOV64_IMM(BPF_REG_3, 14),
3563 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3564 			BPF_MOV64_IMM(BPF_REG_3, 24),
3565 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3566 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3567 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3568 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3569 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3570 			BPF_MOV64_IMM(BPF_REG_0, 1),
3571 			BPF_EXIT_INSN(),
3572 			BPF_MOV64_IMM(BPF_REG_0, 0),
3573 			BPF_EXIT_INSN(),
3574 		},
3575 		.result = ACCEPT,
3576 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3577 		.retval = 1,
3578 	},
3579 	{
3580 		"direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3581 		.insns = {
3582 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3583 				    offsetof(struct __sk_buff, data)),
3584 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3585 				    offsetof(struct __sk_buff, data_end)),
3586 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3587 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3588 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3589 			BPF_MOV64_IMM(BPF_REG_5, 12),
3590 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3591 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3592 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3593 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3594 			BPF_MOV64_IMM(BPF_REG_0, 1),
3595 			BPF_EXIT_INSN(),
3596 			BPF_MOV64_IMM(BPF_REG_0, 0),
3597 			BPF_EXIT_INSN(),
3598 		},
3599 		.result = ACCEPT,
3600 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3601 		.retval = 1,
3602 	},
3603 	{
3604 		"direct packet access: test15 (spill with xadd)",
3605 		.insns = {
3606 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3607 				    offsetof(struct __sk_buff, data)),
3608 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3609 				    offsetof(struct __sk_buff, data_end)),
3610 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3611 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3612 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3613 			BPF_MOV64_IMM(BPF_REG_5, 4096),
3614 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3615 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3616 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3617 			BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3618 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3619 			BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3620 			BPF_MOV64_IMM(BPF_REG_0, 0),
3621 			BPF_EXIT_INSN(),
3622 		},
3623 		.errstr = "R2 invalid mem access 'inv'",
3624 		.result = REJECT,
3625 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3626 	},
3627 	{
3628 		"direct packet access: test16 (arith on data_end)",
3629 		.insns = {
3630 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3631 				    offsetof(struct __sk_buff, data)),
3632 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3633 				    offsetof(struct __sk_buff, data_end)),
3634 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3635 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3636 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3637 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3638 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3639 			BPF_MOV64_IMM(BPF_REG_0, 0),
3640 			BPF_EXIT_INSN(),
3641 		},
3642 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3643 		.result = REJECT,
3644 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3645 	},
3646 	{
3647 		"direct packet access: test17 (pruning, alignment)",
3648 		.insns = {
3649 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3650 				    offsetof(struct __sk_buff, data)),
3651 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3652 				    offsetof(struct __sk_buff, data_end)),
3653 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3654 				    offsetof(struct __sk_buff, mark)),
3655 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3656 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3657 			BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3658 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3659 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3660 			BPF_MOV64_IMM(BPF_REG_0, 0),
3661 			BPF_EXIT_INSN(),
3662 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3663 			BPF_JMP_A(-6),
3664 		},
3665 		.errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3666 		.result = REJECT,
3667 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3668 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3669 	},
3670 	{
3671 		"direct packet access: test18 (imm += pkt_ptr, 1)",
3672 		.insns = {
3673 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3674 				    offsetof(struct __sk_buff, data)),
3675 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3676 				    offsetof(struct __sk_buff, data_end)),
3677 			BPF_MOV64_IMM(BPF_REG_0, 8),
3678 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3679 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3680 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3681 			BPF_MOV64_IMM(BPF_REG_0, 0),
3682 			BPF_EXIT_INSN(),
3683 		},
3684 		.result = ACCEPT,
3685 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3686 	},
3687 	{
3688 		"direct packet access: test19 (imm += pkt_ptr, 2)",
3689 		.insns = {
3690 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3691 				    offsetof(struct __sk_buff, data)),
3692 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3693 				    offsetof(struct __sk_buff, data_end)),
3694 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3695 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3696 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3697 			BPF_MOV64_IMM(BPF_REG_4, 4),
3698 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3699 			BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3700 			BPF_MOV64_IMM(BPF_REG_0, 0),
3701 			BPF_EXIT_INSN(),
3702 		},
3703 		.result = ACCEPT,
3704 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3705 	},
3706 	{
3707 		"direct packet access: test20 (x += pkt_ptr, 1)",
3708 		.insns = {
3709 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3710 				    offsetof(struct __sk_buff, data)),
3711 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3712 				    offsetof(struct __sk_buff, data_end)),
3713 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3714 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3715 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3716 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3717 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3718 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3719 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3720 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3721 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3722 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3723 			BPF_MOV64_IMM(BPF_REG_0, 0),
3724 			BPF_EXIT_INSN(),
3725 		},
3726 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3727 		.result = ACCEPT,
3728 	},
3729 	{
3730 		"direct packet access: test21 (x += pkt_ptr, 2)",
3731 		.insns = {
3732 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3733 				    offsetof(struct __sk_buff, data)),
3734 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3735 				    offsetof(struct __sk_buff, data_end)),
3736 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3737 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3738 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3739 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3740 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3741 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3742 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3743 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3744 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3745 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3746 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3747 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3748 			BPF_MOV64_IMM(BPF_REG_0, 0),
3749 			BPF_EXIT_INSN(),
3750 		},
3751 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3752 		.result = ACCEPT,
3753 	},
3754 	{
3755 		"direct packet access: test22 (x += pkt_ptr, 3)",
3756 		.insns = {
3757 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3758 				    offsetof(struct __sk_buff, data)),
3759 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3760 				    offsetof(struct __sk_buff, data_end)),
3761 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3762 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3763 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3764 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3765 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3766 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3767 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3768 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3769 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3770 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3771 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3772 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3773 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3774 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3775 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3776 			BPF_MOV64_IMM(BPF_REG_2, 1),
3777 			BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3778 			BPF_MOV64_IMM(BPF_REG_0, 0),
3779 			BPF_EXIT_INSN(),
3780 		},
3781 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3782 		.result = ACCEPT,
3783 	},
3784 	{
3785 		"direct packet access: test23 (x += pkt_ptr, 4)",
3786 		.insns = {
3787 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3788 				    offsetof(struct __sk_buff, data)),
3789 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3790 				    offsetof(struct __sk_buff, data_end)),
3791 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3792 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3793 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3794 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3795 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3796 			BPF_MOV64_IMM(BPF_REG_0, 31),
3797 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3798 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3799 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3800 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3801 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3802 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3803 			BPF_MOV64_IMM(BPF_REG_0, 0),
3804 			BPF_EXIT_INSN(),
3805 		},
3806 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3807 		.result = REJECT,
3808 		.errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3809 	},
3810 	{
3811 		"direct packet access: test24 (x += pkt_ptr, 5)",
3812 		.insns = {
3813 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3814 				    offsetof(struct __sk_buff, data)),
3815 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3816 				    offsetof(struct __sk_buff, data_end)),
3817 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3818 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3819 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3820 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3821 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3822 			BPF_MOV64_IMM(BPF_REG_0, 64),
3823 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3824 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3825 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3826 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3827 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3828 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3829 			BPF_MOV64_IMM(BPF_REG_0, 0),
3830 			BPF_EXIT_INSN(),
3831 		},
3832 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3833 		.result = ACCEPT,
3834 	},
3835 	{
3836 		"direct packet access: test25 (marking on <, good access)",
3837 		.insns = {
3838 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3839 				    offsetof(struct __sk_buff, data)),
3840 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3841 				    offsetof(struct __sk_buff, data_end)),
3842 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3843 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3844 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3845 			BPF_MOV64_IMM(BPF_REG_0, 0),
3846 			BPF_EXIT_INSN(),
3847 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3848 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3849 		},
3850 		.result = ACCEPT,
3851 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3852 	},
3853 	{
3854 		"direct packet access: test26 (marking on <, bad access)",
3855 		.insns = {
3856 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3857 				    offsetof(struct __sk_buff, data)),
3858 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3859 				    offsetof(struct __sk_buff, data_end)),
3860 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3861 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3862 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3863 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3864 			BPF_MOV64_IMM(BPF_REG_0, 0),
3865 			BPF_EXIT_INSN(),
3866 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3867 		},
3868 		.result = REJECT,
3869 		.errstr = "invalid access to packet",
3870 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3871 	},
3872 	{
3873 		"direct packet access: test27 (marking on <=, good access)",
3874 		.insns = {
3875 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3876 				    offsetof(struct __sk_buff, data)),
3877 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3878 				    offsetof(struct __sk_buff, data_end)),
3879 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3880 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3881 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3882 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3883 			BPF_MOV64_IMM(BPF_REG_0, 1),
3884 			BPF_EXIT_INSN(),
3885 		},
3886 		.result = ACCEPT,
3887 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3888 		.retval = 1,
3889 	},
3890 	{
3891 		"direct packet access: test28 (marking on <=, bad access)",
3892 		.insns = {
3893 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3894 				    offsetof(struct __sk_buff, data)),
3895 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3896 				    offsetof(struct __sk_buff, data_end)),
3897 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3898 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3899 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3900 			BPF_MOV64_IMM(BPF_REG_0, 1),
3901 			BPF_EXIT_INSN(),
3902 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3903 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3904 		},
3905 		.result = REJECT,
3906 		.errstr = "invalid access to packet",
3907 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3908 	},
3909 	{
3910 		"helper access to packet: test1, valid packet_ptr range",
3911 		.insns = {
3912 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3913 				    offsetof(struct xdp_md, data)),
3914 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3915 				    offsetof(struct xdp_md, data_end)),
3916 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3917 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3918 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3919 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3920 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3921 			BPF_MOV64_IMM(BPF_REG_4, 0),
3922 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3923 				     BPF_FUNC_map_update_elem),
3924 			BPF_MOV64_IMM(BPF_REG_0, 0),
3925 			BPF_EXIT_INSN(),
3926 		},
3927 		.fixup_map1 = { 5 },
3928 		.result_unpriv = ACCEPT,
3929 		.result = ACCEPT,
3930 		.prog_type = BPF_PROG_TYPE_XDP,
3931 	},
3932 	{
3933 		"helper access to packet: test2, unchecked packet_ptr",
3934 		.insns = {
3935 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3936 				    offsetof(struct xdp_md, data)),
3937 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3938 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3939 				     BPF_FUNC_map_lookup_elem),
3940 			BPF_MOV64_IMM(BPF_REG_0, 0),
3941 			BPF_EXIT_INSN(),
3942 		},
3943 		.fixup_map1 = { 1 },
3944 		.result = REJECT,
3945 		.errstr = "invalid access to packet",
3946 		.prog_type = BPF_PROG_TYPE_XDP,
3947 	},
3948 	{
3949 		"helper access to packet: test3, variable add",
3950 		.insns = {
3951 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3952 					offsetof(struct xdp_md, data)),
3953 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3954 					offsetof(struct xdp_md, data_end)),
3955 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3956 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3957 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3958 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3959 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3960 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3961 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3962 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3963 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3964 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3965 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3966 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3967 				     BPF_FUNC_map_lookup_elem),
3968 			BPF_MOV64_IMM(BPF_REG_0, 0),
3969 			BPF_EXIT_INSN(),
3970 		},
3971 		.fixup_map1 = { 11 },
3972 		.result = ACCEPT,
3973 		.prog_type = BPF_PROG_TYPE_XDP,
3974 	},
3975 	{
3976 		"helper access to packet: test4, packet_ptr with bad range",
3977 		.insns = {
3978 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3979 				    offsetof(struct xdp_md, data)),
3980 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3981 				    offsetof(struct xdp_md, data_end)),
3982 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3983 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3984 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3985 			BPF_MOV64_IMM(BPF_REG_0, 0),
3986 			BPF_EXIT_INSN(),
3987 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3988 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3989 				     BPF_FUNC_map_lookup_elem),
3990 			BPF_MOV64_IMM(BPF_REG_0, 0),
3991 			BPF_EXIT_INSN(),
3992 		},
3993 		.fixup_map1 = { 7 },
3994 		.result = REJECT,
3995 		.errstr = "invalid access to packet",
3996 		.prog_type = BPF_PROG_TYPE_XDP,
3997 	},
3998 	{
3999 		"helper access to packet: test5, packet_ptr with too short range",
4000 		.insns = {
4001 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4002 				    offsetof(struct xdp_md, data)),
4003 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4004 				    offsetof(struct xdp_md, data_end)),
4005 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4006 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4007 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4008 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4009 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4010 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4011 				     BPF_FUNC_map_lookup_elem),
4012 			BPF_MOV64_IMM(BPF_REG_0, 0),
4013 			BPF_EXIT_INSN(),
4014 		},
4015 		.fixup_map1 = { 6 },
4016 		.result = REJECT,
4017 		.errstr = "invalid access to packet",
4018 		.prog_type = BPF_PROG_TYPE_XDP,
4019 	},
4020 	{
4021 		"helper access to packet: test6, cls valid packet_ptr range",
4022 		.insns = {
4023 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4024 				    offsetof(struct __sk_buff, data)),
4025 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4026 				    offsetof(struct __sk_buff, data_end)),
4027 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4028 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4029 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4030 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4031 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4032 			BPF_MOV64_IMM(BPF_REG_4, 0),
4033 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4034 				     BPF_FUNC_map_update_elem),
4035 			BPF_MOV64_IMM(BPF_REG_0, 0),
4036 			BPF_EXIT_INSN(),
4037 		},
4038 		.fixup_map1 = { 5 },
4039 		.result = ACCEPT,
4040 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4041 	},
4042 	{
4043 		"helper access to packet: test7, cls unchecked packet_ptr",
4044 		.insns = {
4045 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4046 				    offsetof(struct __sk_buff, data)),
4047 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4048 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4049 				     BPF_FUNC_map_lookup_elem),
4050 			BPF_MOV64_IMM(BPF_REG_0, 0),
4051 			BPF_EXIT_INSN(),
4052 		},
4053 		.fixup_map1 = { 1 },
4054 		.result = REJECT,
4055 		.errstr = "invalid access to packet",
4056 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4057 	},
4058 	{
4059 		"helper access to packet: test8, cls variable add",
4060 		.insns = {
4061 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4062 					offsetof(struct __sk_buff, data)),
4063 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4064 					offsetof(struct __sk_buff, data_end)),
4065 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4066 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4067 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4068 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4069 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4070 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4071 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4072 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4073 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4074 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4075 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4076 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4077 				     BPF_FUNC_map_lookup_elem),
4078 			BPF_MOV64_IMM(BPF_REG_0, 0),
4079 			BPF_EXIT_INSN(),
4080 		},
4081 		.fixup_map1 = { 11 },
4082 		.result = ACCEPT,
4083 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4084 	},
4085 	{
4086 		"helper access to packet: test9, cls packet_ptr with bad range",
4087 		.insns = {
4088 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4089 				    offsetof(struct __sk_buff, data)),
4090 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4091 				    offsetof(struct __sk_buff, data_end)),
4092 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4093 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4094 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4095 			BPF_MOV64_IMM(BPF_REG_0, 0),
4096 			BPF_EXIT_INSN(),
4097 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4098 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4099 				     BPF_FUNC_map_lookup_elem),
4100 			BPF_MOV64_IMM(BPF_REG_0, 0),
4101 			BPF_EXIT_INSN(),
4102 		},
4103 		.fixup_map1 = { 7 },
4104 		.result = REJECT,
4105 		.errstr = "invalid access to packet",
4106 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4107 	},
4108 	{
4109 		"helper access to packet: test10, cls packet_ptr with too short range",
4110 		.insns = {
4111 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4112 				    offsetof(struct __sk_buff, data)),
4113 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4114 				    offsetof(struct __sk_buff, data_end)),
4115 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4116 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4117 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4118 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4119 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4120 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4121 				     BPF_FUNC_map_lookup_elem),
4122 			BPF_MOV64_IMM(BPF_REG_0, 0),
4123 			BPF_EXIT_INSN(),
4124 		},
4125 		.fixup_map1 = { 6 },
4126 		.result = REJECT,
4127 		.errstr = "invalid access to packet",
4128 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4129 	},
4130 	{
4131 		"helper access to packet: test11, cls unsuitable helper 1",
4132 		.insns = {
4133 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4134 				    offsetof(struct __sk_buff, data)),
4135 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4136 				    offsetof(struct __sk_buff, data_end)),
4137 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4138 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4139 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4140 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4141 			BPF_MOV64_IMM(BPF_REG_2, 0),
4142 			BPF_MOV64_IMM(BPF_REG_4, 42),
4143 			BPF_MOV64_IMM(BPF_REG_5, 0),
4144 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4145 				     BPF_FUNC_skb_store_bytes),
4146 			BPF_MOV64_IMM(BPF_REG_0, 0),
4147 			BPF_EXIT_INSN(),
4148 		},
4149 		.result = REJECT,
4150 		.errstr = "helper access to the packet",
4151 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4152 	},
4153 	{
4154 		"helper access to packet: test12, cls unsuitable helper 2",
4155 		.insns = {
4156 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4157 				    offsetof(struct __sk_buff, data)),
4158 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4159 				    offsetof(struct __sk_buff, data_end)),
4160 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4161 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4162 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4163 			BPF_MOV64_IMM(BPF_REG_2, 0),
4164 			BPF_MOV64_IMM(BPF_REG_4, 4),
4165 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4166 				     BPF_FUNC_skb_load_bytes),
4167 			BPF_MOV64_IMM(BPF_REG_0, 0),
4168 			BPF_EXIT_INSN(),
4169 		},
4170 		.result = REJECT,
4171 		.errstr = "helper access to the packet",
4172 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4173 	},
4174 	{
4175 		"helper access to packet: test13, cls helper ok",
4176 		.insns = {
4177 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4178 				    offsetof(struct __sk_buff, data)),
4179 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4180 				    offsetof(struct __sk_buff, data_end)),
4181 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4182 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4183 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4184 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4185 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4186 			BPF_MOV64_IMM(BPF_REG_2, 4),
4187 			BPF_MOV64_IMM(BPF_REG_3, 0),
4188 			BPF_MOV64_IMM(BPF_REG_4, 0),
4189 			BPF_MOV64_IMM(BPF_REG_5, 0),
4190 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4191 				     BPF_FUNC_csum_diff),
4192 			BPF_MOV64_IMM(BPF_REG_0, 0),
4193 			BPF_EXIT_INSN(),
4194 		},
4195 		.result = ACCEPT,
4196 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4197 	},
4198 	{
4199 		"helper access to packet: test14, cls helper ok sub",
4200 		.insns = {
4201 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4202 				    offsetof(struct __sk_buff, data)),
4203 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4204 				    offsetof(struct __sk_buff, data_end)),
4205 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4206 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4207 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4208 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4209 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4210 			BPF_MOV64_IMM(BPF_REG_2, 4),
4211 			BPF_MOV64_IMM(BPF_REG_3, 0),
4212 			BPF_MOV64_IMM(BPF_REG_4, 0),
4213 			BPF_MOV64_IMM(BPF_REG_5, 0),
4214 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4215 				     BPF_FUNC_csum_diff),
4216 			BPF_MOV64_IMM(BPF_REG_0, 0),
4217 			BPF_EXIT_INSN(),
4218 		},
4219 		.result = ACCEPT,
4220 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4221 	},
4222 	{
4223 		"helper access to packet: test15, cls helper fail sub",
4224 		.insns = {
4225 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4226 				    offsetof(struct __sk_buff, data)),
4227 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4228 				    offsetof(struct __sk_buff, data_end)),
4229 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4230 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4231 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4232 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4233 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4234 			BPF_MOV64_IMM(BPF_REG_2, 4),
4235 			BPF_MOV64_IMM(BPF_REG_3, 0),
4236 			BPF_MOV64_IMM(BPF_REG_4, 0),
4237 			BPF_MOV64_IMM(BPF_REG_5, 0),
4238 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4239 				     BPF_FUNC_csum_diff),
4240 			BPF_MOV64_IMM(BPF_REG_0, 0),
4241 			BPF_EXIT_INSN(),
4242 		},
4243 		.result = REJECT,
4244 		.errstr = "invalid access to packet",
4245 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4246 	},
4247 	{
4248 		"helper access to packet: test16, cls helper fail range 1",
4249 		.insns = {
4250 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4251 				    offsetof(struct __sk_buff, data)),
4252 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4253 				    offsetof(struct __sk_buff, data_end)),
4254 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4255 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4256 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4257 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4258 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4259 			BPF_MOV64_IMM(BPF_REG_2, 8),
4260 			BPF_MOV64_IMM(BPF_REG_3, 0),
4261 			BPF_MOV64_IMM(BPF_REG_4, 0),
4262 			BPF_MOV64_IMM(BPF_REG_5, 0),
4263 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4264 				     BPF_FUNC_csum_diff),
4265 			BPF_MOV64_IMM(BPF_REG_0, 0),
4266 			BPF_EXIT_INSN(),
4267 		},
4268 		.result = REJECT,
4269 		.errstr = "invalid access to packet",
4270 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4271 	},
4272 	{
4273 		"helper access to packet: test17, cls helper fail range 2",
4274 		.insns = {
4275 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4276 				    offsetof(struct __sk_buff, data)),
4277 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4278 				    offsetof(struct __sk_buff, data_end)),
4279 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4280 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4281 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4282 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4283 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4284 			BPF_MOV64_IMM(BPF_REG_2, -9),
4285 			BPF_MOV64_IMM(BPF_REG_3, 0),
4286 			BPF_MOV64_IMM(BPF_REG_4, 0),
4287 			BPF_MOV64_IMM(BPF_REG_5, 0),
4288 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4289 				     BPF_FUNC_csum_diff),
4290 			BPF_MOV64_IMM(BPF_REG_0, 0),
4291 			BPF_EXIT_INSN(),
4292 		},
4293 		.result = REJECT,
4294 		.errstr = "R2 min value is negative",
4295 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4296 	},
4297 	{
4298 		"helper access to packet: test18, cls helper fail range 3",
4299 		.insns = {
4300 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4301 				    offsetof(struct __sk_buff, data)),
4302 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4303 				    offsetof(struct __sk_buff, data_end)),
4304 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4305 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4306 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4307 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4308 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4309 			BPF_MOV64_IMM(BPF_REG_2, ~0),
4310 			BPF_MOV64_IMM(BPF_REG_3, 0),
4311 			BPF_MOV64_IMM(BPF_REG_4, 0),
4312 			BPF_MOV64_IMM(BPF_REG_5, 0),
4313 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4314 				     BPF_FUNC_csum_diff),
4315 			BPF_MOV64_IMM(BPF_REG_0, 0),
4316 			BPF_EXIT_INSN(),
4317 		},
4318 		.result = REJECT,
4319 		.errstr = "R2 min value is negative",
4320 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4321 	},
4322 	{
4323 		"helper access to packet: test19, cls helper range zero",
4324 		.insns = {
4325 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4326 				    offsetof(struct __sk_buff, data)),
4327 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4328 				    offsetof(struct __sk_buff, data_end)),
4329 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4330 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4331 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4332 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4333 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4334 			BPF_MOV64_IMM(BPF_REG_2, 0),
4335 			BPF_MOV64_IMM(BPF_REG_3, 0),
4336 			BPF_MOV64_IMM(BPF_REG_4, 0),
4337 			BPF_MOV64_IMM(BPF_REG_5, 0),
4338 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4339 				     BPF_FUNC_csum_diff),
4340 			BPF_MOV64_IMM(BPF_REG_0, 0),
4341 			BPF_EXIT_INSN(),
4342 		},
4343 		.result = ACCEPT,
4344 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4345 	},
4346 	{
4347 		"helper access to packet: test20, pkt end as input",
4348 		.insns = {
4349 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4350 				    offsetof(struct __sk_buff, data)),
4351 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4352 				    offsetof(struct __sk_buff, data_end)),
4353 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4354 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4355 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4356 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4357 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4358 			BPF_MOV64_IMM(BPF_REG_2, 4),
4359 			BPF_MOV64_IMM(BPF_REG_3, 0),
4360 			BPF_MOV64_IMM(BPF_REG_4, 0),
4361 			BPF_MOV64_IMM(BPF_REG_5, 0),
4362 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4363 				     BPF_FUNC_csum_diff),
4364 			BPF_MOV64_IMM(BPF_REG_0, 0),
4365 			BPF_EXIT_INSN(),
4366 		},
4367 		.result = REJECT,
4368 		.errstr = "R1 type=pkt_end expected=fp",
4369 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4370 	},
4371 	{
4372 		"helper access to packet: test21, wrong reg",
4373 		.insns = {
4374 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4375 				    offsetof(struct __sk_buff, data)),
4376 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4377 				    offsetof(struct __sk_buff, data_end)),
4378 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4379 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4380 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4381 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4382 			BPF_MOV64_IMM(BPF_REG_2, 4),
4383 			BPF_MOV64_IMM(BPF_REG_3, 0),
4384 			BPF_MOV64_IMM(BPF_REG_4, 0),
4385 			BPF_MOV64_IMM(BPF_REG_5, 0),
4386 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4387 				     BPF_FUNC_csum_diff),
4388 			BPF_MOV64_IMM(BPF_REG_0, 0),
4389 			BPF_EXIT_INSN(),
4390 		},
4391 		.result = REJECT,
4392 		.errstr = "invalid access to packet",
4393 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4394 	},
4395 	{
4396 		"valid map access into an array with a constant",
4397 		.insns = {
4398 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4399 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4400 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4401 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4402 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4403 				     BPF_FUNC_map_lookup_elem),
4404 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4405 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4406 				   offsetof(struct test_val, foo)),
4407 			BPF_EXIT_INSN(),
4408 		},
4409 		.fixup_map2 = { 3 },
4410 		.errstr_unpriv = "R0 leaks addr",
4411 		.result_unpriv = REJECT,
4412 		.result = ACCEPT,
4413 	},
4414 	{
4415 		"valid map access into an array with a register",
4416 		.insns = {
4417 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4418 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4419 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4420 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4421 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4422 				     BPF_FUNC_map_lookup_elem),
4423 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4424 			BPF_MOV64_IMM(BPF_REG_1, 4),
4425 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4426 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4427 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4428 				   offsetof(struct test_val, foo)),
4429 			BPF_EXIT_INSN(),
4430 		},
4431 		.fixup_map2 = { 3 },
4432 		.errstr_unpriv = "R0 leaks addr",
4433 		.result_unpriv = REJECT,
4434 		.result = ACCEPT,
4435 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4436 	},
4437 	{
4438 		"valid map access into an array with a variable",
4439 		.insns = {
4440 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4441 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4442 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4443 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4444 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4445 				     BPF_FUNC_map_lookup_elem),
4446 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4447 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4448 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4449 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4450 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4451 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4452 				   offsetof(struct test_val, foo)),
4453 			BPF_EXIT_INSN(),
4454 		},
4455 		.fixup_map2 = { 3 },
4456 		.errstr_unpriv = "R0 leaks addr",
4457 		.result_unpriv = REJECT,
4458 		.result = ACCEPT,
4459 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4460 	},
4461 	{
4462 		"valid map access into an array with a signed variable",
4463 		.insns = {
4464 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4465 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4466 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4467 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4468 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4469 				     BPF_FUNC_map_lookup_elem),
4470 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4471 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4472 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4473 			BPF_MOV32_IMM(BPF_REG_1, 0),
4474 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4475 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4476 			BPF_MOV32_IMM(BPF_REG_1, 0),
4477 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4478 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4479 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4480 				   offsetof(struct test_val, foo)),
4481 			BPF_EXIT_INSN(),
4482 		},
4483 		.fixup_map2 = { 3 },
4484 		.errstr_unpriv = "R0 leaks addr",
4485 		.result_unpriv = REJECT,
4486 		.result = ACCEPT,
4487 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4488 	},
4489 	{
4490 		"invalid map access into an array with a constant",
4491 		.insns = {
4492 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4493 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4494 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4495 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4496 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4497 				     BPF_FUNC_map_lookup_elem),
4498 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4499 			BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4500 				   offsetof(struct test_val, foo)),
4501 			BPF_EXIT_INSN(),
4502 		},
4503 		.fixup_map2 = { 3 },
4504 		.errstr = "invalid access to map value, value_size=48 off=48 size=8",
4505 		.result = REJECT,
4506 	},
4507 	{
4508 		"invalid map access into an array with a register",
4509 		.insns = {
4510 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4511 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4512 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4513 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4514 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4515 				     BPF_FUNC_map_lookup_elem),
4516 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4517 			BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4518 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4519 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4520 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4521 				   offsetof(struct test_val, foo)),
4522 			BPF_EXIT_INSN(),
4523 		},
4524 		.fixup_map2 = { 3 },
4525 		.errstr = "R0 min value is outside of the array range",
4526 		.result = REJECT,
4527 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4528 	},
4529 	{
4530 		"invalid map access into an array with a variable",
4531 		.insns = {
4532 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4533 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4534 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4535 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4536 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4537 				     BPF_FUNC_map_lookup_elem),
4538 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4539 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4540 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4541 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4542 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4543 				   offsetof(struct test_val, foo)),
4544 			BPF_EXIT_INSN(),
4545 		},
4546 		.fixup_map2 = { 3 },
4547 		.errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4548 		.result = REJECT,
4549 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4550 	},
4551 	{
4552 		"invalid map access into an array with no floor check",
4553 		.insns = {
4554 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4555 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4556 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4557 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4558 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4559 				     BPF_FUNC_map_lookup_elem),
4560 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4561 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4562 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4563 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4564 			BPF_MOV32_IMM(BPF_REG_1, 0),
4565 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4566 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4567 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4568 				   offsetof(struct test_val, foo)),
4569 			BPF_EXIT_INSN(),
4570 		},
4571 		.fixup_map2 = { 3 },
4572 		.errstr_unpriv = "R0 leaks addr",
4573 		.errstr = "R0 unbounded memory access",
4574 		.result_unpriv = REJECT,
4575 		.result = REJECT,
4576 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4577 	},
4578 	{
4579 		"invalid map access into an array with a invalid max check",
4580 		.insns = {
4581 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4582 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4583 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4584 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4585 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4586 				     BPF_FUNC_map_lookup_elem),
4587 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4588 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4589 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4590 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4591 			BPF_MOV32_IMM(BPF_REG_1, 0),
4592 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4593 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4594 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4595 				   offsetof(struct test_val, foo)),
4596 			BPF_EXIT_INSN(),
4597 		},
4598 		.fixup_map2 = { 3 },
4599 		.errstr_unpriv = "R0 leaks addr",
4600 		.errstr = "invalid access to map value, value_size=48 off=44 size=8",
4601 		.result_unpriv = REJECT,
4602 		.result = REJECT,
4603 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4604 	},
4605 	{
4606 		"invalid map access into an array with a invalid max check",
4607 		.insns = {
4608 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4609 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4610 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4611 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4612 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4613 				     BPF_FUNC_map_lookup_elem),
4614 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4615 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4616 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4617 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4618 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4619 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4620 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4621 				     BPF_FUNC_map_lookup_elem),
4622 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4623 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4624 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4625 				    offsetof(struct test_val, foo)),
4626 			BPF_EXIT_INSN(),
4627 		},
4628 		.fixup_map2 = { 3, 11 },
4629 		.errstr = "R0 pointer += pointer",
4630 		.result = REJECT,
4631 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4632 	},
4633 	{
4634 		"multiple registers share map_lookup_elem result",
4635 		.insns = {
4636 			BPF_MOV64_IMM(BPF_REG_1, 10),
4637 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4638 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4639 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4640 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4641 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4642 				     BPF_FUNC_map_lookup_elem),
4643 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4644 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4645 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4646 			BPF_EXIT_INSN(),
4647 		},
4648 		.fixup_map1 = { 4 },
4649 		.result = ACCEPT,
4650 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4651 	},
4652 	{
4653 		"alu ops on ptr_to_map_value_or_null, 1",
4654 		.insns = {
4655 			BPF_MOV64_IMM(BPF_REG_1, 10),
4656 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4657 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4658 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4659 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4660 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4661 				     BPF_FUNC_map_lookup_elem),
4662 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4663 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4664 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4665 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4666 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4667 			BPF_EXIT_INSN(),
4668 		},
4669 		.fixup_map1 = { 4 },
4670 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4671 		.result = REJECT,
4672 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4673 	},
4674 	{
4675 		"alu ops on ptr_to_map_value_or_null, 2",
4676 		.insns = {
4677 			BPF_MOV64_IMM(BPF_REG_1, 10),
4678 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4679 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4680 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4681 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4682 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4683 				     BPF_FUNC_map_lookup_elem),
4684 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4685 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4686 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4687 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4688 			BPF_EXIT_INSN(),
4689 		},
4690 		.fixup_map1 = { 4 },
4691 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4692 		.result = REJECT,
4693 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4694 	},
4695 	{
4696 		"alu ops on ptr_to_map_value_or_null, 3",
4697 		.insns = {
4698 			BPF_MOV64_IMM(BPF_REG_1, 10),
4699 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4700 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4701 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4702 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4703 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4704 				     BPF_FUNC_map_lookup_elem),
4705 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4706 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4707 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4708 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4709 			BPF_EXIT_INSN(),
4710 		},
4711 		.fixup_map1 = { 4 },
4712 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4713 		.result = REJECT,
4714 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4715 	},
4716 	{
4717 		"invalid memory access with multiple map_lookup_elem calls",
4718 		.insns = {
4719 			BPF_MOV64_IMM(BPF_REG_1, 10),
4720 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4721 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4722 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4723 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4724 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4725 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4726 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4727 				     BPF_FUNC_map_lookup_elem),
4728 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4729 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4730 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4731 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4732 				     BPF_FUNC_map_lookup_elem),
4733 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4734 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4735 			BPF_EXIT_INSN(),
4736 		},
4737 		.fixup_map1 = { 4 },
4738 		.result = REJECT,
4739 		.errstr = "R4 !read_ok",
4740 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4741 	},
4742 	{
4743 		"valid indirect map_lookup_elem access with 2nd lookup in branch",
4744 		.insns = {
4745 			BPF_MOV64_IMM(BPF_REG_1, 10),
4746 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4747 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4748 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4749 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4750 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4751 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4752 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4753 				     BPF_FUNC_map_lookup_elem),
4754 			BPF_MOV64_IMM(BPF_REG_2, 10),
4755 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4756 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4757 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4758 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4759 				     BPF_FUNC_map_lookup_elem),
4760 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4761 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4762 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4763 			BPF_EXIT_INSN(),
4764 		},
4765 		.fixup_map1 = { 4 },
4766 		.result = ACCEPT,
4767 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4768 	},
4769 	{
4770 		"invalid map access from else condition",
4771 		.insns = {
4772 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4773 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4774 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4775 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4776 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4777 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4778 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4779 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4780 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4781 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4782 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4783 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4784 			BPF_EXIT_INSN(),
4785 		},
4786 		.fixup_map2 = { 3 },
4787 		.errstr = "R0 unbounded memory access",
4788 		.result = REJECT,
4789 		.errstr_unpriv = "R0 leaks addr",
4790 		.result_unpriv = REJECT,
4791 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4792 	},
4793 	{
4794 		"constant register |= constant should keep constant type",
4795 		.insns = {
4796 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4797 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4798 			BPF_MOV64_IMM(BPF_REG_2, 34),
4799 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4800 			BPF_MOV64_IMM(BPF_REG_3, 0),
4801 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4802 			BPF_EXIT_INSN(),
4803 		},
4804 		.result = ACCEPT,
4805 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4806 	},
4807 	{
4808 		"constant register |= constant should not bypass stack boundary checks",
4809 		.insns = {
4810 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4811 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4812 			BPF_MOV64_IMM(BPF_REG_2, 34),
4813 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4814 			BPF_MOV64_IMM(BPF_REG_3, 0),
4815 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4816 			BPF_EXIT_INSN(),
4817 		},
4818 		.errstr = "invalid stack type R1 off=-48 access_size=58",
4819 		.result = REJECT,
4820 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4821 	},
4822 	{
4823 		"constant register |= constant register should keep constant type",
4824 		.insns = {
4825 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4826 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4827 			BPF_MOV64_IMM(BPF_REG_2, 34),
4828 			BPF_MOV64_IMM(BPF_REG_4, 13),
4829 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4830 			BPF_MOV64_IMM(BPF_REG_3, 0),
4831 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4832 			BPF_EXIT_INSN(),
4833 		},
4834 		.result = ACCEPT,
4835 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4836 	},
4837 	{
4838 		"constant register |= constant register should not bypass stack boundary checks",
4839 		.insns = {
4840 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4841 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4842 			BPF_MOV64_IMM(BPF_REG_2, 34),
4843 			BPF_MOV64_IMM(BPF_REG_4, 24),
4844 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4845 			BPF_MOV64_IMM(BPF_REG_3, 0),
4846 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4847 			BPF_EXIT_INSN(),
4848 		},
4849 		.errstr = "invalid stack type R1 off=-48 access_size=58",
4850 		.result = REJECT,
4851 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4852 	},
4853 	{
4854 		"invalid direct packet write for LWT_IN",
4855 		.insns = {
4856 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4857 				    offsetof(struct __sk_buff, data)),
4858 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4859 				    offsetof(struct __sk_buff, data_end)),
4860 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4861 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4862 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4863 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4864 			BPF_MOV64_IMM(BPF_REG_0, 0),
4865 			BPF_EXIT_INSN(),
4866 		},
4867 		.errstr = "cannot write into packet",
4868 		.result = REJECT,
4869 		.prog_type = BPF_PROG_TYPE_LWT_IN,
4870 	},
4871 	{
4872 		"invalid direct packet write for LWT_OUT",
4873 		.insns = {
4874 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4875 				    offsetof(struct __sk_buff, data)),
4876 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4877 				    offsetof(struct __sk_buff, data_end)),
4878 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4879 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4880 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4881 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4882 			BPF_MOV64_IMM(BPF_REG_0, 0),
4883 			BPF_EXIT_INSN(),
4884 		},
4885 		.errstr = "cannot write into packet",
4886 		.result = REJECT,
4887 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
4888 	},
4889 	{
4890 		"direct packet write for LWT_XMIT",
4891 		.insns = {
4892 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4893 				    offsetof(struct __sk_buff, data)),
4894 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4895 				    offsetof(struct __sk_buff, data_end)),
4896 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4897 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4898 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4899 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4900 			BPF_MOV64_IMM(BPF_REG_0, 0),
4901 			BPF_EXIT_INSN(),
4902 		},
4903 		.result = ACCEPT,
4904 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4905 	},
4906 	{
4907 		"direct packet read for LWT_IN",
4908 		.insns = {
4909 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4910 				    offsetof(struct __sk_buff, data)),
4911 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4912 				    offsetof(struct __sk_buff, data_end)),
4913 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4914 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4915 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4916 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4917 			BPF_MOV64_IMM(BPF_REG_0, 0),
4918 			BPF_EXIT_INSN(),
4919 		},
4920 		.result = ACCEPT,
4921 		.prog_type = BPF_PROG_TYPE_LWT_IN,
4922 	},
4923 	{
4924 		"direct packet read for LWT_OUT",
4925 		.insns = {
4926 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4927 				    offsetof(struct __sk_buff, data)),
4928 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4929 				    offsetof(struct __sk_buff, data_end)),
4930 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4931 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4932 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4933 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4934 			BPF_MOV64_IMM(BPF_REG_0, 0),
4935 			BPF_EXIT_INSN(),
4936 		},
4937 		.result = ACCEPT,
4938 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
4939 	},
4940 	{
4941 		"direct packet read for LWT_XMIT",
4942 		.insns = {
4943 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4944 				    offsetof(struct __sk_buff, data)),
4945 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4946 				    offsetof(struct __sk_buff, data_end)),
4947 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4948 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4949 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4950 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4951 			BPF_MOV64_IMM(BPF_REG_0, 0),
4952 			BPF_EXIT_INSN(),
4953 		},
4954 		.result = ACCEPT,
4955 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4956 	},
4957 	{
4958 		"overlapping checks for direct packet access",
4959 		.insns = {
4960 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4961 				    offsetof(struct __sk_buff, data)),
4962 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4963 				    offsetof(struct __sk_buff, data_end)),
4964 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4965 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4966 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4967 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4968 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4969 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4970 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4971 			BPF_MOV64_IMM(BPF_REG_0, 0),
4972 			BPF_EXIT_INSN(),
4973 		},
4974 		.result = ACCEPT,
4975 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4976 	},
4977 	{
4978 		"invalid access of tc_classid for LWT_IN",
4979 		.insns = {
4980 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4981 				    offsetof(struct __sk_buff, tc_classid)),
4982 			BPF_EXIT_INSN(),
4983 		},
4984 		.result = REJECT,
4985 		.errstr = "invalid bpf_context access",
4986 	},
4987 	{
4988 		"invalid access of tc_classid for LWT_OUT",
4989 		.insns = {
4990 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4991 				    offsetof(struct __sk_buff, tc_classid)),
4992 			BPF_EXIT_INSN(),
4993 		},
4994 		.result = REJECT,
4995 		.errstr = "invalid bpf_context access",
4996 	},
4997 	{
4998 		"invalid access of tc_classid for LWT_XMIT",
4999 		.insns = {
5000 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5001 				    offsetof(struct __sk_buff, tc_classid)),
5002 			BPF_EXIT_INSN(),
5003 		},
5004 		.result = REJECT,
5005 		.errstr = "invalid bpf_context access",
5006 	},
5007 	{
5008 		"leak pointer into ctx 1",
5009 		.insns = {
5010 			BPF_MOV64_IMM(BPF_REG_0, 0),
5011 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5012 				    offsetof(struct __sk_buff, cb[0])),
5013 			BPF_LD_MAP_FD(BPF_REG_2, 0),
5014 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
5015 				      offsetof(struct __sk_buff, cb[0])),
5016 			BPF_EXIT_INSN(),
5017 		},
5018 		.fixup_map1 = { 2 },
5019 		.errstr_unpriv = "R2 leaks addr into mem",
5020 		.result_unpriv = REJECT,
5021 		.result = REJECT,
5022 		.errstr = "BPF_XADD stores into R1 context is not allowed",
5023 	},
5024 	{
5025 		"leak pointer into ctx 2",
5026 		.insns = {
5027 			BPF_MOV64_IMM(BPF_REG_0, 0),
5028 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5029 				    offsetof(struct __sk_buff, cb[0])),
5030 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
5031 				      offsetof(struct __sk_buff, cb[0])),
5032 			BPF_EXIT_INSN(),
5033 		},
5034 		.errstr_unpriv = "R10 leaks addr into mem",
5035 		.result_unpriv = REJECT,
5036 		.result = REJECT,
5037 		.errstr = "BPF_XADD stores into R1 context is not allowed",
5038 	},
5039 	{
5040 		"leak pointer into ctx 3",
5041 		.insns = {
5042 			BPF_MOV64_IMM(BPF_REG_0, 0),
5043 			BPF_LD_MAP_FD(BPF_REG_2, 0),
5044 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
5045 				      offsetof(struct __sk_buff, cb[0])),
5046 			BPF_EXIT_INSN(),
5047 		},
5048 		.fixup_map1 = { 1 },
5049 		.errstr_unpriv = "R2 leaks addr into ctx",
5050 		.result_unpriv = REJECT,
5051 		.result = ACCEPT,
5052 	},
5053 	{
5054 		"leak pointer into map val",
5055 		.insns = {
5056 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5057 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5058 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5059 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5060 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5061 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5062 				     BPF_FUNC_map_lookup_elem),
5063 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5064 			BPF_MOV64_IMM(BPF_REG_3, 0),
5065 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
5066 			BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
5067 			BPF_MOV64_IMM(BPF_REG_0, 0),
5068 			BPF_EXIT_INSN(),
5069 		},
5070 		.fixup_map1 = { 4 },
5071 		.errstr_unpriv = "R6 leaks addr into mem",
5072 		.result_unpriv = REJECT,
5073 		.result = ACCEPT,
5074 	},
5075 	{
5076 		"helper access to map: full range",
5077 		.insns = {
5078 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5079 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5080 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5081 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5082 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5083 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5084 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5085 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5086 			BPF_MOV64_IMM(BPF_REG_3, 0),
5087 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5088 			BPF_EXIT_INSN(),
5089 		},
5090 		.fixup_map2 = { 3 },
5091 		.result = ACCEPT,
5092 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5093 	},
5094 	{
5095 		"helper access to map: partial range",
5096 		.insns = {
5097 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5098 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5099 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5100 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5101 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5102 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5103 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5104 			BPF_MOV64_IMM(BPF_REG_2, 8),
5105 			BPF_MOV64_IMM(BPF_REG_3, 0),
5106 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5107 			BPF_EXIT_INSN(),
5108 		},
5109 		.fixup_map2 = { 3 },
5110 		.result = ACCEPT,
5111 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5112 	},
5113 	{
5114 		"helper access to map: empty range",
5115 		.insns = {
5116 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5117 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5118 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5119 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5120 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5121 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5122 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5123 			BPF_MOV64_IMM(BPF_REG_2, 0),
5124 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5125 			BPF_EXIT_INSN(),
5126 		},
5127 		.fixup_map2 = { 3 },
5128 		.errstr = "invalid access to map value, value_size=48 off=0 size=0",
5129 		.result = REJECT,
5130 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5131 	},
5132 	{
5133 		"helper access to map: out-of-bound range",
5134 		.insns = {
5135 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5136 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5137 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5138 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5139 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5140 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5141 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5142 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5143 			BPF_MOV64_IMM(BPF_REG_3, 0),
5144 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5145 			BPF_EXIT_INSN(),
5146 		},
5147 		.fixup_map2 = { 3 },
5148 		.errstr = "invalid access to map value, value_size=48 off=0 size=56",
5149 		.result = REJECT,
5150 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5151 	},
5152 	{
5153 		"helper access to map: negative range",
5154 		.insns = {
5155 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5156 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5157 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5158 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5159 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5160 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5161 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5162 			BPF_MOV64_IMM(BPF_REG_2, -8),
5163 			BPF_MOV64_IMM(BPF_REG_3, 0),
5164 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5165 			BPF_EXIT_INSN(),
5166 		},
5167 		.fixup_map2 = { 3 },
5168 		.errstr = "R2 min value is negative",
5169 		.result = REJECT,
5170 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5171 	},
5172 	{
5173 		"helper access to adjusted map (via const imm): full range",
5174 		.insns = {
5175 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5176 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5177 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5178 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5179 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5180 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5181 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5182 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5183 				offsetof(struct test_val, foo)),
5184 			BPF_MOV64_IMM(BPF_REG_2,
5185 				sizeof(struct test_val) -
5186 				offsetof(struct test_val, foo)),
5187 			BPF_MOV64_IMM(BPF_REG_3, 0),
5188 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5189 			BPF_EXIT_INSN(),
5190 		},
5191 		.fixup_map2 = { 3 },
5192 		.result = ACCEPT,
5193 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5194 	},
5195 	{
5196 		"helper access to adjusted map (via const imm): partial range",
5197 		.insns = {
5198 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5199 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5200 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5201 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5202 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5203 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5204 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5205 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5206 				offsetof(struct test_val, foo)),
5207 			BPF_MOV64_IMM(BPF_REG_2, 8),
5208 			BPF_MOV64_IMM(BPF_REG_3, 0),
5209 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5210 			BPF_EXIT_INSN(),
5211 		},
5212 		.fixup_map2 = { 3 },
5213 		.result = ACCEPT,
5214 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5215 	},
5216 	{
5217 		"helper access to adjusted map (via const imm): empty range",
5218 		.insns = {
5219 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5220 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5221 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5222 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5223 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5224 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5225 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5226 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5227 				offsetof(struct test_val, foo)),
5228 			BPF_MOV64_IMM(BPF_REG_2, 0),
5229 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5230 			BPF_EXIT_INSN(),
5231 		},
5232 		.fixup_map2 = { 3 },
5233 		.errstr = "invalid access to map value, value_size=48 off=4 size=0",
5234 		.result = REJECT,
5235 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5236 	},
5237 	{
5238 		"helper access to adjusted map (via const imm): out-of-bound range",
5239 		.insns = {
5240 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5241 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5242 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5243 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5244 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5245 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5246 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5247 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5248 				offsetof(struct test_val, foo)),
5249 			BPF_MOV64_IMM(BPF_REG_2,
5250 				sizeof(struct test_val) -
5251 				offsetof(struct test_val, foo) + 8),
5252 			BPF_MOV64_IMM(BPF_REG_3, 0),
5253 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5254 			BPF_EXIT_INSN(),
5255 		},
5256 		.fixup_map2 = { 3 },
5257 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
5258 		.result = REJECT,
5259 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5260 	},
5261 	{
5262 		"helper access to adjusted map (via const imm): negative range (> adjustment)",
5263 		.insns = {
5264 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5265 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5266 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5267 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5268 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5269 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5270 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5271 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5272 				offsetof(struct test_val, foo)),
5273 			BPF_MOV64_IMM(BPF_REG_2, -8),
5274 			BPF_MOV64_IMM(BPF_REG_3, 0),
5275 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5276 			BPF_EXIT_INSN(),
5277 		},
5278 		.fixup_map2 = { 3 },
5279 		.errstr = "R2 min value is negative",
5280 		.result = REJECT,
5281 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5282 	},
5283 	{
5284 		"helper access to adjusted map (via const imm): negative range (< adjustment)",
5285 		.insns = {
5286 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5287 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5288 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5289 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5290 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5291 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5292 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5293 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5294 				offsetof(struct test_val, foo)),
5295 			BPF_MOV64_IMM(BPF_REG_2, -1),
5296 			BPF_MOV64_IMM(BPF_REG_3, 0),
5297 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5298 			BPF_EXIT_INSN(),
5299 		},
5300 		.fixup_map2 = { 3 },
5301 		.errstr = "R2 min value is negative",
5302 		.result = REJECT,
5303 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5304 	},
5305 	{
5306 		"helper access to adjusted map (via const reg): full range",
5307 		.insns = {
5308 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5309 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5310 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5311 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5312 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5313 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5314 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5315 			BPF_MOV64_IMM(BPF_REG_3,
5316 				offsetof(struct test_val, foo)),
5317 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5318 			BPF_MOV64_IMM(BPF_REG_2,
5319 				sizeof(struct test_val) -
5320 				offsetof(struct test_val, foo)),
5321 			BPF_MOV64_IMM(BPF_REG_3, 0),
5322 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5323 			BPF_EXIT_INSN(),
5324 		},
5325 		.fixup_map2 = { 3 },
5326 		.result = ACCEPT,
5327 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5328 	},
5329 	{
5330 		"helper access to adjusted map (via const reg): partial range",
5331 		.insns = {
5332 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5333 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5334 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5335 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5336 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5337 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5338 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5339 			BPF_MOV64_IMM(BPF_REG_3,
5340 				offsetof(struct test_val, foo)),
5341 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5342 			BPF_MOV64_IMM(BPF_REG_2, 8),
5343 			BPF_MOV64_IMM(BPF_REG_3, 0),
5344 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5345 			BPF_EXIT_INSN(),
5346 		},
5347 		.fixup_map2 = { 3 },
5348 		.result = ACCEPT,
5349 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5350 	},
5351 	{
5352 		"helper access to adjusted map (via const reg): empty range",
5353 		.insns = {
5354 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5355 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5356 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5357 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5358 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5359 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5360 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5361 			BPF_MOV64_IMM(BPF_REG_3, 0),
5362 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5363 			BPF_MOV64_IMM(BPF_REG_2, 0),
5364 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5365 			BPF_EXIT_INSN(),
5366 		},
5367 		.fixup_map2 = { 3 },
5368 		.errstr = "R1 min value is outside of the array range",
5369 		.result = REJECT,
5370 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5371 	},
5372 	{
5373 		"helper access to adjusted map (via const reg): out-of-bound range",
5374 		.insns = {
5375 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5376 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5377 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5378 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5379 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5380 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5381 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5382 			BPF_MOV64_IMM(BPF_REG_3,
5383 				offsetof(struct test_val, foo)),
5384 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5385 			BPF_MOV64_IMM(BPF_REG_2,
5386 				sizeof(struct test_val) -
5387 				offsetof(struct test_val, foo) + 8),
5388 			BPF_MOV64_IMM(BPF_REG_3, 0),
5389 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5390 			BPF_EXIT_INSN(),
5391 		},
5392 		.fixup_map2 = { 3 },
5393 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
5394 		.result = REJECT,
5395 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5396 	},
5397 	{
5398 		"helper access to adjusted map (via const reg): negative range (> adjustment)",
5399 		.insns = {
5400 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5401 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5402 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5403 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5404 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5405 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5406 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5407 			BPF_MOV64_IMM(BPF_REG_3,
5408 				offsetof(struct test_val, foo)),
5409 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5410 			BPF_MOV64_IMM(BPF_REG_2, -8),
5411 			BPF_MOV64_IMM(BPF_REG_3, 0),
5412 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5413 			BPF_EXIT_INSN(),
5414 		},
5415 		.fixup_map2 = { 3 },
5416 		.errstr = "R2 min value is negative",
5417 		.result = REJECT,
5418 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5419 	},
5420 	{
5421 		"helper access to adjusted map (via const reg): negative range (< adjustment)",
5422 		.insns = {
5423 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5424 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5425 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5426 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5427 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5428 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5429 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5430 			BPF_MOV64_IMM(BPF_REG_3,
5431 				offsetof(struct test_val, foo)),
5432 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5433 			BPF_MOV64_IMM(BPF_REG_2, -1),
5434 			BPF_MOV64_IMM(BPF_REG_3, 0),
5435 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5436 			BPF_EXIT_INSN(),
5437 		},
5438 		.fixup_map2 = { 3 },
5439 		.errstr = "R2 min value is negative",
5440 		.result = REJECT,
5441 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5442 	},
5443 	{
5444 		"helper access to adjusted map (via variable): full range",
5445 		.insns = {
5446 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5447 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5448 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5449 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5450 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5451 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5452 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5453 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5454 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5455 				offsetof(struct test_val, foo), 4),
5456 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5457 			BPF_MOV64_IMM(BPF_REG_2,
5458 				sizeof(struct test_val) -
5459 				offsetof(struct test_val, foo)),
5460 			BPF_MOV64_IMM(BPF_REG_3, 0),
5461 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5462 			BPF_EXIT_INSN(),
5463 		},
5464 		.fixup_map2 = { 3 },
5465 		.result = ACCEPT,
5466 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5467 	},
5468 	{
5469 		"helper access to adjusted map (via variable): partial range",
5470 		.insns = {
5471 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5472 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5473 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5474 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5475 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5476 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5477 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5478 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5479 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5480 				offsetof(struct test_val, foo), 4),
5481 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5482 			BPF_MOV64_IMM(BPF_REG_2, 8),
5483 			BPF_MOV64_IMM(BPF_REG_3, 0),
5484 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5485 			BPF_EXIT_INSN(),
5486 		},
5487 		.fixup_map2 = { 3 },
5488 		.result = ACCEPT,
5489 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5490 	},
5491 	{
5492 		"helper access to adjusted map (via variable): empty range",
5493 		.insns = {
5494 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5495 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5496 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5497 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5498 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5499 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5500 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5501 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5502 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5503 				offsetof(struct test_val, foo), 3),
5504 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5505 			BPF_MOV64_IMM(BPF_REG_2, 0),
5506 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5507 			BPF_EXIT_INSN(),
5508 		},
5509 		.fixup_map2 = { 3 },
5510 		.errstr = "R1 min value is outside of the array range",
5511 		.result = REJECT,
5512 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5513 	},
5514 	{
5515 		"helper access to adjusted map (via variable): no max check",
5516 		.insns = {
5517 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5518 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5519 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5520 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5521 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5522 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5523 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5524 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5525 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5526 			BPF_MOV64_IMM(BPF_REG_2, 1),
5527 			BPF_MOV64_IMM(BPF_REG_3, 0),
5528 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5529 			BPF_EXIT_INSN(),
5530 		},
5531 		.fixup_map2 = { 3 },
5532 		.errstr = "R1 unbounded memory access",
5533 		.result = REJECT,
5534 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5535 	},
5536 	{
5537 		"helper access to adjusted map (via variable): wrong max check",
5538 		.insns = {
5539 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5540 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5541 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5542 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5543 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5544 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5545 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5546 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5547 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5548 				offsetof(struct test_val, foo), 4),
5549 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5550 			BPF_MOV64_IMM(BPF_REG_2,
5551 				sizeof(struct test_val) -
5552 				offsetof(struct test_val, foo) + 1),
5553 			BPF_MOV64_IMM(BPF_REG_3, 0),
5554 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5555 			BPF_EXIT_INSN(),
5556 		},
5557 		.fixup_map2 = { 3 },
5558 		.errstr = "invalid access to map value, value_size=48 off=4 size=45",
5559 		.result = REJECT,
5560 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5561 	},
5562 	{
5563 		"helper access to map: bounds check using <, good access",
5564 		.insns = {
5565 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5566 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5567 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5568 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5569 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5570 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5571 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5572 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5573 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5574 			BPF_MOV64_IMM(BPF_REG_0, 0),
5575 			BPF_EXIT_INSN(),
5576 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5577 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5578 			BPF_MOV64_IMM(BPF_REG_0, 0),
5579 			BPF_EXIT_INSN(),
5580 		},
5581 		.fixup_map2 = { 3 },
5582 		.result = ACCEPT,
5583 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5584 	},
5585 	{
5586 		"helper access to map: bounds check using <, bad access",
5587 		.insns = {
5588 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5589 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5590 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5591 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5592 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5593 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5594 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5595 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5596 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5597 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5598 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5599 			BPF_MOV64_IMM(BPF_REG_0, 0),
5600 			BPF_EXIT_INSN(),
5601 			BPF_MOV64_IMM(BPF_REG_0, 0),
5602 			BPF_EXIT_INSN(),
5603 		},
5604 		.fixup_map2 = { 3 },
5605 		.result = REJECT,
5606 		.errstr = "R1 unbounded memory access",
5607 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5608 	},
5609 	{
5610 		"helper access to map: bounds check using <=, good access",
5611 		.insns = {
5612 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5613 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5614 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5615 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5616 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5617 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5618 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5619 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5620 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5621 			BPF_MOV64_IMM(BPF_REG_0, 0),
5622 			BPF_EXIT_INSN(),
5623 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5624 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5625 			BPF_MOV64_IMM(BPF_REG_0, 0),
5626 			BPF_EXIT_INSN(),
5627 		},
5628 		.fixup_map2 = { 3 },
5629 		.result = ACCEPT,
5630 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5631 	},
5632 	{
5633 		"helper access to map: bounds check using <=, bad access",
5634 		.insns = {
5635 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5636 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5637 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5638 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5639 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5640 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5641 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5642 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5643 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5644 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5645 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5646 			BPF_MOV64_IMM(BPF_REG_0, 0),
5647 			BPF_EXIT_INSN(),
5648 			BPF_MOV64_IMM(BPF_REG_0, 0),
5649 			BPF_EXIT_INSN(),
5650 		},
5651 		.fixup_map2 = { 3 },
5652 		.result = REJECT,
5653 		.errstr = "R1 unbounded memory access",
5654 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5655 	},
5656 	{
5657 		"helper access to map: bounds check using s<, good access",
5658 		.insns = {
5659 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5660 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5661 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5662 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5663 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5664 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5665 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5666 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5667 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5668 			BPF_MOV64_IMM(BPF_REG_0, 0),
5669 			BPF_EXIT_INSN(),
5670 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5671 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5672 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5673 			BPF_MOV64_IMM(BPF_REG_0, 0),
5674 			BPF_EXIT_INSN(),
5675 		},
5676 		.fixup_map2 = { 3 },
5677 		.result = ACCEPT,
5678 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5679 	},
5680 	{
5681 		"helper access to map: bounds check using s<, good access 2",
5682 		.insns = {
5683 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5684 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5685 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5686 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5687 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5688 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5689 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5690 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5691 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5692 			BPF_MOV64_IMM(BPF_REG_0, 0),
5693 			BPF_EXIT_INSN(),
5694 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5695 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5696 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5697 			BPF_MOV64_IMM(BPF_REG_0, 0),
5698 			BPF_EXIT_INSN(),
5699 		},
5700 		.fixup_map2 = { 3 },
5701 		.result = ACCEPT,
5702 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5703 	},
5704 	{
5705 		"helper access to map: bounds check using s<, bad access",
5706 		.insns = {
5707 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5708 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5709 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5710 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5711 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5712 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5713 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5714 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5715 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5716 			BPF_MOV64_IMM(BPF_REG_0, 0),
5717 			BPF_EXIT_INSN(),
5718 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5719 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5720 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5721 			BPF_MOV64_IMM(BPF_REG_0, 0),
5722 			BPF_EXIT_INSN(),
5723 		},
5724 		.fixup_map2 = { 3 },
5725 		.result = REJECT,
5726 		.errstr = "R1 min value is negative",
5727 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5728 	},
5729 	{
5730 		"helper access to map: bounds check using s<=, good access",
5731 		.insns = {
5732 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5733 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5734 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5735 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5736 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5737 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5738 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5739 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5740 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5741 			BPF_MOV64_IMM(BPF_REG_0, 0),
5742 			BPF_EXIT_INSN(),
5743 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5744 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5745 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5746 			BPF_MOV64_IMM(BPF_REG_0, 0),
5747 			BPF_EXIT_INSN(),
5748 		},
5749 		.fixup_map2 = { 3 },
5750 		.result = ACCEPT,
5751 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5752 	},
5753 	{
5754 		"helper access to map: bounds check using s<=, good access 2",
5755 		.insns = {
5756 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5757 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5758 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5759 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5760 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5761 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5762 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5763 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5764 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5765 			BPF_MOV64_IMM(BPF_REG_0, 0),
5766 			BPF_EXIT_INSN(),
5767 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5768 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5769 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5770 			BPF_MOV64_IMM(BPF_REG_0, 0),
5771 			BPF_EXIT_INSN(),
5772 		},
5773 		.fixup_map2 = { 3 },
5774 		.result = ACCEPT,
5775 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5776 	},
5777 	{
5778 		"helper access to map: bounds check using s<=, bad access",
5779 		.insns = {
5780 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5781 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5782 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5783 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5784 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5785 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5786 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5787 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5788 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5789 			BPF_MOV64_IMM(BPF_REG_0, 0),
5790 			BPF_EXIT_INSN(),
5791 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5792 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5793 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5794 			BPF_MOV64_IMM(BPF_REG_0, 0),
5795 			BPF_EXIT_INSN(),
5796 		},
5797 		.fixup_map2 = { 3 },
5798 		.result = REJECT,
5799 		.errstr = "R1 min value is negative",
5800 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5801 	},
5802 	{
5803 		"map lookup helper access to map",
5804 		.insns = {
5805 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5806 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5807 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5808 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5809 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5810 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5811 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5812 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5813 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5814 			BPF_EXIT_INSN(),
5815 		},
5816 		.fixup_map3 = { 3, 8 },
5817 		.result = ACCEPT,
5818 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5819 	},
5820 	{
5821 		"map update helper access to map",
5822 		.insns = {
5823 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5824 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5825 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5826 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5827 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5828 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5829 			BPF_MOV64_IMM(BPF_REG_4, 0),
5830 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5831 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5832 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5833 			BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5834 			BPF_EXIT_INSN(),
5835 		},
5836 		.fixup_map3 = { 3, 10 },
5837 		.result = ACCEPT,
5838 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5839 	},
5840 	{
5841 		"map update helper access to map: wrong size",
5842 		.insns = {
5843 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5844 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5845 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5846 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5847 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5848 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5849 			BPF_MOV64_IMM(BPF_REG_4, 0),
5850 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5851 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5852 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5853 			BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5854 			BPF_EXIT_INSN(),
5855 		},
5856 		.fixup_map1 = { 3 },
5857 		.fixup_map3 = { 10 },
5858 		.result = REJECT,
5859 		.errstr = "invalid access to map value, value_size=8 off=0 size=16",
5860 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5861 	},
5862 	{
5863 		"map helper access to adjusted map (via const imm)",
5864 		.insns = {
5865 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5866 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5867 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5868 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5869 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5870 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5871 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5872 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
5873 				      offsetof(struct other_val, bar)),
5874 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5875 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5876 			BPF_EXIT_INSN(),
5877 		},
5878 		.fixup_map3 = { 3, 9 },
5879 		.result = ACCEPT,
5880 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5881 	},
5882 	{
5883 		"map helper access to adjusted map (via const imm): out-of-bound 1",
5884 		.insns = {
5885 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5886 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5887 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5888 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5889 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5890 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5891 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5892 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
5893 				      sizeof(struct other_val) - 4),
5894 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5895 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5896 			BPF_EXIT_INSN(),
5897 		},
5898 		.fixup_map3 = { 3, 9 },
5899 		.result = REJECT,
5900 		.errstr = "invalid access to map value, value_size=16 off=12 size=8",
5901 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5902 	},
5903 	{
5904 		"map helper access to adjusted map (via const imm): out-of-bound 2",
5905 		.insns = {
5906 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5907 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5908 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5909 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5910 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5911 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5912 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5913 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5914 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5915 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5916 			BPF_EXIT_INSN(),
5917 		},
5918 		.fixup_map3 = { 3, 9 },
5919 		.result = REJECT,
5920 		.errstr = "invalid access to map value, value_size=16 off=-4 size=8",
5921 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5922 	},
5923 	{
5924 		"map helper access to adjusted map (via const reg)",
5925 		.insns = {
5926 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5927 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5928 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5929 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5930 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5931 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5932 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5933 			BPF_MOV64_IMM(BPF_REG_3,
5934 				      offsetof(struct other_val, bar)),
5935 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5936 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5937 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5938 			BPF_EXIT_INSN(),
5939 		},
5940 		.fixup_map3 = { 3, 10 },
5941 		.result = ACCEPT,
5942 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5943 	},
5944 	{
5945 		"map helper access to adjusted map (via const reg): out-of-bound 1",
5946 		.insns = {
5947 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5948 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5949 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5950 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5951 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5952 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5953 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5954 			BPF_MOV64_IMM(BPF_REG_3,
5955 				      sizeof(struct other_val) - 4),
5956 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5957 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5958 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5959 			BPF_EXIT_INSN(),
5960 		},
5961 		.fixup_map3 = { 3, 10 },
5962 		.result = REJECT,
5963 		.errstr = "invalid access to map value, value_size=16 off=12 size=8",
5964 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5965 	},
5966 	{
5967 		"map helper access to adjusted map (via const reg): out-of-bound 2",
5968 		.insns = {
5969 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5970 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5971 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5972 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5973 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5974 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5975 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5976 			BPF_MOV64_IMM(BPF_REG_3, -4),
5977 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5978 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5979 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5980 			BPF_EXIT_INSN(),
5981 		},
5982 		.fixup_map3 = { 3, 10 },
5983 		.result = REJECT,
5984 		.errstr = "invalid access to map value, value_size=16 off=-4 size=8",
5985 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5986 	},
5987 	{
5988 		"map helper access to adjusted map (via variable)",
5989 		.insns = {
5990 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5991 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5992 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5993 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5994 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5995 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5996 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5997 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5998 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5999 				    offsetof(struct other_val, bar), 4),
6000 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6001 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6002 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6003 			BPF_EXIT_INSN(),
6004 		},
6005 		.fixup_map3 = { 3, 11 },
6006 		.result = ACCEPT,
6007 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6008 	},
6009 	{
6010 		"map helper access to adjusted map (via variable): no max check",
6011 		.insns = {
6012 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6013 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6014 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6015 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6016 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6017 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6018 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6019 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6020 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6021 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6022 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6023 			BPF_EXIT_INSN(),
6024 		},
6025 		.fixup_map3 = { 3, 10 },
6026 		.result = REJECT,
6027 		.errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
6028 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6029 	},
6030 	{
6031 		"map helper access to adjusted map (via variable): wrong max check",
6032 		.insns = {
6033 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6034 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6035 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6036 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6037 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6038 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6039 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6040 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6041 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6042 				    offsetof(struct other_val, bar) + 1, 4),
6043 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6044 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6045 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6046 			BPF_EXIT_INSN(),
6047 		},
6048 		.fixup_map3 = { 3, 11 },
6049 		.result = REJECT,
6050 		.errstr = "invalid access to map value, value_size=16 off=9 size=8",
6051 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6052 	},
6053 	{
6054 		"map element value is preserved across register spilling",
6055 		.insns = {
6056 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6057 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6058 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6059 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6060 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6061 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6062 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6063 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6064 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6065 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6066 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6067 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6068 			BPF_EXIT_INSN(),
6069 		},
6070 		.fixup_map2 = { 3 },
6071 		.errstr_unpriv = "R0 leaks addr",
6072 		.result = ACCEPT,
6073 		.result_unpriv = REJECT,
6074 	},
6075 	{
6076 		"map element value or null is marked on register spilling",
6077 		.insns = {
6078 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6079 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6080 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6081 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6082 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6083 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6084 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
6085 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6086 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6087 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6088 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6089 			BPF_EXIT_INSN(),
6090 		},
6091 		.fixup_map2 = { 3 },
6092 		.errstr_unpriv = "R0 leaks addr",
6093 		.result = ACCEPT,
6094 		.result_unpriv = REJECT,
6095 	},
6096 	{
6097 		"map element value store of cleared call register",
6098 		.insns = {
6099 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6100 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6101 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6102 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6103 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6104 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
6105 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
6106 			BPF_EXIT_INSN(),
6107 		},
6108 		.fixup_map2 = { 3 },
6109 		.errstr_unpriv = "R1 !read_ok",
6110 		.errstr = "R1 !read_ok",
6111 		.result = REJECT,
6112 		.result_unpriv = REJECT,
6113 	},
6114 	{
6115 		"map element value with unaligned store",
6116 		.insns = {
6117 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6118 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6119 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6120 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6121 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6122 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
6123 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6124 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6125 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
6126 			BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
6127 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6128 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
6129 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
6130 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
6131 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
6132 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
6133 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
6134 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
6135 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
6136 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
6137 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
6138 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
6139 			BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
6140 			BPF_EXIT_INSN(),
6141 		},
6142 		.fixup_map2 = { 3 },
6143 		.errstr_unpriv = "R0 leaks addr",
6144 		.result = ACCEPT,
6145 		.result_unpriv = REJECT,
6146 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6147 	},
6148 	{
6149 		"map element value with unaligned load",
6150 		.insns = {
6151 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6152 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6153 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6154 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6155 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6156 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6157 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6158 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
6159 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6160 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6161 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
6162 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6163 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
6164 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
6165 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
6166 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6167 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
6168 			BPF_EXIT_INSN(),
6169 		},
6170 		.fixup_map2 = { 3 },
6171 		.errstr_unpriv = "R0 leaks addr",
6172 		.result = ACCEPT,
6173 		.result_unpriv = REJECT,
6174 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6175 	},
6176 	{
6177 		"map element value illegal alu op, 1",
6178 		.insns = {
6179 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6180 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6181 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6182 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6183 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6184 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6185 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
6186 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6187 			BPF_EXIT_INSN(),
6188 		},
6189 		.fixup_map2 = { 3 },
6190 		.errstr = "R0 bitwise operator &= on pointer",
6191 		.result = REJECT,
6192 	},
6193 	{
6194 		"map element value illegal alu op, 2",
6195 		.insns = {
6196 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6197 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6198 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6199 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6200 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6201 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6202 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
6203 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6204 			BPF_EXIT_INSN(),
6205 		},
6206 		.fixup_map2 = { 3 },
6207 		.errstr = "R0 32-bit pointer arithmetic prohibited",
6208 		.result = REJECT,
6209 	},
6210 	{
6211 		"map element value illegal alu op, 3",
6212 		.insns = {
6213 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6214 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6215 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6216 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6217 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6218 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6219 			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
6220 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6221 			BPF_EXIT_INSN(),
6222 		},
6223 		.fixup_map2 = { 3 },
6224 		.errstr = "R0 pointer arithmetic with /= operator",
6225 		.result = REJECT,
6226 	},
6227 	{
6228 		"map element value illegal alu op, 4",
6229 		.insns = {
6230 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6231 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6232 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6233 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6234 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6235 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6236 			BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
6237 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6238 			BPF_EXIT_INSN(),
6239 		},
6240 		.fixup_map2 = { 3 },
6241 		.errstr_unpriv = "R0 pointer arithmetic prohibited",
6242 		.errstr = "invalid mem access 'inv'",
6243 		.result = REJECT,
6244 		.result_unpriv = REJECT,
6245 	},
6246 	{
6247 		"map element value illegal alu op, 5",
6248 		.insns = {
6249 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6250 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6251 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6252 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6253 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6254 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6255 			BPF_MOV64_IMM(BPF_REG_3, 4096),
6256 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6257 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6258 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6259 			BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
6260 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
6261 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6262 			BPF_EXIT_INSN(),
6263 		},
6264 		.fixup_map2 = { 3 },
6265 		.errstr = "R0 invalid mem access 'inv'",
6266 		.result = REJECT,
6267 	},
6268 	{
6269 		"map element value is preserved across register spilling",
6270 		.insns = {
6271 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6272 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6273 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6274 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6275 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6276 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6277 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
6278 				offsetof(struct test_val, foo)),
6279 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6280 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6281 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6282 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6283 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6284 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6285 			BPF_EXIT_INSN(),
6286 		},
6287 		.fixup_map2 = { 3 },
6288 		.errstr_unpriv = "R0 leaks addr",
6289 		.result = ACCEPT,
6290 		.result_unpriv = REJECT,
6291 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6292 	},
6293 	{
6294 		"helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
6295 		.insns = {
6296 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6297 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6298 			BPF_MOV64_IMM(BPF_REG_0, 0),
6299 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6300 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6301 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6302 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6303 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6304 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6305 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6306 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6307 			BPF_MOV64_IMM(BPF_REG_2, 16),
6308 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6309 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6310 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6311 			BPF_MOV64_IMM(BPF_REG_4, 0),
6312 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6313 			BPF_MOV64_IMM(BPF_REG_3, 0),
6314 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6315 			BPF_MOV64_IMM(BPF_REG_0, 0),
6316 			BPF_EXIT_INSN(),
6317 		},
6318 		.result = ACCEPT,
6319 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6320 	},
6321 	{
6322 		"helper access to variable memory: stack, bitwise AND, zero included",
6323 		.insns = {
6324 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6325 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6326 			BPF_MOV64_IMM(BPF_REG_2, 16),
6327 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6328 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6329 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6330 			BPF_MOV64_IMM(BPF_REG_3, 0),
6331 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6332 			BPF_EXIT_INSN(),
6333 		},
6334 		.errstr = "invalid indirect read from stack off -64+0 size 64",
6335 		.result = REJECT,
6336 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6337 	},
6338 	{
6339 		"helper access to variable memory: stack, bitwise AND + JMP, wrong max",
6340 		.insns = {
6341 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6342 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6343 			BPF_MOV64_IMM(BPF_REG_2, 16),
6344 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6345 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6346 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
6347 			BPF_MOV64_IMM(BPF_REG_4, 0),
6348 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6349 			BPF_MOV64_IMM(BPF_REG_3, 0),
6350 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6351 			BPF_MOV64_IMM(BPF_REG_0, 0),
6352 			BPF_EXIT_INSN(),
6353 		},
6354 		.errstr = "invalid stack type R1 off=-64 access_size=65",
6355 		.result = REJECT,
6356 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6357 	},
6358 	{
6359 		"helper access to variable memory: stack, JMP, correct bounds",
6360 		.insns = {
6361 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6362 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6363 			BPF_MOV64_IMM(BPF_REG_0, 0),
6364 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6365 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6366 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6367 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6368 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6369 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6370 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6371 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6372 			BPF_MOV64_IMM(BPF_REG_2, 16),
6373 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6374 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6375 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
6376 			BPF_MOV64_IMM(BPF_REG_4, 0),
6377 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6378 			BPF_MOV64_IMM(BPF_REG_3, 0),
6379 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6380 			BPF_MOV64_IMM(BPF_REG_0, 0),
6381 			BPF_EXIT_INSN(),
6382 		},
6383 		.result = ACCEPT,
6384 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6385 	},
6386 	{
6387 		"helper access to variable memory: stack, JMP (signed), correct bounds",
6388 		.insns = {
6389 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6390 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6391 			BPF_MOV64_IMM(BPF_REG_0, 0),
6392 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6393 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6394 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6395 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6396 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6397 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6398 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6399 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6400 			BPF_MOV64_IMM(BPF_REG_2, 16),
6401 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6402 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6403 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
6404 			BPF_MOV64_IMM(BPF_REG_4, 0),
6405 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6406 			BPF_MOV64_IMM(BPF_REG_3, 0),
6407 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6408 			BPF_MOV64_IMM(BPF_REG_0, 0),
6409 			BPF_EXIT_INSN(),
6410 		},
6411 		.result = ACCEPT,
6412 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6413 	},
6414 	{
6415 		"helper access to variable memory: stack, JMP, bounds + offset",
6416 		.insns = {
6417 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6418 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6419 			BPF_MOV64_IMM(BPF_REG_2, 16),
6420 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6421 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6422 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
6423 			BPF_MOV64_IMM(BPF_REG_4, 0),
6424 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
6425 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6426 			BPF_MOV64_IMM(BPF_REG_3, 0),
6427 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6428 			BPF_MOV64_IMM(BPF_REG_0, 0),
6429 			BPF_EXIT_INSN(),
6430 		},
6431 		.errstr = "invalid stack type R1 off=-64 access_size=65",
6432 		.result = REJECT,
6433 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6434 	},
6435 	{
6436 		"helper access to variable memory: stack, JMP, wrong max",
6437 		.insns = {
6438 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6439 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6440 			BPF_MOV64_IMM(BPF_REG_2, 16),
6441 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6442 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6443 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
6444 			BPF_MOV64_IMM(BPF_REG_4, 0),
6445 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6446 			BPF_MOV64_IMM(BPF_REG_3, 0),
6447 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6448 			BPF_MOV64_IMM(BPF_REG_0, 0),
6449 			BPF_EXIT_INSN(),
6450 		},
6451 		.errstr = "invalid stack type R1 off=-64 access_size=65",
6452 		.result = REJECT,
6453 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6454 	},
6455 	{
6456 		"helper access to variable memory: stack, JMP, no max check",
6457 		.insns = {
6458 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6459 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6460 			BPF_MOV64_IMM(BPF_REG_2, 16),
6461 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6462 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6463 			BPF_MOV64_IMM(BPF_REG_4, 0),
6464 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6465 			BPF_MOV64_IMM(BPF_REG_3, 0),
6466 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6467 			BPF_MOV64_IMM(BPF_REG_0, 0),
6468 			BPF_EXIT_INSN(),
6469 		},
6470 		/* because max wasn't checked, signed min is negative */
6471 		.errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
6472 		.result = REJECT,
6473 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6474 	},
6475 	{
6476 		"helper access to variable memory: stack, JMP, no min check",
6477 		.insns = {
6478 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6479 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6480 			BPF_MOV64_IMM(BPF_REG_2, 16),
6481 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6482 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6483 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
6484 			BPF_MOV64_IMM(BPF_REG_3, 0),
6485 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6486 			BPF_MOV64_IMM(BPF_REG_0, 0),
6487 			BPF_EXIT_INSN(),
6488 		},
6489 		.errstr = "invalid indirect read from stack off -64+0 size 64",
6490 		.result = REJECT,
6491 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6492 	},
6493 	{
6494 		"helper access to variable memory: stack, JMP (signed), no min check",
6495 		.insns = {
6496 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6497 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6498 			BPF_MOV64_IMM(BPF_REG_2, 16),
6499 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6500 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6501 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
6502 			BPF_MOV64_IMM(BPF_REG_3, 0),
6503 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6504 			BPF_MOV64_IMM(BPF_REG_0, 0),
6505 			BPF_EXIT_INSN(),
6506 		},
6507 		.errstr = "R2 min value is negative",
6508 		.result = REJECT,
6509 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6510 	},
6511 	{
6512 		"helper access to variable memory: map, JMP, correct bounds",
6513 		.insns = {
6514 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6515 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6516 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6517 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6518 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6519 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6520 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6521 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6522 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6523 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6524 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6525 				sizeof(struct test_val), 4),
6526 			BPF_MOV64_IMM(BPF_REG_4, 0),
6527 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6528 			BPF_MOV64_IMM(BPF_REG_3, 0),
6529 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6530 			BPF_MOV64_IMM(BPF_REG_0, 0),
6531 			BPF_EXIT_INSN(),
6532 		},
6533 		.fixup_map2 = { 3 },
6534 		.result = ACCEPT,
6535 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6536 	},
6537 	{
6538 		"helper access to variable memory: map, JMP, wrong max",
6539 		.insns = {
6540 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6541 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6542 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6543 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6544 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6545 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6546 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6547 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6548 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6549 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6550 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6551 				sizeof(struct test_val) + 1, 4),
6552 			BPF_MOV64_IMM(BPF_REG_4, 0),
6553 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6554 			BPF_MOV64_IMM(BPF_REG_3, 0),
6555 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6556 			BPF_MOV64_IMM(BPF_REG_0, 0),
6557 			BPF_EXIT_INSN(),
6558 		},
6559 		.fixup_map2 = { 3 },
6560 		.errstr = "invalid access to map value, value_size=48 off=0 size=49",
6561 		.result = REJECT,
6562 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6563 	},
6564 	{
6565 		"helper access to variable memory: map adjusted, JMP, correct bounds",
6566 		.insns = {
6567 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6568 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6569 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6570 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6571 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6572 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6573 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6574 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6575 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6576 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6577 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6578 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6579 				sizeof(struct test_val) - 20, 4),
6580 			BPF_MOV64_IMM(BPF_REG_4, 0),
6581 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6582 			BPF_MOV64_IMM(BPF_REG_3, 0),
6583 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6584 			BPF_MOV64_IMM(BPF_REG_0, 0),
6585 			BPF_EXIT_INSN(),
6586 		},
6587 		.fixup_map2 = { 3 },
6588 		.result = ACCEPT,
6589 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6590 	},
6591 	{
6592 		"helper access to variable memory: map adjusted, JMP, wrong max",
6593 		.insns = {
6594 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6595 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6596 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6597 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6598 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6599 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6600 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6601 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6602 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6603 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6604 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6605 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6606 				sizeof(struct test_val) - 19, 4),
6607 			BPF_MOV64_IMM(BPF_REG_4, 0),
6608 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6609 			BPF_MOV64_IMM(BPF_REG_3, 0),
6610 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6611 			BPF_MOV64_IMM(BPF_REG_0, 0),
6612 			BPF_EXIT_INSN(),
6613 		},
6614 		.fixup_map2 = { 3 },
6615 		.errstr = "R1 min value is outside of the array range",
6616 		.result = REJECT,
6617 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6618 	},
6619 	{
6620 		"helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6621 		.insns = {
6622 			BPF_MOV64_IMM(BPF_REG_1, 0),
6623 			BPF_MOV64_IMM(BPF_REG_2, 0),
6624 			BPF_MOV64_IMM(BPF_REG_3, 0),
6625 			BPF_MOV64_IMM(BPF_REG_4, 0),
6626 			BPF_MOV64_IMM(BPF_REG_5, 0),
6627 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6628 			BPF_EXIT_INSN(),
6629 		},
6630 		.result = ACCEPT,
6631 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6632 	},
6633 	{
6634 		"helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6635 		.insns = {
6636 			BPF_MOV64_IMM(BPF_REG_1, 0),
6637 			BPF_MOV64_IMM(BPF_REG_2, 1),
6638 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6639 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6640 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6641 			BPF_MOV64_IMM(BPF_REG_3, 0),
6642 			BPF_MOV64_IMM(BPF_REG_4, 0),
6643 			BPF_MOV64_IMM(BPF_REG_5, 0),
6644 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6645 			BPF_EXIT_INSN(),
6646 		},
6647 		.errstr = "R1 type=inv expected=fp",
6648 		.result = REJECT,
6649 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6650 	},
6651 	{
6652 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6653 		.insns = {
6654 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6655 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6656 			BPF_MOV64_IMM(BPF_REG_2, 0),
6657 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6658 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
6659 			BPF_MOV64_IMM(BPF_REG_3, 0),
6660 			BPF_MOV64_IMM(BPF_REG_4, 0),
6661 			BPF_MOV64_IMM(BPF_REG_5, 0),
6662 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6663 			BPF_EXIT_INSN(),
6664 		},
6665 		.result = ACCEPT,
6666 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6667 	},
6668 	{
6669 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6670 		.insns = {
6671 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6672 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6673 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6674 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6675 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6676 				     BPF_FUNC_map_lookup_elem),
6677 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6678 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6679 			BPF_MOV64_IMM(BPF_REG_2, 0),
6680 			BPF_MOV64_IMM(BPF_REG_3, 0),
6681 			BPF_MOV64_IMM(BPF_REG_4, 0),
6682 			BPF_MOV64_IMM(BPF_REG_5, 0),
6683 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6684 			BPF_EXIT_INSN(),
6685 		},
6686 		.fixup_map1 = { 3 },
6687 		.result = ACCEPT,
6688 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6689 	},
6690 	{
6691 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6692 		.insns = {
6693 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6694 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6695 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6696 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6697 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6698 				     BPF_FUNC_map_lookup_elem),
6699 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6700 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6701 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
6702 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6703 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6704 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6705 			BPF_MOV64_IMM(BPF_REG_3, 0),
6706 			BPF_MOV64_IMM(BPF_REG_4, 0),
6707 			BPF_MOV64_IMM(BPF_REG_5, 0),
6708 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6709 			BPF_EXIT_INSN(),
6710 		},
6711 		.fixup_map1 = { 3 },
6712 		.result = ACCEPT,
6713 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6714 	},
6715 	{
6716 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6717 		.insns = {
6718 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6719 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6720 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6721 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6722 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6723 				     BPF_FUNC_map_lookup_elem),
6724 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6725 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6726 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6727 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6728 			BPF_MOV64_IMM(BPF_REG_3, 0),
6729 			BPF_MOV64_IMM(BPF_REG_4, 0),
6730 			BPF_MOV64_IMM(BPF_REG_5, 0),
6731 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6732 			BPF_EXIT_INSN(),
6733 		},
6734 		.fixup_map1 = { 3 },
6735 		.result = ACCEPT,
6736 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6737 	},
6738 	{
6739 		"helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
6740 		.insns = {
6741 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6742 				    offsetof(struct __sk_buff, data)),
6743 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6744 				    offsetof(struct __sk_buff, data_end)),
6745 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
6746 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6747 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
6748 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6749 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
6750 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6751 			BPF_MOV64_IMM(BPF_REG_3, 0),
6752 			BPF_MOV64_IMM(BPF_REG_4, 0),
6753 			BPF_MOV64_IMM(BPF_REG_5, 0),
6754 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6755 			BPF_EXIT_INSN(),
6756 		},
6757 		.result = ACCEPT,
6758 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6759 		.retval = 0 /* csum_diff of 64-byte packet */,
6760 	},
6761 	{
6762 		"helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6763 		.insns = {
6764 			BPF_MOV64_IMM(BPF_REG_1, 0),
6765 			BPF_MOV64_IMM(BPF_REG_2, 0),
6766 			BPF_MOV64_IMM(BPF_REG_3, 0),
6767 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6768 			BPF_EXIT_INSN(),
6769 		},
6770 		.errstr = "R1 type=inv expected=fp",
6771 		.result = REJECT,
6772 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6773 	},
6774 	{
6775 		"helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6776 		.insns = {
6777 			BPF_MOV64_IMM(BPF_REG_1, 0),
6778 			BPF_MOV64_IMM(BPF_REG_2, 1),
6779 			BPF_MOV64_IMM(BPF_REG_3, 0),
6780 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6781 			BPF_EXIT_INSN(),
6782 		},
6783 		.errstr = "R1 type=inv expected=fp",
6784 		.result = REJECT,
6785 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6786 	},
6787 	{
6788 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6789 		.insns = {
6790 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6791 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6792 			BPF_MOV64_IMM(BPF_REG_2, 0),
6793 			BPF_MOV64_IMM(BPF_REG_3, 0),
6794 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6795 			BPF_EXIT_INSN(),
6796 		},
6797 		.result = ACCEPT,
6798 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6799 	},
6800 	{
6801 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6802 		.insns = {
6803 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6804 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6805 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6806 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6807 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6808 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6809 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6810 			BPF_MOV64_IMM(BPF_REG_2, 0),
6811 			BPF_MOV64_IMM(BPF_REG_3, 0),
6812 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6813 			BPF_EXIT_INSN(),
6814 		},
6815 		.fixup_map1 = { 3 },
6816 		.result = ACCEPT,
6817 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6818 	},
6819 	{
6820 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6821 		.insns = {
6822 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6823 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6824 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6825 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6826 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6827 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6828 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6829 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6830 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6831 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6832 			BPF_MOV64_IMM(BPF_REG_3, 0),
6833 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6834 			BPF_EXIT_INSN(),
6835 		},
6836 		.fixup_map1 = { 3 },
6837 		.result = ACCEPT,
6838 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6839 	},
6840 	{
6841 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6842 		.insns = {
6843 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6844 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6845 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6846 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6847 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6848 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6849 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6850 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6851 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
6852 			BPF_MOV64_IMM(BPF_REG_3, 0),
6853 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6854 			BPF_EXIT_INSN(),
6855 		},
6856 		.fixup_map1 = { 3 },
6857 		.result = ACCEPT,
6858 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6859 	},
6860 	{
6861 		"helper access to variable memory: 8 bytes leak",
6862 		.insns = {
6863 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6864 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6865 			BPF_MOV64_IMM(BPF_REG_0, 0),
6866 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6867 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6868 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6869 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6870 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6871 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6872 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6873 			BPF_MOV64_IMM(BPF_REG_2, 1),
6874 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6875 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6876 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
6877 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6878 			BPF_MOV64_IMM(BPF_REG_3, 0),
6879 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6880 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6881 			BPF_EXIT_INSN(),
6882 		},
6883 		.errstr = "invalid indirect read from stack off -64+32 size 64",
6884 		.result = REJECT,
6885 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6886 	},
6887 	{
6888 		"helper access to variable memory: 8 bytes no leak (init memory)",
6889 		.insns = {
6890 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6891 			BPF_MOV64_IMM(BPF_REG_0, 0),
6892 			BPF_MOV64_IMM(BPF_REG_0, 0),
6893 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6894 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6895 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6896 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6897 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6898 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6899 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6900 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6901 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6902 			BPF_MOV64_IMM(BPF_REG_2, 0),
6903 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
6904 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
6905 			BPF_MOV64_IMM(BPF_REG_3, 0),
6906 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6907 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6908 			BPF_EXIT_INSN(),
6909 		},
6910 		.result = ACCEPT,
6911 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6912 	},
6913 	{
6914 		"invalid and of negative number",
6915 		.insns = {
6916 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6917 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6918 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6919 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6920 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6921 				     BPF_FUNC_map_lookup_elem),
6922 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6923 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6924 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
6925 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
6926 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6927 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
6928 				   offsetof(struct test_val, foo)),
6929 			BPF_EXIT_INSN(),
6930 		},
6931 		.fixup_map2 = { 3 },
6932 		.errstr = "R0 max value is outside of the array range",
6933 		.result = REJECT,
6934 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6935 	},
6936 	{
6937 		"invalid range check",
6938 		.insns = {
6939 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6940 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6941 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6942 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6943 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6944 				     BPF_FUNC_map_lookup_elem),
6945 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
6946 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6947 			BPF_MOV64_IMM(BPF_REG_9, 1),
6948 			BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
6949 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
6950 			BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
6951 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
6952 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
6953 			BPF_MOV32_IMM(BPF_REG_3, 1),
6954 			BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
6955 			BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
6956 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
6957 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
6958 			BPF_MOV64_REG(BPF_REG_0, 0),
6959 			BPF_EXIT_INSN(),
6960 		},
6961 		.fixup_map2 = { 3 },
6962 		.errstr = "R0 max value is outside of the array range",
6963 		.result = REJECT,
6964 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6965 	},
6966 	{
6967 		"map in map access",
6968 		.insns = {
6969 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6970 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6971 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6972 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6973 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6974 				     BPF_FUNC_map_lookup_elem),
6975 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6976 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6977 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6978 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6979 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6980 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6981 				     BPF_FUNC_map_lookup_elem),
6982 			BPF_MOV64_REG(BPF_REG_0, 0),
6983 			BPF_EXIT_INSN(),
6984 		},
6985 		.fixup_map_in_map = { 3 },
6986 		.result = ACCEPT,
6987 	},
6988 	{
6989 		"invalid inner map pointer",
6990 		.insns = {
6991 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6992 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6993 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6994 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6995 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6996 				     BPF_FUNC_map_lookup_elem),
6997 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6998 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6999 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7000 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7001 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7002 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7003 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7004 				     BPF_FUNC_map_lookup_elem),
7005 			BPF_MOV64_REG(BPF_REG_0, 0),
7006 			BPF_EXIT_INSN(),
7007 		},
7008 		.fixup_map_in_map = { 3 },
7009 		.errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
7010 		.result = REJECT,
7011 	},
7012 	{
7013 		"forgot null checking on the inner map pointer",
7014 		.insns = {
7015 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7016 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7017 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7018 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7019 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7020 				     BPF_FUNC_map_lookup_elem),
7021 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7022 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7023 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7024 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7025 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7026 				     BPF_FUNC_map_lookup_elem),
7027 			BPF_MOV64_REG(BPF_REG_0, 0),
7028 			BPF_EXIT_INSN(),
7029 		},
7030 		.fixup_map_in_map = { 3 },
7031 		.errstr = "R1 type=map_value_or_null expected=map_ptr",
7032 		.result = REJECT,
7033 	},
7034 	{
7035 		"ld_abs: check calling conv, r1",
7036 		.insns = {
7037 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7038 			BPF_MOV64_IMM(BPF_REG_1, 0),
7039 			BPF_LD_ABS(BPF_W, -0x200000),
7040 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7041 			BPF_EXIT_INSN(),
7042 		},
7043 		.errstr = "R1 !read_ok",
7044 		.result = REJECT,
7045 	},
7046 	{
7047 		"ld_abs: check calling conv, r2",
7048 		.insns = {
7049 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7050 			BPF_MOV64_IMM(BPF_REG_2, 0),
7051 			BPF_LD_ABS(BPF_W, -0x200000),
7052 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7053 			BPF_EXIT_INSN(),
7054 		},
7055 		.errstr = "R2 !read_ok",
7056 		.result = REJECT,
7057 	},
7058 	{
7059 		"ld_abs: check calling conv, r3",
7060 		.insns = {
7061 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7062 			BPF_MOV64_IMM(BPF_REG_3, 0),
7063 			BPF_LD_ABS(BPF_W, -0x200000),
7064 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7065 			BPF_EXIT_INSN(),
7066 		},
7067 		.errstr = "R3 !read_ok",
7068 		.result = REJECT,
7069 	},
7070 	{
7071 		"ld_abs: check calling conv, r4",
7072 		.insns = {
7073 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7074 			BPF_MOV64_IMM(BPF_REG_4, 0),
7075 			BPF_LD_ABS(BPF_W, -0x200000),
7076 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7077 			BPF_EXIT_INSN(),
7078 		},
7079 		.errstr = "R4 !read_ok",
7080 		.result = REJECT,
7081 	},
7082 	{
7083 		"ld_abs: check calling conv, r5",
7084 		.insns = {
7085 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7086 			BPF_MOV64_IMM(BPF_REG_5, 0),
7087 			BPF_LD_ABS(BPF_W, -0x200000),
7088 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7089 			BPF_EXIT_INSN(),
7090 		},
7091 		.errstr = "R5 !read_ok",
7092 		.result = REJECT,
7093 	},
7094 	{
7095 		"ld_abs: check calling conv, r7",
7096 		.insns = {
7097 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7098 			BPF_MOV64_IMM(BPF_REG_7, 0),
7099 			BPF_LD_ABS(BPF_W, -0x200000),
7100 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7101 			BPF_EXIT_INSN(),
7102 		},
7103 		.result = ACCEPT,
7104 	},
7105 	{
7106 		"ld_abs: tests on r6 and skb data reload helper",
7107 		.insns = {
7108 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7109 			BPF_LD_ABS(BPF_B, 0),
7110 			BPF_LD_ABS(BPF_H, 0),
7111 			BPF_LD_ABS(BPF_W, 0),
7112 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
7113 			BPF_MOV64_IMM(BPF_REG_6, 0),
7114 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
7115 			BPF_MOV64_IMM(BPF_REG_2, 1),
7116 			BPF_MOV64_IMM(BPF_REG_3, 2),
7117 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7118 				     BPF_FUNC_skb_vlan_push),
7119 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
7120 			BPF_LD_ABS(BPF_B, 0),
7121 			BPF_LD_ABS(BPF_H, 0),
7122 			BPF_LD_ABS(BPF_W, 0),
7123 			BPF_MOV64_IMM(BPF_REG_0, 42),
7124 			BPF_EXIT_INSN(),
7125 		},
7126 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7127 		.result = ACCEPT,
7128 		.retval = 42 /* ultimate return value */,
7129 	},
7130 	{
7131 		"ld_ind: check calling conv, r1",
7132 		.insns = {
7133 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7134 			BPF_MOV64_IMM(BPF_REG_1, 1),
7135 			BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
7136 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7137 			BPF_EXIT_INSN(),
7138 		},
7139 		.errstr = "R1 !read_ok",
7140 		.result = REJECT,
7141 	},
7142 	{
7143 		"ld_ind: check calling conv, r2",
7144 		.insns = {
7145 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7146 			BPF_MOV64_IMM(BPF_REG_2, 1),
7147 			BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
7148 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7149 			BPF_EXIT_INSN(),
7150 		},
7151 		.errstr = "R2 !read_ok",
7152 		.result = REJECT,
7153 	},
7154 	{
7155 		"ld_ind: check calling conv, r3",
7156 		.insns = {
7157 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7158 			BPF_MOV64_IMM(BPF_REG_3, 1),
7159 			BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
7160 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7161 			BPF_EXIT_INSN(),
7162 		},
7163 		.errstr = "R3 !read_ok",
7164 		.result = REJECT,
7165 	},
7166 	{
7167 		"ld_ind: check calling conv, r4",
7168 		.insns = {
7169 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7170 			BPF_MOV64_IMM(BPF_REG_4, 1),
7171 			BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
7172 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7173 			BPF_EXIT_INSN(),
7174 		},
7175 		.errstr = "R4 !read_ok",
7176 		.result = REJECT,
7177 	},
7178 	{
7179 		"ld_ind: check calling conv, r5",
7180 		.insns = {
7181 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7182 			BPF_MOV64_IMM(BPF_REG_5, 1),
7183 			BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
7184 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7185 			BPF_EXIT_INSN(),
7186 		},
7187 		.errstr = "R5 !read_ok",
7188 		.result = REJECT,
7189 	},
7190 	{
7191 		"ld_ind: check calling conv, r7",
7192 		.insns = {
7193 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7194 			BPF_MOV64_IMM(BPF_REG_7, 1),
7195 			BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
7196 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7197 			BPF_EXIT_INSN(),
7198 		},
7199 		.result = ACCEPT,
7200 		.retval = 1,
7201 	},
7202 	{
7203 		"check bpf_perf_event_data->sample_period byte load permitted",
7204 		.insns = {
7205 			BPF_MOV64_IMM(BPF_REG_0, 0),
7206 #if __BYTE_ORDER == __LITTLE_ENDIAN
7207 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7208 				    offsetof(struct bpf_perf_event_data, sample_period)),
7209 #else
7210 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7211 				    offsetof(struct bpf_perf_event_data, sample_period) + 7),
7212 #endif
7213 			BPF_EXIT_INSN(),
7214 		},
7215 		.result = ACCEPT,
7216 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7217 	},
7218 	{
7219 		"check bpf_perf_event_data->sample_period half load permitted",
7220 		.insns = {
7221 			BPF_MOV64_IMM(BPF_REG_0, 0),
7222 #if __BYTE_ORDER == __LITTLE_ENDIAN
7223 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7224 				    offsetof(struct bpf_perf_event_data, sample_period)),
7225 #else
7226 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7227 				    offsetof(struct bpf_perf_event_data, sample_period) + 6),
7228 #endif
7229 			BPF_EXIT_INSN(),
7230 		},
7231 		.result = ACCEPT,
7232 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7233 	},
7234 	{
7235 		"check bpf_perf_event_data->sample_period word load permitted",
7236 		.insns = {
7237 			BPF_MOV64_IMM(BPF_REG_0, 0),
7238 #if __BYTE_ORDER == __LITTLE_ENDIAN
7239 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7240 				    offsetof(struct bpf_perf_event_data, sample_period)),
7241 #else
7242 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7243 				    offsetof(struct bpf_perf_event_data, sample_period) + 4),
7244 #endif
7245 			BPF_EXIT_INSN(),
7246 		},
7247 		.result = ACCEPT,
7248 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7249 	},
7250 	{
7251 		"check bpf_perf_event_data->sample_period dword load permitted",
7252 		.insns = {
7253 			BPF_MOV64_IMM(BPF_REG_0, 0),
7254 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
7255 				    offsetof(struct bpf_perf_event_data, sample_period)),
7256 			BPF_EXIT_INSN(),
7257 		},
7258 		.result = ACCEPT,
7259 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7260 	},
7261 	{
7262 		"check skb->data half load not permitted",
7263 		.insns = {
7264 			BPF_MOV64_IMM(BPF_REG_0, 0),
7265 #if __BYTE_ORDER == __LITTLE_ENDIAN
7266 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7267 				    offsetof(struct __sk_buff, data)),
7268 #else
7269 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7270 				    offsetof(struct __sk_buff, data) + 2),
7271 #endif
7272 			BPF_EXIT_INSN(),
7273 		},
7274 		.result = REJECT,
7275 		.errstr = "invalid bpf_context access",
7276 	},
7277 	{
7278 		"check skb->tc_classid half load not permitted for lwt prog",
7279 		.insns = {
7280 			BPF_MOV64_IMM(BPF_REG_0, 0),
7281 #if __BYTE_ORDER == __LITTLE_ENDIAN
7282 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7283 				    offsetof(struct __sk_buff, tc_classid)),
7284 #else
7285 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7286 				    offsetof(struct __sk_buff, tc_classid) + 2),
7287 #endif
7288 			BPF_EXIT_INSN(),
7289 		},
7290 		.result = REJECT,
7291 		.errstr = "invalid bpf_context access",
7292 		.prog_type = BPF_PROG_TYPE_LWT_IN,
7293 	},
7294 	{
7295 		"bounds checks mixing signed and unsigned, positive bounds",
7296 		.insns = {
7297 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7298 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7299 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7300 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7301 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7302 				     BPF_FUNC_map_lookup_elem),
7303 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7304 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7305 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7306 			BPF_MOV64_IMM(BPF_REG_2, 2),
7307 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
7308 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
7309 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7310 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7311 			BPF_MOV64_IMM(BPF_REG_0, 0),
7312 			BPF_EXIT_INSN(),
7313 		},
7314 		.fixup_map1 = { 3 },
7315 		.errstr = "unbounded min value",
7316 		.result = REJECT,
7317 	},
7318 	{
7319 		"bounds checks mixing signed and unsigned",
7320 		.insns = {
7321 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7322 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7323 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7324 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7325 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7326 				     BPF_FUNC_map_lookup_elem),
7327 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7328 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7329 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7330 			BPF_MOV64_IMM(BPF_REG_2, -1),
7331 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7332 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7333 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7334 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7335 			BPF_MOV64_IMM(BPF_REG_0, 0),
7336 			BPF_EXIT_INSN(),
7337 		},
7338 		.fixup_map1 = { 3 },
7339 		.errstr = "unbounded min value",
7340 		.result = REJECT,
7341 	},
7342 	{
7343 		"bounds checks mixing signed and unsigned, variant 2",
7344 		.insns = {
7345 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7346 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7347 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7348 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7349 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7350 				     BPF_FUNC_map_lookup_elem),
7351 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7352 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7353 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7354 			BPF_MOV64_IMM(BPF_REG_2, -1),
7355 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7356 			BPF_MOV64_IMM(BPF_REG_8, 0),
7357 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
7358 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7359 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7360 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7361 			BPF_MOV64_IMM(BPF_REG_0, 0),
7362 			BPF_EXIT_INSN(),
7363 		},
7364 		.fixup_map1 = { 3 },
7365 		.errstr = "unbounded min value",
7366 		.result = REJECT,
7367 	},
7368 	{
7369 		"bounds checks mixing signed and unsigned, variant 3",
7370 		.insns = {
7371 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7372 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7373 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7374 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7375 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7376 				     BPF_FUNC_map_lookup_elem),
7377 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7378 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7379 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7380 			BPF_MOV64_IMM(BPF_REG_2, -1),
7381 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
7382 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
7383 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7384 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7385 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7386 			BPF_MOV64_IMM(BPF_REG_0, 0),
7387 			BPF_EXIT_INSN(),
7388 		},
7389 		.fixup_map1 = { 3 },
7390 		.errstr = "unbounded min value",
7391 		.result = REJECT,
7392 	},
7393 	{
7394 		"bounds checks mixing signed and unsigned, variant 4",
7395 		.insns = {
7396 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7397 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7398 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7399 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7400 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7401 				     BPF_FUNC_map_lookup_elem),
7402 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7403 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7404 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7405 			BPF_MOV64_IMM(BPF_REG_2, 1),
7406 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
7407 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7408 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7409 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7410 			BPF_MOV64_IMM(BPF_REG_0, 0),
7411 			BPF_EXIT_INSN(),
7412 		},
7413 		.fixup_map1 = { 3 },
7414 		.result = ACCEPT,
7415 	},
7416 	{
7417 		"bounds checks mixing signed and unsigned, variant 5",
7418 		.insns = {
7419 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7420 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7421 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7422 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7423 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7424 				     BPF_FUNC_map_lookup_elem),
7425 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7426 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7427 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7428 			BPF_MOV64_IMM(BPF_REG_2, -1),
7429 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7430 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
7431 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
7432 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7433 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7434 			BPF_MOV64_IMM(BPF_REG_0, 0),
7435 			BPF_EXIT_INSN(),
7436 		},
7437 		.fixup_map1 = { 3 },
7438 		.errstr = "unbounded min value",
7439 		.result = REJECT,
7440 	},
7441 	{
7442 		"bounds checks mixing signed and unsigned, variant 6",
7443 		.insns = {
7444 			BPF_MOV64_IMM(BPF_REG_2, 0),
7445 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
7446 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
7447 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7448 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
7449 			BPF_MOV64_IMM(BPF_REG_6, -1),
7450 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
7451 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
7452 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7453 			BPF_MOV64_IMM(BPF_REG_5, 0),
7454 			BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
7455 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7456 				     BPF_FUNC_skb_load_bytes),
7457 			BPF_MOV64_IMM(BPF_REG_0, 0),
7458 			BPF_EXIT_INSN(),
7459 		},
7460 		.errstr = "R4 min value is negative, either use unsigned",
7461 		.result = REJECT,
7462 	},
7463 	{
7464 		"bounds checks mixing signed and unsigned, variant 7",
7465 		.insns = {
7466 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7467 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7468 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7469 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7470 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7471 				     BPF_FUNC_map_lookup_elem),
7472 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7473 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7474 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7475 			BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
7476 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7477 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7478 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7479 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7480 			BPF_MOV64_IMM(BPF_REG_0, 0),
7481 			BPF_EXIT_INSN(),
7482 		},
7483 		.fixup_map1 = { 3 },
7484 		.result = ACCEPT,
7485 	},
7486 	{
7487 		"bounds checks mixing signed and unsigned, variant 8",
7488 		.insns = {
7489 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7490 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7491 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7492 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7493 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7494 				     BPF_FUNC_map_lookup_elem),
7495 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7496 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7497 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7498 			BPF_MOV64_IMM(BPF_REG_2, -1),
7499 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7500 			BPF_MOV64_IMM(BPF_REG_0, 0),
7501 			BPF_EXIT_INSN(),
7502 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7503 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7504 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7505 			BPF_MOV64_IMM(BPF_REG_0, 0),
7506 			BPF_EXIT_INSN(),
7507 		},
7508 		.fixup_map1 = { 3 },
7509 		.errstr = "unbounded min value",
7510 		.result = REJECT,
7511 	},
7512 	{
7513 		"bounds checks mixing signed and unsigned, variant 9",
7514 		.insns = {
7515 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7516 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7517 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7518 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7519 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7520 				     BPF_FUNC_map_lookup_elem),
7521 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7522 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7523 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7524 			BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
7525 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7526 			BPF_MOV64_IMM(BPF_REG_0, 0),
7527 			BPF_EXIT_INSN(),
7528 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7529 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7530 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7531 			BPF_MOV64_IMM(BPF_REG_0, 0),
7532 			BPF_EXIT_INSN(),
7533 		},
7534 		.fixup_map1 = { 3 },
7535 		.result = ACCEPT,
7536 	},
7537 	{
7538 		"bounds checks mixing signed and unsigned, variant 10",
7539 		.insns = {
7540 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7541 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7542 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7543 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7544 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7545 				     BPF_FUNC_map_lookup_elem),
7546 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7547 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7548 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7549 			BPF_MOV64_IMM(BPF_REG_2, 0),
7550 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7551 			BPF_MOV64_IMM(BPF_REG_0, 0),
7552 			BPF_EXIT_INSN(),
7553 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7554 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7555 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7556 			BPF_MOV64_IMM(BPF_REG_0, 0),
7557 			BPF_EXIT_INSN(),
7558 		},
7559 		.fixup_map1 = { 3 },
7560 		.errstr = "unbounded min value",
7561 		.result = REJECT,
7562 	},
7563 	{
7564 		"bounds checks mixing signed and unsigned, variant 11",
7565 		.insns = {
7566 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7567 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7568 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7569 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7570 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7571 				     BPF_FUNC_map_lookup_elem),
7572 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7573 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7574 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7575 			BPF_MOV64_IMM(BPF_REG_2, -1),
7576 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7577 			/* Dead branch. */
7578 			BPF_MOV64_IMM(BPF_REG_0, 0),
7579 			BPF_EXIT_INSN(),
7580 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7581 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7582 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7583 			BPF_MOV64_IMM(BPF_REG_0, 0),
7584 			BPF_EXIT_INSN(),
7585 		},
7586 		.fixup_map1 = { 3 },
7587 		.errstr = "unbounded min value",
7588 		.result = REJECT,
7589 	},
7590 	{
7591 		"bounds checks mixing signed and unsigned, variant 12",
7592 		.insns = {
7593 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7594 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7595 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7596 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7597 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7598 				     BPF_FUNC_map_lookup_elem),
7599 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7600 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7601 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7602 			BPF_MOV64_IMM(BPF_REG_2, -6),
7603 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7604 			BPF_MOV64_IMM(BPF_REG_0, 0),
7605 			BPF_EXIT_INSN(),
7606 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7607 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7608 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7609 			BPF_MOV64_IMM(BPF_REG_0, 0),
7610 			BPF_EXIT_INSN(),
7611 		},
7612 		.fixup_map1 = { 3 },
7613 		.errstr = "unbounded min value",
7614 		.result = REJECT,
7615 	},
7616 	{
7617 		"bounds checks mixing signed and unsigned, variant 13",
7618 		.insns = {
7619 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7620 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7621 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7622 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7623 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7624 				     BPF_FUNC_map_lookup_elem),
7625 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7626 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7627 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7628 			BPF_MOV64_IMM(BPF_REG_2, 2),
7629 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7630 			BPF_MOV64_IMM(BPF_REG_7, 1),
7631 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
7632 			BPF_MOV64_IMM(BPF_REG_0, 0),
7633 			BPF_EXIT_INSN(),
7634 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
7635 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
7636 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
7637 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7638 			BPF_MOV64_IMM(BPF_REG_0, 0),
7639 			BPF_EXIT_INSN(),
7640 		},
7641 		.fixup_map1 = { 3 },
7642 		.errstr = "unbounded min value",
7643 		.result = REJECT,
7644 	},
7645 	{
7646 		"bounds checks mixing signed and unsigned, variant 14",
7647 		.insns = {
7648 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
7649 				    offsetof(struct __sk_buff, mark)),
7650 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7651 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7652 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7653 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7654 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7655 				     BPF_FUNC_map_lookup_elem),
7656 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7657 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7658 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7659 			BPF_MOV64_IMM(BPF_REG_2, -1),
7660 			BPF_MOV64_IMM(BPF_REG_8, 2),
7661 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
7662 			BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
7663 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7664 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7665 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7666 			BPF_MOV64_IMM(BPF_REG_0, 0),
7667 			BPF_EXIT_INSN(),
7668 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
7669 			BPF_JMP_IMM(BPF_JA, 0, 0, -7),
7670 		},
7671 		.fixup_map1 = { 4 },
7672 		.errstr = "R0 invalid mem access 'inv'",
7673 		.result = REJECT,
7674 	},
7675 	{
7676 		"bounds checks mixing signed and unsigned, variant 15",
7677 		.insns = {
7678 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7679 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7680 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7681 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7682 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7683 				     BPF_FUNC_map_lookup_elem),
7684 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7685 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7686 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7687 			BPF_MOV64_IMM(BPF_REG_2, -6),
7688 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7689 			BPF_MOV64_IMM(BPF_REG_0, 0),
7690 			BPF_EXIT_INSN(),
7691 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7692 			BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
7693 			BPF_MOV64_IMM(BPF_REG_0, 0),
7694 			BPF_EXIT_INSN(),
7695 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7696 			BPF_MOV64_IMM(BPF_REG_0, 0),
7697 			BPF_EXIT_INSN(),
7698 		},
7699 		.fixup_map1 = { 3 },
7700 		.errstr = "unbounded min value",
7701 		.result = REJECT,
7702 		.result_unpriv = REJECT,
7703 	},
7704 	{
7705 		"subtraction bounds (map value) variant 1",
7706 		.insns = {
7707 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7708 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7709 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7710 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7711 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7712 				     BPF_FUNC_map_lookup_elem),
7713 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7714 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7715 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
7716 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7717 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
7718 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7719 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
7720 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7721 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7722 			BPF_EXIT_INSN(),
7723 			BPF_MOV64_IMM(BPF_REG_0, 0),
7724 			BPF_EXIT_INSN(),
7725 		},
7726 		.fixup_map1 = { 3 },
7727 		.errstr = "R0 max value is outside of the array range",
7728 		.result = REJECT,
7729 	},
7730 	{
7731 		"subtraction bounds (map value) variant 2",
7732 		.insns = {
7733 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7734 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7735 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7736 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7737 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7738 				     BPF_FUNC_map_lookup_elem),
7739 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7740 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7741 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
7742 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7743 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
7744 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7745 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7746 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7747 			BPF_EXIT_INSN(),
7748 			BPF_MOV64_IMM(BPF_REG_0, 0),
7749 			BPF_EXIT_INSN(),
7750 		},
7751 		.fixup_map1 = { 3 },
7752 		.errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
7753 		.result = REJECT,
7754 	},
7755 	{
7756 		"bounds check based on zero-extended MOV",
7757 		.insns = {
7758 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7759 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7760 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7761 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7762 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7763 				     BPF_FUNC_map_lookup_elem),
7764 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7765 			/* r2 = 0x0000'0000'ffff'ffff */
7766 			BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
7767 			/* r2 = 0 */
7768 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7769 			/* no-op */
7770 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7771 			/* access at offset 0 */
7772 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7773 			/* exit */
7774 			BPF_MOV64_IMM(BPF_REG_0, 0),
7775 			BPF_EXIT_INSN(),
7776 		},
7777 		.fixup_map1 = { 3 },
7778 		.result = ACCEPT
7779 	},
7780 	{
7781 		"bounds check based on sign-extended MOV. test1",
7782 		.insns = {
7783 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7784 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7785 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7786 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7787 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7788 				     BPF_FUNC_map_lookup_elem),
7789 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7790 			/* r2 = 0xffff'ffff'ffff'ffff */
7791 			BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7792 			/* r2 = 0xffff'ffff */
7793 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7794 			/* r0 = <oob pointer> */
7795 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7796 			/* access to OOB pointer */
7797 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7798 			/* exit */
7799 			BPF_MOV64_IMM(BPF_REG_0, 0),
7800 			BPF_EXIT_INSN(),
7801 		},
7802 		.fixup_map1 = { 3 },
7803 		.errstr = "map_value pointer and 4294967295",
7804 		.result = REJECT
7805 	},
7806 	{
7807 		"bounds check based on sign-extended MOV. test2",
7808 		.insns = {
7809 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7810 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7811 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7812 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7813 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7814 				     BPF_FUNC_map_lookup_elem),
7815 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7816 			/* r2 = 0xffff'ffff'ffff'ffff */
7817 			BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7818 			/* r2 = 0xfff'ffff */
7819 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
7820 			/* r0 = <oob pointer> */
7821 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7822 			/* access to OOB pointer */
7823 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7824 			/* exit */
7825 			BPF_MOV64_IMM(BPF_REG_0, 0),
7826 			BPF_EXIT_INSN(),
7827 		},
7828 		.fixup_map1 = { 3 },
7829 		.errstr = "R0 min value is outside of the array range",
7830 		.result = REJECT
7831 	},
7832 	{
7833 		"bounds check based on reg_off + var_off + insn_off. test1",
7834 		.insns = {
7835 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7836 				    offsetof(struct __sk_buff, mark)),
7837 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7838 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7839 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7840 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7841 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7842 				     BPF_FUNC_map_lookup_elem),
7843 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7844 			BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7845 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
7846 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7847 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7848 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7849 			BPF_MOV64_IMM(BPF_REG_0, 0),
7850 			BPF_EXIT_INSN(),
7851 		},
7852 		.fixup_map1 = { 4 },
7853 		.errstr = "value_size=8 off=1073741825",
7854 		.result = REJECT,
7855 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7856 	},
7857 	{
7858 		"bounds check based on reg_off + var_off + insn_off. test2",
7859 		.insns = {
7860 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7861 				    offsetof(struct __sk_buff, mark)),
7862 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7863 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7864 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7865 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7866 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7867 				     BPF_FUNC_map_lookup_elem),
7868 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7869 			BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7870 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
7871 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7872 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7873 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7874 			BPF_MOV64_IMM(BPF_REG_0, 0),
7875 			BPF_EXIT_INSN(),
7876 		},
7877 		.fixup_map1 = { 4 },
7878 		.errstr = "value 1073741823",
7879 		.result = REJECT,
7880 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7881 	},
7882 	{
7883 		"bounds check after truncation of non-boundary-crossing range",
7884 		.insns = {
7885 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7886 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7887 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7888 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7889 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7890 				     BPF_FUNC_map_lookup_elem),
7891 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7892 			/* r1 = [0x00, 0xff] */
7893 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7894 			BPF_MOV64_IMM(BPF_REG_2, 1),
7895 			/* r2 = 0x10'0000'0000 */
7896 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
7897 			/* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
7898 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
7899 			/* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
7900 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7901 			/* r1 = [0x00, 0xff] */
7902 			BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
7903 			/* r1 = 0 */
7904 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7905 			/* no-op */
7906 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7907 			/* access at offset 0 */
7908 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7909 			/* exit */
7910 			BPF_MOV64_IMM(BPF_REG_0, 0),
7911 			BPF_EXIT_INSN(),
7912 		},
7913 		.fixup_map1 = { 3 },
7914 		.result = ACCEPT
7915 	},
7916 	{
7917 		"bounds check after truncation of boundary-crossing range (1)",
7918 		.insns = {
7919 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7920 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7921 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7922 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7923 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7924 				     BPF_FUNC_map_lookup_elem),
7925 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7926 			/* r1 = [0x00, 0xff] */
7927 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7928 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7929 			/* r1 = [0xffff'ff80, 0x1'0000'007f] */
7930 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7931 			/* r1 = [0xffff'ff80, 0xffff'ffff] or
7932 			 *      [0x0000'0000, 0x0000'007f]
7933 			 */
7934 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
7935 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7936 			/* r1 = [0x00, 0xff] or
7937 			 *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7938 			 */
7939 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7940 			/* r1 = 0 or
7941 			 *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7942 			 */
7943 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7944 			/* no-op or OOB pointer computation */
7945 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7946 			/* potentially OOB access */
7947 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7948 			/* exit */
7949 			BPF_MOV64_IMM(BPF_REG_0, 0),
7950 			BPF_EXIT_INSN(),
7951 		},
7952 		.fixup_map1 = { 3 },
7953 		/* not actually fully unbounded, but the bound is very high */
7954 		.errstr = "R0 unbounded memory access",
7955 		.result = REJECT
7956 	},
7957 	{
7958 		"bounds check after truncation of boundary-crossing range (2)",
7959 		.insns = {
7960 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7961 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7962 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7963 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7964 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7965 				     BPF_FUNC_map_lookup_elem),
7966 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7967 			/* r1 = [0x00, 0xff] */
7968 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7969 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7970 			/* r1 = [0xffff'ff80, 0x1'0000'007f] */
7971 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7972 			/* r1 = [0xffff'ff80, 0xffff'ffff] or
7973 			 *      [0x0000'0000, 0x0000'007f]
7974 			 * difference to previous test: truncation via MOV32
7975 			 * instead of ALU32.
7976 			 */
7977 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
7978 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7979 			/* r1 = [0x00, 0xff] or
7980 			 *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7981 			 */
7982 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7983 			/* r1 = 0 or
7984 			 *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7985 			 */
7986 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7987 			/* no-op or OOB pointer computation */
7988 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7989 			/* potentially OOB access */
7990 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7991 			/* exit */
7992 			BPF_MOV64_IMM(BPF_REG_0, 0),
7993 			BPF_EXIT_INSN(),
7994 		},
7995 		.fixup_map1 = { 3 },
7996 		/* not actually fully unbounded, but the bound is very high */
7997 		.errstr = "R0 unbounded memory access",
7998 		.result = REJECT
7999 	},
8000 	{
8001 		"bounds check after wrapping 32-bit addition",
8002 		.insns = {
8003 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8004 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8005 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8006 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8007 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8008 				     BPF_FUNC_map_lookup_elem),
8009 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8010 			/* r1 = 0x7fff'ffff */
8011 			BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
8012 			/* r1 = 0xffff'fffe */
8013 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8014 			/* r1 = 0 */
8015 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
8016 			/* no-op */
8017 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8018 			/* access at offset 0 */
8019 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8020 			/* exit */
8021 			BPF_MOV64_IMM(BPF_REG_0, 0),
8022 			BPF_EXIT_INSN(),
8023 		},
8024 		.fixup_map1 = { 3 },
8025 		.result = ACCEPT
8026 	},
8027 	{
8028 		"bounds check after shift with oversized count operand",
8029 		.insns = {
8030 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8031 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8032 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8033 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8034 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8035 				     BPF_FUNC_map_lookup_elem),
8036 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8037 			BPF_MOV64_IMM(BPF_REG_2, 32),
8038 			BPF_MOV64_IMM(BPF_REG_1, 1),
8039 			/* r1 = (u32)1 << (u32)32 = ? */
8040 			BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
8041 			/* r1 = [0x0000, 0xffff] */
8042 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
8043 			/* computes unknown pointer, potentially OOB */
8044 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8045 			/* potentially OOB access */
8046 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8047 			/* exit */
8048 			BPF_MOV64_IMM(BPF_REG_0, 0),
8049 			BPF_EXIT_INSN(),
8050 		},
8051 		.fixup_map1 = { 3 },
8052 		.errstr = "R0 max value is outside of the array range",
8053 		.result = REJECT
8054 	},
8055 	{
8056 		"bounds check after right shift of maybe-negative number",
8057 		.insns = {
8058 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8059 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8060 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8061 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8062 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8063 				     BPF_FUNC_map_lookup_elem),
8064 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8065 			/* r1 = [0x00, 0xff] */
8066 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8067 			/* r1 = [-0x01, 0xfe] */
8068 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
8069 			/* r1 = 0 or 0xff'ffff'ffff'ffff */
8070 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8071 			/* r1 = 0 or 0xffff'ffff'ffff */
8072 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8073 			/* computes unknown pointer, potentially OOB */
8074 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8075 			/* potentially OOB access */
8076 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8077 			/* exit */
8078 			BPF_MOV64_IMM(BPF_REG_0, 0),
8079 			BPF_EXIT_INSN(),
8080 		},
8081 		.fixup_map1 = { 3 },
8082 		.errstr = "R0 unbounded memory access",
8083 		.result = REJECT
8084 	},
8085 	{
8086 		"bounds check map access with off+size signed 32bit overflow. test1",
8087 		.insns = {
8088 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8089 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8090 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8091 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8092 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8093 				     BPF_FUNC_map_lookup_elem),
8094 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8095 			BPF_EXIT_INSN(),
8096 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
8097 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8098 			BPF_JMP_A(0),
8099 			BPF_EXIT_INSN(),
8100 		},
8101 		.fixup_map1 = { 3 },
8102 		.errstr = "map_value pointer and 2147483646",
8103 		.result = REJECT
8104 	},
8105 	{
8106 		"bounds check map access with off+size signed 32bit overflow. test2",
8107 		.insns = {
8108 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8109 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8110 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8111 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8112 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8113 				     BPF_FUNC_map_lookup_elem),
8114 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8115 			BPF_EXIT_INSN(),
8116 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8117 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8118 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8119 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8120 			BPF_JMP_A(0),
8121 			BPF_EXIT_INSN(),
8122 		},
8123 		.fixup_map1 = { 3 },
8124 		.errstr = "pointer offset 1073741822",
8125 		.result = REJECT
8126 	},
8127 	{
8128 		"bounds check map access with off+size signed 32bit overflow. test3",
8129 		.insns = {
8130 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8131 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8132 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8133 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8134 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8135 				     BPF_FUNC_map_lookup_elem),
8136 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8137 			BPF_EXIT_INSN(),
8138 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8139 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8140 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8141 			BPF_JMP_A(0),
8142 			BPF_EXIT_INSN(),
8143 		},
8144 		.fixup_map1 = { 3 },
8145 		.errstr = "pointer offset -1073741822",
8146 		.result = REJECT
8147 	},
8148 	{
8149 		"bounds check map access with off+size signed 32bit overflow. test4",
8150 		.insns = {
8151 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8152 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8153 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8154 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8155 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8156 				     BPF_FUNC_map_lookup_elem),
8157 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8158 			BPF_EXIT_INSN(),
8159 			BPF_MOV64_IMM(BPF_REG_1, 1000000),
8160 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
8161 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8162 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8163 			BPF_JMP_A(0),
8164 			BPF_EXIT_INSN(),
8165 		},
8166 		.fixup_map1 = { 3 },
8167 		.errstr = "map_value pointer and 1000000000000",
8168 		.result = REJECT
8169 	},
8170 	{
8171 		"pointer/scalar confusion in state equality check (way 1)",
8172 		.insns = {
8173 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8174 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8175 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8176 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8177 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8178 				     BPF_FUNC_map_lookup_elem),
8179 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8180 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8181 			BPF_JMP_A(1),
8182 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8183 			BPF_JMP_A(0),
8184 			BPF_EXIT_INSN(),
8185 		},
8186 		.fixup_map1 = { 3 },
8187 		.result = ACCEPT,
8188 		.retval = POINTER_VALUE,
8189 		.result_unpriv = REJECT,
8190 		.errstr_unpriv = "R0 leaks addr as return value"
8191 	},
8192 	{
8193 		"pointer/scalar confusion in state equality check (way 2)",
8194 		.insns = {
8195 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8196 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8197 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8198 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8199 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8200 				     BPF_FUNC_map_lookup_elem),
8201 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
8202 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8203 			BPF_JMP_A(1),
8204 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8205 			BPF_EXIT_INSN(),
8206 		},
8207 		.fixup_map1 = { 3 },
8208 		.result = ACCEPT,
8209 		.retval = POINTER_VALUE,
8210 		.result_unpriv = REJECT,
8211 		.errstr_unpriv = "R0 leaks addr as return value"
8212 	},
8213 	{
8214 		"variable-offset ctx access",
8215 		.insns = {
8216 			/* Get an unknown value */
8217 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8218 			/* Make it small and 4-byte aligned */
8219 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8220 			/* add it to skb.  We now have either &skb->len or
8221 			 * &skb->pkt_type, but we don't know which
8222 			 */
8223 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8224 			/* dereference it */
8225 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8226 			BPF_EXIT_INSN(),
8227 		},
8228 		.errstr = "variable ctx access var_off=(0x0; 0x4)",
8229 		.result = REJECT,
8230 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8231 	},
8232 	{
8233 		"variable-offset stack access",
8234 		.insns = {
8235 			/* Fill the top 8 bytes of the stack */
8236 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8237 			/* Get an unknown value */
8238 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8239 			/* Make it small and 4-byte aligned */
8240 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8241 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8242 			/* add it to fp.  We now have either fp-4 or fp-8, but
8243 			 * we don't know which
8244 			 */
8245 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8246 			/* dereference it */
8247 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
8248 			BPF_EXIT_INSN(),
8249 		},
8250 		.errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
8251 		.result = REJECT,
8252 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8253 	},
8254 	{
8255 		"indirect variable-offset stack access",
8256 		.insns = {
8257 			/* Fill the top 8 bytes of the stack */
8258 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8259 			/* Get an unknown value */
8260 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8261 			/* Make it small and 4-byte aligned */
8262 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8263 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8264 			/* add it to fp.  We now have either fp-4 or fp-8, but
8265 			 * we don't know which
8266 			 */
8267 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8268 			/* dereference it indirectly */
8269 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8270 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8271 				     BPF_FUNC_map_lookup_elem),
8272 			BPF_MOV64_IMM(BPF_REG_0, 0),
8273 			BPF_EXIT_INSN(),
8274 		},
8275 		.fixup_map1 = { 5 },
8276 		.errstr = "variable stack read R2",
8277 		.result = REJECT,
8278 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8279 	},
8280 	{
8281 		"direct stack access with 32-bit wraparound. test1",
8282 		.insns = {
8283 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8284 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8285 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8286 			BPF_MOV32_IMM(BPF_REG_0, 0),
8287 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8288 			BPF_EXIT_INSN()
8289 		},
8290 		.errstr = "fp pointer and 2147483647",
8291 		.result = REJECT
8292 	},
8293 	{
8294 		"direct stack access with 32-bit wraparound. test2",
8295 		.insns = {
8296 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8297 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8298 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8299 			BPF_MOV32_IMM(BPF_REG_0, 0),
8300 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8301 			BPF_EXIT_INSN()
8302 		},
8303 		.errstr = "fp pointer and 1073741823",
8304 		.result = REJECT
8305 	},
8306 	{
8307 		"direct stack access with 32-bit wraparound. test3",
8308 		.insns = {
8309 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8310 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8311 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8312 			BPF_MOV32_IMM(BPF_REG_0, 0),
8313 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8314 			BPF_EXIT_INSN()
8315 		},
8316 		.errstr = "fp pointer offset 1073741822",
8317 		.result = REJECT
8318 	},
8319 	{
8320 		"liveness pruning and write screening",
8321 		.insns = {
8322 			/* Get an unknown value */
8323 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8324 			/* branch conditions teach us nothing about R2 */
8325 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8326 			BPF_MOV64_IMM(BPF_REG_0, 0),
8327 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8328 			BPF_MOV64_IMM(BPF_REG_0, 0),
8329 			BPF_EXIT_INSN(),
8330 		},
8331 		.errstr = "R0 !read_ok",
8332 		.result = REJECT,
8333 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8334 	},
8335 	{
8336 		"varlen_map_value_access pruning",
8337 		.insns = {
8338 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8339 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8340 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8341 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8342 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8343 				     BPF_FUNC_map_lookup_elem),
8344 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8345 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
8346 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
8347 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
8348 			BPF_MOV32_IMM(BPF_REG_1, 0),
8349 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
8350 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8351 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
8352 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
8353 				   offsetof(struct test_val, foo)),
8354 			BPF_EXIT_INSN(),
8355 		},
8356 		.fixup_map2 = { 3 },
8357 		.errstr_unpriv = "R0 leaks addr",
8358 		.errstr = "R0 unbounded memory access",
8359 		.result_unpriv = REJECT,
8360 		.result = REJECT,
8361 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8362 	},
8363 	{
8364 		"invalid 64-bit BPF_END",
8365 		.insns = {
8366 			BPF_MOV32_IMM(BPF_REG_0, 0),
8367 			{
8368 				.code  = BPF_ALU64 | BPF_END | BPF_TO_LE,
8369 				.dst_reg = BPF_REG_0,
8370 				.src_reg = 0,
8371 				.off   = 0,
8372 				.imm   = 32,
8373 			},
8374 			BPF_EXIT_INSN(),
8375 		},
8376 		.errstr = "unknown opcode d7",
8377 		.result = REJECT,
8378 	},
8379 	{
8380 		"XDP, using ifindex from netdev",
8381 		.insns = {
8382 			BPF_MOV64_IMM(BPF_REG_0, 0),
8383 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8384 				    offsetof(struct xdp_md, ingress_ifindex)),
8385 			BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
8386 			BPF_MOV64_IMM(BPF_REG_0, 1),
8387 			BPF_EXIT_INSN(),
8388 		},
8389 		.result = ACCEPT,
8390 		.prog_type = BPF_PROG_TYPE_XDP,
8391 		.retval = 1,
8392 	},
8393 	{
8394 		"meta access, test1",
8395 		.insns = {
8396 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8397 				    offsetof(struct xdp_md, data_meta)),
8398 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8399 				    offsetof(struct xdp_md, data)),
8400 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8401 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8402 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8403 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8404 			BPF_MOV64_IMM(BPF_REG_0, 0),
8405 			BPF_EXIT_INSN(),
8406 		},
8407 		.result = ACCEPT,
8408 		.prog_type = BPF_PROG_TYPE_XDP,
8409 	},
8410 	{
8411 		"meta access, test2",
8412 		.insns = {
8413 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8414 				    offsetof(struct xdp_md, data_meta)),
8415 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8416 				    offsetof(struct xdp_md, data)),
8417 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8418 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
8419 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8420 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8421 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8422 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8423 			BPF_MOV64_IMM(BPF_REG_0, 0),
8424 			BPF_EXIT_INSN(),
8425 		},
8426 		.result = REJECT,
8427 		.errstr = "invalid access to packet, off=-8",
8428 		.prog_type = BPF_PROG_TYPE_XDP,
8429 	},
8430 	{
8431 		"meta access, test3",
8432 		.insns = {
8433 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8434 				    offsetof(struct xdp_md, data_meta)),
8435 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8436 				    offsetof(struct xdp_md, data_end)),
8437 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8438 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8439 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8440 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8441 			BPF_MOV64_IMM(BPF_REG_0, 0),
8442 			BPF_EXIT_INSN(),
8443 		},
8444 		.result = REJECT,
8445 		.errstr = "invalid access to packet",
8446 		.prog_type = BPF_PROG_TYPE_XDP,
8447 	},
8448 	{
8449 		"meta access, test4",
8450 		.insns = {
8451 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8452 				    offsetof(struct xdp_md, data_meta)),
8453 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8454 				    offsetof(struct xdp_md, data_end)),
8455 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8456 				    offsetof(struct xdp_md, data)),
8457 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8458 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8459 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8460 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8461 			BPF_MOV64_IMM(BPF_REG_0, 0),
8462 			BPF_EXIT_INSN(),
8463 		},
8464 		.result = REJECT,
8465 		.errstr = "invalid access to packet",
8466 		.prog_type = BPF_PROG_TYPE_XDP,
8467 	},
8468 	{
8469 		"meta access, test5",
8470 		.insns = {
8471 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8472 				    offsetof(struct xdp_md, data_meta)),
8473 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8474 				    offsetof(struct xdp_md, data)),
8475 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8476 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8477 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
8478 			BPF_MOV64_IMM(BPF_REG_2, -8),
8479 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8480 				     BPF_FUNC_xdp_adjust_meta),
8481 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8482 			BPF_MOV64_IMM(BPF_REG_0, 0),
8483 			BPF_EXIT_INSN(),
8484 		},
8485 		.result = REJECT,
8486 		.errstr = "R3 !read_ok",
8487 		.prog_type = BPF_PROG_TYPE_XDP,
8488 	},
8489 	{
8490 		"meta access, test6",
8491 		.insns = {
8492 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8493 				    offsetof(struct xdp_md, data_meta)),
8494 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8495 				    offsetof(struct xdp_md, data)),
8496 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8497 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8498 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8499 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8500 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
8501 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8502 			BPF_MOV64_IMM(BPF_REG_0, 0),
8503 			BPF_EXIT_INSN(),
8504 		},
8505 		.result = REJECT,
8506 		.errstr = "invalid access to packet",
8507 		.prog_type = BPF_PROG_TYPE_XDP,
8508 	},
8509 	{
8510 		"meta access, test7",
8511 		.insns = {
8512 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8513 				    offsetof(struct xdp_md, data_meta)),
8514 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8515 				    offsetof(struct xdp_md, data)),
8516 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8517 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8518 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8519 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8520 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8521 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8522 			BPF_MOV64_IMM(BPF_REG_0, 0),
8523 			BPF_EXIT_INSN(),
8524 		},
8525 		.result = ACCEPT,
8526 		.prog_type = BPF_PROG_TYPE_XDP,
8527 	},
8528 	{
8529 		"meta access, test8",
8530 		.insns = {
8531 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8532 				    offsetof(struct xdp_md, data_meta)),
8533 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8534 				    offsetof(struct xdp_md, data)),
8535 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8536 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8537 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8538 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8539 			BPF_MOV64_IMM(BPF_REG_0, 0),
8540 			BPF_EXIT_INSN(),
8541 		},
8542 		.result = ACCEPT,
8543 		.prog_type = BPF_PROG_TYPE_XDP,
8544 	},
8545 	{
8546 		"meta access, test9",
8547 		.insns = {
8548 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8549 				    offsetof(struct xdp_md, data_meta)),
8550 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8551 				    offsetof(struct xdp_md, data)),
8552 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8553 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8554 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8555 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8556 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8557 			BPF_MOV64_IMM(BPF_REG_0, 0),
8558 			BPF_EXIT_INSN(),
8559 		},
8560 		.result = REJECT,
8561 		.errstr = "invalid access to packet",
8562 		.prog_type = BPF_PROG_TYPE_XDP,
8563 	},
8564 	{
8565 		"meta access, test10",
8566 		.insns = {
8567 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8568 				    offsetof(struct xdp_md, data_meta)),
8569 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8570 				    offsetof(struct xdp_md, data)),
8571 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8572 				    offsetof(struct xdp_md, data_end)),
8573 			BPF_MOV64_IMM(BPF_REG_5, 42),
8574 			BPF_MOV64_IMM(BPF_REG_6, 24),
8575 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8576 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8577 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8578 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8579 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
8580 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8581 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8582 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8583 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
8584 			BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
8585 			BPF_MOV64_IMM(BPF_REG_0, 0),
8586 			BPF_EXIT_INSN(),
8587 		},
8588 		.result = REJECT,
8589 		.errstr = "invalid access to packet",
8590 		.prog_type = BPF_PROG_TYPE_XDP,
8591 	},
8592 	{
8593 		"meta access, test11",
8594 		.insns = {
8595 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8596 				    offsetof(struct xdp_md, data_meta)),
8597 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8598 				    offsetof(struct xdp_md, data)),
8599 			BPF_MOV64_IMM(BPF_REG_5, 42),
8600 			BPF_MOV64_IMM(BPF_REG_6, 24),
8601 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8602 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8603 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8604 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8605 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
8606 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8607 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8608 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8609 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
8610 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
8611 			BPF_MOV64_IMM(BPF_REG_0, 0),
8612 			BPF_EXIT_INSN(),
8613 		},
8614 		.result = ACCEPT,
8615 		.prog_type = BPF_PROG_TYPE_XDP,
8616 	},
8617 	{
8618 		"meta access, test12",
8619 		.insns = {
8620 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8621 				    offsetof(struct xdp_md, data_meta)),
8622 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8623 				    offsetof(struct xdp_md, data)),
8624 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8625 				    offsetof(struct xdp_md, data_end)),
8626 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8627 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8628 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
8629 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8630 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8631 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8632 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
8633 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8634 			BPF_MOV64_IMM(BPF_REG_0, 0),
8635 			BPF_EXIT_INSN(),
8636 		},
8637 		.result = ACCEPT,
8638 		.prog_type = BPF_PROG_TYPE_XDP,
8639 	},
8640 	{
8641 		"arithmetic ops make PTR_TO_CTX unusable",
8642 		.insns = {
8643 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
8644 				      offsetof(struct __sk_buff, data) -
8645 				      offsetof(struct __sk_buff, mark)),
8646 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8647 				    offsetof(struct __sk_buff, mark)),
8648 			BPF_EXIT_INSN(),
8649 		},
8650 		.errstr = "dereference of modified ctx ptr",
8651 		.result = REJECT,
8652 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8653 	},
8654 	{
8655 		"pkt_end - pkt_start is allowed",
8656 		.insns = {
8657 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8658 				    offsetof(struct __sk_buff, data_end)),
8659 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8660 				    offsetof(struct __sk_buff, data)),
8661 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
8662 			BPF_EXIT_INSN(),
8663 		},
8664 		.result = ACCEPT,
8665 		.retval = TEST_DATA_LEN,
8666 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8667 	},
8668 	{
8669 		"XDP pkt read, pkt_end mangling, bad access 1",
8670 		.insns = {
8671 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8672 				    offsetof(struct xdp_md, data)),
8673 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8674 				    offsetof(struct xdp_md, data_end)),
8675 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8676 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8677 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
8678 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8679 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8680 			BPF_MOV64_IMM(BPF_REG_0, 0),
8681 			BPF_EXIT_INSN(),
8682 		},
8683 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8684 		.result = REJECT,
8685 		.prog_type = BPF_PROG_TYPE_XDP,
8686 	},
8687 	{
8688 		"XDP pkt read, pkt_end mangling, bad access 2",
8689 		.insns = {
8690 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8691 				    offsetof(struct xdp_md, data)),
8692 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8693 				    offsetof(struct xdp_md, data_end)),
8694 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8695 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8696 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
8697 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8698 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8699 			BPF_MOV64_IMM(BPF_REG_0, 0),
8700 			BPF_EXIT_INSN(),
8701 		},
8702 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8703 		.result = REJECT,
8704 		.prog_type = BPF_PROG_TYPE_XDP,
8705 	},
8706 	{
8707 		"XDP pkt read, pkt_data' > pkt_end, good access",
8708 		.insns = {
8709 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8710 				    offsetof(struct xdp_md, data)),
8711 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8712 				    offsetof(struct xdp_md, data_end)),
8713 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8714 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8715 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8716 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8717 			BPF_MOV64_IMM(BPF_REG_0, 0),
8718 			BPF_EXIT_INSN(),
8719 		},
8720 		.result = ACCEPT,
8721 		.prog_type = BPF_PROG_TYPE_XDP,
8722 	},
8723 	{
8724 		"XDP pkt read, pkt_data' > pkt_end, bad access 1",
8725 		.insns = {
8726 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8727 				    offsetof(struct xdp_md, data)),
8728 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8729 				    offsetof(struct xdp_md, data_end)),
8730 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8731 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8732 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8733 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8734 			BPF_MOV64_IMM(BPF_REG_0, 0),
8735 			BPF_EXIT_INSN(),
8736 		},
8737 		.errstr = "R1 offset is outside of the packet",
8738 		.result = REJECT,
8739 		.prog_type = BPF_PROG_TYPE_XDP,
8740 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8741 	},
8742 	{
8743 		"XDP pkt read, pkt_data' > pkt_end, bad access 2",
8744 		.insns = {
8745 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8746 				    offsetof(struct xdp_md, data)),
8747 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8748 				    offsetof(struct xdp_md, data_end)),
8749 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8750 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8751 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8752 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8753 			BPF_MOV64_IMM(BPF_REG_0, 0),
8754 			BPF_EXIT_INSN(),
8755 		},
8756 		.errstr = "R1 offset is outside of the packet",
8757 		.result = REJECT,
8758 		.prog_type = BPF_PROG_TYPE_XDP,
8759 	},
8760 	{
8761 		"XDP pkt read, pkt_end > pkt_data', good access",
8762 		.insns = {
8763 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8764 				    offsetof(struct xdp_md, data)),
8765 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8766 				    offsetof(struct xdp_md, data_end)),
8767 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8768 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8769 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8770 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8771 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8772 			BPF_MOV64_IMM(BPF_REG_0, 0),
8773 			BPF_EXIT_INSN(),
8774 		},
8775 		.result = ACCEPT,
8776 		.prog_type = BPF_PROG_TYPE_XDP,
8777 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8778 	},
8779 	{
8780 		"XDP pkt read, pkt_end > pkt_data', bad access 1",
8781 		.insns = {
8782 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8783 				    offsetof(struct xdp_md, data)),
8784 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8785 				    offsetof(struct xdp_md, data_end)),
8786 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8787 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8788 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8789 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8790 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8791 			BPF_MOV64_IMM(BPF_REG_0, 0),
8792 			BPF_EXIT_INSN(),
8793 		},
8794 		.errstr = "R1 offset is outside of the packet",
8795 		.result = REJECT,
8796 		.prog_type = BPF_PROG_TYPE_XDP,
8797 	},
8798 	{
8799 		"XDP pkt read, pkt_end > pkt_data', bad access 2",
8800 		.insns = {
8801 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8802 				    offsetof(struct xdp_md, data)),
8803 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8804 				    offsetof(struct xdp_md, data_end)),
8805 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8806 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8807 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8808 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8809 			BPF_MOV64_IMM(BPF_REG_0, 0),
8810 			BPF_EXIT_INSN(),
8811 		},
8812 		.errstr = "R1 offset is outside of the packet",
8813 		.result = REJECT,
8814 		.prog_type = BPF_PROG_TYPE_XDP,
8815 	},
8816 	{
8817 		"XDP pkt read, pkt_data' < pkt_end, good access",
8818 		.insns = {
8819 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8820 				    offsetof(struct xdp_md, data)),
8821 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8822 				    offsetof(struct xdp_md, data_end)),
8823 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8824 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8825 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8826 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8827 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8828 			BPF_MOV64_IMM(BPF_REG_0, 0),
8829 			BPF_EXIT_INSN(),
8830 		},
8831 		.result = ACCEPT,
8832 		.prog_type = BPF_PROG_TYPE_XDP,
8833 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8834 	},
8835 	{
8836 		"XDP pkt read, pkt_data' < pkt_end, bad access 1",
8837 		.insns = {
8838 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8839 				    offsetof(struct xdp_md, data)),
8840 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8841 				    offsetof(struct xdp_md, data_end)),
8842 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8843 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8844 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8845 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8846 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8847 			BPF_MOV64_IMM(BPF_REG_0, 0),
8848 			BPF_EXIT_INSN(),
8849 		},
8850 		.errstr = "R1 offset is outside of the packet",
8851 		.result = REJECT,
8852 		.prog_type = BPF_PROG_TYPE_XDP,
8853 	},
8854 	{
8855 		"XDP pkt read, pkt_data' < pkt_end, bad access 2",
8856 		.insns = {
8857 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8858 				    offsetof(struct xdp_md, data)),
8859 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8860 				    offsetof(struct xdp_md, data_end)),
8861 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8862 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8863 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8864 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8865 			BPF_MOV64_IMM(BPF_REG_0, 0),
8866 			BPF_EXIT_INSN(),
8867 		},
8868 		.errstr = "R1 offset is outside of the packet",
8869 		.result = REJECT,
8870 		.prog_type = BPF_PROG_TYPE_XDP,
8871 	},
8872 	{
8873 		"XDP pkt read, pkt_end < pkt_data', good access",
8874 		.insns = {
8875 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8876 				    offsetof(struct xdp_md, data)),
8877 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8878 				    offsetof(struct xdp_md, data_end)),
8879 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8880 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8881 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8882 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8883 			BPF_MOV64_IMM(BPF_REG_0, 0),
8884 			BPF_EXIT_INSN(),
8885 		},
8886 		.result = ACCEPT,
8887 		.prog_type = BPF_PROG_TYPE_XDP,
8888 	},
8889 	{
8890 		"XDP pkt read, pkt_end < pkt_data', bad access 1",
8891 		.insns = {
8892 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8893 				    offsetof(struct xdp_md, data)),
8894 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8895 				    offsetof(struct xdp_md, data_end)),
8896 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8897 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8898 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8899 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8900 			BPF_MOV64_IMM(BPF_REG_0, 0),
8901 			BPF_EXIT_INSN(),
8902 		},
8903 		.errstr = "R1 offset is outside of the packet",
8904 		.result = REJECT,
8905 		.prog_type = BPF_PROG_TYPE_XDP,
8906 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8907 	},
8908 	{
8909 		"XDP pkt read, pkt_end < pkt_data', bad access 2",
8910 		.insns = {
8911 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8912 				    offsetof(struct xdp_md, data)),
8913 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8914 				    offsetof(struct xdp_md, data_end)),
8915 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8916 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8917 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
8918 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8919 			BPF_MOV64_IMM(BPF_REG_0, 0),
8920 			BPF_EXIT_INSN(),
8921 		},
8922 		.errstr = "R1 offset is outside of the packet",
8923 		.result = REJECT,
8924 		.prog_type = BPF_PROG_TYPE_XDP,
8925 	},
8926 	{
8927 		"XDP pkt read, pkt_data' >= pkt_end, good access",
8928 		.insns = {
8929 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8930 				    offsetof(struct xdp_md, data)),
8931 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8932 				    offsetof(struct xdp_md, data_end)),
8933 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8934 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8935 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8936 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8937 			BPF_MOV64_IMM(BPF_REG_0, 0),
8938 			BPF_EXIT_INSN(),
8939 		},
8940 		.result = ACCEPT,
8941 		.prog_type = BPF_PROG_TYPE_XDP,
8942 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8943 	},
8944 	{
8945 		"XDP pkt read, pkt_data' >= pkt_end, bad access 1",
8946 		.insns = {
8947 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8948 				    offsetof(struct xdp_md, data)),
8949 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8950 				    offsetof(struct xdp_md, data_end)),
8951 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8952 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8953 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8954 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8955 			BPF_MOV64_IMM(BPF_REG_0, 0),
8956 			BPF_EXIT_INSN(),
8957 		},
8958 		.errstr = "R1 offset is outside of the packet",
8959 		.result = REJECT,
8960 		.prog_type = BPF_PROG_TYPE_XDP,
8961 	},
8962 	{
8963 		"XDP pkt read, pkt_data' >= pkt_end, bad access 2",
8964 		.insns = {
8965 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8966 				    offsetof(struct xdp_md, data)),
8967 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8968 				    offsetof(struct xdp_md, data_end)),
8969 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8970 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8971 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
8972 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8973 			BPF_MOV64_IMM(BPF_REG_0, 0),
8974 			BPF_EXIT_INSN(),
8975 		},
8976 		.errstr = "R1 offset is outside of the packet",
8977 		.result = REJECT,
8978 		.prog_type = BPF_PROG_TYPE_XDP,
8979 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8980 	},
8981 	{
8982 		"XDP pkt read, pkt_end >= pkt_data', good access",
8983 		.insns = {
8984 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8985 				    offsetof(struct xdp_md, data)),
8986 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8987 				    offsetof(struct xdp_md, data_end)),
8988 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8989 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8990 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8991 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8992 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8993 			BPF_MOV64_IMM(BPF_REG_0, 0),
8994 			BPF_EXIT_INSN(),
8995 		},
8996 		.result = ACCEPT,
8997 		.prog_type = BPF_PROG_TYPE_XDP,
8998 	},
8999 	{
9000 		"XDP pkt read, pkt_end >= pkt_data', bad access 1",
9001 		.insns = {
9002 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9003 				    offsetof(struct xdp_md, data)),
9004 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9005 				    offsetof(struct xdp_md, data_end)),
9006 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9007 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9008 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9009 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9010 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9011 			BPF_MOV64_IMM(BPF_REG_0, 0),
9012 			BPF_EXIT_INSN(),
9013 		},
9014 		.errstr = "R1 offset is outside of the packet",
9015 		.result = REJECT,
9016 		.prog_type = BPF_PROG_TYPE_XDP,
9017 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9018 	},
9019 	{
9020 		"XDP pkt read, pkt_end >= pkt_data', bad access 2",
9021 		.insns = {
9022 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9023 				    offsetof(struct xdp_md, data)),
9024 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9025 				    offsetof(struct xdp_md, data_end)),
9026 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9027 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9028 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9029 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9030 			BPF_MOV64_IMM(BPF_REG_0, 0),
9031 			BPF_EXIT_INSN(),
9032 		},
9033 		.errstr = "R1 offset is outside of the packet",
9034 		.result = REJECT,
9035 		.prog_type = BPF_PROG_TYPE_XDP,
9036 	},
9037 	{
9038 		"XDP pkt read, pkt_data' <= pkt_end, good access",
9039 		.insns = {
9040 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9041 				    offsetof(struct xdp_md, data)),
9042 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9043 				    offsetof(struct xdp_md, data_end)),
9044 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9045 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9046 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9047 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9048 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9049 			BPF_MOV64_IMM(BPF_REG_0, 0),
9050 			BPF_EXIT_INSN(),
9051 		},
9052 		.result = ACCEPT,
9053 		.prog_type = BPF_PROG_TYPE_XDP,
9054 	},
9055 	{
9056 		"XDP pkt read, pkt_data' <= pkt_end, bad access 1",
9057 		.insns = {
9058 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9059 				    offsetof(struct xdp_md, data)),
9060 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9061 				    offsetof(struct xdp_md, data_end)),
9062 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9063 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9064 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9065 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9066 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9067 			BPF_MOV64_IMM(BPF_REG_0, 0),
9068 			BPF_EXIT_INSN(),
9069 		},
9070 		.errstr = "R1 offset is outside of the packet",
9071 		.result = REJECT,
9072 		.prog_type = BPF_PROG_TYPE_XDP,
9073 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9074 	},
9075 	{
9076 		"XDP pkt read, pkt_data' <= pkt_end, bad access 2",
9077 		.insns = {
9078 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9079 				    offsetof(struct xdp_md, data)),
9080 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9081 				    offsetof(struct xdp_md, data_end)),
9082 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9083 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9084 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9085 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9086 			BPF_MOV64_IMM(BPF_REG_0, 0),
9087 			BPF_EXIT_INSN(),
9088 		},
9089 		.errstr = "R1 offset is outside of the packet",
9090 		.result = REJECT,
9091 		.prog_type = BPF_PROG_TYPE_XDP,
9092 	},
9093 	{
9094 		"XDP pkt read, pkt_end <= pkt_data', good access",
9095 		.insns = {
9096 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9097 				    offsetof(struct xdp_md, data)),
9098 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9099 				    offsetof(struct xdp_md, data_end)),
9100 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9101 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9102 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9103 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9104 			BPF_MOV64_IMM(BPF_REG_0, 0),
9105 			BPF_EXIT_INSN(),
9106 		},
9107 		.result = ACCEPT,
9108 		.prog_type = BPF_PROG_TYPE_XDP,
9109 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9110 	},
9111 	{
9112 		"XDP pkt read, pkt_end <= pkt_data', bad access 1",
9113 		.insns = {
9114 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9115 				    offsetof(struct xdp_md, data)),
9116 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9117 				    offsetof(struct xdp_md, data_end)),
9118 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9119 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9120 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9121 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9122 			BPF_MOV64_IMM(BPF_REG_0, 0),
9123 			BPF_EXIT_INSN(),
9124 		},
9125 		.errstr = "R1 offset is outside of the packet",
9126 		.result = REJECT,
9127 		.prog_type = BPF_PROG_TYPE_XDP,
9128 	},
9129 	{
9130 		"XDP pkt read, pkt_end <= pkt_data', bad access 2",
9131 		.insns = {
9132 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9133 				    offsetof(struct xdp_md, data)),
9134 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9135 				    offsetof(struct xdp_md, data_end)),
9136 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9137 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9138 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9139 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9140 			BPF_MOV64_IMM(BPF_REG_0, 0),
9141 			BPF_EXIT_INSN(),
9142 		},
9143 		.errstr = "R1 offset is outside of the packet",
9144 		.result = REJECT,
9145 		.prog_type = BPF_PROG_TYPE_XDP,
9146 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9147 	},
9148 	{
9149 		"XDP pkt read, pkt_meta' > pkt_data, good access",
9150 		.insns = {
9151 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9152 				    offsetof(struct xdp_md, data_meta)),
9153 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9154 				    offsetof(struct xdp_md, data)),
9155 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9156 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9157 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9158 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9159 			BPF_MOV64_IMM(BPF_REG_0, 0),
9160 			BPF_EXIT_INSN(),
9161 		},
9162 		.result = ACCEPT,
9163 		.prog_type = BPF_PROG_TYPE_XDP,
9164 	},
9165 	{
9166 		"XDP pkt read, pkt_meta' > pkt_data, bad access 1",
9167 		.insns = {
9168 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9169 				    offsetof(struct xdp_md, data_meta)),
9170 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9171 				    offsetof(struct xdp_md, data)),
9172 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9173 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9174 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9175 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9176 			BPF_MOV64_IMM(BPF_REG_0, 0),
9177 			BPF_EXIT_INSN(),
9178 		},
9179 		.errstr = "R1 offset is outside of the packet",
9180 		.result = REJECT,
9181 		.prog_type = BPF_PROG_TYPE_XDP,
9182 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9183 	},
9184 	{
9185 		"XDP pkt read, pkt_meta' > pkt_data, bad access 2",
9186 		.insns = {
9187 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9188 				    offsetof(struct xdp_md, data_meta)),
9189 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9190 				    offsetof(struct xdp_md, data)),
9191 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9192 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9193 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9194 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9195 			BPF_MOV64_IMM(BPF_REG_0, 0),
9196 			BPF_EXIT_INSN(),
9197 		},
9198 		.errstr = "R1 offset is outside of the packet",
9199 		.result = REJECT,
9200 		.prog_type = BPF_PROG_TYPE_XDP,
9201 	},
9202 	{
9203 		"XDP pkt read, pkt_data > pkt_meta', good access",
9204 		.insns = {
9205 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9206 				    offsetof(struct xdp_md, data_meta)),
9207 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9208 				    offsetof(struct xdp_md, data)),
9209 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9210 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9211 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9212 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9213 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9214 			BPF_MOV64_IMM(BPF_REG_0, 0),
9215 			BPF_EXIT_INSN(),
9216 		},
9217 		.result = ACCEPT,
9218 		.prog_type = BPF_PROG_TYPE_XDP,
9219 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9220 	},
9221 	{
9222 		"XDP pkt read, pkt_data > pkt_meta', bad access 1",
9223 		.insns = {
9224 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9225 				    offsetof(struct xdp_md, data_meta)),
9226 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9227 				    offsetof(struct xdp_md, data)),
9228 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9229 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9230 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9231 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9232 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9233 			BPF_MOV64_IMM(BPF_REG_0, 0),
9234 			BPF_EXIT_INSN(),
9235 		},
9236 		.errstr = "R1 offset is outside of the packet",
9237 		.result = REJECT,
9238 		.prog_type = BPF_PROG_TYPE_XDP,
9239 	},
9240 	{
9241 		"XDP pkt read, pkt_data > pkt_meta', bad access 2",
9242 		.insns = {
9243 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9244 				    offsetof(struct xdp_md, data_meta)),
9245 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9246 				    offsetof(struct xdp_md, data)),
9247 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9248 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9249 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9250 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9251 			BPF_MOV64_IMM(BPF_REG_0, 0),
9252 			BPF_EXIT_INSN(),
9253 		},
9254 		.errstr = "R1 offset is outside of the packet",
9255 		.result = REJECT,
9256 		.prog_type = BPF_PROG_TYPE_XDP,
9257 	},
9258 	{
9259 		"XDP pkt read, pkt_meta' < pkt_data, good access",
9260 		.insns = {
9261 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9262 				    offsetof(struct xdp_md, data_meta)),
9263 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9264 				    offsetof(struct xdp_md, data)),
9265 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9266 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9267 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9268 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9269 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9270 			BPF_MOV64_IMM(BPF_REG_0, 0),
9271 			BPF_EXIT_INSN(),
9272 		},
9273 		.result = ACCEPT,
9274 		.prog_type = BPF_PROG_TYPE_XDP,
9275 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9276 	},
9277 	{
9278 		"XDP pkt read, pkt_meta' < pkt_data, bad access 1",
9279 		.insns = {
9280 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9281 				    offsetof(struct xdp_md, data_meta)),
9282 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9283 				    offsetof(struct xdp_md, data)),
9284 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9285 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9286 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9287 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9288 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9289 			BPF_MOV64_IMM(BPF_REG_0, 0),
9290 			BPF_EXIT_INSN(),
9291 		},
9292 		.errstr = "R1 offset is outside of the packet",
9293 		.result = REJECT,
9294 		.prog_type = BPF_PROG_TYPE_XDP,
9295 	},
9296 	{
9297 		"XDP pkt read, pkt_meta' < pkt_data, bad access 2",
9298 		.insns = {
9299 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9300 				    offsetof(struct xdp_md, data_meta)),
9301 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9302 				    offsetof(struct xdp_md, data)),
9303 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9304 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9305 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9306 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9307 			BPF_MOV64_IMM(BPF_REG_0, 0),
9308 			BPF_EXIT_INSN(),
9309 		},
9310 		.errstr = "R1 offset is outside of the packet",
9311 		.result = REJECT,
9312 		.prog_type = BPF_PROG_TYPE_XDP,
9313 	},
9314 	{
9315 		"XDP pkt read, pkt_data < pkt_meta', good access",
9316 		.insns = {
9317 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9318 				    offsetof(struct xdp_md, data_meta)),
9319 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9320 				    offsetof(struct xdp_md, data)),
9321 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9322 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9323 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9324 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9325 			BPF_MOV64_IMM(BPF_REG_0, 0),
9326 			BPF_EXIT_INSN(),
9327 		},
9328 		.result = ACCEPT,
9329 		.prog_type = BPF_PROG_TYPE_XDP,
9330 	},
9331 	{
9332 		"XDP pkt read, pkt_data < pkt_meta', bad access 1",
9333 		.insns = {
9334 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9335 				    offsetof(struct xdp_md, data_meta)),
9336 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9337 				    offsetof(struct xdp_md, data)),
9338 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9339 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9340 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9341 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9342 			BPF_MOV64_IMM(BPF_REG_0, 0),
9343 			BPF_EXIT_INSN(),
9344 		},
9345 		.errstr = "R1 offset is outside of the packet",
9346 		.result = REJECT,
9347 		.prog_type = BPF_PROG_TYPE_XDP,
9348 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9349 	},
9350 	{
9351 		"XDP pkt read, pkt_data < pkt_meta', bad access 2",
9352 		.insns = {
9353 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9354 				    offsetof(struct xdp_md, data_meta)),
9355 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9356 				    offsetof(struct xdp_md, data)),
9357 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9358 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9359 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9360 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9361 			BPF_MOV64_IMM(BPF_REG_0, 0),
9362 			BPF_EXIT_INSN(),
9363 		},
9364 		.errstr = "R1 offset is outside of the packet",
9365 		.result = REJECT,
9366 		.prog_type = BPF_PROG_TYPE_XDP,
9367 	},
9368 	{
9369 		"XDP pkt read, pkt_meta' >= pkt_data, good access",
9370 		.insns = {
9371 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9372 				    offsetof(struct xdp_md, data_meta)),
9373 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9374 				    offsetof(struct xdp_md, data)),
9375 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9376 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9377 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9378 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9379 			BPF_MOV64_IMM(BPF_REG_0, 0),
9380 			BPF_EXIT_INSN(),
9381 		},
9382 		.result = ACCEPT,
9383 		.prog_type = BPF_PROG_TYPE_XDP,
9384 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9385 	},
9386 	{
9387 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
9388 		.insns = {
9389 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9390 				    offsetof(struct xdp_md, data_meta)),
9391 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9392 				    offsetof(struct xdp_md, data)),
9393 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9394 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9395 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9396 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9397 			BPF_MOV64_IMM(BPF_REG_0, 0),
9398 			BPF_EXIT_INSN(),
9399 		},
9400 		.errstr = "R1 offset is outside of the packet",
9401 		.result = REJECT,
9402 		.prog_type = BPF_PROG_TYPE_XDP,
9403 	},
9404 	{
9405 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
9406 		.insns = {
9407 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9408 				    offsetof(struct xdp_md, data_meta)),
9409 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9410 				    offsetof(struct xdp_md, data)),
9411 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9412 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9413 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9414 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9415 			BPF_MOV64_IMM(BPF_REG_0, 0),
9416 			BPF_EXIT_INSN(),
9417 		},
9418 		.errstr = "R1 offset is outside of the packet",
9419 		.result = REJECT,
9420 		.prog_type = BPF_PROG_TYPE_XDP,
9421 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9422 	},
9423 	{
9424 		"XDP pkt read, pkt_data >= pkt_meta', good access",
9425 		.insns = {
9426 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9427 				    offsetof(struct xdp_md, data_meta)),
9428 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9429 				    offsetof(struct xdp_md, data)),
9430 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9431 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9432 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9433 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9434 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9435 			BPF_MOV64_IMM(BPF_REG_0, 0),
9436 			BPF_EXIT_INSN(),
9437 		},
9438 		.result = ACCEPT,
9439 		.prog_type = BPF_PROG_TYPE_XDP,
9440 	},
9441 	{
9442 		"XDP pkt read, pkt_data >= pkt_meta', bad access 1",
9443 		.insns = {
9444 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9445 				    offsetof(struct xdp_md, data_meta)),
9446 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9447 				    offsetof(struct xdp_md, data)),
9448 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9449 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9450 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9451 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9452 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9453 			BPF_MOV64_IMM(BPF_REG_0, 0),
9454 			BPF_EXIT_INSN(),
9455 		},
9456 		.errstr = "R1 offset is outside of the packet",
9457 		.result = REJECT,
9458 		.prog_type = BPF_PROG_TYPE_XDP,
9459 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9460 	},
9461 	{
9462 		"XDP pkt read, pkt_data >= pkt_meta', bad access 2",
9463 		.insns = {
9464 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9465 				    offsetof(struct xdp_md, data_meta)),
9466 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9467 				    offsetof(struct xdp_md, data)),
9468 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9469 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9470 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9471 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9472 			BPF_MOV64_IMM(BPF_REG_0, 0),
9473 			BPF_EXIT_INSN(),
9474 		},
9475 		.errstr = "R1 offset is outside of the packet",
9476 		.result = REJECT,
9477 		.prog_type = BPF_PROG_TYPE_XDP,
9478 	},
9479 	{
9480 		"XDP pkt read, pkt_meta' <= pkt_data, good access",
9481 		.insns = {
9482 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9483 				    offsetof(struct xdp_md, data_meta)),
9484 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9485 				    offsetof(struct xdp_md, data)),
9486 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9487 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9488 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9489 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9490 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9491 			BPF_MOV64_IMM(BPF_REG_0, 0),
9492 			BPF_EXIT_INSN(),
9493 		},
9494 		.result = ACCEPT,
9495 		.prog_type = BPF_PROG_TYPE_XDP,
9496 	},
9497 	{
9498 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
9499 		.insns = {
9500 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9501 				    offsetof(struct xdp_md, data_meta)),
9502 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9503 				    offsetof(struct xdp_md, data)),
9504 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9505 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9506 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9507 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9508 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9509 			BPF_MOV64_IMM(BPF_REG_0, 0),
9510 			BPF_EXIT_INSN(),
9511 		},
9512 		.errstr = "R1 offset is outside of the packet",
9513 		.result = REJECT,
9514 		.prog_type = BPF_PROG_TYPE_XDP,
9515 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9516 	},
9517 	{
9518 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
9519 		.insns = {
9520 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9521 				    offsetof(struct xdp_md, data_meta)),
9522 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9523 				    offsetof(struct xdp_md, data)),
9524 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9525 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9526 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9527 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9528 			BPF_MOV64_IMM(BPF_REG_0, 0),
9529 			BPF_EXIT_INSN(),
9530 		},
9531 		.errstr = "R1 offset is outside of the packet",
9532 		.result = REJECT,
9533 		.prog_type = BPF_PROG_TYPE_XDP,
9534 	},
9535 	{
9536 		"XDP pkt read, pkt_data <= pkt_meta', good access",
9537 		.insns = {
9538 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9539 				    offsetof(struct xdp_md, data_meta)),
9540 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9541 				    offsetof(struct xdp_md, data)),
9542 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9543 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9544 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9545 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9546 			BPF_MOV64_IMM(BPF_REG_0, 0),
9547 			BPF_EXIT_INSN(),
9548 		},
9549 		.result = ACCEPT,
9550 		.prog_type = BPF_PROG_TYPE_XDP,
9551 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9552 	},
9553 	{
9554 		"XDP pkt read, pkt_data <= pkt_meta', bad access 1",
9555 		.insns = {
9556 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9557 				    offsetof(struct xdp_md, data_meta)),
9558 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9559 				    offsetof(struct xdp_md, data)),
9560 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9561 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9562 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9563 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9564 			BPF_MOV64_IMM(BPF_REG_0, 0),
9565 			BPF_EXIT_INSN(),
9566 		},
9567 		.errstr = "R1 offset is outside of the packet",
9568 		.result = REJECT,
9569 		.prog_type = BPF_PROG_TYPE_XDP,
9570 	},
9571 	{
9572 		"XDP pkt read, pkt_data <= pkt_meta', bad access 2",
9573 		.insns = {
9574 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9575 				    offsetof(struct xdp_md, data_meta)),
9576 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9577 				    offsetof(struct xdp_md, data)),
9578 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9579 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9580 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9581 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9582 			BPF_MOV64_IMM(BPF_REG_0, 0),
9583 			BPF_EXIT_INSN(),
9584 		},
9585 		.errstr = "R1 offset is outside of the packet",
9586 		.result = REJECT,
9587 		.prog_type = BPF_PROG_TYPE_XDP,
9588 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9589 	},
9590 	{
9591 		"check deducing bounds from const, 1",
9592 		.insns = {
9593 			BPF_MOV64_IMM(BPF_REG_0, 1),
9594 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
9595 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9596 			BPF_EXIT_INSN(),
9597 		},
9598 		.result = REJECT,
9599 		.errstr = "R0 tried to subtract pointer from scalar",
9600 	},
9601 	{
9602 		"check deducing bounds from const, 2",
9603 		.insns = {
9604 			BPF_MOV64_IMM(BPF_REG_0, 1),
9605 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
9606 			BPF_EXIT_INSN(),
9607 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
9608 			BPF_EXIT_INSN(),
9609 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9610 			BPF_EXIT_INSN(),
9611 		},
9612 		.result = ACCEPT,
9613 		.retval = 1,
9614 	},
9615 	{
9616 		"check deducing bounds from const, 3",
9617 		.insns = {
9618 			BPF_MOV64_IMM(BPF_REG_0, 0),
9619 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9620 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9621 			BPF_EXIT_INSN(),
9622 		},
9623 		.result = REJECT,
9624 		.errstr = "R0 tried to subtract pointer from scalar",
9625 	},
9626 	{
9627 		"check deducing bounds from const, 4",
9628 		.insns = {
9629 			BPF_MOV64_IMM(BPF_REG_0, 0),
9630 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
9631 			BPF_EXIT_INSN(),
9632 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9633 			BPF_EXIT_INSN(),
9634 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9635 			BPF_EXIT_INSN(),
9636 		},
9637 		.result = ACCEPT,
9638 	},
9639 	{
9640 		"check deducing bounds from const, 5",
9641 		.insns = {
9642 			BPF_MOV64_IMM(BPF_REG_0, 0),
9643 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9644 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9645 			BPF_EXIT_INSN(),
9646 		},
9647 		.result = REJECT,
9648 		.errstr = "R0 tried to subtract pointer from scalar",
9649 	},
9650 	{
9651 		"check deducing bounds from const, 6",
9652 		.insns = {
9653 			BPF_MOV64_IMM(BPF_REG_0, 0),
9654 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9655 			BPF_EXIT_INSN(),
9656 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9657 			BPF_EXIT_INSN(),
9658 		},
9659 		.result = REJECT,
9660 		.errstr = "R0 tried to subtract pointer from scalar",
9661 	},
9662 	{
9663 		"check deducing bounds from const, 7",
9664 		.insns = {
9665 			BPF_MOV64_IMM(BPF_REG_0, ~0),
9666 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9667 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9668 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9669 				    offsetof(struct __sk_buff, mark)),
9670 			BPF_EXIT_INSN(),
9671 		},
9672 		.result = REJECT,
9673 		.errstr = "dereference of modified ctx ptr",
9674 	},
9675 	{
9676 		"check deducing bounds from const, 8",
9677 		.insns = {
9678 			BPF_MOV64_IMM(BPF_REG_0, ~0),
9679 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9680 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
9681 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9682 				    offsetof(struct __sk_buff, mark)),
9683 			BPF_EXIT_INSN(),
9684 		},
9685 		.result = REJECT,
9686 		.errstr = "dereference of modified ctx ptr",
9687 	},
9688 	{
9689 		"check deducing bounds from const, 9",
9690 		.insns = {
9691 			BPF_MOV64_IMM(BPF_REG_0, 0),
9692 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9693 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9694 			BPF_EXIT_INSN(),
9695 		},
9696 		.result = REJECT,
9697 		.errstr = "R0 tried to subtract pointer from scalar",
9698 	},
9699 	{
9700 		"check deducing bounds from const, 10",
9701 		.insns = {
9702 			BPF_MOV64_IMM(BPF_REG_0, 0),
9703 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9704 			/* Marks reg as unknown. */
9705 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
9706 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9707 			BPF_EXIT_INSN(),
9708 		},
9709 		.result = REJECT,
9710 		.errstr = "math between ctx pointer and register with unbounded min value is not allowed",
9711 	},
9712 	{
9713 		"bpf_exit with invalid return code. test1",
9714 		.insns = {
9715 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9716 			BPF_EXIT_INSN(),
9717 		},
9718 		.errstr = "R0 has value (0x0; 0xffffffff)",
9719 		.result = REJECT,
9720 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9721 	},
9722 	{
9723 		"bpf_exit with invalid return code. test2",
9724 		.insns = {
9725 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9726 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
9727 			BPF_EXIT_INSN(),
9728 		},
9729 		.result = ACCEPT,
9730 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9731 	},
9732 	{
9733 		"bpf_exit with invalid return code. test3",
9734 		.insns = {
9735 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9736 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
9737 			BPF_EXIT_INSN(),
9738 		},
9739 		.errstr = "R0 has value (0x0; 0x3)",
9740 		.result = REJECT,
9741 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9742 	},
9743 	{
9744 		"bpf_exit with invalid return code. test4",
9745 		.insns = {
9746 			BPF_MOV64_IMM(BPF_REG_0, 1),
9747 			BPF_EXIT_INSN(),
9748 		},
9749 		.result = ACCEPT,
9750 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9751 	},
9752 	{
9753 		"bpf_exit with invalid return code. test5",
9754 		.insns = {
9755 			BPF_MOV64_IMM(BPF_REG_0, 2),
9756 			BPF_EXIT_INSN(),
9757 		},
9758 		.errstr = "R0 has value (0x2; 0x0)",
9759 		.result = REJECT,
9760 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9761 	},
9762 	{
9763 		"bpf_exit with invalid return code. test6",
9764 		.insns = {
9765 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9766 			BPF_EXIT_INSN(),
9767 		},
9768 		.errstr = "R0 is not a known value (ctx)",
9769 		.result = REJECT,
9770 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9771 	},
9772 	{
9773 		"bpf_exit with invalid return code. test7",
9774 		.insns = {
9775 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9776 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
9777 			BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
9778 			BPF_EXIT_INSN(),
9779 		},
9780 		.errstr = "R0 has unknown scalar value",
9781 		.result = REJECT,
9782 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9783 	},
9784 	{
9785 		"calls: basic sanity",
9786 		.insns = {
9787 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9788 			BPF_MOV64_IMM(BPF_REG_0, 1),
9789 			BPF_EXIT_INSN(),
9790 			BPF_MOV64_IMM(BPF_REG_0, 2),
9791 			BPF_EXIT_INSN(),
9792 		},
9793 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9794 		.result = ACCEPT,
9795 	},
9796 	{
9797 		"calls: not on unpriviledged",
9798 		.insns = {
9799 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9800 			BPF_MOV64_IMM(BPF_REG_0, 1),
9801 			BPF_EXIT_INSN(),
9802 			BPF_MOV64_IMM(BPF_REG_0, 2),
9803 			BPF_EXIT_INSN(),
9804 		},
9805 		.errstr_unpriv = "function calls to other bpf functions are allowed for root only",
9806 		.result_unpriv = REJECT,
9807 		.result = ACCEPT,
9808 		.retval = 1,
9809 	},
9810 	{
9811 		"calls: div by 0 in subprog",
9812 		.insns = {
9813 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9814 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9815 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9816 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9817 				    offsetof(struct __sk_buff, data_end)),
9818 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9819 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9820 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9821 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9822 			BPF_MOV64_IMM(BPF_REG_0, 1),
9823 			BPF_EXIT_INSN(),
9824 			BPF_MOV32_IMM(BPF_REG_2, 0),
9825 			BPF_MOV32_IMM(BPF_REG_3, 1),
9826 			BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
9827 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9828 				    offsetof(struct __sk_buff, data)),
9829 			BPF_EXIT_INSN(),
9830 		},
9831 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9832 		.result = ACCEPT,
9833 		.retval = 1,
9834 	},
9835 	{
9836 		"calls: multiple ret types in subprog 1",
9837 		.insns = {
9838 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9839 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9840 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9841 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9842 				    offsetof(struct __sk_buff, data_end)),
9843 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9844 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9845 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9846 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9847 			BPF_MOV64_IMM(BPF_REG_0, 1),
9848 			BPF_EXIT_INSN(),
9849 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9850 				    offsetof(struct __sk_buff, data)),
9851 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9852 			BPF_MOV32_IMM(BPF_REG_0, 42),
9853 			BPF_EXIT_INSN(),
9854 		},
9855 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9856 		.result = REJECT,
9857 		.errstr = "R0 invalid mem access 'inv'",
9858 	},
9859 	{
9860 		"calls: multiple ret types in subprog 2",
9861 		.insns = {
9862 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9863 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9864 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9865 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9866 				    offsetof(struct __sk_buff, data_end)),
9867 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9868 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9869 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9870 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9871 			BPF_MOV64_IMM(BPF_REG_0, 1),
9872 			BPF_EXIT_INSN(),
9873 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9874 				    offsetof(struct __sk_buff, data)),
9875 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9876 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
9877 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9878 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9879 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9880 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9881 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9882 				     BPF_FUNC_map_lookup_elem),
9883 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9884 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
9885 				    offsetof(struct __sk_buff, data)),
9886 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
9887 			BPF_EXIT_INSN(),
9888 		},
9889 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9890 		.fixup_map1 = { 16 },
9891 		.result = REJECT,
9892 		.errstr = "R0 min value is outside of the array range",
9893 	},
9894 	{
9895 		"calls: overlapping caller/callee",
9896 		.insns = {
9897 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
9898 			BPF_MOV64_IMM(BPF_REG_0, 1),
9899 			BPF_EXIT_INSN(),
9900 		},
9901 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9902 		.errstr = "last insn is not an exit or jmp",
9903 		.result = REJECT,
9904 	},
9905 	{
9906 		"calls: wrong recursive calls",
9907 		.insns = {
9908 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9909 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9910 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9911 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9912 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9913 			BPF_MOV64_IMM(BPF_REG_0, 1),
9914 			BPF_EXIT_INSN(),
9915 		},
9916 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9917 		.errstr = "jump out of range",
9918 		.result = REJECT,
9919 	},
9920 	{
9921 		"calls: wrong src reg",
9922 		.insns = {
9923 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
9924 			BPF_MOV64_IMM(BPF_REG_0, 1),
9925 			BPF_EXIT_INSN(),
9926 		},
9927 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9928 		.errstr = "BPF_CALL uses reserved fields",
9929 		.result = REJECT,
9930 	},
9931 	{
9932 		"calls: wrong off value",
9933 		.insns = {
9934 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
9935 			BPF_MOV64_IMM(BPF_REG_0, 1),
9936 			BPF_EXIT_INSN(),
9937 			BPF_MOV64_IMM(BPF_REG_0, 2),
9938 			BPF_EXIT_INSN(),
9939 		},
9940 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9941 		.errstr = "BPF_CALL uses reserved fields",
9942 		.result = REJECT,
9943 	},
9944 	{
9945 		"calls: jump back loop",
9946 		.insns = {
9947 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
9948 			BPF_MOV64_IMM(BPF_REG_0, 1),
9949 			BPF_EXIT_INSN(),
9950 		},
9951 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9952 		.errstr = "back-edge from insn 0 to 0",
9953 		.result = REJECT,
9954 	},
9955 	{
9956 		"calls: conditional call",
9957 		.insns = {
9958 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9959 				    offsetof(struct __sk_buff, mark)),
9960 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9961 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9962 			BPF_MOV64_IMM(BPF_REG_0, 1),
9963 			BPF_EXIT_INSN(),
9964 			BPF_MOV64_IMM(BPF_REG_0, 2),
9965 			BPF_EXIT_INSN(),
9966 		},
9967 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9968 		.errstr = "jump out of range",
9969 		.result = REJECT,
9970 	},
9971 	{
9972 		"calls: conditional call 2",
9973 		.insns = {
9974 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9975 				    offsetof(struct __sk_buff, mark)),
9976 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9977 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9978 			BPF_MOV64_IMM(BPF_REG_0, 1),
9979 			BPF_EXIT_INSN(),
9980 			BPF_MOV64_IMM(BPF_REG_0, 2),
9981 			BPF_EXIT_INSN(),
9982 			BPF_MOV64_IMM(BPF_REG_0, 3),
9983 			BPF_EXIT_INSN(),
9984 		},
9985 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9986 		.result = ACCEPT,
9987 	},
9988 	{
9989 		"calls: conditional call 3",
9990 		.insns = {
9991 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9992 				    offsetof(struct __sk_buff, mark)),
9993 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9994 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9995 			BPF_MOV64_IMM(BPF_REG_0, 1),
9996 			BPF_EXIT_INSN(),
9997 			BPF_MOV64_IMM(BPF_REG_0, 1),
9998 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9999 			BPF_MOV64_IMM(BPF_REG_0, 3),
10000 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10001 		},
10002 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10003 		.errstr = "back-edge from insn",
10004 		.result = REJECT,
10005 	},
10006 	{
10007 		"calls: conditional call 4",
10008 		.insns = {
10009 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10010 				    offsetof(struct __sk_buff, mark)),
10011 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10012 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10013 			BPF_MOV64_IMM(BPF_REG_0, 1),
10014 			BPF_EXIT_INSN(),
10015 			BPF_MOV64_IMM(BPF_REG_0, 1),
10016 			BPF_JMP_IMM(BPF_JA, 0, 0, -5),
10017 			BPF_MOV64_IMM(BPF_REG_0, 3),
10018 			BPF_EXIT_INSN(),
10019 		},
10020 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10021 		.result = ACCEPT,
10022 	},
10023 	{
10024 		"calls: conditional call 5",
10025 		.insns = {
10026 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10027 				    offsetof(struct __sk_buff, mark)),
10028 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10029 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10030 			BPF_MOV64_IMM(BPF_REG_0, 1),
10031 			BPF_EXIT_INSN(),
10032 			BPF_MOV64_IMM(BPF_REG_0, 1),
10033 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10034 			BPF_MOV64_IMM(BPF_REG_0, 3),
10035 			BPF_EXIT_INSN(),
10036 		},
10037 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10038 		.errstr = "back-edge from insn",
10039 		.result = REJECT,
10040 	},
10041 	{
10042 		"calls: conditional call 6",
10043 		.insns = {
10044 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10045 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
10046 			BPF_EXIT_INSN(),
10047 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10048 				    offsetof(struct __sk_buff, mark)),
10049 			BPF_EXIT_INSN(),
10050 		},
10051 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10052 		.errstr = "back-edge from insn",
10053 		.result = REJECT,
10054 	},
10055 	{
10056 		"calls: using r0 returned by callee",
10057 		.insns = {
10058 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10059 			BPF_EXIT_INSN(),
10060 			BPF_MOV64_IMM(BPF_REG_0, 2),
10061 			BPF_EXIT_INSN(),
10062 		},
10063 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10064 		.result = ACCEPT,
10065 	},
10066 	{
10067 		"calls: using uninit r0 from callee",
10068 		.insns = {
10069 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10070 			BPF_EXIT_INSN(),
10071 			BPF_EXIT_INSN(),
10072 		},
10073 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10074 		.errstr = "!read_ok",
10075 		.result = REJECT,
10076 	},
10077 	{
10078 		"calls: callee is using r1",
10079 		.insns = {
10080 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10081 			BPF_EXIT_INSN(),
10082 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10083 				    offsetof(struct __sk_buff, len)),
10084 			BPF_EXIT_INSN(),
10085 		},
10086 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
10087 		.result = ACCEPT,
10088 		.retval = TEST_DATA_LEN,
10089 	},
10090 	{
10091 		"calls: callee using args1",
10092 		.insns = {
10093 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10094 			BPF_EXIT_INSN(),
10095 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10096 			BPF_EXIT_INSN(),
10097 		},
10098 		.errstr_unpriv = "allowed for root only",
10099 		.result_unpriv = REJECT,
10100 		.result = ACCEPT,
10101 		.retval = POINTER_VALUE,
10102 	},
10103 	{
10104 		"calls: callee using wrong args2",
10105 		.insns = {
10106 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10107 			BPF_EXIT_INSN(),
10108 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10109 			BPF_EXIT_INSN(),
10110 		},
10111 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10112 		.errstr = "R2 !read_ok",
10113 		.result = REJECT,
10114 	},
10115 	{
10116 		"calls: callee using two args",
10117 		.insns = {
10118 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10119 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
10120 				    offsetof(struct __sk_buff, len)),
10121 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
10122 				    offsetof(struct __sk_buff, len)),
10123 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10124 			BPF_EXIT_INSN(),
10125 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10126 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
10127 			BPF_EXIT_INSN(),
10128 		},
10129 		.errstr_unpriv = "allowed for root only",
10130 		.result_unpriv = REJECT,
10131 		.result = ACCEPT,
10132 		.retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
10133 	},
10134 	{
10135 		"calls: callee changing pkt pointers",
10136 		.insns = {
10137 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
10138 				    offsetof(struct xdp_md, data)),
10139 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
10140 				    offsetof(struct xdp_md, data_end)),
10141 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
10142 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
10143 			BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
10144 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10145 			/* clear_all_pkt_pointers() has to walk all frames
10146 			 * to make sure that pkt pointers in the caller
10147 			 * are cleared when callee is calling a helper that
10148 			 * adjusts packet size
10149 			 */
10150 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10151 			BPF_MOV32_IMM(BPF_REG_0, 0),
10152 			BPF_EXIT_INSN(),
10153 			BPF_MOV64_IMM(BPF_REG_2, 0),
10154 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10155 				     BPF_FUNC_xdp_adjust_head),
10156 			BPF_EXIT_INSN(),
10157 		},
10158 		.result = REJECT,
10159 		.errstr = "R6 invalid mem access 'inv'",
10160 		.prog_type = BPF_PROG_TYPE_XDP,
10161 	},
10162 	{
10163 		"calls: two calls with args",
10164 		.insns = {
10165 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10166 			BPF_EXIT_INSN(),
10167 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10168 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10169 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10170 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10171 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10172 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10173 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10174 			BPF_EXIT_INSN(),
10175 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10176 				    offsetof(struct __sk_buff, len)),
10177 			BPF_EXIT_INSN(),
10178 		},
10179 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10180 		.result = ACCEPT,
10181 		.retval = TEST_DATA_LEN + TEST_DATA_LEN,
10182 	},
10183 	{
10184 		"calls: calls with stack arith",
10185 		.insns = {
10186 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10187 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10188 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10189 			BPF_EXIT_INSN(),
10190 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10191 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10192 			BPF_EXIT_INSN(),
10193 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10194 			BPF_MOV64_IMM(BPF_REG_0, 42),
10195 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10196 			BPF_EXIT_INSN(),
10197 		},
10198 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10199 		.result = ACCEPT,
10200 		.retval = 42,
10201 	},
10202 	{
10203 		"calls: calls with misaligned stack access",
10204 		.insns = {
10205 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10206 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10207 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10208 			BPF_EXIT_INSN(),
10209 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
10210 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10211 			BPF_EXIT_INSN(),
10212 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10213 			BPF_MOV64_IMM(BPF_REG_0, 42),
10214 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10215 			BPF_EXIT_INSN(),
10216 		},
10217 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10218 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
10219 		.errstr = "misaligned stack access",
10220 		.result = REJECT,
10221 	},
10222 	{
10223 		"calls: calls control flow, jump test",
10224 		.insns = {
10225 			BPF_MOV64_IMM(BPF_REG_0, 42),
10226 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10227 			BPF_MOV64_IMM(BPF_REG_0, 43),
10228 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10229 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10230 			BPF_EXIT_INSN(),
10231 		},
10232 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10233 		.result = ACCEPT,
10234 		.retval = 43,
10235 	},
10236 	{
10237 		"calls: calls control flow, jump test 2",
10238 		.insns = {
10239 			BPF_MOV64_IMM(BPF_REG_0, 42),
10240 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10241 			BPF_MOV64_IMM(BPF_REG_0, 43),
10242 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10243 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10244 			BPF_EXIT_INSN(),
10245 		},
10246 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10247 		.errstr = "jump out of range from insn 1 to 4",
10248 		.result = REJECT,
10249 	},
10250 	{
10251 		"calls: two calls with bad jump",
10252 		.insns = {
10253 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10254 			BPF_EXIT_INSN(),
10255 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10256 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10257 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10258 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10259 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10260 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10261 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10262 			BPF_EXIT_INSN(),
10263 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10264 				    offsetof(struct __sk_buff, len)),
10265 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
10266 			BPF_EXIT_INSN(),
10267 		},
10268 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10269 		.errstr = "jump out of range from insn 11 to 9",
10270 		.result = REJECT,
10271 	},
10272 	{
10273 		"calls: recursive call. test1",
10274 		.insns = {
10275 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10276 			BPF_EXIT_INSN(),
10277 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10278 			BPF_EXIT_INSN(),
10279 		},
10280 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10281 		.errstr = "back-edge",
10282 		.result = REJECT,
10283 	},
10284 	{
10285 		"calls: recursive call. test2",
10286 		.insns = {
10287 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10288 			BPF_EXIT_INSN(),
10289 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10290 			BPF_EXIT_INSN(),
10291 		},
10292 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10293 		.errstr = "back-edge",
10294 		.result = REJECT,
10295 	},
10296 	{
10297 		"calls: unreachable code",
10298 		.insns = {
10299 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10300 			BPF_EXIT_INSN(),
10301 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10302 			BPF_EXIT_INSN(),
10303 			BPF_MOV64_IMM(BPF_REG_0, 0),
10304 			BPF_EXIT_INSN(),
10305 			BPF_MOV64_IMM(BPF_REG_0, 0),
10306 			BPF_EXIT_INSN(),
10307 		},
10308 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10309 		.errstr = "unreachable insn 6",
10310 		.result = REJECT,
10311 	},
10312 	{
10313 		"calls: invalid call",
10314 		.insns = {
10315 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10316 			BPF_EXIT_INSN(),
10317 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
10318 			BPF_EXIT_INSN(),
10319 		},
10320 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10321 		.errstr = "invalid destination",
10322 		.result = REJECT,
10323 	},
10324 	{
10325 		"calls: invalid call 2",
10326 		.insns = {
10327 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10328 			BPF_EXIT_INSN(),
10329 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
10330 			BPF_EXIT_INSN(),
10331 		},
10332 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10333 		.errstr = "invalid destination",
10334 		.result = REJECT,
10335 	},
10336 	{
10337 		"calls: jumping across function bodies. test1",
10338 		.insns = {
10339 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10340 			BPF_MOV64_IMM(BPF_REG_0, 0),
10341 			BPF_EXIT_INSN(),
10342 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
10343 			BPF_EXIT_INSN(),
10344 		},
10345 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10346 		.errstr = "jump out of range",
10347 		.result = REJECT,
10348 	},
10349 	{
10350 		"calls: jumping across function bodies. test2",
10351 		.insns = {
10352 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
10353 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10354 			BPF_MOV64_IMM(BPF_REG_0, 0),
10355 			BPF_EXIT_INSN(),
10356 			BPF_EXIT_INSN(),
10357 		},
10358 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10359 		.errstr = "jump out of range",
10360 		.result = REJECT,
10361 	},
10362 	{
10363 		"calls: call without exit",
10364 		.insns = {
10365 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10366 			BPF_EXIT_INSN(),
10367 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10368 			BPF_EXIT_INSN(),
10369 			BPF_MOV64_IMM(BPF_REG_0, 0),
10370 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
10371 		},
10372 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10373 		.errstr = "not an exit",
10374 		.result = REJECT,
10375 	},
10376 	{
10377 		"calls: call into middle of ld_imm64",
10378 		.insns = {
10379 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10380 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10381 			BPF_MOV64_IMM(BPF_REG_0, 0),
10382 			BPF_EXIT_INSN(),
10383 			BPF_LD_IMM64(BPF_REG_0, 0),
10384 			BPF_EXIT_INSN(),
10385 		},
10386 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10387 		.errstr = "last insn",
10388 		.result = REJECT,
10389 	},
10390 	{
10391 		"calls: call into middle of other call",
10392 		.insns = {
10393 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10394 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10395 			BPF_MOV64_IMM(BPF_REG_0, 0),
10396 			BPF_EXIT_INSN(),
10397 			BPF_MOV64_IMM(BPF_REG_0, 0),
10398 			BPF_MOV64_IMM(BPF_REG_0, 0),
10399 			BPF_EXIT_INSN(),
10400 		},
10401 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10402 		.errstr = "last insn",
10403 		.result = REJECT,
10404 	},
10405 	{
10406 		"calls: ld_abs with changing ctx data in callee",
10407 		.insns = {
10408 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10409 			BPF_LD_ABS(BPF_B, 0),
10410 			BPF_LD_ABS(BPF_H, 0),
10411 			BPF_LD_ABS(BPF_W, 0),
10412 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
10413 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10414 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
10415 			BPF_LD_ABS(BPF_B, 0),
10416 			BPF_LD_ABS(BPF_H, 0),
10417 			BPF_LD_ABS(BPF_W, 0),
10418 			BPF_EXIT_INSN(),
10419 			BPF_MOV64_IMM(BPF_REG_2, 1),
10420 			BPF_MOV64_IMM(BPF_REG_3, 2),
10421 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10422 				     BPF_FUNC_skb_vlan_push),
10423 			BPF_EXIT_INSN(),
10424 		},
10425 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10426 		.errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
10427 		.result = REJECT,
10428 	},
10429 	{
10430 		"calls: two calls with bad fallthrough",
10431 		.insns = {
10432 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10433 			BPF_EXIT_INSN(),
10434 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10435 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10436 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10437 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10438 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10439 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10440 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10441 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
10442 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10443 				    offsetof(struct __sk_buff, len)),
10444 			BPF_EXIT_INSN(),
10445 		},
10446 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10447 		.errstr = "not an exit",
10448 		.result = REJECT,
10449 	},
10450 	{
10451 		"calls: two calls with stack read",
10452 		.insns = {
10453 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10454 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10455 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10456 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10457 			BPF_EXIT_INSN(),
10458 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10459 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10460 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10461 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10462 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10463 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10464 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10465 			BPF_EXIT_INSN(),
10466 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10467 			BPF_EXIT_INSN(),
10468 		},
10469 		.prog_type = BPF_PROG_TYPE_XDP,
10470 		.result = ACCEPT,
10471 	},
10472 	{
10473 		"calls: two calls with stack write",
10474 		.insns = {
10475 			/* main prog */
10476 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10477 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10478 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10479 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10480 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10481 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10482 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10483 			BPF_EXIT_INSN(),
10484 
10485 			/* subprog 1 */
10486 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10487 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10488 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
10489 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
10490 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10491 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10492 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
10493 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
10494 			/* write into stack frame of main prog */
10495 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10496 			BPF_EXIT_INSN(),
10497 
10498 			/* subprog 2 */
10499 			/* read from stack frame of main prog */
10500 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10501 			BPF_EXIT_INSN(),
10502 		},
10503 		.prog_type = BPF_PROG_TYPE_XDP,
10504 		.result = ACCEPT,
10505 	},
10506 	{
10507 		"calls: stack overflow using two frames (pre-call access)",
10508 		.insns = {
10509 			/* prog 1 */
10510 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10511 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
10512 			BPF_EXIT_INSN(),
10513 
10514 			/* prog 2 */
10515 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10516 			BPF_MOV64_IMM(BPF_REG_0, 0),
10517 			BPF_EXIT_INSN(),
10518 		},
10519 		.prog_type = BPF_PROG_TYPE_XDP,
10520 		.errstr = "combined stack size",
10521 		.result = REJECT,
10522 	},
10523 	{
10524 		"calls: stack overflow using two frames (post-call access)",
10525 		.insns = {
10526 			/* prog 1 */
10527 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
10528 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10529 			BPF_EXIT_INSN(),
10530 
10531 			/* prog 2 */
10532 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10533 			BPF_MOV64_IMM(BPF_REG_0, 0),
10534 			BPF_EXIT_INSN(),
10535 		},
10536 		.prog_type = BPF_PROG_TYPE_XDP,
10537 		.errstr = "combined stack size",
10538 		.result = REJECT,
10539 	},
10540 	{
10541 		"calls: stack depth check using three frames. test1",
10542 		.insns = {
10543 			/* main */
10544 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10545 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10546 			BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10547 			BPF_MOV64_IMM(BPF_REG_0, 0),
10548 			BPF_EXIT_INSN(),
10549 			/* A */
10550 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10551 			BPF_EXIT_INSN(),
10552 			/* B */
10553 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10554 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10555 			BPF_EXIT_INSN(),
10556 		},
10557 		.prog_type = BPF_PROG_TYPE_XDP,
10558 		/* stack_main=32, stack_A=256, stack_B=64
10559 		 * and max(main+A, main+A+B) < 512
10560 		 */
10561 		.result = ACCEPT,
10562 	},
10563 	{
10564 		"calls: stack depth check using three frames. test2",
10565 		.insns = {
10566 			/* main */
10567 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10568 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10569 			BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10570 			BPF_MOV64_IMM(BPF_REG_0, 0),
10571 			BPF_EXIT_INSN(),
10572 			/* A */
10573 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10574 			BPF_EXIT_INSN(),
10575 			/* B */
10576 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10577 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10578 			BPF_EXIT_INSN(),
10579 		},
10580 		.prog_type = BPF_PROG_TYPE_XDP,
10581 		/* stack_main=32, stack_A=64, stack_B=256
10582 		 * and max(main+A, main+A+B) < 512
10583 		 */
10584 		.result = ACCEPT,
10585 	},
10586 	{
10587 		"calls: stack depth check using three frames. test3",
10588 		.insns = {
10589 			/* main */
10590 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10591 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10592 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10593 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
10594 			BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
10595 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10596 			BPF_MOV64_IMM(BPF_REG_0, 0),
10597 			BPF_EXIT_INSN(),
10598 			/* A */
10599 			BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
10600 			BPF_EXIT_INSN(),
10601 			BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
10602 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10603 			/* B */
10604 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
10605 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
10606 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10607 			BPF_EXIT_INSN(),
10608 		},
10609 		.prog_type = BPF_PROG_TYPE_XDP,
10610 		/* stack_main=64, stack_A=224, stack_B=256
10611 		 * and max(main+A, main+A+B) > 512
10612 		 */
10613 		.errstr = "combined stack",
10614 		.result = REJECT,
10615 	},
10616 	{
10617 		"calls: stack depth check using three frames. test4",
10618 		/* void main(void) {
10619 		 *   func1(0);
10620 		 *   func1(1);
10621 		 *   func2(1);
10622 		 * }
10623 		 * void func1(int alloc_or_recurse) {
10624 		 *   if (alloc_or_recurse) {
10625 		 *     frame_pointer[-300] = 1;
10626 		 *   } else {
10627 		 *     func2(alloc_or_recurse);
10628 		 *   }
10629 		 * }
10630 		 * void func2(int alloc_or_recurse) {
10631 		 *   if (alloc_or_recurse) {
10632 		 *     frame_pointer[-300] = 1;
10633 		 *   }
10634 		 * }
10635 		 */
10636 		.insns = {
10637 			/* main */
10638 			BPF_MOV64_IMM(BPF_REG_1, 0),
10639 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10640 			BPF_MOV64_IMM(BPF_REG_1, 1),
10641 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10642 			BPF_MOV64_IMM(BPF_REG_1, 1),
10643 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
10644 			BPF_MOV64_IMM(BPF_REG_0, 0),
10645 			BPF_EXIT_INSN(),
10646 			/* A */
10647 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
10648 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10649 			BPF_EXIT_INSN(),
10650 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10651 			BPF_EXIT_INSN(),
10652 			/* B */
10653 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10654 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10655 			BPF_EXIT_INSN(),
10656 		},
10657 		.prog_type = BPF_PROG_TYPE_XDP,
10658 		.result = REJECT,
10659 		.errstr = "combined stack",
10660 	},
10661 	{
10662 		"calls: stack depth check using three frames. test5",
10663 		.insns = {
10664 			/* main */
10665 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
10666 			BPF_EXIT_INSN(),
10667 			/* A */
10668 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10669 			BPF_EXIT_INSN(),
10670 			/* B */
10671 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
10672 			BPF_EXIT_INSN(),
10673 			/* C */
10674 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
10675 			BPF_EXIT_INSN(),
10676 			/* D */
10677 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
10678 			BPF_EXIT_INSN(),
10679 			/* E */
10680 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
10681 			BPF_EXIT_INSN(),
10682 			/* F */
10683 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
10684 			BPF_EXIT_INSN(),
10685 			/* G */
10686 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
10687 			BPF_EXIT_INSN(),
10688 			/* H */
10689 			BPF_MOV64_IMM(BPF_REG_0, 0),
10690 			BPF_EXIT_INSN(),
10691 		},
10692 		.prog_type = BPF_PROG_TYPE_XDP,
10693 		.errstr = "call stack",
10694 		.result = REJECT,
10695 	},
10696 	{
10697 		"calls: spill into caller stack frame",
10698 		.insns = {
10699 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10700 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10701 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10702 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10703 			BPF_EXIT_INSN(),
10704 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
10705 			BPF_MOV64_IMM(BPF_REG_0, 0),
10706 			BPF_EXIT_INSN(),
10707 		},
10708 		.prog_type = BPF_PROG_TYPE_XDP,
10709 		.errstr = "cannot spill",
10710 		.result = REJECT,
10711 	},
10712 	{
10713 		"calls: write into caller stack frame",
10714 		.insns = {
10715 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10716 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10717 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10718 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10719 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10720 			BPF_EXIT_INSN(),
10721 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
10722 			BPF_MOV64_IMM(BPF_REG_0, 0),
10723 			BPF_EXIT_INSN(),
10724 		},
10725 		.prog_type = BPF_PROG_TYPE_XDP,
10726 		.result = ACCEPT,
10727 		.retval = 42,
10728 	},
10729 	{
10730 		"calls: write into callee stack frame",
10731 		.insns = {
10732 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10733 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
10734 			BPF_EXIT_INSN(),
10735 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10736 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
10737 			BPF_EXIT_INSN(),
10738 		},
10739 		.prog_type = BPF_PROG_TYPE_XDP,
10740 		.errstr = "cannot return stack pointer",
10741 		.result = REJECT,
10742 	},
10743 	{
10744 		"calls: two calls with stack write and void return",
10745 		.insns = {
10746 			/* main prog */
10747 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10748 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10749 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10750 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10751 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10752 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10753 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10754 			BPF_EXIT_INSN(),
10755 
10756 			/* subprog 1 */
10757 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10758 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10759 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10760 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10761 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10762 			BPF_EXIT_INSN(),
10763 
10764 			/* subprog 2 */
10765 			/* write into stack frame of main prog */
10766 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
10767 			BPF_EXIT_INSN(), /* void return */
10768 		},
10769 		.prog_type = BPF_PROG_TYPE_XDP,
10770 		.result = ACCEPT,
10771 	},
10772 	{
10773 		"calls: ambiguous return value",
10774 		.insns = {
10775 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10776 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10777 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10778 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10779 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10780 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10781 			BPF_EXIT_INSN(),
10782 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10783 			BPF_MOV64_IMM(BPF_REG_0, 0),
10784 			BPF_EXIT_INSN(),
10785 		},
10786 		.errstr_unpriv = "allowed for root only",
10787 		.result_unpriv = REJECT,
10788 		.errstr = "R0 !read_ok",
10789 		.result = REJECT,
10790 	},
10791 	{
10792 		"calls: two calls that return map_value",
10793 		.insns = {
10794 			/* main prog */
10795 			/* pass fp-16, fp-8 into a function */
10796 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10797 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10798 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10799 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10800 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10801 
10802 			/* fetch map_value_ptr from the stack of this function */
10803 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
10804 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10805 			/* write into map value */
10806 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10807 			/* fetch secound map_value_ptr from the stack */
10808 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10809 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10810 			/* write into map value */
10811 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10812 			BPF_MOV64_IMM(BPF_REG_0, 0),
10813 			BPF_EXIT_INSN(),
10814 
10815 			/* subprog 1 */
10816 			/* call 3rd function twice */
10817 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10818 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10819 			/* first time with fp-8 */
10820 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10821 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10822 			/* second time with fp-16 */
10823 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10824 			BPF_EXIT_INSN(),
10825 
10826 			/* subprog 2 */
10827 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10828 			/* lookup from map */
10829 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10830 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10831 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10832 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10833 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10834 				     BPF_FUNC_map_lookup_elem),
10835 			/* write map_value_ptr into stack frame of main prog */
10836 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10837 			BPF_MOV64_IMM(BPF_REG_0, 0),
10838 			BPF_EXIT_INSN(), /* return 0 */
10839 		},
10840 		.prog_type = BPF_PROG_TYPE_XDP,
10841 		.fixup_map1 = { 23 },
10842 		.result = ACCEPT,
10843 	},
10844 	{
10845 		"calls: two calls that return map_value with bool condition",
10846 		.insns = {
10847 			/* main prog */
10848 			/* pass fp-16, fp-8 into a function */
10849 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10850 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10851 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10852 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10853 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10854 			BPF_MOV64_IMM(BPF_REG_0, 0),
10855 			BPF_EXIT_INSN(),
10856 
10857 			/* subprog 1 */
10858 			/* call 3rd function twice */
10859 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10860 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10861 			/* first time with fp-8 */
10862 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10863 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10864 			/* fetch map_value_ptr from the stack of this function */
10865 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10866 			/* write into map value */
10867 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10868 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10869 			/* second time with fp-16 */
10870 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10871 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10872 			/* fetch secound map_value_ptr from the stack */
10873 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
10874 			/* write into map value */
10875 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10876 			BPF_EXIT_INSN(),
10877 
10878 			/* subprog 2 */
10879 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10880 			/* lookup from map */
10881 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10882 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10883 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10884 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10885 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10886 				     BPF_FUNC_map_lookup_elem),
10887 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10888 			BPF_MOV64_IMM(BPF_REG_0, 0),
10889 			BPF_EXIT_INSN(), /* return 0 */
10890 			/* write map_value_ptr into stack frame of main prog */
10891 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10892 			BPF_MOV64_IMM(BPF_REG_0, 1),
10893 			BPF_EXIT_INSN(), /* return 1 */
10894 		},
10895 		.prog_type = BPF_PROG_TYPE_XDP,
10896 		.fixup_map1 = { 23 },
10897 		.result = ACCEPT,
10898 	},
10899 	{
10900 		"calls: two calls that return map_value with incorrect bool check",
10901 		.insns = {
10902 			/* main prog */
10903 			/* pass fp-16, fp-8 into a function */
10904 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10905 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10906 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10907 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10908 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10909 			BPF_MOV64_IMM(BPF_REG_0, 0),
10910 			BPF_EXIT_INSN(),
10911 
10912 			/* subprog 1 */
10913 			/* call 3rd function twice */
10914 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10915 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10916 			/* first time with fp-8 */
10917 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10918 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10919 			/* fetch map_value_ptr from the stack of this function */
10920 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10921 			/* write into map value */
10922 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10923 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10924 			/* second time with fp-16 */
10925 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10926 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10927 			/* fetch secound map_value_ptr from the stack */
10928 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
10929 			/* write into map value */
10930 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10931 			BPF_EXIT_INSN(),
10932 
10933 			/* subprog 2 */
10934 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10935 			/* lookup from map */
10936 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10937 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10938 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10939 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10940 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10941 				     BPF_FUNC_map_lookup_elem),
10942 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10943 			BPF_MOV64_IMM(BPF_REG_0, 0),
10944 			BPF_EXIT_INSN(), /* return 0 */
10945 			/* write map_value_ptr into stack frame of main prog */
10946 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10947 			BPF_MOV64_IMM(BPF_REG_0, 1),
10948 			BPF_EXIT_INSN(), /* return 1 */
10949 		},
10950 		.prog_type = BPF_PROG_TYPE_XDP,
10951 		.fixup_map1 = { 23 },
10952 		.result = REJECT,
10953 		.errstr = "invalid read from stack off -16+0 size 8",
10954 	},
10955 	{
10956 		"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
10957 		.insns = {
10958 			/* main prog */
10959 			/* pass fp-16, fp-8 into a function */
10960 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10961 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10962 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10963 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10964 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10965 			BPF_MOV64_IMM(BPF_REG_0, 0),
10966 			BPF_EXIT_INSN(),
10967 
10968 			/* subprog 1 */
10969 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10970 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10971 			/* 1st lookup from map */
10972 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10973 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10974 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10975 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10976 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10977 				     BPF_FUNC_map_lookup_elem),
10978 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10979 			BPF_MOV64_IMM(BPF_REG_8, 0),
10980 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10981 			/* write map_value_ptr into stack frame of main prog at fp-8 */
10982 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10983 			BPF_MOV64_IMM(BPF_REG_8, 1),
10984 
10985 			/* 2nd lookup from map */
10986 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
10987 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10988 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10989 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
10990 				     BPF_FUNC_map_lookup_elem),
10991 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10992 			BPF_MOV64_IMM(BPF_REG_9, 0),
10993 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10994 			/* write map_value_ptr into stack frame of main prog at fp-16 */
10995 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10996 			BPF_MOV64_IMM(BPF_REG_9, 1),
10997 
10998 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10999 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11000 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11001 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11002 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11003 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
11004 			BPF_EXIT_INSN(),
11005 
11006 			/* subprog 2 */
11007 			/* if arg2 == 1 do *arg1 = 0 */
11008 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11009 			/* fetch map_value_ptr from the stack of this function */
11010 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11011 			/* write into map value */
11012 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11013 
11014 			/* if arg4 == 1 do *arg3 = 0 */
11015 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11016 			/* fetch map_value_ptr from the stack of this function */
11017 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11018 			/* write into map value */
11019 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11020 			BPF_EXIT_INSN(),
11021 		},
11022 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11023 		.fixup_map1 = { 12, 22 },
11024 		.result = REJECT,
11025 		.errstr = "invalid access to map value, value_size=8 off=2 size=8",
11026 	},
11027 	{
11028 		"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
11029 		.insns = {
11030 			/* main prog */
11031 			/* pass fp-16, fp-8 into a function */
11032 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11033 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11034 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11035 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11036 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11037 			BPF_MOV64_IMM(BPF_REG_0, 0),
11038 			BPF_EXIT_INSN(),
11039 
11040 			/* subprog 1 */
11041 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11042 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11043 			/* 1st lookup from map */
11044 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11045 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11046 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11047 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11048 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11049 				     BPF_FUNC_map_lookup_elem),
11050 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11051 			BPF_MOV64_IMM(BPF_REG_8, 0),
11052 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11053 			/* write map_value_ptr into stack frame of main prog at fp-8 */
11054 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11055 			BPF_MOV64_IMM(BPF_REG_8, 1),
11056 
11057 			/* 2nd lookup from map */
11058 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11059 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11060 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11061 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11062 				     BPF_FUNC_map_lookup_elem),
11063 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11064 			BPF_MOV64_IMM(BPF_REG_9, 0),
11065 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11066 			/* write map_value_ptr into stack frame of main prog at fp-16 */
11067 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11068 			BPF_MOV64_IMM(BPF_REG_9, 1),
11069 
11070 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11071 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11072 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11073 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11074 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11075 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
11076 			BPF_EXIT_INSN(),
11077 
11078 			/* subprog 2 */
11079 			/* if arg2 == 1 do *arg1 = 0 */
11080 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11081 			/* fetch map_value_ptr from the stack of this function */
11082 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11083 			/* write into map value */
11084 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11085 
11086 			/* if arg4 == 1 do *arg3 = 0 */
11087 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11088 			/* fetch map_value_ptr from the stack of this function */
11089 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11090 			/* write into map value */
11091 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11092 			BPF_EXIT_INSN(),
11093 		},
11094 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11095 		.fixup_map1 = { 12, 22 },
11096 		.result = ACCEPT,
11097 	},
11098 	{
11099 		"calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
11100 		.insns = {
11101 			/* main prog */
11102 			/* pass fp-16, fp-8 into a function */
11103 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11104 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11105 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11106 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11107 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11108 			BPF_MOV64_IMM(BPF_REG_0, 0),
11109 			BPF_EXIT_INSN(),
11110 
11111 			/* subprog 1 */
11112 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11113 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11114 			/* 1st lookup from map */
11115 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
11116 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11117 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11118 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11119 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11120 				     BPF_FUNC_map_lookup_elem),
11121 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11122 			BPF_MOV64_IMM(BPF_REG_8, 0),
11123 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11124 			/* write map_value_ptr into stack frame of main prog at fp-8 */
11125 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11126 			BPF_MOV64_IMM(BPF_REG_8, 1),
11127 
11128 			/* 2nd lookup from map */
11129 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11130 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11131 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11132 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11133 				     BPF_FUNC_map_lookup_elem),
11134 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11135 			BPF_MOV64_IMM(BPF_REG_9, 0),  // 26
11136 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11137 			/* write map_value_ptr into stack frame of main prog at fp-16 */
11138 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11139 			BPF_MOV64_IMM(BPF_REG_9, 1),
11140 
11141 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11142 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
11143 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11144 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11145 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11146 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
11147 			BPF_JMP_IMM(BPF_JA, 0, 0, -30),
11148 
11149 			/* subprog 2 */
11150 			/* if arg2 == 1 do *arg1 = 0 */
11151 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11152 			/* fetch map_value_ptr from the stack of this function */
11153 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11154 			/* write into map value */
11155 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11156 
11157 			/* if arg4 == 1 do *arg3 = 0 */
11158 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11159 			/* fetch map_value_ptr from the stack of this function */
11160 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11161 			/* write into map value */
11162 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11163 			BPF_JMP_IMM(BPF_JA, 0, 0, -8),
11164 		},
11165 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11166 		.fixup_map1 = { 12, 22 },
11167 		.result = REJECT,
11168 		.errstr = "invalid access to map value, value_size=8 off=2 size=8",
11169 	},
11170 	{
11171 		"calls: two calls that receive map_value_ptr_or_null via arg. test1",
11172 		.insns = {
11173 			/* main prog */
11174 			/* pass fp-16, fp-8 into a function */
11175 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11176 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11177 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11178 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11179 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11180 			BPF_MOV64_IMM(BPF_REG_0, 0),
11181 			BPF_EXIT_INSN(),
11182 
11183 			/* subprog 1 */
11184 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11185 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11186 			/* 1st lookup from map */
11187 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11188 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11189 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11190 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11191 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11192 				     BPF_FUNC_map_lookup_elem),
11193 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11194 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11195 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11196 			BPF_MOV64_IMM(BPF_REG_8, 0),
11197 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11198 			BPF_MOV64_IMM(BPF_REG_8, 1),
11199 
11200 			/* 2nd lookup from map */
11201 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11202 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11203 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11204 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11205 				     BPF_FUNC_map_lookup_elem),
11206 			/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11207 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11208 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11209 			BPF_MOV64_IMM(BPF_REG_9, 0),
11210 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11211 			BPF_MOV64_IMM(BPF_REG_9, 1),
11212 
11213 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11214 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11215 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11216 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11217 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11218 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11219 			BPF_EXIT_INSN(),
11220 
11221 			/* subprog 2 */
11222 			/* if arg2 == 1 do *arg1 = 0 */
11223 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11224 			/* fetch map_value_ptr from the stack of this function */
11225 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11226 			/* write into map value */
11227 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11228 
11229 			/* if arg4 == 1 do *arg3 = 0 */
11230 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11231 			/* fetch map_value_ptr from the stack of this function */
11232 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11233 			/* write into map value */
11234 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11235 			BPF_EXIT_INSN(),
11236 		},
11237 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11238 		.fixup_map1 = { 12, 22 },
11239 		.result = ACCEPT,
11240 	},
11241 	{
11242 		"calls: two calls that receive map_value_ptr_or_null via arg. test2",
11243 		.insns = {
11244 			/* main prog */
11245 			/* pass fp-16, fp-8 into a function */
11246 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11247 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11248 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11249 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11250 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11251 			BPF_MOV64_IMM(BPF_REG_0, 0),
11252 			BPF_EXIT_INSN(),
11253 
11254 			/* subprog 1 */
11255 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11256 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11257 			/* 1st lookup from map */
11258 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11259 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11260 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11261 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11262 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11263 				     BPF_FUNC_map_lookup_elem),
11264 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11265 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11266 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11267 			BPF_MOV64_IMM(BPF_REG_8, 0),
11268 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11269 			BPF_MOV64_IMM(BPF_REG_8, 1),
11270 
11271 			/* 2nd lookup from map */
11272 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11273 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11274 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11275 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11276 				     BPF_FUNC_map_lookup_elem),
11277 			/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11278 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11279 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11280 			BPF_MOV64_IMM(BPF_REG_9, 0),
11281 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11282 			BPF_MOV64_IMM(BPF_REG_9, 1),
11283 
11284 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11285 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11286 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11287 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11288 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11289 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11290 			BPF_EXIT_INSN(),
11291 
11292 			/* subprog 2 */
11293 			/* if arg2 == 1 do *arg1 = 0 */
11294 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11295 			/* fetch map_value_ptr from the stack of this function */
11296 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11297 			/* write into map value */
11298 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11299 
11300 			/* if arg4 == 0 do *arg3 = 0 */
11301 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
11302 			/* fetch map_value_ptr from the stack of this function */
11303 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11304 			/* write into map value */
11305 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11306 			BPF_EXIT_INSN(),
11307 		},
11308 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11309 		.fixup_map1 = { 12, 22 },
11310 		.result = REJECT,
11311 		.errstr = "R0 invalid mem access 'inv'",
11312 	},
11313 	{
11314 		"calls: pkt_ptr spill into caller stack",
11315 		.insns = {
11316 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11317 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11318 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11319 			BPF_EXIT_INSN(),
11320 
11321 			/* subprog 1 */
11322 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11323 				    offsetof(struct __sk_buff, data)),
11324 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11325 				    offsetof(struct __sk_buff, data_end)),
11326 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11327 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11328 			/* spill unchecked pkt_ptr into stack of caller */
11329 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11330 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11331 			/* now the pkt range is verified, read pkt_ptr from stack */
11332 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11333 			/* write 4 bytes into packet */
11334 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11335 			BPF_EXIT_INSN(),
11336 		},
11337 		.result = ACCEPT,
11338 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11339 		.retval = POINTER_VALUE,
11340 	},
11341 	{
11342 		"calls: pkt_ptr spill into caller stack 2",
11343 		.insns = {
11344 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11345 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11346 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11347 			/* Marking is still kept, but not in all cases safe. */
11348 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11349 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11350 			BPF_EXIT_INSN(),
11351 
11352 			/* subprog 1 */
11353 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11354 				    offsetof(struct __sk_buff, data)),
11355 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11356 				    offsetof(struct __sk_buff, data_end)),
11357 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11358 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11359 			/* spill unchecked pkt_ptr into stack of caller */
11360 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11361 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11362 			/* now the pkt range is verified, read pkt_ptr from stack */
11363 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11364 			/* write 4 bytes into packet */
11365 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11366 			BPF_EXIT_INSN(),
11367 		},
11368 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11369 		.errstr = "invalid access to packet",
11370 		.result = REJECT,
11371 	},
11372 	{
11373 		"calls: pkt_ptr spill into caller stack 3",
11374 		.insns = {
11375 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11376 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11377 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11378 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11379 			/* Marking is still kept and safe here. */
11380 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11381 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11382 			BPF_EXIT_INSN(),
11383 
11384 			/* subprog 1 */
11385 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11386 				    offsetof(struct __sk_buff, data)),
11387 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11388 				    offsetof(struct __sk_buff, data_end)),
11389 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11390 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11391 			/* spill unchecked pkt_ptr into stack of caller */
11392 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11393 			BPF_MOV64_IMM(BPF_REG_5, 0),
11394 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11395 			BPF_MOV64_IMM(BPF_REG_5, 1),
11396 			/* now the pkt range is verified, read pkt_ptr from stack */
11397 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11398 			/* write 4 bytes into packet */
11399 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11400 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11401 			BPF_EXIT_INSN(),
11402 		},
11403 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11404 		.result = ACCEPT,
11405 		.retval = 1,
11406 	},
11407 	{
11408 		"calls: pkt_ptr spill into caller stack 4",
11409 		.insns = {
11410 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11411 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11412 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11413 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11414 			/* Check marking propagated. */
11415 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11416 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11417 			BPF_EXIT_INSN(),
11418 
11419 			/* subprog 1 */
11420 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11421 				    offsetof(struct __sk_buff, data)),
11422 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11423 				    offsetof(struct __sk_buff, data_end)),
11424 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11425 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11426 			/* spill unchecked pkt_ptr into stack of caller */
11427 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11428 			BPF_MOV64_IMM(BPF_REG_5, 0),
11429 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11430 			BPF_MOV64_IMM(BPF_REG_5, 1),
11431 			/* don't read back pkt_ptr from stack here */
11432 			/* write 4 bytes into packet */
11433 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11434 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11435 			BPF_EXIT_INSN(),
11436 		},
11437 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11438 		.result = ACCEPT,
11439 		.retval = 1,
11440 	},
11441 	{
11442 		"calls: pkt_ptr spill into caller stack 5",
11443 		.insns = {
11444 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11445 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11446 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
11447 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11448 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11449 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11450 			BPF_EXIT_INSN(),
11451 
11452 			/* subprog 1 */
11453 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11454 				    offsetof(struct __sk_buff, data)),
11455 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11456 				    offsetof(struct __sk_buff, data_end)),
11457 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11458 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11459 			BPF_MOV64_IMM(BPF_REG_5, 0),
11460 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11461 			/* spill checked pkt_ptr into stack of caller */
11462 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11463 			BPF_MOV64_IMM(BPF_REG_5, 1),
11464 			/* don't read back pkt_ptr from stack here */
11465 			/* write 4 bytes into packet */
11466 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11467 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11468 			BPF_EXIT_INSN(),
11469 		},
11470 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11471 		.errstr = "same insn cannot be used with different",
11472 		.result = REJECT,
11473 	},
11474 	{
11475 		"calls: pkt_ptr spill into caller stack 6",
11476 		.insns = {
11477 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11478 				    offsetof(struct __sk_buff, data_end)),
11479 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11480 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11481 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11482 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11483 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11484 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11485 			BPF_EXIT_INSN(),
11486 
11487 			/* subprog 1 */
11488 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11489 				    offsetof(struct __sk_buff, data)),
11490 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11491 				    offsetof(struct __sk_buff, data_end)),
11492 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11493 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11494 			BPF_MOV64_IMM(BPF_REG_5, 0),
11495 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11496 			/* spill checked pkt_ptr into stack of caller */
11497 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11498 			BPF_MOV64_IMM(BPF_REG_5, 1),
11499 			/* don't read back pkt_ptr from stack here */
11500 			/* write 4 bytes into packet */
11501 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11502 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11503 			BPF_EXIT_INSN(),
11504 		},
11505 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11506 		.errstr = "R4 invalid mem access",
11507 		.result = REJECT,
11508 	},
11509 	{
11510 		"calls: pkt_ptr spill into caller stack 7",
11511 		.insns = {
11512 			BPF_MOV64_IMM(BPF_REG_2, 0),
11513 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11514 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11515 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11516 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11517 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11518 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11519 			BPF_EXIT_INSN(),
11520 
11521 			/* subprog 1 */
11522 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11523 				    offsetof(struct __sk_buff, data)),
11524 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11525 				    offsetof(struct __sk_buff, data_end)),
11526 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11527 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11528 			BPF_MOV64_IMM(BPF_REG_5, 0),
11529 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11530 			/* spill checked pkt_ptr into stack of caller */
11531 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11532 			BPF_MOV64_IMM(BPF_REG_5, 1),
11533 			/* don't read back pkt_ptr from stack here */
11534 			/* write 4 bytes into packet */
11535 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11536 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11537 			BPF_EXIT_INSN(),
11538 		},
11539 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11540 		.errstr = "R4 invalid mem access",
11541 		.result = REJECT,
11542 	},
11543 	{
11544 		"calls: pkt_ptr spill into caller stack 8",
11545 		.insns = {
11546 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11547 				    offsetof(struct __sk_buff, data)),
11548 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11549 				    offsetof(struct __sk_buff, data_end)),
11550 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11551 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11552 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11553 			BPF_EXIT_INSN(),
11554 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11555 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11556 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11557 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11558 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11559 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11560 			BPF_EXIT_INSN(),
11561 
11562 			/* subprog 1 */
11563 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11564 				    offsetof(struct __sk_buff, data)),
11565 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11566 				    offsetof(struct __sk_buff, data_end)),
11567 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11568 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11569 			BPF_MOV64_IMM(BPF_REG_5, 0),
11570 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11571 			/* spill checked pkt_ptr into stack of caller */
11572 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11573 			BPF_MOV64_IMM(BPF_REG_5, 1),
11574 			/* don't read back pkt_ptr from stack here */
11575 			/* write 4 bytes into packet */
11576 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11577 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11578 			BPF_EXIT_INSN(),
11579 		},
11580 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11581 		.result = ACCEPT,
11582 	},
11583 	{
11584 		"calls: pkt_ptr spill into caller stack 9",
11585 		.insns = {
11586 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11587 				    offsetof(struct __sk_buff, data)),
11588 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11589 				    offsetof(struct __sk_buff, data_end)),
11590 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11591 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11592 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11593 			BPF_EXIT_INSN(),
11594 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11595 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11596 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11597 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11598 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11599 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11600 			BPF_EXIT_INSN(),
11601 
11602 			/* subprog 1 */
11603 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11604 				    offsetof(struct __sk_buff, data)),
11605 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11606 				    offsetof(struct __sk_buff, data_end)),
11607 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11608 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11609 			BPF_MOV64_IMM(BPF_REG_5, 0),
11610 			/* spill unchecked pkt_ptr into stack of caller */
11611 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11612 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11613 			BPF_MOV64_IMM(BPF_REG_5, 1),
11614 			/* don't read back pkt_ptr from stack here */
11615 			/* write 4 bytes into packet */
11616 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11617 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11618 			BPF_EXIT_INSN(),
11619 		},
11620 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11621 		.errstr = "invalid access to packet",
11622 		.result = REJECT,
11623 	},
11624 	{
11625 		"calls: caller stack init to zero or map_value_or_null",
11626 		.insns = {
11627 			BPF_MOV64_IMM(BPF_REG_0, 0),
11628 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11629 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11630 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11631 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11632 			/* fetch map_value_or_null or const_zero from stack */
11633 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11634 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11635 			/* store into map_value */
11636 			BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
11637 			BPF_EXIT_INSN(),
11638 
11639 			/* subprog 1 */
11640 			/* if (ctx == 0) return; */
11641 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
11642 			/* else bpf_map_lookup() and *(fp - 8) = r0 */
11643 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
11644 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11645 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11646 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11647 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11648 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11649 				     BPF_FUNC_map_lookup_elem),
11650 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11651 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11652 			BPF_EXIT_INSN(),
11653 		},
11654 		.fixup_map1 = { 13 },
11655 		.result = ACCEPT,
11656 		.prog_type = BPF_PROG_TYPE_XDP,
11657 	},
11658 	{
11659 		"calls: stack init to zero and pruning",
11660 		.insns = {
11661 			/* first make allocated_stack 16 byte */
11662 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
11663 			/* now fork the execution such that the false branch
11664 			 * of JGT insn will be verified second and it skisp zero
11665 			 * init of fp-8 stack slot. If stack liveness marking
11666 			 * is missing live_read marks from call map_lookup
11667 			 * processing then pruning will incorrectly assume
11668 			 * that fp-8 stack slot was unused in the fall-through
11669 			 * branch and will accept the program incorrectly
11670 			 */
11671 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
11672 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11673 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
11674 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11675 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11676 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11677 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11678 				     BPF_FUNC_map_lookup_elem),
11679 			BPF_EXIT_INSN(),
11680 		},
11681 		.fixup_map2 = { 6 },
11682 		.errstr = "invalid indirect read from stack off -8+0 size 8",
11683 		.result = REJECT,
11684 		.prog_type = BPF_PROG_TYPE_XDP,
11685 	},
11686 	{
11687 		"calls: two calls returning different map pointers for lookup (hash, array)",
11688 		.insns = {
11689 			/* main prog */
11690 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11691 			BPF_CALL_REL(11),
11692 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11693 			BPF_CALL_REL(12),
11694 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11695 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11696 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11697 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11698 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11699 				     BPF_FUNC_map_lookup_elem),
11700 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11701 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11702 				   offsetof(struct test_val, foo)),
11703 			BPF_MOV64_IMM(BPF_REG_0, 1),
11704 			BPF_EXIT_INSN(),
11705 			/* subprog 1 */
11706 			BPF_LD_MAP_FD(BPF_REG_0, 0),
11707 			BPF_EXIT_INSN(),
11708 			/* subprog 2 */
11709 			BPF_LD_MAP_FD(BPF_REG_0, 0),
11710 			BPF_EXIT_INSN(),
11711 		},
11712 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11713 		.fixup_map2 = { 13 },
11714 		.fixup_map4 = { 16 },
11715 		.result = ACCEPT,
11716 		.retval = 1,
11717 	},
11718 	{
11719 		"calls: two calls returning different map pointers for lookup (hash, map in map)",
11720 		.insns = {
11721 			/* main prog */
11722 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11723 			BPF_CALL_REL(11),
11724 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11725 			BPF_CALL_REL(12),
11726 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11727 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11728 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11729 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11730 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11731 				     BPF_FUNC_map_lookup_elem),
11732 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11733 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11734 				   offsetof(struct test_val, foo)),
11735 			BPF_MOV64_IMM(BPF_REG_0, 1),
11736 			BPF_EXIT_INSN(),
11737 			/* subprog 1 */
11738 			BPF_LD_MAP_FD(BPF_REG_0, 0),
11739 			BPF_EXIT_INSN(),
11740 			/* subprog 2 */
11741 			BPF_LD_MAP_FD(BPF_REG_0, 0),
11742 			BPF_EXIT_INSN(),
11743 		},
11744 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11745 		.fixup_map_in_map = { 16 },
11746 		.fixup_map4 = { 13 },
11747 		.result = REJECT,
11748 		.errstr = "R0 invalid mem access 'map_ptr'",
11749 	},
11750 	{
11751 		"cond: two branches returning different map pointers for lookup (tail, tail)",
11752 		.insns = {
11753 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11754 				    offsetof(struct __sk_buff, mark)),
11755 			BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
11756 			BPF_LD_MAP_FD(BPF_REG_2, 0),
11757 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11758 			BPF_LD_MAP_FD(BPF_REG_2, 0),
11759 			BPF_MOV64_IMM(BPF_REG_3, 7),
11760 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11761 				     BPF_FUNC_tail_call),
11762 			BPF_MOV64_IMM(BPF_REG_0, 1),
11763 			BPF_EXIT_INSN(),
11764 		},
11765 		.fixup_prog1 = { 5 },
11766 		.fixup_prog2 = { 2 },
11767 		.result_unpriv = REJECT,
11768 		.errstr_unpriv = "tail_call abusing map_ptr",
11769 		.result = ACCEPT,
11770 		.retval = 42,
11771 	},
11772 	{
11773 		"cond: two branches returning same map pointers for lookup (tail, tail)",
11774 		.insns = {
11775 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11776 				    offsetof(struct __sk_buff, mark)),
11777 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
11778 			BPF_LD_MAP_FD(BPF_REG_2, 0),
11779 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11780 			BPF_LD_MAP_FD(BPF_REG_2, 0),
11781 			BPF_MOV64_IMM(BPF_REG_3, 7),
11782 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11783 				     BPF_FUNC_tail_call),
11784 			BPF_MOV64_IMM(BPF_REG_0, 1),
11785 			BPF_EXIT_INSN(),
11786 		},
11787 		.fixup_prog2 = { 2, 5 },
11788 		.result_unpriv = ACCEPT,
11789 		.result = ACCEPT,
11790 		.retval = 42,
11791 	},
11792 	{
11793 		"search pruning: all branches should be verified (nop operation)",
11794 		.insns = {
11795 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11796 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11797 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11798 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11799 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11800 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
11801 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11802 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11803 			BPF_MOV64_IMM(BPF_REG_4, 0),
11804 			BPF_JMP_A(1),
11805 			BPF_MOV64_IMM(BPF_REG_4, 1),
11806 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11807 			BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11808 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11809 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
11810 			BPF_MOV64_IMM(BPF_REG_6, 0),
11811 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
11812 			BPF_EXIT_INSN(),
11813 		},
11814 		.fixup_map1 = { 3 },
11815 		.errstr = "R6 invalid mem access 'inv'",
11816 		.result = REJECT,
11817 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11818 	},
11819 	{
11820 		"search pruning: all branches should be verified (invalid stack access)",
11821 		.insns = {
11822 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11823 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11824 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11825 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11826 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11827 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
11828 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11829 			BPF_MOV64_IMM(BPF_REG_4, 0),
11830 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11831 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11832 			BPF_JMP_A(1),
11833 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
11834 			BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11835 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11836 			BPF_EXIT_INSN(),
11837 		},
11838 		.fixup_map1 = { 3 },
11839 		.errstr = "invalid read from stack off -16+0 size 8",
11840 		.result = REJECT,
11841 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11842 	},
11843 	{
11844 		"jit: lsh, rsh, arsh by 1",
11845 		.insns = {
11846 			BPF_MOV64_IMM(BPF_REG_0, 1),
11847 			BPF_MOV64_IMM(BPF_REG_1, 0xff),
11848 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
11849 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
11850 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
11851 			BPF_EXIT_INSN(),
11852 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
11853 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
11854 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
11855 			BPF_EXIT_INSN(),
11856 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
11857 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
11858 			BPF_EXIT_INSN(),
11859 			BPF_MOV64_IMM(BPF_REG_0, 2),
11860 			BPF_EXIT_INSN(),
11861 		},
11862 		.result = ACCEPT,
11863 		.retval = 2,
11864 	},
11865 	{
11866 		"jit: mov32 for ldimm64, 1",
11867 		.insns = {
11868 			BPF_MOV64_IMM(BPF_REG_0, 2),
11869 			BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
11870 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
11871 			BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
11872 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
11873 			BPF_MOV64_IMM(BPF_REG_0, 1),
11874 			BPF_EXIT_INSN(),
11875 		},
11876 		.result = ACCEPT,
11877 		.retval = 2,
11878 	},
11879 	{
11880 		"jit: mov32 for ldimm64, 2",
11881 		.insns = {
11882 			BPF_MOV64_IMM(BPF_REG_0, 1),
11883 			BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
11884 			BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
11885 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
11886 			BPF_MOV64_IMM(BPF_REG_0, 2),
11887 			BPF_EXIT_INSN(),
11888 		},
11889 		.result = ACCEPT,
11890 		.retval = 2,
11891 	},
11892 	{
11893 		"jit: various mul tests",
11894 		.insns = {
11895 			BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
11896 			BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
11897 			BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
11898 			BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
11899 			BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
11900 			BPF_MOV64_IMM(BPF_REG_0, 1),
11901 			BPF_EXIT_INSN(),
11902 			BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
11903 			BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
11904 			BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
11905 			BPF_MOV64_IMM(BPF_REG_0, 1),
11906 			BPF_EXIT_INSN(),
11907 			BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
11908 			BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
11909 			BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
11910 			BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
11911 			BPF_MOV64_IMM(BPF_REG_0, 1),
11912 			BPF_EXIT_INSN(),
11913 			BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
11914 			BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
11915 			BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
11916 			BPF_MOV64_IMM(BPF_REG_0, 1),
11917 			BPF_EXIT_INSN(),
11918 			BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
11919 			BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
11920 			BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
11921 			BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
11922 			BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
11923 			BPF_MOV64_IMM(BPF_REG_0, 1),
11924 			BPF_EXIT_INSN(),
11925 			BPF_MOV64_IMM(BPF_REG_0, 2),
11926 			BPF_EXIT_INSN(),
11927 		},
11928 		.result = ACCEPT,
11929 		.retval = 2,
11930 	},
11931 	{
11932 		"xadd/w check unaligned stack",
11933 		.insns = {
11934 			BPF_MOV64_IMM(BPF_REG_0, 1),
11935 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11936 			BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
11937 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11938 			BPF_EXIT_INSN(),
11939 		},
11940 		.result = REJECT,
11941 		.errstr = "misaligned stack access off",
11942 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11943 	},
11944 	{
11945 		"xadd/w check unaligned map",
11946 		.insns = {
11947 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11948 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11949 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11950 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11951 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11952 				     BPF_FUNC_map_lookup_elem),
11953 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
11954 			BPF_EXIT_INSN(),
11955 			BPF_MOV64_IMM(BPF_REG_1, 1),
11956 			BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
11957 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
11958 			BPF_EXIT_INSN(),
11959 		},
11960 		.fixup_map1 = { 3 },
11961 		.result = REJECT,
11962 		.errstr = "misaligned value access off",
11963 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11964 	},
11965 	{
11966 		"xadd/w check unaligned pkt",
11967 		.insns = {
11968 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11969 				    offsetof(struct xdp_md, data)),
11970 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11971 				    offsetof(struct xdp_md, data_end)),
11972 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11973 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11974 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
11975 			BPF_MOV64_IMM(BPF_REG_0, 99),
11976 			BPF_JMP_IMM(BPF_JA, 0, 0, 6),
11977 			BPF_MOV64_IMM(BPF_REG_0, 1),
11978 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11979 			BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
11980 			BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
11981 			BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
11982 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
11983 			BPF_EXIT_INSN(),
11984 		},
11985 		.result = REJECT,
11986 		.errstr = "BPF_XADD stores into R2 packet",
11987 		.prog_type = BPF_PROG_TYPE_XDP,
11988 	},
11989 	{
11990 		"bpf_get_stack return R0 within range",
11991 		.insns = {
11992 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11993 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11994 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11995 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11996 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11997 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11998 				     BPF_FUNC_map_lookup_elem),
11999 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
12000 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12001 			BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
12002 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12003 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12004 			BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
12005 			BPF_MOV64_IMM(BPF_REG_4, 256),
12006 			BPF_EMIT_CALL(BPF_FUNC_get_stack),
12007 			BPF_MOV64_IMM(BPF_REG_1, 0),
12008 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
12009 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
12010 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
12011 			BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
12012 			BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
12013 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12014 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
12015 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
12016 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
12017 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
12018 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
12019 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
12020 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12021 			BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
12022 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
12023 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
12024 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12025 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
12026 			BPF_MOV64_IMM(BPF_REG_4, 0),
12027 			BPF_EMIT_CALL(BPF_FUNC_get_stack),
12028 			BPF_EXIT_INSN(),
12029 		},
12030 		.fixup_map2 = { 4 },
12031 		.result = ACCEPT,
12032 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12033 	},
12034 	{
12035 		"ld_abs: invalid op 1",
12036 		.insns = {
12037 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12038 			BPF_LD_ABS(BPF_DW, 0),
12039 			BPF_EXIT_INSN(),
12040 		},
12041 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12042 		.result = REJECT,
12043 		.errstr = "unknown opcode",
12044 	},
12045 	{
12046 		"ld_abs: invalid op 2",
12047 		.insns = {
12048 			BPF_MOV32_IMM(BPF_REG_0, 256),
12049 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12050 			BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
12051 			BPF_EXIT_INSN(),
12052 		},
12053 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12054 		.result = REJECT,
12055 		.errstr = "unknown opcode",
12056 	},
12057 	{
12058 		"ld_abs: nmap reduced",
12059 		.insns = {
12060 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12061 			BPF_LD_ABS(BPF_H, 12),
12062 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
12063 			BPF_LD_ABS(BPF_H, 12),
12064 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
12065 			BPF_MOV32_IMM(BPF_REG_0, 18),
12066 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
12067 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
12068 			BPF_LD_IND(BPF_W, BPF_REG_7, 14),
12069 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
12070 			BPF_MOV32_IMM(BPF_REG_0, 280971478),
12071 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12072 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12073 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
12074 			BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12075 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
12076 			BPF_LD_ABS(BPF_H, 12),
12077 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
12078 			BPF_MOV32_IMM(BPF_REG_0, 22),
12079 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12080 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12081 			BPF_LD_IND(BPF_H, BPF_REG_7, 14),
12082 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
12083 			BPF_MOV32_IMM(BPF_REG_0, 17366),
12084 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
12085 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
12086 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
12087 			BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12088 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12089 			BPF_MOV32_IMM(BPF_REG_0, 256),
12090 			BPF_EXIT_INSN(),
12091 			BPF_MOV32_IMM(BPF_REG_0, 0),
12092 			BPF_EXIT_INSN(),
12093 		},
12094 		.data = {
12095 			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
12096 			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
12097 			0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
12098 		},
12099 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12100 		.result = ACCEPT,
12101 		.retval = 256,
12102 	},
12103 	{
12104 		"ld_abs: div + abs, test 1",
12105 		.insns = {
12106 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12107 			BPF_LD_ABS(BPF_B, 3),
12108 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12109 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12110 			BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12111 			BPF_LD_ABS(BPF_B, 4),
12112 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12113 			BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12114 			BPF_EXIT_INSN(),
12115 		},
12116 		.data = {
12117 			10, 20, 30, 40, 50,
12118 		},
12119 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12120 		.result = ACCEPT,
12121 		.retval = 10,
12122 	},
12123 	{
12124 		"ld_abs: div + abs, test 2",
12125 		.insns = {
12126 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12127 			BPF_LD_ABS(BPF_B, 3),
12128 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12129 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12130 			BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12131 			BPF_LD_ABS(BPF_B, 128),
12132 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12133 			BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12134 			BPF_EXIT_INSN(),
12135 		},
12136 		.data = {
12137 			10, 20, 30, 40, 50,
12138 		},
12139 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12140 		.result = ACCEPT,
12141 		.retval = 0,
12142 	},
12143 	{
12144 		"ld_abs: div + abs, test 3",
12145 		.insns = {
12146 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12147 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12148 			BPF_LD_ABS(BPF_B, 3),
12149 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12150 			BPF_EXIT_INSN(),
12151 		},
12152 		.data = {
12153 			10, 20, 30, 40, 50,
12154 		},
12155 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12156 		.result = ACCEPT,
12157 		.retval = 0,
12158 	},
12159 	{
12160 		"ld_abs: div + abs, test 4",
12161 		.insns = {
12162 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12163 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12164 			BPF_LD_ABS(BPF_B, 256),
12165 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12166 			BPF_EXIT_INSN(),
12167 		},
12168 		.data = {
12169 			10, 20, 30, 40, 50,
12170 		},
12171 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12172 		.result = ACCEPT,
12173 		.retval = 0,
12174 	},
12175 	{
12176 		"ld_abs: vlan + abs, test 1",
12177 		.insns = { },
12178 		.data = {
12179 			0x34,
12180 		},
12181 		.fill_helper = bpf_fill_ld_abs_vlan_push_pop,
12182 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12183 		.result = ACCEPT,
12184 		.retval = 0xbef,
12185 	},
12186 	{
12187 		"ld_abs: vlan + abs, test 2",
12188 		.insns = {
12189 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12190 			BPF_LD_ABS(BPF_B, 0),
12191 			BPF_LD_ABS(BPF_H, 0),
12192 			BPF_LD_ABS(BPF_W, 0),
12193 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
12194 			BPF_MOV64_IMM(BPF_REG_6, 0),
12195 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12196 			BPF_MOV64_IMM(BPF_REG_2, 1),
12197 			BPF_MOV64_IMM(BPF_REG_3, 2),
12198 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12199 				     BPF_FUNC_skb_vlan_push),
12200 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
12201 			BPF_LD_ABS(BPF_B, 0),
12202 			BPF_LD_ABS(BPF_H, 0),
12203 			BPF_LD_ABS(BPF_W, 0),
12204 			BPF_MOV64_IMM(BPF_REG_0, 42),
12205 			BPF_EXIT_INSN(),
12206 		},
12207 		.data = {
12208 			0x34,
12209 		},
12210 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12211 		.result = ACCEPT,
12212 		.retval = 42,
12213 	},
12214 	{
12215 		"ld_abs: jump around ld_abs",
12216 		.insns = { },
12217 		.data = {
12218 			10, 11,
12219 		},
12220 		.fill_helper = bpf_fill_jump_around_ld_abs,
12221 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12222 		.result = ACCEPT,
12223 		.retval = 10,
12224 	},
12225 	{
12226 		"ld_dw: xor semi-random 64 bit imms, test 1",
12227 		.insns = { },
12228 		.data = { },
12229 		.fill_helper = bpf_fill_rand_ld_dw,
12230 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12231 		.result = ACCEPT,
12232 		.retval = 4090,
12233 	},
12234 	{
12235 		"ld_dw: xor semi-random 64 bit imms, test 2",
12236 		.insns = { },
12237 		.data = { },
12238 		.fill_helper = bpf_fill_rand_ld_dw,
12239 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12240 		.result = ACCEPT,
12241 		.retval = 2047,
12242 	},
12243 	{
12244 		"ld_dw: xor semi-random 64 bit imms, test 3",
12245 		.insns = { },
12246 		.data = { },
12247 		.fill_helper = bpf_fill_rand_ld_dw,
12248 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12249 		.result = ACCEPT,
12250 		.retval = 511,
12251 	},
12252 	{
12253 		"ld_dw: xor semi-random 64 bit imms, test 4",
12254 		.insns = { },
12255 		.data = { },
12256 		.fill_helper = bpf_fill_rand_ld_dw,
12257 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12258 		.result = ACCEPT,
12259 		.retval = 5,
12260 	},
12261 	{
12262 		"pass unmodified ctx pointer to helper",
12263 		.insns = {
12264 			BPF_MOV64_IMM(BPF_REG_2, 0),
12265 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12266 				     BPF_FUNC_csum_update),
12267 			BPF_MOV64_IMM(BPF_REG_0, 0),
12268 			BPF_EXIT_INSN(),
12269 		},
12270 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12271 		.result = ACCEPT,
12272 	},
12273 	{
12274 		"pass modified ctx pointer to helper, 1",
12275 		.insns = {
12276 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
12277 			BPF_MOV64_IMM(BPF_REG_2, 0),
12278 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12279 				     BPF_FUNC_csum_update),
12280 			BPF_MOV64_IMM(BPF_REG_0, 0),
12281 			BPF_EXIT_INSN(),
12282 		},
12283 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12284 		.result = REJECT,
12285 		.errstr = "dereference of modified ctx ptr",
12286 	},
12287 	{
12288 		"pass modified ctx pointer to helper, 2",
12289 		.insns = {
12290 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
12291 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12292 				     BPF_FUNC_get_socket_cookie),
12293 			BPF_MOV64_IMM(BPF_REG_0, 0),
12294 			BPF_EXIT_INSN(),
12295 		},
12296 		.result_unpriv = REJECT,
12297 		.result = REJECT,
12298 		.errstr_unpriv = "dereference of modified ctx ptr",
12299 		.errstr = "dereference of modified ctx ptr",
12300 	},
12301 	{
12302 		"pass modified ctx pointer to helper, 3",
12303 		.insns = {
12304 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
12305 			BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
12306 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
12307 			BPF_MOV64_IMM(BPF_REG_2, 0),
12308 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12309 				     BPF_FUNC_csum_update),
12310 			BPF_MOV64_IMM(BPF_REG_0, 0),
12311 			BPF_EXIT_INSN(),
12312 		},
12313 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12314 		.result = REJECT,
12315 		.errstr = "variable ctx access var_off=(0x0; 0x4)",
12316 	},
12317 };
12318 
12319 static int probe_filter_length(const struct bpf_insn *fp)
12320 {
12321 	int len;
12322 
12323 	for (len = MAX_INSNS - 1; len > 0; --len)
12324 		if (fp[len].code != 0 || fp[len].imm != 0)
12325 			break;
12326 	return len + 1;
12327 }
12328 
12329 static int create_map(uint32_t type, uint32_t size_key,
12330 		      uint32_t size_value, uint32_t max_elem)
12331 {
12332 	int fd;
12333 
12334 	fd = bpf_create_map(type, size_key, size_value, max_elem,
12335 			    type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
12336 	if (fd < 0)
12337 		printf("Failed to create hash map '%s'!\n", strerror(errno));
12338 
12339 	return fd;
12340 }
12341 
12342 static int create_prog_dummy1(void)
12343 {
12344 	struct bpf_insn prog[] = {
12345 		BPF_MOV64_IMM(BPF_REG_0, 42),
12346 		BPF_EXIT_INSN(),
12347 	};
12348 
12349 	return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12350 				ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12351 }
12352 
12353 static int create_prog_dummy2(int mfd, int idx)
12354 {
12355 	struct bpf_insn prog[] = {
12356 		BPF_MOV64_IMM(BPF_REG_3, idx),
12357 		BPF_LD_MAP_FD(BPF_REG_2, mfd),
12358 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12359 			     BPF_FUNC_tail_call),
12360 		BPF_MOV64_IMM(BPF_REG_0, 41),
12361 		BPF_EXIT_INSN(),
12362 	};
12363 
12364 	return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12365 				ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12366 }
12367 
12368 static int create_prog_array(uint32_t max_elem, int p1key)
12369 {
12370 	int p2key = 1;
12371 	int mfd, p1fd, p2fd;
12372 
12373 	mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
12374 			     sizeof(int), max_elem, 0);
12375 	if (mfd < 0) {
12376 		printf("Failed to create prog array '%s'!\n", strerror(errno));
12377 		return -1;
12378 	}
12379 
12380 	p1fd = create_prog_dummy1();
12381 	p2fd = create_prog_dummy2(mfd, p2key);
12382 	if (p1fd < 0 || p2fd < 0)
12383 		goto out;
12384 	if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
12385 		goto out;
12386 	if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
12387 		goto out;
12388 	close(p2fd);
12389 	close(p1fd);
12390 
12391 	return mfd;
12392 out:
12393 	close(p2fd);
12394 	close(p1fd);
12395 	close(mfd);
12396 	return -1;
12397 }
12398 
12399 static int create_map_in_map(void)
12400 {
12401 	int inner_map_fd, outer_map_fd;
12402 
12403 	inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12404 				      sizeof(int), 1, 0);
12405 	if (inner_map_fd < 0) {
12406 		printf("Failed to create array '%s'!\n", strerror(errno));
12407 		return inner_map_fd;
12408 	}
12409 
12410 	outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
12411 					     sizeof(int), inner_map_fd, 1, 0);
12412 	if (outer_map_fd < 0)
12413 		printf("Failed to create array of maps '%s'!\n",
12414 		       strerror(errno));
12415 
12416 	close(inner_map_fd);
12417 
12418 	return outer_map_fd;
12419 }
12420 
12421 static char bpf_vlog[UINT_MAX >> 8];
12422 
12423 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
12424 			  int *map_fds)
12425 {
12426 	int *fixup_map1 = test->fixup_map1;
12427 	int *fixup_map2 = test->fixup_map2;
12428 	int *fixup_map3 = test->fixup_map3;
12429 	int *fixup_map4 = test->fixup_map4;
12430 	int *fixup_prog1 = test->fixup_prog1;
12431 	int *fixup_prog2 = test->fixup_prog2;
12432 	int *fixup_map_in_map = test->fixup_map_in_map;
12433 
12434 	if (test->fill_helper)
12435 		test->fill_helper(test);
12436 
12437 	/* Allocating HTs with 1 elem is fine here, since we only test
12438 	 * for verifier and not do a runtime lookup, so the only thing
12439 	 * that really matters is value size in this case.
12440 	 */
12441 	if (*fixup_map1) {
12442 		map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12443 					sizeof(long long), 1);
12444 		do {
12445 			prog[*fixup_map1].imm = map_fds[0];
12446 			fixup_map1++;
12447 		} while (*fixup_map1);
12448 	}
12449 
12450 	if (*fixup_map2) {
12451 		map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12452 					sizeof(struct test_val), 1);
12453 		do {
12454 			prog[*fixup_map2].imm = map_fds[1];
12455 			fixup_map2++;
12456 		} while (*fixup_map2);
12457 	}
12458 
12459 	if (*fixup_map3) {
12460 		map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12461 					sizeof(struct other_val), 1);
12462 		do {
12463 			prog[*fixup_map3].imm = map_fds[2];
12464 			fixup_map3++;
12465 		} while (*fixup_map3);
12466 	}
12467 
12468 	if (*fixup_map4) {
12469 		map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12470 					sizeof(struct test_val), 1);
12471 		do {
12472 			prog[*fixup_map4].imm = map_fds[3];
12473 			fixup_map4++;
12474 		} while (*fixup_map4);
12475 	}
12476 
12477 	if (*fixup_prog1) {
12478 		map_fds[4] = create_prog_array(4, 0);
12479 		do {
12480 			prog[*fixup_prog1].imm = map_fds[4];
12481 			fixup_prog1++;
12482 		} while (*fixup_prog1);
12483 	}
12484 
12485 	if (*fixup_prog2) {
12486 		map_fds[5] = create_prog_array(8, 7);
12487 		do {
12488 			prog[*fixup_prog2].imm = map_fds[5];
12489 			fixup_prog2++;
12490 		} while (*fixup_prog2);
12491 	}
12492 
12493 	if (*fixup_map_in_map) {
12494 		map_fds[6] = create_map_in_map();
12495 		do {
12496 			prog[*fixup_map_in_map].imm = map_fds[6];
12497 			fixup_map_in_map++;
12498 		} while (*fixup_map_in_map);
12499 	}
12500 }
12501 
12502 static void do_test_single(struct bpf_test *test, bool unpriv,
12503 			   int *passes, int *errors)
12504 {
12505 	int fd_prog, expected_ret, reject_from_alignment;
12506 	int prog_len, prog_type = test->prog_type;
12507 	struct bpf_insn *prog = test->insns;
12508 	int map_fds[MAX_NR_MAPS];
12509 	const char *expected_err;
12510 	uint32_t retval;
12511 	int i, err;
12512 
12513 	for (i = 0; i < MAX_NR_MAPS; i++)
12514 		map_fds[i] = -1;
12515 
12516 	do_test_fixup(test, prog, map_fds);
12517 	prog_len = probe_filter_length(prog);
12518 
12519 	fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
12520 				     prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
12521 				     "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
12522 
12523 	expected_ret = unpriv && test->result_unpriv != UNDEF ?
12524 		       test->result_unpriv : test->result;
12525 	expected_err = unpriv && test->errstr_unpriv ?
12526 		       test->errstr_unpriv : test->errstr;
12527 
12528 	reject_from_alignment = fd_prog < 0 &&
12529 				(test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
12530 				strstr(bpf_vlog, "Unknown alignment.");
12531 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
12532 	if (reject_from_alignment) {
12533 		printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
12534 		       strerror(errno));
12535 		goto fail_log;
12536 	}
12537 #endif
12538 	if (expected_ret == ACCEPT) {
12539 		if (fd_prog < 0 && !reject_from_alignment) {
12540 			printf("FAIL\nFailed to load prog '%s'!\n",
12541 			       strerror(errno));
12542 			goto fail_log;
12543 		}
12544 	} else {
12545 		if (fd_prog >= 0) {
12546 			printf("FAIL\nUnexpected success to load!\n");
12547 			goto fail_log;
12548 		}
12549 		if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
12550 			printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
12551 			      expected_err, bpf_vlog);
12552 			goto fail_log;
12553 		}
12554 	}
12555 
12556 	if (fd_prog >= 0) {
12557 		err = bpf_prog_test_run(fd_prog, 1, test->data,
12558 					sizeof(test->data), NULL, NULL,
12559 					&retval, NULL);
12560 		if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
12561 			printf("Unexpected bpf_prog_test_run error\n");
12562 			goto fail_log;
12563 		}
12564 		if (!err && retval != test->retval &&
12565 		    test->retval != POINTER_VALUE) {
12566 			printf("FAIL retval %d != %d\n", retval, test->retval);
12567 			goto fail_log;
12568 		}
12569 	}
12570 	(*passes)++;
12571 	printf("OK%s\n", reject_from_alignment ?
12572 	       " (NOTE: reject due to unknown alignment)" : "");
12573 close_fds:
12574 	close(fd_prog);
12575 	for (i = 0; i < MAX_NR_MAPS; i++)
12576 		close(map_fds[i]);
12577 	sched_yield();
12578 	return;
12579 fail_log:
12580 	(*errors)++;
12581 	printf("%s", bpf_vlog);
12582 	goto close_fds;
12583 }
12584 
12585 static bool is_admin(void)
12586 {
12587 	cap_t caps;
12588 	cap_flag_value_t sysadmin = CAP_CLEAR;
12589 	const cap_value_t cap_val = CAP_SYS_ADMIN;
12590 
12591 #ifdef CAP_IS_SUPPORTED
12592 	if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
12593 		perror("cap_get_flag");
12594 		return false;
12595 	}
12596 #endif
12597 	caps = cap_get_proc();
12598 	if (!caps) {
12599 		perror("cap_get_proc");
12600 		return false;
12601 	}
12602 	if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
12603 		perror("cap_get_flag");
12604 	if (cap_free(caps))
12605 		perror("cap_free");
12606 	return (sysadmin == CAP_SET);
12607 }
12608 
12609 static int set_admin(bool admin)
12610 {
12611 	cap_t caps;
12612 	const cap_value_t cap_val = CAP_SYS_ADMIN;
12613 	int ret = -1;
12614 
12615 	caps = cap_get_proc();
12616 	if (!caps) {
12617 		perror("cap_get_proc");
12618 		return -1;
12619 	}
12620 	if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
12621 				admin ? CAP_SET : CAP_CLEAR)) {
12622 		perror("cap_set_flag");
12623 		goto out;
12624 	}
12625 	if (cap_set_proc(caps)) {
12626 		perror("cap_set_proc");
12627 		goto out;
12628 	}
12629 	ret = 0;
12630 out:
12631 	if (cap_free(caps))
12632 		perror("cap_free");
12633 	return ret;
12634 }
12635 
12636 static void get_unpriv_disabled()
12637 {
12638 	char buf[2];
12639 	FILE *fd;
12640 
12641 	fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
12642 	if (!fd) {
12643 		perror("fopen /proc/sys/"UNPRIV_SYSCTL);
12644 		unpriv_disabled = true;
12645 		return;
12646 	}
12647 	if (fgets(buf, 2, fd) == buf && atoi(buf))
12648 		unpriv_disabled = true;
12649 	fclose(fd);
12650 }
12651 
12652 static int do_test(bool unpriv, unsigned int from, unsigned int to)
12653 {
12654 	int i, passes = 0, errors = 0, skips = 0;
12655 
12656 	for (i = from; i < to; i++) {
12657 		struct bpf_test *test = &tests[i];
12658 
12659 		/* Program types that are not supported by non-root we
12660 		 * skip right away.
12661 		 */
12662 		if (!test->prog_type && unpriv_disabled) {
12663 			printf("#%d/u %s SKIP\n", i, test->descr);
12664 			skips++;
12665 		} else if (!test->prog_type) {
12666 			if (!unpriv)
12667 				set_admin(false);
12668 			printf("#%d/u %s ", i, test->descr);
12669 			do_test_single(test, true, &passes, &errors);
12670 			if (!unpriv)
12671 				set_admin(true);
12672 		}
12673 
12674 		if (unpriv) {
12675 			printf("#%d/p %s SKIP\n", i, test->descr);
12676 			skips++;
12677 		} else {
12678 			printf("#%d/p %s ", i, test->descr);
12679 			do_test_single(test, false, &passes, &errors);
12680 		}
12681 	}
12682 
12683 	printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
12684 	       skips, errors);
12685 	return errors ? EXIT_FAILURE : EXIT_SUCCESS;
12686 }
12687 
12688 int main(int argc, char **argv)
12689 {
12690 	unsigned int from = 0, to = ARRAY_SIZE(tests);
12691 	bool unpriv = !is_admin();
12692 
12693 	if (argc == 3) {
12694 		unsigned int l = atoi(argv[argc - 2]);
12695 		unsigned int u = atoi(argv[argc - 1]);
12696 
12697 		if (l < to && u < to) {
12698 			from = l;
12699 			to   = u + 1;
12700 		}
12701 	} else if (argc == 2) {
12702 		unsigned int t = atoi(argv[argc - 1]);
12703 
12704 		if (t < to) {
12705 			from = t;
12706 			to   = t + 1;
12707 		}
12708 	}
12709 
12710 	get_unpriv_disabled();
12711 	if (unpriv && unpriv_disabled) {
12712 		printf("Cannot run as unprivileged user with sysctl %s.\n",
12713 		       UNPRIV_SYSCTL);
12714 		return EXIT_FAILURE;
12715 	}
12716 
12717 	bpf_semi_rand_init();
12718 	return do_test(unpriv, from, to);
12719 }
12720