xref: /openbmc/linux/tools/testing/selftests/bpf/test_verifier.c (revision 9dae47aba0a055f761176d9297371d5bb24289ec) 
1 /*
2  * Testsuite for eBPF verifier
3  *
4  * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5  * Copyright (c) 2017 Facebook
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of version 2 of the GNU General Public
9  * License as published by the Free Software Foundation.
10  */
11 
12 #include <endian.h>
13 #include <asm/types.h>
14 #include <linux/types.h>
15 #include <stdint.h>
16 #include <stdio.h>
17 #include <stdlib.h>
18 #include <unistd.h>
19 #include <errno.h>
20 #include <string.h>
21 #include <stddef.h>
22 #include <stdbool.h>
23 #include <sched.h>
24 
25 #include <sys/capability.h>
26 #include <sys/resource.h>
27 
28 #include <linux/unistd.h>
29 #include <linux/filter.h>
30 #include <linux/bpf_perf_event.h>
31 #include <linux/bpf.h>
32 
33 #include <bpf/bpf.h>
34 
35 #ifdef HAVE_GENHDR
36 # include "autoconf.h"
37 #else
38 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
39 #  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
40 # endif
41 #endif
42 
43 #include "../../../include/linux/filter.h"
44 
45 #ifndef ARRAY_SIZE
46 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
47 #endif
48 
49 #define MAX_INSNS	512
50 #define MAX_FIXUPS	8
51 #define MAX_NR_MAPS	4
52 
53 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS	(1 << 0)
54 #define F_LOAD_WITH_STRICT_ALIGNMENT		(1 << 1)
55 
56 struct bpf_test {
57 	const char *descr;
58 	struct bpf_insn	insns[MAX_INSNS];
59 	int fixup_map1[MAX_FIXUPS];
60 	int fixup_map2[MAX_FIXUPS];
61 	int fixup_prog[MAX_FIXUPS];
62 	int fixup_map_in_map[MAX_FIXUPS];
63 	const char *errstr;
64 	const char *errstr_unpriv;
65 	enum {
66 		UNDEF,
67 		ACCEPT,
68 		REJECT
69 	} result, result_unpriv;
70 	enum bpf_prog_type prog_type;
71 	uint8_t flags;
72 };
73 
74 /* Note we want this to be 64 bit aligned so that the end of our array is
75  * actually the end of the structure.
76  */
77 #define MAX_ENTRIES 11
78 
79 struct test_val {
80 	unsigned int index;
81 	int foo[MAX_ENTRIES];
82 };
83 
84 static struct bpf_test tests[] = {
85 	{
86 		"add+sub+mul",
87 		.insns = {
88 			BPF_MOV64_IMM(BPF_REG_1, 1),
89 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
90 			BPF_MOV64_IMM(BPF_REG_2, 3),
91 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
92 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
93 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
94 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
95 			BPF_EXIT_INSN(),
96 		},
97 		.result = ACCEPT,
98 	},
99 	{
100 		"unreachable",
101 		.insns = {
102 			BPF_EXIT_INSN(),
103 			BPF_EXIT_INSN(),
104 		},
105 		.errstr = "unreachable",
106 		.result = REJECT,
107 	},
108 	{
109 		"unreachable2",
110 		.insns = {
111 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
112 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
113 			BPF_EXIT_INSN(),
114 		},
115 		.errstr = "unreachable",
116 		.result = REJECT,
117 	},
118 	{
119 		"out of range jump",
120 		.insns = {
121 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
122 			BPF_EXIT_INSN(),
123 		},
124 		.errstr = "jump out of range",
125 		.result = REJECT,
126 	},
127 	{
128 		"out of range jump2",
129 		.insns = {
130 			BPF_JMP_IMM(BPF_JA, 0, 0, -2),
131 			BPF_EXIT_INSN(),
132 		},
133 		.errstr = "jump out of range",
134 		.result = REJECT,
135 	},
136 	{
137 		"test1 ld_imm64",
138 		.insns = {
139 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
140 			BPF_LD_IMM64(BPF_REG_0, 0),
141 			BPF_LD_IMM64(BPF_REG_0, 0),
142 			BPF_LD_IMM64(BPF_REG_0, 1),
143 			BPF_LD_IMM64(BPF_REG_0, 1),
144 			BPF_MOV64_IMM(BPF_REG_0, 2),
145 			BPF_EXIT_INSN(),
146 		},
147 		.errstr = "invalid BPF_LD_IMM insn",
148 		.errstr_unpriv = "R1 pointer comparison",
149 		.result = REJECT,
150 	},
151 	{
152 		"test2 ld_imm64",
153 		.insns = {
154 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
155 			BPF_LD_IMM64(BPF_REG_0, 0),
156 			BPF_LD_IMM64(BPF_REG_0, 0),
157 			BPF_LD_IMM64(BPF_REG_0, 1),
158 			BPF_LD_IMM64(BPF_REG_0, 1),
159 			BPF_EXIT_INSN(),
160 		},
161 		.errstr = "invalid BPF_LD_IMM insn",
162 		.errstr_unpriv = "R1 pointer comparison",
163 		.result = REJECT,
164 	},
165 	{
166 		"test3 ld_imm64",
167 		.insns = {
168 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
169 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
170 			BPF_LD_IMM64(BPF_REG_0, 0),
171 			BPF_LD_IMM64(BPF_REG_0, 0),
172 			BPF_LD_IMM64(BPF_REG_0, 1),
173 			BPF_LD_IMM64(BPF_REG_0, 1),
174 			BPF_EXIT_INSN(),
175 		},
176 		.errstr = "invalid bpf_ld_imm64 insn",
177 		.result = REJECT,
178 	},
179 	{
180 		"test4 ld_imm64",
181 		.insns = {
182 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
183 			BPF_EXIT_INSN(),
184 		},
185 		.errstr = "invalid bpf_ld_imm64 insn",
186 		.result = REJECT,
187 	},
188 	{
189 		"test5 ld_imm64",
190 		.insns = {
191 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
192 		},
193 		.errstr = "invalid bpf_ld_imm64 insn",
194 		.result = REJECT,
195 	},
196 	{
197 		"test6 ld_imm64",
198 		.insns = {
199 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
200 			BPF_RAW_INSN(0, 0, 0, 0, 0),
201 			BPF_EXIT_INSN(),
202 		},
203 		.result = ACCEPT,
204 	},
205 	{
206 		"test7 ld_imm64",
207 		.insns = {
208 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
209 			BPF_RAW_INSN(0, 0, 0, 0, 1),
210 			BPF_EXIT_INSN(),
211 		},
212 		.result = ACCEPT,
213 	},
214 	{
215 		"test8 ld_imm64",
216 		.insns = {
217 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
218 			BPF_RAW_INSN(0, 0, 0, 0, 1),
219 			BPF_EXIT_INSN(),
220 		},
221 		.errstr = "uses reserved fields",
222 		.result = REJECT,
223 	},
224 	{
225 		"test9 ld_imm64",
226 		.insns = {
227 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
228 			BPF_RAW_INSN(0, 0, 0, 1, 1),
229 			BPF_EXIT_INSN(),
230 		},
231 		.errstr = "invalid bpf_ld_imm64 insn",
232 		.result = REJECT,
233 	},
234 	{
235 		"test10 ld_imm64",
236 		.insns = {
237 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
238 			BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
239 			BPF_EXIT_INSN(),
240 		},
241 		.errstr = "invalid bpf_ld_imm64 insn",
242 		.result = REJECT,
243 	},
244 	{
245 		"test11 ld_imm64",
246 		.insns = {
247 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
248 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
249 			BPF_EXIT_INSN(),
250 		},
251 		.errstr = "invalid bpf_ld_imm64 insn",
252 		.result = REJECT,
253 	},
254 	{
255 		"test12 ld_imm64",
256 		.insns = {
257 			BPF_MOV64_IMM(BPF_REG_1, 0),
258 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
259 			BPF_RAW_INSN(0, 0, 0, 0, 1),
260 			BPF_EXIT_INSN(),
261 		},
262 		.errstr = "not pointing to valid bpf_map",
263 		.result = REJECT,
264 	},
265 	{
266 		"test13 ld_imm64",
267 		.insns = {
268 			BPF_MOV64_IMM(BPF_REG_1, 0),
269 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
270 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
271 			BPF_EXIT_INSN(),
272 		},
273 		.errstr = "invalid bpf_ld_imm64 insn",
274 		.result = REJECT,
275 	},
276 	{
277 		"no bpf_exit",
278 		.insns = {
279 			BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
280 		},
281 		.errstr = "not an exit",
282 		.result = REJECT,
283 	},
284 	{
285 		"loop (back-edge)",
286 		.insns = {
287 			BPF_JMP_IMM(BPF_JA, 0, 0, -1),
288 			BPF_EXIT_INSN(),
289 		},
290 		.errstr = "back-edge",
291 		.result = REJECT,
292 	},
293 	{
294 		"loop2 (back-edge)",
295 		.insns = {
296 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
297 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
298 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
299 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
300 			BPF_EXIT_INSN(),
301 		},
302 		.errstr = "back-edge",
303 		.result = REJECT,
304 	},
305 	{
306 		"conditional loop",
307 		.insns = {
308 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
309 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
310 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
311 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
312 			BPF_EXIT_INSN(),
313 		},
314 		.errstr = "back-edge",
315 		.result = REJECT,
316 	},
317 	{
318 		"read uninitialized register",
319 		.insns = {
320 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
321 			BPF_EXIT_INSN(),
322 		},
323 		.errstr = "R2 !read_ok",
324 		.result = REJECT,
325 	},
326 	{
327 		"read invalid register",
328 		.insns = {
329 			BPF_MOV64_REG(BPF_REG_0, -1),
330 			BPF_EXIT_INSN(),
331 		},
332 		.errstr = "R15 is invalid",
333 		.result = REJECT,
334 	},
335 	{
336 		"program doesn't init R0 before exit",
337 		.insns = {
338 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
339 			BPF_EXIT_INSN(),
340 		},
341 		.errstr = "R0 !read_ok",
342 		.result = REJECT,
343 	},
344 	{
345 		"program doesn't init R0 before exit in all branches",
346 		.insns = {
347 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
348 			BPF_MOV64_IMM(BPF_REG_0, 1),
349 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
350 			BPF_EXIT_INSN(),
351 		},
352 		.errstr = "R0 !read_ok",
353 		.errstr_unpriv = "R1 pointer comparison",
354 		.result = REJECT,
355 	},
356 	{
357 		"stack out of bounds",
358 		.insns = {
359 			BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
360 			BPF_EXIT_INSN(),
361 		},
362 		.errstr = "invalid stack",
363 		.result = REJECT,
364 	},
365 	{
366 		"invalid call insn1",
367 		.insns = {
368 			BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
369 			BPF_EXIT_INSN(),
370 		},
371 		.errstr = "BPF_CALL uses reserved",
372 		.result = REJECT,
373 	},
374 	{
375 		"invalid call insn2",
376 		.insns = {
377 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
378 			BPF_EXIT_INSN(),
379 		},
380 		.errstr = "BPF_CALL uses reserved",
381 		.result = REJECT,
382 	},
383 	{
384 		"invalid function call",
385 		.insns = {
386 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
387 			BPF_EXIT_INSN(),
388 		},
389 		.errstr = "invalid func unknown#1234567",
390 		.result = REJECT,
391 	},
392 	{
393 		"uninitialized stack1",
394 		.insns = {
395 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
396 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
397 			BPF_LD_MAP_FD(BPF_REG_1, 0),
398 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
399 				     BPF_FUNC_map_lookup_elem),
400 			BPF_EXIT_INSN(),
401 		},
402 		.fixup_map1 = { 2 },
403 		.errstr = "invalid indirect read from stack",
404 		.result = REJECT,
405 	},
406 	{
407 		"uninitialized stack2",
408 		.insns = {
409 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
410 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
411 			BPF_EXIT_INSN(),
412 		},
413 		.errstr = "invalid read from stack",
414 		.result = REJECT,
415 	},
416 	{
417 		"invalid fp arithmetic",
418 		/* If this gets ever changed, make sure JITs can deal with it. */
419 		.insns = {
420 			BPF_MOV64_IMM(BPF_REG_0, 0),
421 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
422 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
423 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
424 			BPF_EXIT_INSN(),
425 		},
426 		.errstr = "R1 subtraction from stack pointer",
427 		.result = REJECT,
428 	},
429 	{
430 		"non-invalid fp arithmetic",
431 		.insns = {
432 			BPF_MOV64_IMM(BPF_REG_0, 0),
433 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
434 			BPF_EXIT_INSN(),
435 		},
436 		.result = ACCEPT,
437 	},
438 	{
439 		"invalid argument register",
440 		.insns = {
441 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
442 				     BPF_FUNC_get_cgroup_classid),
443 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
444 				     BPF_FUNC_get_cgroup_classid),
445 			BPF_EXIT_INSN(),
446 		},
447 		.errstr = "R1 !read_ok",
448 		.result = REJECT,
449 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
450 	},
451 	{
452 		"non-invalid argument register",
453 		.insns = {
454 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
455 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
456 				     BPF_FUNC_get_cgroup_classid),
457 			BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
458 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
459 				     BPF_FUNC_get_cgroup_classid),
460 			BPF_EXIT_INSN(),
461 		},
462 		.result = ACCEPT,
463 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
464 	},
465 	{
466 		"check valid spill/fill",
467 		.insns = {
468 			/* spill R1(ctx) into stack */
469 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
470 			/* fill it back into R2 */
471 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
472 			/* should be able to access R0 = *(R2 + 8) */
473 			/* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
474 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
475 			BPF_EXIT_INSN(),
476 		},
477 		.errstr_unpriv = "R0 leaks addr",
478 		.result = ACCEPT,
479 		.result_unpriv = REJECT,
480 	},
481 	{
482 		"check valid spill/fill, skb mark",
483 		.insns = {
484 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
485 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
486 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
487 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
488 				    offsetof(struct __sk_buff, mark)),
489 			BPF_EXIT_INSN(),
490 		},
491 		.result = ACCEPT,
492 		.result_unpriv = ACCEPT,
493 	},
494 	{
495 		"check corrupted spill/fill",
496 		.insns = {
497 			/* spill R1(ctx) into stack */
498 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
499 			/* mess up with R1 pointer on stack */
500 			BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
501 			/* fill back into R0 should fail */
502 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
503 			BPF_EXIT_INSN(),
504 		},
505 		.errstr_unpriv = "attempt to corrupt spilled",
506 		.errstr = "corrupted spill",
507 		.result = REJECT,
508 	},
509 	{
510 		"invalid src register in STX",
511 		.insns = {
512 			BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
513 			BPF_EXIT_INSN(),
514 		},
515 		.errstr = "R15 is invalid",
516 		.result = REJECT,
517 	},
518 	{
519 		"invalid dst register in STX",
520 		.insns = {
521 			BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
522 			BPF_EXIT_INSN(),
523 		},
524 		.errstr = "R14 is invalid",
525 		.result = REJECT,
526 	},
527 	{
528 		"invalid dst register in ST",
529 		.insns = {
530 			BPF_ST_MEM(BPF_B, 14, -1, -1),
531 			BPF_EXIT_INSN(),
532 		},
533 		.errstr = "R14 is invalid",
534 		.result = REJECT,
535 	},
536 	{
537 		"invalid src register in LDX",
538 		.insns = {
539 			BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
540 			BPF_EXIT_INSN(),
541 		},
542 		.errstr = "R12 is invalid",
543 		.result = REJECT,
544 	},
545 	{
546 		"invalid dst register in LDX",
547 		.insns = {
548 			BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
549 			BPF_EXIT_INSN(),
550 		},
551 		.errstr = "R11 is invalid",
552 		.result = REJECT,
553 	},
554 	{
555 		"junk insn",
556 		.insns = {
557 			BPF_RAW_INSN(0, 0, 0, 0, 0),
558 			BPF_EXIT_INSN(),
559 		},
560 		.errstr = "invalid BPF_LD_IMM",
561 		.result = REJECT,
562 	},
563 	{
564 		"junk insn2",
565 		.insns = {
566 			BPF_RAW_INSN(1, 0, 0, 0, 0),
567 			BPF_EXIT_INSN(),
568 		},
569 		.errstr = "BPF_LDX uses reserved fields",
570 		.result = REJECT,
571 	},
572 	{
573 		"junk insn3",
574 		.insns = {
575 			BPF_RAW_INSN(-1, 0, 0, 0, 0),
576 			BPF_EXIT_INSN(),
577 		},
578 		.errstr = "invalid BPF_ALU opcode f0",
579 		.result = REJECT,
580 	},
581 	{
582 		"junk insn4",
583 		.insns = {
584 			BPF_RAW_INSN(-1, -1, -1, -1, -1),
585 			BPF_EXIT_INSN(),
586 		},
587 		.errstr = "invalid BPF_ALU opcode f0",
588 		.result = REJECT,
589 	},
590 	{
591 		"junk insn5",
592 		.insns = {
593 			BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
594 			BPF_EXIT_INSN(),
595 		},
596 		.errstr = "BPF_ALU uses reserved fields",
597 		.result = REJECT,
598 	},
599 	{
600 		"misaligned read from stack",
601 		.insns = {
602 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
603 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
604 			BPF_EXIT_INSN(),
605 		},
606 		.errstr = "misaligned stack access",
607 		.result = REJECT,
608 	},
609 	{
610 		"invalid map_fd for function call",
611 		.insns = {
612 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
613 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
614 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
615 			BPF_LD_MAP_FD(BPF_REG_1, 0),
616 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
617 				     BPF_FUNC_map_delete_elem),
618 			BPF_EXIT_INSN(),
619 		},
620 		.errstr = "fd 0 is not pointing to valid bpf_map",
621 		.result = REJECT,
622 	},
623 	{
624 		"don't check return value before access",
625 		.insns = {
626 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
627 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
628 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
629 			BPF_LD_MAP_FD(BPF_REG_1, 0),
630 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
631 				     BPF_FUNC_map_lookup_elem),
632 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
633 			BPF_EXIT_INSN(),
634 		},
635 		.fixup_map1 = { 3 },
636 		.errstr = "R0 invalid mem access 'map_value_or_null'",
637 		.result = REJECT,
638 	},
639 	{
640 		"access memory with incorrect alignment",
641 		.insns = {
642 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
643 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
644 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
645 			BPF_LD_MAP_FD(BPF_REG_1, 0),
646 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
647 				     BPF_FUNC_map_lookup_elem),
648 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
649 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
650 			BPF_EXIT_INSN(),
651 		},
652 		.fixup_map1 = { 3 },
653 		.errstr = "misaligned value access",
654 		.result = REJECT,
655 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
656 	},
657 	{
658 		"sometimes access memory with incorrect alignment",
659 		.insns = {
660 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
661 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
662 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
663 			BPF_LD_MAP_FD(BPF_REG_1, 0),
664 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
665 				     BPF_FUNC_map_lookup_elem),
666 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
667 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
668 			BPF_EXIT_INSN(),
669 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
670 			BPF_EXIT_INSN(),
671 		},
672 		.fixup_map1 = { 3 },
673 		.errstr = "R0 invalid mem access",
674 		.errstr_unpriv = "R0 leaks addr",
675 		.result = REJECT,
676 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
677 	},
678 	{
679 		"jump test 1",
680 		.insns = {
681 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
682 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
683 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
684 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
685 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
686 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
687 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
688 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
689 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
690 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
691 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
692 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
693 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
694 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
695 			BPF_MOV64_IMM(BPF_REG_0, 0),
696 			BPF_EXIT_INSN(),
697 		},
698 		.errstr_unpriv = "R1 pointer comparison",
699 		.result_unpriv = REJECT,
700 		.result = ACCEPT,
701 	},
702 	{
703 		"jump test 2",
704 		.insns = {
705 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
706 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
707 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
708 			BPF_JMP_IMM(BPF_JA, 0, 0, 14),
709 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
710 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
711 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
712 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
713 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
714 			BPF_JMP_IMM(BPF_JA, 0, 0, 8),
715 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
716 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
717 			BPF_JMP_IMM(BPF_JA, 0, 0, 5),
718 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
719 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
720 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
721 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
722 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
723 			BPF_MOV64_IMM(BPF_REG_0, 0),
724 			BPF_EXIT_INSN(),
725 		},
726 		.errstr_unpriv = "R1 pointer comparison",
727 		.result_unpriv = REJECT,
728 		.result = ACCEPT,
729 	},
730 	{
731 		"jump test 3",
732 		.insns = {
733 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
734 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
735 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
736 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
737 			BPF_JMP_IMM(BPF_JA, 0, 0, 19),
738 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
739 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
740 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
741 			BPF_JMP_IMM(BPF_JA, 0, 0, 15),
742 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
743 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
744 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
745 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
746 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
747 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
748 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
749 			BPF_JMP_IMM(BPF_JA, 0, 0, 7),
750 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
751 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
752 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
753 			BPF_JMP_IMM(BPF_JA, 0, 0, 3),
754 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
755 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
756 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
757 			BPF_LD_MAP_FD(BPF_REG_1, 0),
758 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
759 				     BPF_FUNC_map_delete_elem),
760 			BPF_EXIT_INSN(),
761 		},
762 		.fixup_map1 = { 24 },
763 		.errstr_unpriv = "R1 pointer comparison",
764 		.result_unpriv = REJECT,
765 		.result = ACCEPT,
766 	},
767 	{
768 		"jump test 4",
769 		.insns = {
770 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
771 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
772 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
773 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
774 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
775 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
776 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
777 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
778 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
779 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
780 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
781 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
782 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
783 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
784 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
785 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
786 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
787 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
788 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
789 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
790 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
791 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
792 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
793 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
794 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
795 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
796 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
797 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
798 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
799 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
800 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
801 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
802 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
803 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
804 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
805 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
806 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
807 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
808 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
809 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
810 			BPF_MOV64_IMM(BPF_REG_0, 0),
811 			BPF_EXIT_INSN(),
812 		},
813 		.errstr_unpriv = "R1 pointer comparison",
814 		.result_unpriv = REJECT,
815 		.result = ACCEPT,
816 	},
817 	{
818 		"jump test 5",
819 		.insns = {
820 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
821 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
822 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
823 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
824 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
825 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
826 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
827 			BPF_MOV64_IMM(BPF_REG_0, 0),
828 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
829 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
830 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
831 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
832 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
833 			BPF_MOV64_IMM(BPF_REG_0, 0),
834 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
835 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
836 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
837 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
838 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
839 			BPF_MOV64_IMM(BPF_REG_0, 0),
840 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
841 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
842 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
843 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
844 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
845 			BPF_MOV64_IMM(BPF_REG_0, 0),
846 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
847 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
848 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
849 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
850 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
851 			BPF_MOV64_IMM(BPF_REG_0, 0),
852 			BPF_EXIT_INSN(),
853 		},
854 		.errstr_unpriv = "R1 pointer comparison",
855 		.result_unpriv = REJECT,
856 		.result = ACCEPT,
857 	},
858 	{
859 		"access skb fields ok",
860 		.insns = {
861 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
862 				    offsetof(struct __sk_buff, len)),
863 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
864 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
865 				    offsetof(struct __sk_buff, mark)),
866 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
867 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
868 				    offsetof(struct __sk_buff, pkt_type)),
869 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
870 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
871 				    offsetof(struct __sk_buff, queue_mapping)),
872 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
873 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
874 				    offsetof(struct __sk_buff, protocol)),
875 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
876 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
877 				    offsetof(struct __sk_buff, vlan_present)),
878 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
879 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
880 				    offsetof(struct __sk_buff, vlan_tci)),
881 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
882 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
883 				    offsetof(struct __sk_buff, napi_id)),
884 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
885 			BPF_EXIT_INSN(),
886 		},
887 		.result = ACCEPT,
888 	},
889 	{
890 		"access skb fields bad1",
891 		.insns = {
892 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
893 			BPF_EXIT_INSN(),
894 		},
895 		.errstr = "invalid bpf_context access",
896 		.result = REJECT,
897 	},
898 	{
899 		"access skb fields bad2",
900 		.insns = {
901 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
902 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
903 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
904 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
905 			BPF_LD_MAP_FD(BPF_REG_1, 0),
906 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
907 				     BPF_FUNC_map_lookup_elem),
908 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
909 			BPF_EXIT_INSN(),
910 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
911 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
912 				    offsetof(struct __sk_buff, pkt_type)),
913 			BPF_EXIT_INSN(),
914 		},
915 		.fixup_map1 = { 4 },
916 		.errstr = "different pointers",
917 		.errstr_unpriv = "R1 pointer comparison",
918 		.result = REJECT,
919 	},
920 	{
921 		"access skb fields bad3",
922 		.insns = {
923 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
924 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
925 				    offsetof(struct __sk_buff, pkt_type)),
926 			BPF_EXIT_INSN(),
927 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
928 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
929 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
930 			BPF_LD_MAP_FD(BPF_REG_1, 0),
931 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
932 				     BPF_FUNC_map_lookup_elem),
933 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
934 			BPF_EXIT_INSN(),
935 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
936 			BPF_JMP_IMM(BPF_JA, 0, 0, -12),
937 		},
938 		.fixup_map1 = { 6 },
939 		.errstr = "different pointers",
940 		.errstr_unpriv = "R1 pointer comparison",
941 		.result = REJECT,
942 	},
943 	{
944 		"access skb fields bad4",
945 		.insns = {
946 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
947 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
948 				    offsetof(struct __sk_buff, len)),
949 			BPF_MOV64_IMM(BPF_REG_0, 0),
950 			BPF_EXIT_INSN(),
951 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
952 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
953 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
954 			BPF_LD_MAP_FD(BPF_REG_1, 0),
955 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
956 				     BPF_FUNC_map_lookup_elem),
957 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
958 			BPF_EXIT_INSN(),
959 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
960 			BPF_JMP_IMM(BPF_JA, 0, 0, -13),
961 		},
962 		.fixup_map1 = { 7 },
963 		.errstr = "different pointers",
964 		.errstr_unpriv = "R1 pointer comparison",
965 		.result = REJECT,
966 	},
967 	{
968 		"invalid access __sk_buff family",
969 		.insns = {
970 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
971 				    offsetof(struct __sk_buff, family)),
972 			BPF_EXIT_INSN(),
973 		},
974 		.errstr = "invalid bpf_context access",
975 		.result = REJECT,
976 	},
977 	{
978 		"invalid access __sk_buff remote_ip4",
979 		.insns = {
980 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
981 				    offsetof(struct __sk_buff, remote_ip4)),
982 			BPF_EXIT_INSN(),
983 		},
984 		.errstr = "invalid bpf_context access",
985 		.result = REJECT,
986 	},
987 	{
988 		"invalid access __sk_buff local_ip4",
989 		.insns = {
990 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
991 				    offsetof(struct __sk_buff, local_ip4)),
992 			BPF_EXIT_INSN(),
993 		},
994 		.errstr = "invalid bpf_context access",
995 		.result = REJECT,
996 	},
997 	{
998 		"invalid access __sk_buff remote_ip6",
999 		.insns = {
1000 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1001 				    offsetof(struct __sk_buff, remote_ip6)),
1002 			BPF_EXIT_INSN(),
1003 		},
1004 		.errstr = "invalid bpf_context access",
1005 		.result = REJECT,
1006 	},
1007 	{
1008 		"invalid access __sk_buff local_ip6",
1009 		.insns = {
1010 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1011 				    offsetof(struct __sk_buff, local_ip6)),
1012 			BPF_EXIT_INSN(),
1013 		},
1014 		.errstr = "invalid bpf_context access",
1015 		.result = REJECT,
1016 	},
1017 	{
1018 		"invalid access __sk_buff remote_port",
1019 		.insns = {
1020 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1021 				    offsetof(struct __sk_buff, remote_port)),
1022 			BPF_EXIT_INSN(),
1023 		},
1024 		.errstr = "invalid bpf_context access",
1025 		.result = REJECT,
1026 	},
1027 	{
1028 		"invalid access __sk_buff remote_port",
1029 		.insns = {
1030 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1031 				    offsetof(struct __sk_buff, local_port)),
1032 			BPF_EXIT_INSN(),
1033 		},
1034 		.errstr = "invalid bpf_context access",
1035 		.result = REJECT,
1036 	},
1037 	{
1038 		"valid access __sk_buff family",
1039 		.insns = {
1040 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1041 				    offsetof(struct __sk_buff, family)),
1042 			BPF_EXIT_INSN(),
1043 		},
1044 		.result = ACCEPT,
1045 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1046 	},
1047 	{
1048 		"valid access __sk_buff remote_ip4",
1049 		.insns = {
1050 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1051 				    offsetof(struct __sk_buff, remote_ip4)),
1052 			BPF_EXIT_INSN(),
1053 		},
1054 		.result = ACCEPT,
1055 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1056 	},
1057 	{
1058 		"valid access __sk_buff local_ip4",
1059 		.insns = {
1060 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1061 				    offsetof(struct __sk_buff, local_ip4)),
1062 			BPF_EXIT_INSN(),
1063 		},
1064 		.result = ACCEPT,
1065 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1066 	},
1067 	{
1068 		"valid access __sk_buff remote_ip6",
1069 		.insns = {
1070 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1071 				    offsetof(struct __sk_buff, remote_ip6[0])),
1072 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1073 				    offsetof(struct __sk_buff, remote_ip6[1])),
1074 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1075 				    offsetof(struct __sk_buff, remote_ip6[2])),
1076 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1077 				    offsetof(struct __sk_buff, remote_ip6[3])),
1078 			BPF_EXIT_INSN(),
1079 		},
1080 		.result = ACCEPT,
1081 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1082 	},
1083 	{
1084 		"valid access __sk_buff local_ip6",
1085 		.insns = {
1086 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1087 				    offsetof(struct __sk_buff, local_ip6[0])),
1088 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1089 				    offsetof(struct __sk_buff, local_ip6[1])),
1090 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1091 				    offsetof(struct __sk_buff, local_ip6[2])),
1092 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1093 				    offsetof(struct __sk_buff, local_ip6[3])),
1094 			BPF_EXIT_INSN(),
1095 		},
1096 		.result = ACCEPT,
1097 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1098 	},
1099 	{
1100 		"valid access __sk_buff remote_port",
1101 		.insns = {
1102 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1103 				    offsetof(struct __sk_buff, remote_port)),
1104 			BPF_EXIT_INSN(),
1105 		},
1106 		.result = ACCEPT,
1107 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1108 	},
1109 	{
1110 		"valid access __sk_buff remote_port",
1111 		.insns = {
1112 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1113 				    offsetof(struct __sk_buff, local_port)),
1114 			BPF_EXIT_INSN(),
1115 		},
1116 		.result = ACCEPT,
1117 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1118 	},
1119 	{
1120 		"invalid access of tc_classid for SK_SKB",
1121 		.insns = {
1122 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1123 				    offsetof(struct __sk_buff, tc_classid)),
1124 			BPF_EXIT_INSN(),
1125 		},
1126 		.result = REJECT,
1127 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1128 		.errstr = "invalid bpf_context access",
1129 	},
1130 	{
1131 		"invalid access of skb->mark for SK_SKB",
1132 		.insns = {
1133 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1134 				    offsetof(struct __sk_buff, mark)),
1135 			BPF_EXIT_INSN(),
1136 		},
1137 		.result =  REJECT,
1138 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1139 		.errstr = "invalid bpf_context access",
1140 	},
1141 	{
1142 		"check skb->mark is not writeable by SK_SKB",
1143 		.insns = {
1144 			BPF_MOV64_IMM(BPF_REG_0, 0),
1145 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1146 				    offsetof(struct __sk_buff, mark)),
1147 			BPF_EXIT_INSN(),
1148 		},
1149 		.result =  REJECT,
1150 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1151 		.errstr = "invalid bpf_context access",
1152 	},
1153 	{
1154 		"check skb->tc_index is writeable by SK_SKB",
1155 		.insns = {
1156 			BPF_MOV64_IMM(BPF_REG_0, 0),
1157 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1158 				    offsetof(struct __sk_buff, tc_index)),
1159 			BPF_EXIT_INSN(),
1160 		},
1161 		.result = ACCEPT,
1162 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1163 	},
1164 	{
1165 		"check skb->priority is writeable by SK_SKB",
1166 		.insns = {
1167 			BPF_MOV64_IMM(BPF_REG_0, 0),
1168 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1169 				    offsetof(struct __sk_buff, priority)),
1170 			BPF_EXIT_INSN(),
1171 		},
1172 		.result = ACCEPT,
1173 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1174 	},
1175 	{
1176 		"direct packet read for SK_SKB",
1177 		.insns = {
1178 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1179 				    offsetof(struct __sk_buff, data)),
1180 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1181 				    offsetof(struct __sk_buff, data_end)),
1182 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1183 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1184 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1185 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1186 			BPF_MOV64_IMM(BPF_REG_0, 0),
1187 			BPF_EXIT_INSN(),
1188 		},
1189 		.result = ACCEPT,
1190 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1191 	},
1192 	{
1193 		"direct packet write for SK_SKB",
1194 		.insns = {
1195 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1196 				    offsetof(struct __sk_buff, data)),
1197 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1198 				    offsetof(struct __sk_buff, data_end)),
1199 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1200 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1201 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1202 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1203 			BPF_MOV64_IMM(BPF_REG_0, 0),
1204 			BPF_EXIT_INSN(),
1205 		},
1206 		.result = ACCEPT,
1207 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1208 	},
1209 	{
1210 		"overlapping checks for direct packet access SK_SKB",
1211 		.insns = {
1212 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1213 				    offsetof(struct __sk_buff, data)),
1214 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1215 				    offsetof(struct __sk_buff, data_end)),
1216 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1217 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1218 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1219 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1220 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1221 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1222 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1223 			BPF_MOV64_IMM(BPF_REG_0, 0),
1224 			BPF_EXIT_INSN(),
1225 		},
1226 		.result = ACCEPT,
1227 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1228 	},
1229 	{
1230 		"check skb->mark is not writeable by sockets",
1231 		.insns = {
1232 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1233 				    offsetof(struct __sk_buff, mark)),
1234 			BPF_EXIT_INSN(),
1235 		},
1236 		.errstr = "invalid bpf_context access",
1237 		.errstr_unpriv = "R1 leaks addr",
1238 		.result = REJECT,
1239 	},
1240 	{
1241 		"check skb->tc_index is not writeable by sockets",
1242 		.insns = {
1243 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1244 				    offsetof(struct __sk_buff, tc_index)),
1245 			BPF_EXIT_INSN(),
1246 		},
1247 		.errstr = "invalid bpf_context access",
1248 		.errstr_unpriv = "R1 leaks addr",
1249 		.result = REJECT,
1250 	},
1251 	{
1252 		"check cb access: byte",
1253 		.insns = {
1254 			BPF_MOV64_IMM(BPF_REG_0, 0),
1255 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1256 				    offsetof(struct __sk_buff, cb[0])),
1257 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1258 				    offsetof(struct __sk_buff, cb[0]) + 1),
1259 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1260 				    offsetof(struct __sk_buff, cb[0]) + 2),
1261 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1262 				    offsetof(struct __sk_buff, cb[0]) + 3),
1263 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1264 				    offsetof(struct __sk_buff, cb[1])),
1265 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1266 				    offsetof(struct __sk_buff, cb[1]) + 1),
1267 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1268 				    offsetof(struct __sk_buff, cb[1]) + 2),
1269 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1270 				    offsetof(struct __sk_buff, cb[1]) + 3),
1271 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1272 				    offsetof(struct __sk_buff, cb[2])),
1273 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1274 				    offsetof(struct __sk_buff, cb[2]) + 1),
1275 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1276 				    offsetof(struct __sk_buff, cb[2]) + 2),
1277 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1278 				    offsetof(struct __sk_buff, cb[2]) + 3),
1279 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1280 				    offsetof(struct __sk_buff, cb[3])),
1281 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1282 				    offsetof(struct __sk_buff, cb[3]) + 1),
1283 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1284 				    offsetof(struct __sk_buff, cb[3]) + 2),
1285 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1286 				    offsetof(struct __sk_buff, cb[3]) + 3),
1287 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1288 				    offsetof(struct __sk_buff, cb[4])),
1289 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1290 				    offsetof(struct __sk_buff, cb[4]) + 1),
1291 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1292 				    offsetof(struct __sk_buff, cb[4]) + 2),
1293 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1294 				    offsetof(struct __sk_buff, cb[4]) + 3),
1295 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1296 				    offsetof(struct __sk_buff, cb[0])),
1297 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1298 				    offsetof(struct __sk_buff, cb[0]) + 1),
1299 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1300 				    offsetof(struct __sk_buff, cb[0]) + 2),
1301 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1302 				    offsetof(struct __sk_buff, cb[0]) + 3),
1303 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1304 				    offsetof(struct __sk_buff, cb[1])),
1305 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1306 				    offsetof(struct __sk_buff, cb[1]) + 1),
1307 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1308 				    offsetof(struct __sk_buff, cb[1]) + 2),
1309 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1310 				    offsetof(struct __sk_buff, cb[1]) + 3),
1311 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1312 				    offsetof(struct __sk_buff, cb[2])),
1313 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1314 				    offsetof(struct __sk_buff, cb[2]) + 1),
1315 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1316 				    offsetof(struct __sk_buff, cb[2]) + 2),
1317 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1318 				    offsetof(struct __sk_buff, cb[2]) + 3),
1319 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1320 				    offsetof(struct __sk_buff, cb[3])),
1321 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1322 				    offsetof(struct __sk_buff, cb[3]) + 1),
1323 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1324 				    offsetof(struct __sk_buff, cb[3]) + 2),
1325 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1326 				    offsetof(struct __sk_buff, cb[3]) + 3),
1327 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1328 				    offsetof(struct __sk_buff, cb[4])),
1329 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1330 				    offsetof(struct __sk_buff, cb[4]) + 1),
1331 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1332 				    offsetof(struct __sk_buff, cb[4]) + 2),
1333 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1334 				    offsetof(struct __sk_buff, cb[4]) + 3),
1335 			BPF_EXIT_INSN(),
1336 		},
1337 		.result = ACCEPT,
1338 	},
1339 	{
1340 		"__sk_buff->hash, offset 0, byte store not permitted",
1341 		.insns = {
1342 			BPF_MOV64_IMM(BPF_REG_0, 0),
1343 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1344 				    offsetof(struct __sk_buff, hash)),
1345 			BPF_EXIT_INSN(),
1346 		},
1347 		.errstr = "invalid bpf_context access",
1348 		.result = REJECT,
1349 	},
1350 	{
1351 		"__sk_buff->tc_index, offset 3, byte store not permitted",
1352 		.insns = {
1353 			BPF_MOV64_IMM(BPF_REG_0, 0),
1354 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1355 				    offsetof(struct __sk_buff, tc_index) + 3),
1356 			BPF_EXIT_INSN(),
1357 		},
1358 		.errstr = "invalid bpf_context access",
1359 		.result = REJECT,
1360 	},
1361 	{
1362 		"check skb->hash byte load permitted",
1363 		.insns = {
1364 			BPF_MOV64_IMM(BPF_REG_0, 0),
1365 #if __BYTE_ORDER == __LITTLE_ENDIAN
1366 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1367 				    offsetof(struct __sk_buff, hash)),
1368 #else
1369 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1370 				    offsetof(struct __sk_buff, hash) + 3),
1371 #endif
1372 			BPF_EXIT_INSN(),
1373 		},
1374 		.result = ACCEPT,
1375 	},
1376 	{
1377 		"check skb->hash byte load not permitted 1",
1378 		.insns = {
1379 			BPF_MOV64_IMM(BPF_REG_0, 0),
1380 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1381 				    offsetof(struct __sk_buff, hash) + 1),
1382 			BPF_EXIT_INSN(),
1383 		},
1384 		.errstr = "invalid bpf_context access",
1385 		.result = REJECT,
1386 	},
1387 	{
1388 		"check skb->hash byte load not permitted 2",
1389 		.insns = {
1390 			BPF_MOV64_IMM(BPF_REG_0, 0),
1391 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1392 				    offsetof(struct __sk_buff, hash) + 2),
1393 			BPF_EXIT_INSN(),
1394 		},
1395 		.errstr = "invalid bpf_context access",
1396 		.result = REJECT,
1397 	},
1398 	{
1399 		"check skb->hash byte load not permitted 3",
1400 		.insns = {
1401 			BPF_MOV64_IMM(BPF_REG_0, 0),
1402 #if __BYTE_ORDER == __LITTLE_ENDIAN
1403 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1404 				    offsetof(struct __sk_buff, hash) + 3),
1405 #else
1406 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1407 				    offsetof(struct __sk_buff, hash)),
1408 #endif
1409 			BPF_EXIT_INSN(),
1410 		},
1411 		.errstr = "invalid bpf_context access",
1412 		.result = REJECT,
1413 	},
1414 	{
1415 		"check cb access: byte, wrong type",
1416 		.insns = {
1417 			BPF_MOV64_IMM(BPF_REG_0, 0),
1418 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1419 				    offsetof(struct __sk_buff, cb[0])),
1420 			BPF_EXIT_INSN(),
1421 		},
1422 		.errstr = "invalid bpf_context access",
1423 		.result = REJECT,
1424 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1425 	},
1426 	{
1427 		"check cb access: half",
1428 		.insns = {
1429 			BPF_MOV64_IMM(BPF_REG_0, 0),
1430 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1431 				    offsetof(struct __sk_buff, cb[0])),
1432 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1433 				    offsetof(struct __sk_buff, cb[0]) + 2),
1434 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1435 				    offsetof(struct __sk_buff, cb[1])),
1436 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1437 				    offsetof(struct __sk_buff, cb[1]) + 2),
1438 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1439 				    offsetof(struct __sk_buff, cb[2])),
1440 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1441 				    offsetof(struct __sk_buff, cb[2]) + 2),
1442 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1443 				    offsetof(struct __sk_buff, cb[3])),
1444 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1445 				    offsetof(struct __sk_buff, cb[3]) + 2),
1446 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1447 				    offsetof(struct __sk_buff, cb[4])),
1448 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1449 				    offsetof(struct __sk_buff, cb[4]) + 2),
1450 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1451 				    offsetof(struct __sk_buff, cb[0])),
1452 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1453 				    offsetof(struct __sk_buff, cb[0]) + 2),
1454 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1455 				    offsetof(struct __sk_buff, cb[1])),
1456 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1457 				    offsetof(struct __sk_buff, cb[1]) + 2),
1458 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1459 				    offsetof(struct __sk_buff, cb[2])),
1460 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1461 				    offsetof(struct __sk_buff, cb[2]) + 2),
1462 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1463 				    offsetof(struct __sk_buff, cb[3])),
1464 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1465 				    offsetof(struct __sk_buff, cb[3]) + 2),
1466 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1467 				    offsetof(struct __sk_buff, cb[4])),
1468 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1469 				    offsetof(struct __sk_buff, cb[4]) + 2),
1470 			BPF_EXIT_INSN(),
1471 		},
1472 		.result = ACCEPT,
1473 	},
1474 	{
1475 		"check cb access: half, unaligned",
1476 		.insns = {
1477 			BPF_MOV64_IMM(BPF_REG_0, 0),
1478 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1479 				    offsetof(struct __sk_buff, cb[0]) + 1),
1480 			BPF_EXIT_INSN(),
1481 		},
1482 		.errstr = "misaligned context access",
1483 		.result = REJECT,
1484 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1485 	},
1486 	{
1487 		"check __sk_buff->hash, offset 0, half store not permitted",
1488 		.insns = {
1489 			BPF_MOV64_IMM(BPF_REG_0, 0),
1490 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1491 				    offsetof(struct __sk_buff, hash)),
1492 			BPF_EXIT_INSN(),
1493 		},
1494 		.errstr = "invalid bpf_context access",
1495 		.result = REJECT,
1496 	},
1497 	{
1498 		"check __sk_buff->tc_index, offset 2, half store not permitted",
1499 		.insns = {
1500 			BPF_MOV64_IMM(BPF_REG_0, 0),
1501 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1502 				    offsetof(struct __sk_buff, tc_index) + 2),
1503 			BPF_EXIT_INSN(),
1504 		},
1505 		.errstr = "invalid bpf_context access",
1506 		.result = REJECT,
1507 	},
1508 	{
1509 		"check skb->hash half load permitted",
1510 		.insns = {
1511 			BPF_MOV64_IMM(BPF_REG_0, 0),
1512 #if __BYTE_ORDER == __LITTLE_ENDIAN
1513 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1514 				    offsetof(struct __sk_buff, hash)),
1515 #else
1516 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1517 				    offsetof(struct __sk_buff, hash) + 2),
1518 #endif
1519 			BPF_EXIT_INSN(),
1520 		},
1521 		.result = ACCEPT,
1522 	},
1523 	{
1524 		"check skb->hash half load not permitted",
1525 		.insns = {
1526 			BPF_MOV64_IMM(BPF_REG_0, 0),
1527 #if __BYTE_ORDER == __LITTLE_ENDIAN
1528 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1529 				    offsetof(struct __sk_buff, hash) + 2),
1530 #else
1531 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1532 				    offsetof(struct __sk_buff, hash)),
1533 #endif
1534 			BPF_EXIT_INSN(),
1535 		},
1536 		.errstr = "invalid bpf_context access",
1537 		.result = REJECT,
1538 	},
1539 	{
1540 		"check cb access: half, wrong type",
1541 		.insns = {
1542 			BPF_MOV64_IMM(BPF_REG_0, 0),
1543 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1544 				    offsetof(struct __sk_buff, cb[0])),
1545 			BPF_EXIT_INSN(),
1546 		},
1547 		.errstr = "invalid bpf_context access",
1548 		.result = REJECT,
1549 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1550 	},
1551 	{
1552 		"check cb access: word",
1553 		.insns = {
1554 			BPF_MOV64_IMM(BPF_REG_0, 0),
1555 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1556 				    offsetof(struct __sk_buff, cb[0])),
1557 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1558 				    offsetof(struct __sk_buff, cb[1])),
1559 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1560 				    offsetof(struct __sk_buff, cb[2])),
1561 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1562 				    offsetof(struct __sk_buff, cb[3])),
1563 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1564 				    offsetof(struct __sk_buff, cb[4])),
1565 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1566 				    offsetof(struct __sk_buff, cb[0])),
1567 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1568 				    offsetof(struct __sk_buff, cb[1])),
1569 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1570 				    offsetof(struct __sk_buff, cb[2])),
1571 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572 				    offsetof(struct __sk_buff, cb[3])),
1573 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1574 				    offsetof(struct __sk_buff, cb[4])),
1575 			BPF_EXIT_INSN(),
1576 		},
1577 		.result = ACCEPT,
1578 	},
1579 	{
1580 		"check cb access: word, unaligned 1",
1581 		.insns = {
1582 			BPF_MOV64_IMM(BPF_REG_0, 0),
1583 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1584 				    offsetof(struct __sk_buff, cb[0]) + 2),
1585 			BPF_EXIT_INSN(),
1586 		},
1587 		.errstr = "misaligned context access",
1588 		.result = REJECT,
1589 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1590 	},
1591 	{
1592 		"check cb access: word, unaligned 2",
1593 		.insns = {
1594 			BPF_MOV64_IMM(BPF_REG_0, 0),
1595 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1596 				    offsetof(struct __sk_buff, cb[4]) + 1),
1597 			BPF_EXIT_INSN(),
1598 		},
1599 		.errstr = "misaligned context access",
1600 		.result = REJECT,
1601 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1602 	},
1603 	{
1604 		"check cb access: word, unaligned 3",
1605 		.insns = {
1606 			BPF_MOV64_IMM(BPF_REG_0, 0),
1607 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1608 				    offsetof(struct __sk_buff, cb[4]) + 2),
1609 			BPF_EXIT_INSN(),
1610 		},
1611 		.errstr = "misaligned context access",
1612 		.result = REJECT,
1613 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1614 	},
1615 	{
1616 		"check cb access: word, unaligned 4",
1617 		.insns = {
1618 			BPF_MOV64_IMM(BPF_REG_0, 0),
1619 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1620 				    offsetof(struct __sk_buff, cb[4]) + 3),
1621 			BPF_EXIT_INSN(),
1622 		},
1623 		.errstr = "misaligned context access",
1624 		.result = REJECT,
1625 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1626 	},
1627 	{
1628 		"check cb access: double",
1629 		.insns = {
1630 			BPF_MOV64_IMM(BPF_REG_0, 0),
1631 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1632 				    offsetof(struct __sk_buff, cb[0])),
1633 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1634 				    offsetof(struct __sk_buff, cb[2])),
1635 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1636 				    offsetof(struct __sk_buff, cb[0])),
1637 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1638 				    offsetof(struct __sk_buff, cb[2])),
1639 			BPF_EXIT_INSN(),
1640 		},
1641 		.result = ACCEPT,
1642 	},
1643 	{
1644 		"check cb access: double, unaligned 1",
1645 		.insns = {
1646 			BPF_MOV64_IMM(BPF_REG_0, 0),
1647 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1648 				    offsetof(struct __sk_buff, cb[1])),
1649 			BPF_EXIT_INSN(),
1650 		},
1651 		.errstr = "misaligned context access",
1652 		.result = REJECT,
1653 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1654 	},
1655 	{
1656 		"check cb access: double, unaligned 2",
1657 		.insns = {
1658 			BPF_MOV64_IMM(BPF_REG_0, 0),
1659 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1660 				    offsetof(struct __sk_buff, cb[3])),
1661 			BPF_EXIT_INSN(),
1662 		},
1663 		.errstr = "misaligned context access",
1664 		.result = REJECT,
1665 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1666 	},
1667 	{
1668 		"check cb access: double, oob 1",
1669 		.insns = {
1670 			BPF_MOV64_IMM(BPF_REG_0, 0),
1671 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1672 				    offsetof(struct __sk_buff, cb[4])),
1673 			BPF_EXIT_INSN(),
1674 		},
1675 		.errstr = "invalid bpf_context access",
1676 		.result = REJECT,
1677 	},
1678 	{
1679 		"check cb access: double, oob 2",
1680 		.insns = {
1681 			BPF_MOV64_IMM(BPF_REG_0, 0),
1682 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1683 				    offsetof(struct __sk_buff, cb[4])),
1684 			BPF_EXIT_INSN(),
1685 		},
1686 		.errstr = "invalid bpf_context access",
1687 		.result = REJECT,
1688 	},
1689 	{
1690 		"check __sk_buff->ifindex dw store not permitted",
1691 		.insns = {
1692 			BPF_MOV64_IMM(BPF_REG_0, 0),
1693 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1694 				    offsetof(struct __sk_buff, ifindex)),
1695 			BPF_EXIT_INSN(),
1696 		},
1697 		.errstr = "invalid bpf_context access",
1698 		.result = REJECT,
1699 	},
1700 	{
1701 		"check __sk_buff->ifindex dw load not permitted",
1702 		.insns = {
1703 			BPF_MOV64_IMM(BPF_REG_0, 0),
1704 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1705 				    offsetof(struct __sk_buff, ifindex)),
1706 			BPF_EXIT_INSN(),
1707 		},
1708 		.errstr = "invalid bpf_context access",
1709 		.result = REJECT,
1710 	},
1711 	{
1712 		"check cb access: double, wrong type",
1713 		.insns = {
1714 			BPF_MOV64_IMM(BPF_REG_0, 0),
1715 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1716 				    offsetof(struct __sk_buff, cb[0])),
1717 			BPF_EXIT_INSN(),
1718 		},
1719 		.errstr = "invalid bpf_context access",
1720 		.result = REJECT,
1721 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1722 	},
1723 	{
1724 		"check out of range skb->cb access",
1725 		.insns = {
1726 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1727 				    offsetof(struct __sk_buff, cb[0]) + 256),
1728 			BPF_EXIT_INSN(),
1729 		},
1730 		.errstr = "invalid bpf_context access",
1731 		.errstr_unpriv = "",
1732 		.result = REJECT,
1733 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
1734 	},
1735 	{
1736 		"write skb fields from socket prog",
1737 		.insns = {
1738 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1739 				    offsetof(struct __sk_buff, cb[4])),
1740 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1741 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1742 				    offsetof(struct __sk_buff, mark)),
1743 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1744 				    offsetof(struct __sk_buff, tc_index)),
1745 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1746 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1747 				    offsetof(struct __sk_buff, cb[0])),
1748 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1749 				    offsetof(struct __sk_buff, cb[2])),
1750 			BPF_EXIT_INSN(),
1751 		},
1752 		.result = ACCEPT,
1753 		.errstr_unpriv = "R1 leaks addr",
1754 		.result_unpriv = REJECT,
1755 	},
1756 	{
1757 		"write skb fields from tc_cls_act prog",
1758 		.insns = {
1759 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1760 				    offsetof(struct __sk_buff, cb[0])),
1761 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1762 				    offsetof(struct __sk_buff, mark)),
1763 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1764 				    offsetof(struct __sk_buff, tc_index)),
1765 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1766 				    offsetof(struct __sk_buff, tc_index)),
1767 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1768 				    offsetof(struct __sk_buff, cb[3])),
1769 			BPF_EXIT_INSN(),
1770 		},
1771 		.errstr_unpriv = "",
1772 		.result_unpriv = REJECT,
1773 		.result = ACCEPT,
1774 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
1775 	},
1776 	{
1777 		"PTR_TO_STACK store/load",
1778 		.insns = {
1779 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1780 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1781 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1782 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1783 			BPF_EXIT_INSN(),
1784 		},
1785 		.result = ACCEPT,
1786 	},
1787 	{
1788 		"PTR_TO_STACK store/load - bad alignment on off",
1789 		.insns = {
1790 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1791 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1792 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1793 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1794 			BPF_EXIT_INSN(),
1795 		},
1796 		.result = REJECT,
1797 		.errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
1798 	},
1799 	{
1800 		"PTR_TO_STACK store/load - bad alignment on reg",
1801 		.insns = {
1802 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1803 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1804 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1805 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1806 			BPF_EXIT_INSN(),
1807 		},
1808 		.result = REJECT,
1809 		.errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
1810 	},
1811 	{
1812 		"PTR_TO_STACK store/load - out of bounds low",
1813 		.insns = {
1814 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1815 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
1816 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1817 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1818 			BPF_EXIT_INSN(),
1819 		},
1820 		.result = REJECT,
1821 		.errstr = "invalid stack off=-79992 size=8",
1822 	},
1823 	{
1824 		"PTR_TO_STACK store/load - out of bounds high",
1825 		.insns = {
1826 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1827 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1828 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1829 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1830 			BPF_EXIT_INSN(),
1831 		},
1832 		.result = REJECT,
1833 		.errstr = "invalid stack off=0 size=8",
1834 	},
1835 	{
1836 		"unpriv: return pointer",
1837 		.insns = {
1838 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
1839 			BPF_EXIT_INSN(),
1840 		},
1841 		.result = ACCEPT,
1842 		.result_unpriv = REJECT,
1843 		.errstr_unpriv = "R0 leaks addr",
1844 	},
1845 	{
1846 		"unpriv: add const to pointer",
1847 		.insns = {
1848 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
1849 			BPF_MOV64_IMM(BPF_REG_0, 0),
1850 			BPF_EXIT_INSN(),
1851 		},
1852 		.result = ACCEPT,
1853 	},
1854 	{
1855 		"unpriv: add pointer to pointer",
1856 		.insns = {
1857 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
1858 			BPF_MOV64_IMM(BPF_REG_0, 0),
1859 			BPF_EXIT_INSN(),
1860 		},
1861 		.result = REJECT,
1862 		.errstr = "R1 pointer += pointer",
1863 	},
1864 	{
1865 		"unpriv: neg pointer",
1866 		.insns = {
1867 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
1868 			BPF_MOV64_IMM(BPF_REG_0, 0),
1869 			BPF_EXIT_INSN(),
1870 		},
1871 		.result = ACCEPT,
1872 		.result_unpriv = REJECT,
1873 		.errstr_unpriv = "R1 pointer arithmetic",
1874 	},
1875 	{
1876 		"unpriv: cmp pointer with const",
1877 		.insns = {
1878 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1879 			BPF_MOV64_IMM(BPF_REG_0, 0),
1880 			BPF_EXIT_INSN(),
1881 		},
1882 		.result = ACCEPT,
1883 		.result_unpriv = REJECT,
1884 		.errstr_unpriv = "R1 pointer comparison",
1885 	},
1886 	{
1887 		"unpriv: cmp pointer with pointer",
1888 		.insns = {
1889 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1890 			BPF_MOV64_IMM(BPF_REG_0, 0),
1891 			BPF_EXIT_INSN(),
1892 		},
1893 		.result = ACCEPT,
1894 		.result_unpriv = REJECT,
1895 		.errstr_unpriv = "R10 pointer comparison",
1896 	},
1897 	{
1898 		"unpriv: check that printk is disallowed",
1899 		.insns = {
1900 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1901 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1902 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1903 			BPF_MOV64_IMM(BPF_REG_2, 8),
1904 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
1905 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1906 				     BPF_FUNC_trace_printk),
1907 			BPF_MOV64_IMM(BPF_REG_0, 0),
1908 			BPF_EXIT_INSN(),
1909 		},
1910 		.errstr_unpriv = "unknown func bpf_trace_printk#6",
1911 		.result_unpriv = REJECT,
1912 		.result = ACCEPT,
1913 	},
1914 	{
1915 		"unpriv: pass pointer to helper function",
1916 		.insns = {
1917 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1918 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1919 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1920 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1921 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1922 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
1923 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1924 				     BPF_FUNC_map_update_elem),
1925 			BPF_MOV64_IMM(BPF_REG_0, 0),
1926 			BPF_EXIT_INSN(),
1927 		},
1928 		.fixup_map1 = { 3 },
1929 		.errstr_unpriv = "R4 leaks addr",
1930 		.result_unpriv = REJECT,
1931 		.result = ACCEPT,
1932 	},
1933 	{
1934 		"unpriv: indirectly pass pointer on stack to helper function",
1935 		.insns = {
1936 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1937 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1938 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1939 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1940 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1941 				     BPF_FUNC_map_lookup_elem),
1942 			BPF_MOV64_IMM(BPF_REG_0, 0),
1943 			BPF_EXIT_INSN(),
1944 		},
1945 		.fixup_map1 = { 3 },
1946 		.errstr = "invalid indirect read from stack off -8+0 size 8",
1947 		.result = REJECT,
1948 	},
1949 	{
1950 		"unpriv: mangle pointer on stack 1",
1951 		.insns = {
1952 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1953 			BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
1954 			BPF_MOV64_IMM(BPF_REG_0, 0),
1955 			BPF_EXIT_INSN(),
1956 		},
1957 		.errstr_unpriv = "attempt to corrupt spilled",
1958 		.result_unpriv = REJECT,
1959 		.result = ACCEPT,
1960 	},
1961 	{
1962 		"unpriv: mangle pointer on stack 2",
1963 		.insns = {
1964 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1965 			BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
1966 			BPF_MOV64_IMM(BPF_REG_0, 0),
1967 			BPF_EXIT_INSN(),
1968 		},
1969 		.errstr_unpriv = "attempt to corrupt spilled",
1970 		.result_unpriv = REJECT,
1971 		.result = ACCEPT,
1972 	},
1973 	{
1974 		"unpriv: read pointer from stack in small chunks",
1975 		.insns = {
1976 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1977 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
1978 			BPF_MOV64_IMM(BPF_REG_0, 0),
1979 			BPF_EXIT_INSN(),
1980 		},
1981 		.errstr = "invalid size",
1982 		.result = REJECT,
1983 	},
1984 	{
1985 		"unpriv: write pointer into ctx",
1986 		.insns = {
1987 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
1988 			BPF_MOV64_IMM(BPF_REG_0, 0),
1989 			BPF_EXIT_INSN(),
1990 		},
1991 		.errstr_unpriv = "R1 leaks addr",
1992 		.result_unpriv = REJECT,
1993 		.errstr = "invalid bpf_context access",
1994 		.result = REJECT,
1995 	},
1996 	{
1997 		"unpriv: spill/fill of ctx",
1998 		.insns = {
1999 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2000 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2001 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2002 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2003 			BPF_MOV64_IMM(BPF_REG_0, 0),
2004 			BPF_EXIT_INSN(),
2005 		},
2006 		.result = ACCEPT,
2007 	},
2008 	{
2009 		"unpriv: spill/fill of ctx 2",
2010 		.insns = {
2011 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2012 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2013 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2014 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2015 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2016 				     BPF_FUNC_get_hash_recalc),
2017 			BPF_EXIT_INSN(),
2018 		},
2019 		.result = ACCEPT,
2020 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2021 	},
2022 	{
2023 		"unpriv: spill/fill of ctx 3",
2024 		.insns = {
2025 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2026 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2027 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2028 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2029 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2030 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2031 				     BPF_FUNC_get_hash_recalc),
2032 			BPF_EXIT_INSN(),
2033 		},
2034 		.result = REJECT,
2035 		.errstr = "R1 type=fp expected=ctx",
2036 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2037 	},
2038 	{
2039 		"unpriv: spill/fill of ctx 4",
2040 		.insns = {
2041 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2042 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2043 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2044 			BPF_MOV64_IMM(BPF_REG_0, 1),
2045 			BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2046 				     BPF_REG_0, -8, 0),
2047 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2048 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2049 				     BPF_FUNC_get_hash_recalc),
2050 			BPF_EXIT_INSN(),
2051 		},
2052 		.result = REJECT,
2053 		.errstr = "R1 type=inv expected=ctx",
2054 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2055 	},
2056 	{
2057 		"unpriv: spill/fill of different pointers stx",
2058 		.insns = {
2059 			BPF_MOV64_IMM(BPF_REG_3, 42),
2060 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2061 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2062 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2063 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2064 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2065 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2066 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2067 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2068 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2069 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2070 				    offsetof(struct __sk_buff, mark)),
2071 			BPF_MOV64_IMM(BPF_REG_0, 0),
2072 			BPF_EXIT_INSN(),
2073 		},
2074 		.result = REJECT,
2075 		.errstr = "same insn cannot be used with different pointers",
2076 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2077 	},
2078 	{
2079 		"unpriv: spill/fill of different pointers ldx",
2080 		.insns = {
2081 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2082 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2083 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2084 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2085 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2086 				      -(__s32)offsetof(struct bpf_perf_event_data,
2087 						       sample_period) - 8),
2088 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2089 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2090 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2091 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2092 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2093 				    offsetof(struct bpf_perf_event_data,
2094 					     sample_period)),
2095 			BPF_MOV64_IMM(BPF_REG_0, 0),
2096 			BPF_EXIT_INSN(),
2097 		},
2098 		.result = REJECT,
2099 		.errstr = "same insn cannot be used with different pointers",
2100 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
2101 	},
2102 	{
2103 		"unpriv: write pointer into map elem value",
2104 		.insns = {
2105 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2106 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2107 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2108 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2109 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2110 				     BPF_FUNC_map_lookup_elem),
2111 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2112 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2113 			BPF_EXIT_INSN(),
2114 		},
2115 		.fixup_map1 = { 3 },
2116 		.errstr_unpriv = "R0 leaks addr",
2117 		.result_unpriv = REJECT,
2118 		.result = ACCEPT,
2119 	},
2120 	{
2121 		"unpriv: partial copy of pointer",
2122 		.insns = {
2123 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2124 			BPF_MOV64_IMM(BPF_REG_0, 0),
2125 			BPF_EXIT_INSN(),
2126 		},
2127 		.errstr_unpriv = "R10 partial copy",
2128 		.result_unpriv = REJECT,
2129 		.result = ACCEPT,
2130 	},
2131 	{
2132 		"unpriv: pass pointer to tail_call",
2133 		.insns = {
2134 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2135 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2136 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2137 				     BPF_FUNC_tail_call),
2138 			BPF_MOV64_IMM(BPF_REG_0, 0),
2139 			BPF_EXIT_INSN(),
2140 		},
2141 		.fixup_prog = { 1 },
2142 		.errstr_unpriv = "R3 leaks addr into helper",
2143 		.result_unpriv = REJECT,
2144 		.result = ACCEPT,
2145 	},
2146 	{
2147 		"unpriv: cmp map pointer with zero",
2148 		.insns = {
2149 			BPF_MOV64_IMM(BPF_REG_1, 0),
2150 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2151 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2152 			BPF_MOV64_IMM(BPF_REG_0, 0),
2153 			BPF_EXIT_INSN(),
2154 		},
2155 		.fixup_map1 = { 1 },
2156 		.errstr_unpriv = "R1 pointer comparison",
2157 		.result_unpriv = REJECT,
2158 		.result = ACCEPT,
2159 	},
2160 	{
2161 		"unpriv: write into frame pointer",
2162 		.insns = {
2163 			BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2164 			BPF_MOV64_IMM(BPF_REG_0, 0),
2165 			BPF_EXIT_INSN(),
2166 		},
2167 		.errstr = "frame pointer is read only",
2168 		.result = REJECT,
2169 	},
2170 	{
2171 		"unpriv: spill/fill frame pointer",
2172 		.insns = {
2173 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2174 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2175 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2176 			BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2177 			BPF_MOV64_IMM(BPF_REG_0, 0),
2178 			BPF_EXIT_INSN(),
2179 		},
2180 		.errstr = "frame pointer is read only",
2181 		.result = REJECT,
2182 	},
2183 	{
2184 		"unpriv: cmp of frame pointer",
2185 		.insns = {
2186 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2187 			BPF_MOV64_IMM(BPF_REG_0, 0),
2188 			BPF_EXIT_INSN(),
2189 		},
2190 		.errstr_unpriv = "R10 pointer comparison",
2191 		.result_unpriv = REJECT,
2192 		.result = ACCEPT,
2193 	},
2194 	{
2195 		"unpriv: adding of fp",
2196 		.insns = {
2197 			BPF_MOV64_IMM(BPF_REG_0, 0),
2198 			BPF_MOV64_IMM(BPF_REG_1, 0),
2199 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2200 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2201 			BPF_EXIT_INSN(),
2202 		},
2203 		.result = ACCEPT,
2204 	},
2205 	{
2206 		"unpriv: cmp of stack pointer",
2207 		.insns = {
2208 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2209 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2210 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2211 			BPF_MOV64_IMM(BPF_REG_0, 0),
2212 			BPF_EXIT_INSN(),
2213 		},
2214 		.errstr_unpriv = "R2 pointer comparison",
2215 		.result_unpriv = REJECT,
2216 		.result = ACCEPT,
2217 	},
2218 	{
2219 		"stack pointer arithmetic",
2220 		.insns = {
2221 			BPF_MOV64_IMM(BPF_REG_1, 4),
2222 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2223 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2224 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2225 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2226 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2227 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2228 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2229 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2230 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2231 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2232 			BPF_MOV64_IMM(BPF_REG_0, 0),
2233 			BPF_EXIT_INSN(),
2234 		},
2235 		.result = ACCEPT,
2236 	},
2237 	{
2238 		"raw_stack: no skb_load_bytes",
2239 		.insns = {
2240 			BPF_MOV64_IMM(BPF_REG_2, 4),
2241 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2242 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2243 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2244 			BPF_MOV64_IMM(BPF_REG_4, 8),
2245 			/* Call to skb_load_bytes() omitted. */
2246 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2247 			BPF_EXIT_INSN(),
2248 		},
2249 		.result = REJECT,
2250 		.errstr = "invalid read from stack off -8+0 size 8",
2251 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2252 	},
2253 	{
2254 		"raw_stack: skb_load_bytes, negative len",
2255 		.insns = {
2256 			BPF_MOV64_IMM(BPF_REG_2, 4),
2257 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2258 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2259 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2260 			BPF_MOV64_IMM(BPF_REG_4, -8),
2261 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2262 				     BPF_FUNC_skb_load_bytes),
2263 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2264 			BPF_EXIT_INSN(),
2265 		},
2266 		.result = REJECT,
2267 		.errstr = "R4 min value is negative",
2268 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2269 	},
2270 	{
2271 		"raw_stack: skb_load_bytes, negative len 2",
2272 		.insns = {
2273 			BPF_MOV64_IMM(BPF_REG_2, 4),
2274 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2275 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2276 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2277 			BPF_MOV64_IMM(BPF_REG_4, ~0),
2278 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2279 				     BPF_FUNC_skb_load_bytes),
2280 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2281 			BPF_EXIT_INSN(),
2282 		},
2283 		.result = REJECT,
2284 		.errstr = "R4 min value is negative",
2285 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2286 	},
2287 	{
2288 		"raw_stack: skb_load_bytes, zero len",
2289 		.insns = {
2290 			BPF_MOV64_IMM(BPF_REG_2, 4),
2291 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2292 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2293 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2294 			BPF_MOV64_IMM(BPF_REG_4, 0),
2295 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2296 				     BPF_FUNC_skb_load_bytes),
2297 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2298 			BPF_EXIT_INSN(),
2299 		},
2300 		.result = REJECT,
2301 		.errstr = "invalid stack type R3",
2302 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2303 	},
2304 	{
2305 		"raw_stack: skb_load_bytes, no init",
2306 		.insns = {
2307 			BPF_MOV64_IMM(BPF_REG_2, 4),
2308 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2309 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2310 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2311 			BPF_MOV64_IMM(BPF_REG_4, 8),
2312 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2313 				     BPF_FUNC_skb_load_bytes),
2314 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2315 			BPF_EXIT_INSN(),
2316 		},
2317 		.result = ACCEPT,
2318 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2319 	},
2320 	{
2321 		"raw_stack: skb_load_bytes, init",
2322 		.insns = {
2323 			BPF_MOV64_IMM(BPF_REG_2, 4),
2324 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2325 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2326 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2327 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2328 			BPF_MOV64_IMM(BPF_REG_4, 8),
2329 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2330 				     BPF_FUNC_skb_load_bytes),
2331 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2332 			BPF_EXIT_INSN(),
2333 		},
2334 		.result = ACCEPT,
2335 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2336 	},
2337 	{
2338 		"raw_stack: skb_load_bytes, spilled regs around bounds",
2339 		.insns = {
2340 			BPF_MOV64_IMM(BPF_REG_2, 4),
2341 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2342 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2343 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2344 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2345 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2346 			BPF_MOV64_IMM(BPF_REG_4, 8),
2347 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2348 				     BPF_FUNC_skb_load_bytes),
2349 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2350 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2351 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2352 				    offsetof(struct __sk_buff, mark)),
2353 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2354 				    offsetof(struct __sk_buff, priority)),
2355 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2356 			BPF_EXIT_INSN(),
2357 		},
2358 		.result = ACCEPT,
2359 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2360 	},
2361 	{
2362 		"raw_stack: skb_load_bytes, spilled regs corruption",
2363 		.insns = {
2364 			BPF_MOV64_IMM(BPF_REG_2, 4),
2365 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2366 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2367 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2368 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2369 			BPF_MOV64_IMM(BPF_REG_4, 8),
2370 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2371 				     BPF_FUNC_skb_load_bytes),
2372 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2373 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2374 				    offsetof(struct __sk_buff, mark)),
2375 			BPF_EXIT_INSN(),
2376 		},
2377 		.result = REJECT,
2378 		.errstr = "R0 invalid mem access 'inv'",
2379 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2380 	},
2381 	{
2382 		"raw_stack: skb_load_bytes, spilled regs corruption 2",
2383 		.insns = {
2384 			BPF_MOV64_IMM(BPF_REG_2, 4),
2385 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2386 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2387 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2388 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
2389 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2390 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2391 			BPF_MOV64_IMM(BPF_REG_4, 8),
2392 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2393 				     BPF_FUNC_skb_load_bytes),
2394 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2395 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2396 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
2397 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2398 				    offsetof(struct __sk_buff, mark)),
2399 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2400 				    offsetof(struct __sk_buff, priority)),
2401 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2402 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
2403 				    offsetof(struct __sk_buff, pkt_type)),
2404 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2405 			BPF_EXIT_INSN(),
2406 		},
2407 		.result = REJECT,
2408 		.errstr = "R3 invalid mem access 'inv'",
2409 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2410 	},
2411 	{
2412 		"raw_stack: skb_load_bytes, spilled regs + data",
2413 		.insns = {
2414 			BPF_MOV64_IMM(BPF_REG_2, 4),
2415 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2416 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2417 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2418 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
2419 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2420 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2421 			BPF_MOV64_IMM(BPF_REG_4, 8),
2422 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2423 				     BPF_FUNC_skb_load_bytes),
2424 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2425 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2426 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
2427 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2428 				    offsetof(struct __sk_buff, mark)),
2429 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2430 				    offsetof(struct __sk_buff, priority)),
2431 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2432 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2433 			BPF_EXIT_INSN(),
2434 		},
2435 		.result = ACCEPT,
2436 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2437 	},
2438 	{
2439 		"raw_stack: skb_load_bytes, invalid access 1",
2440 		.insns = {
2441 			BPF_MOV64_IMM(BPF_REG_2, 4),
2442 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2443 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2444 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2445 			BPF_MOV64_IMM(BPF_REG_4, 8),
2446 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2447 				     BPF_FUNC_skb_load_bytes),
2448 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2449 			BPF_EXIT_INSN(),
2450 		},
2451 		.result = REJECT,
2452 		.errstr = "invalid stack type R3 off=-513 access_size=8",
2453 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2454 	},
2455 	{
2456 		"raw_stack: skb_load_bytes, invalid access 2",
2457 		.insns = {
2458 			BPF_MOV64_IMM(BPF_REG_2, 4),
2459 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2460 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2461 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2462 			BPF_MOV64_IMM(BPF_REG_4, 8),
2463 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2464 				     BPF_FUNC_skb_load_bytes),
2465 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2466 			BPF_EXIT_INSN(),
2467 		},
2468 		.result = REJECT,
2469 		.errstr = "invalid stack type R3 off=-1 access_size=8",
2470 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2471 	},
2472 	{
2473 		"raw_stack: skb_load_bytes, invalid access 3",
2474 		.insns = {
2475 			BPF_MOV64_IMM(BPF_REG_2, 4),
2476 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2477 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2478 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2479 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2480 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2481 				     BPF_FUNC_skb_load_bytes),
2482 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2483 			BPF_EXIT_INSN(),
2484 		},
2485 		.result = REJECT,
2486 		.errstr = "R4 min value is negative",
2487 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2488 	},
2489 	{
2490 		"raw_stack: skb_load_bytes, invalid access 4",
2491 		.insns = {
2492 			BPF_MOV64_IMM(BPF_REG_2, 4),
2493 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2494 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2495 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2496 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2497 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2498 				     BPF_FUNC_skb_load_bytes),
2499 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2500 			BPF_EXIT_INSN(),
2501 		},
2502 		.result = REJECT,
2503 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
2504 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2505 	},
2506 	{
2507 		"raw_stack: skb_load_bytes, invalid access 5",
2508 		.insns = {
2509 			BPF_MOV64_IMM(BPF_REG_2, 4),
2510 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2511 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2512 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2513 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2514 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2515 				     BPF_FUNC_skb_load_bytes),
2516 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2517 			BPF_EXIT_INSN(),
2518 		},
2519 		.result = REJECT,
2520 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
2521 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2522 	},
2523 	{
2524 		"raw_stack: skb_load_bytes, invalid access 6",
2525 		.insns = {
2526 			BPF_MOV64_IMM(BPF_REG_2, 4),
2527 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2528 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2529 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2530 			BPF_MOV64_IMM(BPF_REG_4, 0),
2531 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2532 				     BPF_FUNC_skb_load_bytes),
2533 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2534 			BPF_EXIT_INSN(),
2535 		},
2536 		.result = REJECT,
2537 		.errstr = "invalid stack type R3 off=-512 access_size=0",
2538 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2539 	},
2540 	{
2541 		"raw_stack: skb_load_bytes, large access",
2542 		.insns = {
2543 			BPF_MOV64_IMM(BPF_REG_2, 4),
2544 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2545 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2546 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2547 			BPF_MOV64_IMM(BPF_REG_4, 512),
2548 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2549 				     BPF_FUNC_skb_load_bytes),
2550 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2551 			BPF_EXIT_INSN(),
2552 		},
2553 		.result = ACCEPT,
2554 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2555 	},
2556 	{
2557 		"direct packet access: test1",
2558 		.insns = {
2559 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2560 				    offsetof(struct __sk_buff, data)),
2561 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2562 				    offsetof(struct __sk_buff, data_end)),
2563 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2564 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2565 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2566 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2567 			BPF_MOV64_IMM(BPF_REG_0, 0),
2568 			BPF_EXIT_INSN(),
2569 		},
2570 		.result = ACCEPT,
2571 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2572 	},
2573 	{
2574 		"direct packet access: test2",
2575 		.insns = {
2576 			BPF_MOV64_IMM(BPF_REG_0, 1),
2577 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
2578 				    offsetof(struct __sk_buff, data_end)),
2579 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2580 				    offsetof(struct __sk_buff, data)),
2581 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2582 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
2583 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
2584 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
2585 			BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
2586 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
2587 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2588 				    offsetof(struct __sk_buff, data)),
2589 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
2590 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2591 				    offsetof(struct __sk_buff, len)),
2592 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
2593 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
2594 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
2595 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
2596 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2597 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2598 				    offsetof(struct __sk_buff, data_end)),
2599 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
2600 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
2601 			BPF_MOV64_IMM(BPF_REG_0, 0),
2602 			BPF_EXIT_INSN(),
2603 		},
2604 		.result = ACCEPT,
2605 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2606 	},
2607 	{
2608 		"direct packet access: test3",
2609 		.insns = {
2610 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2611 				    offsetof(struct __sk_buff, data)),
2612 			BPF_MOV64_IMM(BPF_REG_0, 0),
2613 			BPF_EXIT_INSN(),
2614 		},
2615 		.errstr = "invalid bpf_context access off=76",
2616 		.result = REJECT,
2617 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2618 	},
2619 	{
2620 		"direct packet access: test4 (write)",
2621 		.insns = {
2622 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2623 				    offsetof(struct __sk_buff, data)),
2624 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2625 				    offsetof(struct __sk_buff, data_end)),
2626 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2627 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2628 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2629 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2630 			BPF_MOV64_IMM(BPF_REG_0, 0),
2631 			BPF_EXIT_INSN(),
2632 		},
2633 		.result = ACCEPT,
2634 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2635 	},
2636 	{
2637 		"direct packet access: test5 (pkt_end >= reg, good access)",
2638 		.insns = {
2639 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2640 				    offsetof(struct __sk_buff, data)),
2641 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2642 				    offsetof(struct __sk_buff, data_end)),
2643 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2644 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2645 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2646 			BPF_MOV64_IMM(BPF_REG_0, 1),
2647 			BPF_EXIT_INSN(),
2648 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2649 			BPF_MOV64_IMM(BPF_REG_0, 0),
2650 			BPF_EXIT_INSN(),
2651 		},
2652 		.result = ACCEPT,
2653 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2654 	},
2655 	{
2656 		"direct packet access: test6 (pkt_end >= reg, bad access)",
2657 		.insns = {
2658 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2659 				    offsetof(struct __sk_buff, data)),
2660 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2661 				    offsetof(struct __sk_buff, data_end)),
2662 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2663 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2664 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2665 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2666 			BPF_MOV64_IMM(BPF_REG_0, 1),
2667 			BPF_EXIT_INSN(),
2668 			BPF_MOV64_IMM(BPF_REG_0, 0),
2669 			BPF_EXIT_INSN(),
2670 		},
2671 		.errstr = "invalid access to packet",
2672 		.result = REJECT,
2673 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2674 	},
2675 	{
2676 		"direct packet access: test7 (pkt_end >= reg, both accesses)",
2677 		.insns = {
2678 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2679 				    offsetof(struct __sk_buff, data)),
2680 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2681 				    offsetof(struct __sk_buff, data_end)),
2682 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2683 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2684 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2685 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2686 			BPF_MOV64_IMM(BPF_REG_0, 1),
2687 			BPF_EXIT_INSN(),
2688 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2689 			BPF_MOV64_IMM(BPF_REG_0, 0),
2690 			BPF_EXIT_INSN(),
2691 		},
2692 		.errstr = "invalid access to packet",
2693 		.result = REJECT,
2694 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2695 	},
2696 	{
2697 		"direct packet access: test8 (double test, variant 1)",
2698 		.insns = {
2699 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2700 				    offsetof(struct __sk_buff, data)),
2701 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2702 				    offsetof(struct __sk_buff, data_end)),
2703 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2704 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2705 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
2706 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2707 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2708 			BPF_MOV64_IMM(BPF_REG_0, 1),
2709 			BPF_EXIT_INSN(),
2710 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2711 			BPF_MOV64_IMM(BPF_REG_0, 0),
2712 			BPF_EXIT_INSN(),
2713 		},
2714 		.result = ACCEPT,
2715 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2716 	},
2717 	{
2718 		"direct packet access: test9 (double test, variant 2)",
2719 		.insns = {
2720 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2721 				    offsetof(struct __sk_buff, data)),
2722 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2723 				    offsetof(struct __sk_buff, data_end)),
2724 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2725 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2726 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2727 			BPF_MOV64_IMM(BPF_REG_0, 1),
2728 			BPF_EXIT_INSN(),
2729 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2730 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2731 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2732 			BPF_MOV64_IMM(BPF_REG_0, 0),
2733 			BPF_EXIT_INSN(),
2734 		},
2735 		.result = ACCEPT,
2736 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2737 	},
2738 	{
2739 		"direct packet access: test10 (write invalid)",
2740 		.insns = {
2741 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2742 				    offsetof(struct __sk_buff, data)),
2743 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2744 				    offsetof(struct __sk_buff, data_end)),
2745 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2746 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2747 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
2748 			BPF_MOV64_IMM(BPF_REG_0, 0),
2749 			BPF_EXIT_INSN(),
2750 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2751 			BPF_MOV64_IMM(BPF_REG_0, 0),
2752 			BPF_EXIT_INSN(),
2753 		},
2754 		.errstr = "invalid access to packet",
2755 		.result = REJECT,
2756 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2757 	},
2758 	{
2759 		"direct packet access: test11 (shift, good access)",
2760 		.insns = {
2761 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2762 				    offsetof(struct __sk_buff, data)),
2763 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2764 				    offsetof(struct __sk_buff, data_end)),
2765 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2766 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2767 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2768 			BPF_MOV64_IMM(BPF_REG_3, 144),
2769 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2770 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2771 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
2772 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2773 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2774 			BPF_MOV64_IMM(BPF_REG_0, 1),
2775 			BPF_EXIT_INSN(),
2776 			BPF_MOV64_IMM(BPF_REG_0, 0),
2777 			BPF_EXIT_INSN(),
2778 		},
2779 		.result = ACCEPT,
2780 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2781 	},
2782 	{
2783 		"direct packet access: test12 (and, good access)",
2784 		.insns = {
2785 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2786 				    offsetof(struct __sk_buff, data)),
2787 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2788 				    offsetof(struct __sk_buff, data_end)),
2789 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2790 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2791 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2792 			BPF_MOV64_IMM(BPF_REG_3, 144),
2793 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2794 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2795 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2796 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2797 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2798 			BPF_MOV64_IMM(BPF_REG_0, 1),
2799 			BPF_EXIT_INSN(),
2800 			BPF_MOV64_IMM(BPF_REG_0, 0),
2801 			BPF_EXIT_INSN(),
2802 		},
2803 		.result = ACCEPT,
2804 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2805 	},
2806 	{
2807 		"direct packet access: test13 (branches, good access)",
2808 		.insns = {
2809 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2810 				    offsetof(struct __sk_buff, data)),
2811 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2812 				    offsetof(struct __sk_buff, data_end)),
2813 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2814 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2815 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
2816 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2817 				    offsetof(struct __sk_buff, mark)),
2818 			BPF_MOV64_IMM(BPF_REG_4, 1),
2819 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
2820 			BPF_MOV64_IMM(BPF_REG_3, 14),
2821 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
2822 			BPF_MOV64_IMM(BPF_REG_3, 24),
2823 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2824 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2825 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2826 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2827 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2828 			BPF_MOV64_IMM(BPF_REG_0, 1),
2829 			BPF_EXIT_INSN(),
2830 			BPF_MOV64_IMM(BPF_REG_0, 0),
2831 			BPF_EXIT_INSN(),
2832 		},
2833 		.result = ACCEPT,
2834 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2835 	},
2836 	{
2837 		"direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
2838 		.insns = {
2839 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2840 				    offsetof(struct __sk_buff, data)),
2841 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2842 				    offsetof(struct __sk_buff, data_end)),
2843 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2844 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2845 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
2846 			BPF_MOV64_IMM(BPF_REG_5, 12),
2847 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
2848 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2849 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2850 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
2851 			BPF_MOV64_IMM(BPF_REG_0, 1),
2852 			BPF_EXIT_INSN(),
2853 			BPF_MOV64_IMM(BPF_REG_0, 0),
2854 			BPF_EXIT_INSN(),
2855 		},
2856 		.result = ACCEPT,
2857 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2858 	},
2859 	{
2860 		"direct packet access: test15 (spill with xadd)",
2861 		.insns = {
2862 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2863 				    offsetof(struct __sk_buff, data)),
2864 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2865 				    offsetof(struct __sk_buff, data_end)),
2866 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2867 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2868 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2869 			BPF_MOV64_IMM(BPF_REG_5, 4096),
2870 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2871 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2872 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2873 			BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
2874 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
2875 			BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
2876 			BPF_MOV64_IMM(BPF_REG_0, 0),
2877 			BPF_EXIT_INSN(),
2878 		},
2879 		.errstr = "R2 invalid mem access 'inv'",
2880 		.result = REJECT,
2881 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2882 	},
2883 	{
2884 		"direct packet access: test16 (arith on data_end)",
2885 		.insns = {
2886 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2887 				    offsetof(struct __sk_buff, data)),
2888 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2889 				    offsetof(struct __sk_buff, data_end)),
2890 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2891 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2892 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
2893 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2894 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2895 			BPF_MOV64_IMM(BPF_REG_0, 0),
2896 			BPF_EXIT_INSN(),
2897 		},
2898 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
2899 		.result = REJECT,
2900 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2901 	},
2902 	{
2903 		"direct packet access: test17 (pruning, alignment)",
2904 		.insns = {
2905 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2906 				    offsetof(struct __sk_buff, data)),
2907 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2908 				    offsetof(struct __sk_buff, data_end)),
2909 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2910 				    offsetof(struct __sk_buff, mark)),
2911 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2912 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
2913 			BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
2914 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2915 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
2916 			BPF_MOV64_IMM(BPF_REG_0, 0),
2917 			BPF_EXIT_INSN(),
2918 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
2919 			BPF_JMP_A(-6),
2920 		},
2921 		.errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
2922 		.result = REJECT,
2923 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2924 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2925 	},
2926 	{
2927 		"direct packet access: test18 (imm += pkt_ptr, 1)",
2928 		.insns = {
2929 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2930 				    offsetof(struct __sk_buff, data)),
2931 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2932 				    offsetof(struct __sk_buff, data_end)),
2933 			BPF_MOV64_IMM(BPF_REG_0, 8),
2934 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2935 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2936 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2937 			BPF_MOV64_IMM(BPF_REG_0, 0),
2938 			BPF_EXIT_INSN(),
2939 		},
2940 		.result = ACCEPT,
2941 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2942 	},
2943 	{
2944 		"direct packet access: test19 (imm += pkt_ptr, 2)",
2945 		.insns = {
2946 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2947 				    offsetof(struct __sk_buff, data)),
2948 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2949 				    offsetof(struct __sk_buff, data_end)),
2950 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2951 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2952 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
2953 			BPF_MOV64_IMM(BPF_REG_4, 4),
2954 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2955 			BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
2956 			BPF_MOV64_IMM(BPF_REG_0, 0),
2957 			BPF_EXIT_INSN(),
2958 		},
2959 		.result = ACCEPT,
2960 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2961 	},
2962 	{
2963 		"direct packet access: test20 (x += pkt_ptr, 1)",
2964 		.insns = {
2965 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2966 				    offsetof(struct __sk_buff, data)),
2967 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2968 				    offsetof(struct __sk_buff, data_end)),
2969 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
2970 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
2971 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
2972 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
2973 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
2974 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
2975 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2976 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
2977 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
2978 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
2979 			BPF_MOV64_IMM(BPF_REG_0, 0),
2980 			BPF_EXIT_INSN(),
2981 		},
2982 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2983 		.result = ACCEPT,
2984 	},
2985 	{
2986 		"direct packet access: test21 (x += pkt_ptr, 2)",
2987 		.insns = {
2988 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2989 				    offsetof(struct __sk_buff, data)),
2990 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2991 				    offsetof(struct __sk_buff, data_end)),
2992 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2993 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2994 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
2995 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2996 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
2997 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
2998 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
2999 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3000 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3001 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3002 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3003 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3004 			BPF_MOV64_IMM(BPF_REG_0, 0),
3005 			BPF_EXIT_INSN(),
3006 		},
3007 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3008 		.result = ACCEPT,
3009 	},
3010 	{
3011 		"direct packet access: test22 (x += pkt_ptr, 3)",
3012 		.insns = {
3013 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3014 				    offsetof(struct __sk_buff, data)),
3015 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3016 				    offsetof(struct __sk_buff, data_end)),
3017 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3018 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3019 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3020 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3021 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3022 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3023 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3024 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3025 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3026 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3027 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3028 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3029 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3030 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3031 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3032 			BPF_MOV64_IMM(BPF_REG_2, 1),
3033 			BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3034 			BPF_MOV64_IMM(BPF_REG_0, 0),
3035 			BPF_EXIT_INSN(),
3036 		},
3037 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3038 		.result = ACCEPT,
3039 	},
3040 	{
3041 		"direct packet access: test23 (x += pkt_ptr, 4)",
3042 		.insns = {
3043 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3044 				    offsetof(struct __sk_buff, data)),
3045 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3046 				    offsetof(struct __sk_buff, data_end)),
3047 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3048 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3049 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3050 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3051 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3052 			BPF_MOV64_IMM(BPF_REG_0, 31),
3053 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3054 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3055 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3056 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3057 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3058 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3059 			BPF_MOV64_IMM(BPF_REG_0, 0),
3060 			BPF_EXIT_INSN(),
3061 		},
3062 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3063 		.result = REJECT,
3064 		.errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3065 	},
3066 	{
3067 		"direct packet access: test24 (x += pkt_ptr, 5)",
3068 		.insns = {
3069 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3070 				    offsetof(struct __sk_buff, data)),
3071 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3072 				    offsetof(struct __sk_buff, data_end)),
3073 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3074 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3075 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3076 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3077 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3078 			BPF_MOV64_IMM(BPF_REG_0, 64),
3079 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3080 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3081 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3082 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3083 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3084 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3085 			BPF_MOV64_IMM(BPF_REG_0, 0),
3086 			BPF_EXIT_INSN(),
3087 		},
3088 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3089 		.result = ACCEPT,
3090 	},
3091 	{
3092 		"direct packet access: test25 (marking on <, good access)",
3093 		.insns = {
3094 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3095 				    offsetof(struct __sk_buff, data)),
3096 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3097 				    offsetof(struct __sk_buff, data_end)),
3098 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3099 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3100 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3101 			BPF_MOV64_IMM(BPF_REG_0, 0),
3102 			BPF_EXIT_INSN(),
3103 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3104 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3105 		},
3106 		.result = ACCEPT,
3107 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3108 	},
3109 	{
3110 		"direct packet access: test26 (marking on <, bad access)",
3111 		.insns = {
3112 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3113 				    offsetof(struct __sk_buff, data)),
3114 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3115 				    offsetof(struct __sk_buff, data_end)),
3116 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3117 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3118 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3119 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3120 			BPF_MOV64_IMM(BPF_REG_0, 0),
3121 			BPF_EXIT_INSN(),
3122 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3123 		},
3124 		.result = REJECT,
3125 		.errstr = "invalid access to packet",
3126 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3127 	},
3128 	{
3129 		"direct packet access: test27 (marking on <=, good access)",
3130 		.insns = {
3131 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3132 				    offsetof(struct __sk_buff, data)),
3133 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3134 				    offsetof(struct __sk_buff, data_end)),
3135 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3136 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3137 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3138 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3139 			BPF_MOV64_IMM(BPF_REG_0, 1),
3140 			BPF_EXIT_INSN(),
3141 		},
3142 		.result = ACCEPT,
3143 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3144 	},
3145 	{
3146 		"direct packet access: test28 (marking on <=, bad access)",
3147 		.insns = {
3148 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3149 				    offsetof(struct __sk_buff, data)),
3150 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3151 				    offsetof(struct __sk_buff, data_end)),
3152 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3153 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3154 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3155 			BPF_MOV64_IMM(BPF_REG_0, 1),
3156 			BPF_EXIT_INSN(),
3157 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3158 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3159 		},
3160 		.result = REJECT,
3161 		.errstr = "invalid access to packet",
3162 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3163 	},
3164 	{
3165 		"helper access to packet: test1, valid packet_ptr range",
3166 		.insns = {
3167 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3168 				    offsetof(struct xdp_md, data)),
3169 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3170 				    offsetof(struct xdp_md, data_end)),
3171 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3172 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3173 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3174 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3175 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3176 			BPF_MOV64_IMM(BPF_REG_4, 0),
3177 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3178 				     BPF_FUNC_map_update_elem),
3179 			BPF_MOV64_IMM(BPF_REG_0, 0),
3180 			BPF_EXIT_INSN(),
3181 		},
3182 		.fixup_map1 = { 5 },
3183 		.result_unpriv = ACCEPT,
3184 		.result = ACCEPT,
3185 		.prog_type = BPF_PROG_TYPE_XDP,
3186 	},
3187 	{
3188 		"helper access to packet: test2, unchecked packet_ptr",
3189 		.insns = {
3190 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3191 				    offsetof(struct xdp_md, data)),
3192 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3193 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3194 				     BPF_FUNC_map_lookup_elem),
3195 			BPF_MOV64_IMM(BPF_REG_0, 0),
3196 			BPF_EXIT_INSN(),
3197 		},
3198 		.fixup_map1 = { 1 },
3199 		.result = REJECT,
3200 		.errstr = "invalid access to packet",
3201 		.prog_type = BPF_PROG_TYPE_XDP,
3202 	},
3203 	{
3204 		"helper access to packet: test3, variable add",
3205 		.insns = {
3206 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3207 					offsetof(struct xdp_md, data)),
3208 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3209 					offsetof(struct xdp_md, data_end)),
3210 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3211 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3212 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3213 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3214 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3215 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3216 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3217 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3218 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3219 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3220 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3221 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3222 				     BPF_FUNC_map_lookup_elem),
3223 			BPF_MOV64_IMM(BPF_REG_0, 0),
3224 			BPF_EXIT_INSN(),
3225 		},
3226 		.fixup_map1 = { 11 },
3227 		.result = ACCEPT,
3228 		.prog_type = BPF_PROG_TYPE_XDP,
3229 	},
3230 	{
3231 		"helper access to packet: test4, packet_ptr with bad range",
3232 		.insns = {
3233 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3234 				    offsetof(struct xdp_md, data)),
3235 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3236 				    offsetof(struct xdp_md, data_end)),
3237 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3238 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3239 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3240 			BPF_MOV64_IMM(BPF_REG_0, 0),
3241 			BPF_EXIT_INSN(),
3242 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3243 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3244 				     BPF_FUNC_map_lookup_elem),
3245 			BPF_MOV64_IMM(BPF_REG_0, 0),
3246 			BPF_EXIT_INSN(),
3247 		},
3248 		.fixup_map1 = { 7 },
3249 		.result = REJECT,
3250 		.errstr = "invalid access to packet",
3251 		.prog_type = BPF_PROG_TYPE_XDP,
3252 	},
3253 	{
3254 		"helper access to packet: test5, packet_ptr with too short range",
3255 		.insns = {
3256 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3257 				    offsetof(struct xdp_md, data)),
3258 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3259 				    offsetof(struct xdp_md, data_end)),
3260 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3261 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3262 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3263 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3264 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3265 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3266 				     BPF_FUNC_map_lookup_elem),
3267 			BPF_MOV64_IMM(BPF_REG_0, 0),
3268 			BPF_EXIT_INSN(),
3269 		},
3270 		.fixup_map1 = { 6 },
3271 		.result = REJECT,
3272 		.errstr = "invalid access to packet",
3273 		.prog_type = BPF_PROG_TYPE_XDP,
3274 	},
3275 	{
3276 		"helper access to packet: test6, cls valid packet_ptr range",
3277 		.insns = {
3278 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3279 				    offsetof(struct __sk_buff, data)),
3280 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3281 				    offsetof(struct __sk_buff, data_end)),
3282 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3283 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3284 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3285 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3286 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3287 			BPF_MOV64_IMM(BPF_REG_4, 0),
3288 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3289 				     BPF_FUNC_map_update_elem),
3290 			BPF_MOV64_IMM(BPF_REG_0, 0),
3291 			BPF_EXIT_INSN(),
3292 		},
3293 		.fixup_map1 = { 5 },
3294 		.result = ACCEPT,
3295 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3296 	},
3297 	{
3298 		"helper access to packet: test7, cls unchecked packet_ptr",
3299 		.insns = {
3300 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3301 				    offsetof(struct __sk_buff, data)),
3302 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3303 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3304 				     BPF_FUNC_map_lookup_elem),
3305 			BPF_MOV64_IMM(BPF_REG_0, 0),
3306 			BPF_EXIT_INSN(),
3307 		},
3308 		.fixup_map1 = { 1 },
3309 		.result = REJECT,
3310 		.errstr = "invalid access to packet",
3311 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3312 	},
3313 	{
3314 		"helper access to packet: test8, cls variable add",
3315 		.insns = {
3316 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3317 					offsetof(struct __sk_buff, data)),
3318 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3319 					offsetof(struct __sk_buff, data_end)),
3320 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3321 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3322 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3323 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3324 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3325 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3326 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3327 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3328 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3329 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3330 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3331 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3332 				     BPF_FUNC_map_lookup_elem),
3333 			BPF_MOV64_IMM(BPF_REG_0, 0),
3334 			BPF_EXIT_INSN(),
3335 		},
3336 		.fixup_map1 = { 11 },
3337 		.result = ACCEPT,
3338 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3339 	},
3340 	{
3341 		"helper access to packet: test9, cls packet_ptr with bad range",
3342 		.insns = {
3343 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3344 				    offsetof(struct __sk_buff, data)),
3345 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3346 				    offsetof(struct __sk_buff, data_end)),
3347 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3348 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3349 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3350 			BPF_MOV64_IMM(BPF_REG_0, 0),
3351 			BPF_EXIT_INSN(),
3352 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3353 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3354 				     BPF_FUNC_map_lookup_elem),
3355 			BPF_MOV64_IMM(BPF_REG_0, 0),
3356 			BPF_EXIT_INSN(),
3357 		},
3358 		.fixup_map1 = { 7 },
3359 		.result = REJECT,
3360 		.errstr = "invalid access to packet",
3361 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3362 	},
3363 	{
3364 		"helper access to packet: test10, cls packet_ptr with too short range",
3365 		.insns = {
3366 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3367 				    offsetof(struct __sk_buff, data)),
3368 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3369 				    offsetof(struct __sk_buff, data_end)),
3370 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3371 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3372 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3373 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3374 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3375 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3376 				     BPF_FUNC_map_lookup_elem),
3377 			BPF_MOV64_IMM(BPF_REG_0, 0),
3378 			BPF_EXIT_INSN(),
3379 		},
3380 		.fixup_map1 = { 6 },
3381 		.result = REJECT,
3382 		.errstr = "invalid access to packet",
3383 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3384 	},
3385 	{
3386 		"helper access to packet: test11, cls unsuitable helper 1",
3387 		.insns = {
3388 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3389 				    offsetof(struct __sk_buff, data)),
3390 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3391 				    offsetof(struct __sk_buff, data_end)),
3392 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3393 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3394 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
3395 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
3396 			BPF_MOV64_IMM(BPF_REG_2, 0),
3397 			BPF_MOV64_IMM(BPF_REG_4, 42),
3398 			BPF_MOV64_IMM(BPF_REG_5, 0),
3399 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3400 				     BPF_FUNC_skb_store_bytes),
3401 			BPF_MOV64_IMM(BPF_REG_0, 0),
3402 			BPF_EXIT_INSN(),
3403 		},
3404 		.result = REJECT,
3405 		.errstr = "helper access to the packet",
3406 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3407 	},
3408 	{
3409 		"helper access to packet: test12, cls unsuitable helper 2",
3410 		.insns = {
3411 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3412 				    offsetof(struct __sk_buff, data)),
3413 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3414 				    offsetof(struct __sk_buff, data_end)),
3415 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3416 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
3417 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
3418 			BPF_MOV64_IMM(BPF_REG_2, 0),
3419 			BPF_MOV64_IMM(BPF_REG_4, 4),
3420 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3421 				     BPF_FUNC_skb_load_bytes),
3422 			BPF_MOV64_IMM(BPF_REG_0, 0),
3423 			BPF_EXIT_INSN(),
3424 		},
3425 		.result = REJECT,
3426 		.errstr = "helper access to the packet",
3427 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3428 	},
3429 	{
3430 		"helper access to packet: test13, cls helper ok",
3431 		.insns = {
3432 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3433 				    offsetof(struct __sk_buff, data)),
3434 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3435 				    offsetof(struct __sk_buff, data_end)),
3436 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3437 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3438 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3439 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3440 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3441 			BPF_MOV64_IMM(BPF_REG_2, 4),
3442 			BPF_MOV64_IMM(BPF_REG_3, 0),
3443 			BPF_MOV64_IMM(BPF_REG_4, 0),
3444 			BPF_MOV64_IMM(BPF_REG_5, 0),
3445 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3446 				     BPF_FUNC_csum_diff),
3447 			BPF_MOV64_IMM(BPF_REG_0, 0),
3448 			BPF_EXIT_INSN(),
3449 		},
3450 		.result = ACCEPT,
3451 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3452 	},
3453 	{
3454 		"helper access to packet: test14, cls helper ok sub",
3455 		.insns = {
3456 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3457 				    offsetof(struct __sk_buff, data)),
3458 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3459 				    offsetof(struct __sk_buff, data_end)),
3460 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3461 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3462 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3463 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3464 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
3465 			BPF_MOV64_IMM(BPF_REG_2, 4),
3466 			BPF_MOV64_IMM(BPF_REG_3, 0),
3467 			BPF_MOV64_IMM(BPF_REG_4, 0),
3468 			BPF_MOV64_IMM(BPF_REG_5, 0),
3469 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3470 				     BPF_FUNC_csum_diff),
3471 			BPF_MOV64_IMM(BPF_REG_0, 0),
3472 			BPF_EXIT_INSN(),
3473 		},
3474 		.result = ACCEPT,
3475 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3476 	},
3477 	{
3478 		"helper access to packet: test15, cls helper fail sub",
3479 		.insns = {
3480 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3481 				    offsetof(struct __sk_buff, data)),
3482 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3483 				    offsetof(struct __sk_buff, data_end)),
3484 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3485 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3486 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3487 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3488 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
3489 			BPF_MOV64_IMM(BPF_REG_2, 4),
3490 			BPF_MOV64_IMM(BPF_REG_3, 0),
3491 			BPF_MOV64_IMM(BPF_REG_4, 0),
3492 			BPF_MOV64_IMM(BPF_REG_5, 0),
3493 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3494 				     BPF_FUNC_csum_diff),
3495 			BPF_MOV64_IMM(BPF_REG_0, 0),
3496 			BPF_EXIT_INSN(),
3497 		},
3498 		.result = REJECT,
3499 		.errstr = "invalid access to packet",
3500 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3501 	},
3502 	{
3503 		"helper access to packet: test16, cls helper fail range 1",
3504 		.insns = {
3505 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3506 				    offsetof(struct __sk_buff, data)),
3507 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3508 				    offsetof(struct __sk_buff, data_end)),
3509 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3510 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3511 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3512 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3513 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3514 			BPF_MOV64_IMM(BPF_REG_2, 8),
3515 			BPF_MOV64_IMM(BPF_REG_3, 0),
3516 			BPF_MOV64_IMM(BPF_REG_4, 0),
3517 			BPF_MOV64_IMM(BPF_REG_5, 0),
3518 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3519 				     BPF_FUNC_csum_diff),
3520 			BPF_MOV64_IMM(BPF_REG_0, 0),
3521 			BPF_EXIT_INSN(),
3522 		},
3523 		.result = REJECT,
3524 		.errstr = "invalid access to packet",
3525 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3526 	},
3527 	{
3528 		"helper access to packet: test17, cls helper fail range 2",
3529 		.insns = {
3530 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3531 				    offsetof(struct __sk_buff, data)),
3532 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3533 				    offsetof(struct __sk_buff, data_end)),
3534 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3535 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3536 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3537 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3538 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3539 			BPF_MOV64_IMM(BPF_REG_2, -9),
3540 			BPF_MOV64_IMM(BPF_REG_3, 0),
3541 			BPF_MOV64_IMM(BPF_REG_4, 0),
3542 			BPF_MOV64_IMM(BPF_REG_5, 0),
3543 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3544 				     BPF_FUNC_csum_diff),
3545 			BPF_MOV64_IMM(BPF_REG_0, 0),
3546 			BPF_EXIT_INSN(),
3547 		},
3548 		.result = REJECT,
3549 		.errstr = "R2 min value is negative",
3550 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3551 	},
3552 	{
3553 		"helper access to packet: test18, cls helper fail range 3",
3554 		.insns = {
3555 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3556 				    offsetof(struct __sk_buff, data)),
3557 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3558 				    offsetof(struct __sk_buff, data_end)),
3559 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3560 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3561 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3562 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3563 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3564 			BPF_MOV64_IMM(BPF_REG_2, ~0),
3565 			BPF_MOV64_IMM(BPF_REG_3, 0),
3566 			BPF_MOV64_IMM(BPF_REG_4, 0),
3567 			BPF_MOV64_IMM(BPF_REG_5, 0),
3568 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3569 				     BPF_FUNC_csum_diff),
3570 			BPF_MOV64_IMM(BPF_REG_0, 0),
3571 			BPF_EXIT_INSN(),
3572 		},
3573 		.result = REJECT,
3574 		.errstr = "R2 min value is negative",
3575 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3576 	},
3577 	{
3578 		"helper access to packet: test19, cls helper range zero",
3579 		.insns = {
3580 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3581 				    offsetof(struct __sk_buff, data)),
3582 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3583 				    offsetof(struct __sk_buff, data_end)),
3584 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3585 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3586 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3587 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3588 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3589 			BPF_MOV64_IMM(BPF_REG_2, 0),
3590 			BPF_MOV64_IMM(BPF_REG_3, 0),
3591 			BPF_MOV64_IMM(BPF_REG_4, 0),
3592 			BPF_MOV64_IMM(BPF_REG_5, 0),
3593 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3594 				     BPF_FUNC_csum_diff),
3595 			BPF_MOV64_IMM(BPF_REG_0, 0),
3596 			BPF_EXIT_INSN(),
3597 		},
3598 		.result = ACCEPT,
3599 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3600 	},
3601 	{
3602 		"helper access to packet: test20, pkt end as input",
3603 		.insns = {
3604 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3605 				    offsetof(struct __sk_buff, data)),
3606 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3607 				    offsetof(struct __sk_buff, data_end)),
3608 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3609 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3610 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3611 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3612 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
3613 			BPF_MOV64_IMM(BPF_REG_2, 4),
3614 			BPF_MOV64_IMM(BPF_REG_3, 0),
3615 			BPF_MOV64_IMM(BPF_REG_4, 0),
3616 			BPF_MOV64_IMM(BPF_REG_5, 0),
3617 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3618 				     BPF_FUNC_csum_diff),
3619 			BPF_MOV64_IMM(BPF_REG_0, 0),
3620 			BPF_EXIT_INSN(),
3621 		},
3622 		.result = REJECT,
3623 		.errstr = "R1 type=pkt_end expected=fp",
3624 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3625 	},
3626 	{
3627 		"helper access to packet: test21, wrong reg",
3628 		.insns = {
3629 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3630 				    offsetof(struct __sk_buff, data)),
3631 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3632 				    offsetof(struct __sk_buff, data_end)),
3633 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3634 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3635 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3636 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3637 			BPF_MOV64_IMM(BPF_REG_2, 4),
3638 			BPF_MOV64_IMM(BPF_REG_3, 0),
3639 			BPF_MOV64_IMM(BPF_REG_4, 0),
3640 			BPF_MOV64_IMM(BPF_REG_5, 0),
3641 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3642 				     BPF_FUNC_csum_diff),
3643 			BPF_MOV64_IMM(BPF_REG_0, 0),
3644 			BPF_EXIT_INSN(),
3645 		},
3646 		.result = REJECT,
3647 		.errstr = "invalid access to packet",
3648 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3649 	},
3650 	{
3651 		"valid map access into an array with a constant",
3652 		.insns = {
3653 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3654 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3655 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3656 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3657 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3658 				     BPF_FUNC_map_lookup_elem),
3659 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3660 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3661 				   offsetof(struct test_val, foo)),
3662 			BPF_EXIT_INSN(),
3663 		},
3664 		.fixup_map2 = { 3 },
3665 		.errstr_unpriv = "R0 leaks addr",
3666 		.result_unpriv = REJECT,
3667 		.result = ACCEPT,
3668 	},
3669 	{
3670 		"valid map access into an array with a register",
3671 		.insns = {
3672 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3673 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3674 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3675 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3676 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3677 				     BPF_FUNC_map_lookup_elem),
3678 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3679 			BPF_MOV64_IMM(BPF_REG_1, 4),
3680 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3681 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3682 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3683 				   offsetof(struct test_val, foo)),
3684 			BPF_EXIT_INSN(),
3685 		},
3686 		.fixup_map2 = { 3 },
3687 		.errstr_unpriv = "R0 leaks addr",
3688 		.result_unpriv = REJECT,
3689 		.result = ACCEPT,
3690 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3691 	},
3692 	{
3693 		"valid map access into an array with a variable",
3694 		.insns = {
3695 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3696 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3697 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3698 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3699 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3700 				     BPF_FUNC_map_lookup_elem),
3701 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3702 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3703 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
3704 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3705 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3706 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3707 				   offsetof(struct test_val, foo)),
3708 			BPF_EXIT_INSN(),
3709 		},
3710 		.fixup_map2 = { 3 },
3711 		.errstr_unpriv = "R0 leaks addr",
3712 		.result_unpriv = REJECT,
3713 		.result = ACCEPT,
3714 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3715 	},
3716 	{
3717 		"valid map access into an array with a signed variable",
3718 		.insns = {
3719 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3720 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3721 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3722 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3723 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3724 				     BPF_FUNC_map_lookup_elem),
3725 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
3726 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3727 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
3728 			BPF_MOV32_IMM(BPF_REG_1, 0),
3729 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3730 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3731 			BPF_MOV32_IMM(BPF_REG_1, 0),
3732 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3733 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3734 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3735 				   offsetof(struct test_val, foo)),
3736 			BPF_EXIT_INSN(),
3737 		},
3738 		.fixup_map2 = { 3 },
3739 		.errstr_unpriv = "R0 leaks addr",
3740 		.result_unpriv = REJECT,
3741 		.result = ACCEPT,
3742 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3743 	},
3744 	{
3745 		"invalid map access into an array with a constant",
3746 		.insns = {
3747 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3748 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3749 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3750 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3751 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3752 				     BPF_FUNC_map_lookup_elem),
3753 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3754 			BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
3755 				   offsetof(struct test_val, foo)),
3756 			BPF_EXIT_INSN(),
3757 		},
3758 		.fixup_map2 = { 3 },
3759 		.errstr = "invalid access to map value, value_size=48 off=48 size=8",
3760 		.result = REJECT,
3761 	},
3762 	{
3763 		"invalid map access into an array with a register",
3764 		.insns = {
3765 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3766 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3767 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3768 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3769 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3770 				     BPF_FUNC_map_lookup_elem),
3771 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3772 			BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
3773 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3774 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3775 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3776 				   offsetof(struct test_val, foo)),
3777 			BPF_EXIT_INSN(),
3778 		},
3779 		.fixup_map2 = { 3 },
3780 		.errstr = "R0 min value is outside of the array range",
3781 		.result = REJECT,
3782 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3783 	},
3784 	{
3785 		"invalid map access into an array with a variable",
3786 		.insns = {
3787 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3788 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3789 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3790 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3791 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3792 				     BPF_FUNC_map_lookup_elem),
3793 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3794 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3795 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3796 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3797 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3798 				   offsetof(struct test_val, foo)),
3799 			BPF_EXIT_INSN(),
3800 		},
3801 		.fixup_map2 = { 3 },
3802 		.errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
3803 		.result = REJECT,
3804 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3805 	},
3806 	{
3807 		"invalid map access into an array with no floor check",
3808 		.insns = {
3809 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3810 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3811 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3812 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3813 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3814 				     BPF_FUNC_map_lookup_elem),
3815 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3816 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
3817 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3818 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3819 			BPF_MOV32_IMM(BPF_REG_1, 0),
3820 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3821 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3822 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3823 				   offsetof(struct test_val, foo)),
3824 			BPF_EXIT_INSN(),
3825 		},
3826 		.fixup_map2 = { 3 },
3827 		.errstr_unpriv = "R0 leaks addr",
3828 		.errstr = "R0 unbounded memory access",
3829 		.result_unpriv = REJECT,
3830 		.result = REJECT,
3831 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3832 	},
3833 	{
3834 		"invalid map access into an array with a invalid max check",
3835 		.insns = {
3836 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3837 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3838 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3839 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3840 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3841 				     BPF_FUNC_map_lookup_elem),
3842 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3843 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3844 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
3845 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3846 			BPF_MOV32_IMM(BPF_REG_1, 0),
3847 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3848 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3849 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3850 				   offsetof(struct test_val, foo)),
3851 			BPF_EXIT_INSN(),
3852 		},
3853 		.fixup_map2 = { 3 },
3854 		.errstr_unpriv = "R0 leaks addr",
3855 		.errstr = "invalid access to map value, value_size=48 off=44 size=8",
3856 		.result_unpriv = REJECT,
3857 		.result = REJECT,
3858 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3859 	},
3860 	{
3861 		"invalid map access into an array with a invalid max check",
3862 		.insns = {
3863 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3864 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3865 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3866 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3867 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3868 				     BPF_FUNC_map_lookup_elem),
3869 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
3870 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
3871 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3872 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3873 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3874 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3875 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3876 				     BPF_FUNC_map_lookup_elem),
3877 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
3878 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
3879 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3880 				    offsetof(struct test_val, foo)),
3881 			BPF_EXIT_INSN(),
3882 		},
3883 		.fixup_map2 = { 3, 11 },
3884 		.errstr = "R0 pointer += pointer",
3885 		.result = REJECT,
3886 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3887 	},
3888 	{
3889 		"multiple registers share map_lookup_elem result",
3890 		.insns = {
3891 			BPF_MOV64_IMM(BPF_REG_1, 10),
3892 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3893 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3894 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3895 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3896 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3897 				     BPF_FUNC_map_lookup_elem),
3898 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3899 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3900 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3901 			BPF_EXIT_INSN(),
3902 		},
3903 		.fixup_map1 = { 4 },
3904 		.result = ACCEPT,
3905 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
3906 	},
3907 	{
3908 		"alu ops on ptr_to_map_value_or_null, 1",
3909 		.insns = {
3910 			BPF_MOV64_IMM(BPF_REG_1, 10),
3911 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3912 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3913 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3914 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3915 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3916 				     BPF_FUNC_map_lookup_elem),
3917 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3918 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
3919 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
3920 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3921 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3922 			BPF_EXIT_INSN(),
3923 		},
3924 		.fixup_map1 = { 4 },
3925 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
3926 		.result = REJECT,
3927 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
3928 	},
3929 	{
3930 		"alu ops on ptr_to_map_value_or_null, 2",
3931 		.insns = {
3932 			BPF_MOV64_IMM(BPF_REG_1, 10),
3933 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3934 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3935 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3936 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3937 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3938 				     BPF_FUNC_map_lookup_elem),
3939 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3940 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
3941 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3942 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3943 			BPF_EXIT_INSN(),
3944 		},
3945 		.fixup_map1 = { 4 },
3946 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
3947 		.result = REJECT,
3948 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
3949 	},
3950 	{
3951 		"alu ops on ptr_to_map_value_or_null, 3",
3952 		.insns = {
3953 			BPF_MOV64_IMM(BPF_REG_1, 10),
3954 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3955 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3956 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3957 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3958 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3959 				     BPF_FUNC_map_lookup_elem),
3960 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3961 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
3962 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3963 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3964 			BPF_EXIT_INSN(),
3965 		},
3966 		.fixup_map1 = { 4 },
3967 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
3968 		.result = REJECT,
3969 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
3970 	},
3971 	{
3972 		"invalid memory access with multiple map_lookup_elem calls",
3973 		.insns = {
3974 			BPF_MOV64_IMM(BPF_REG_1, 10),
3975 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3976 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3977 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3978 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3979 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
3980 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
3981 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3982 				     BPF_FUNC_map_lookup_elem),
3983 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3984 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
3985 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3986 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3987 				     BPF_FUNC_map_lookup_elem),
3988 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3989 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3990 			BPF_EXIT_INSN(),
3991 		},
3992 		.fixup_map1 = { 4 },
3993 		.result = REJECT,
3994 		.errstr = "R4 !read_ok",
3995 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
3996 	},
3997 	{
3998 		"valid indirect map_lookup_elem access with 2nd lookup in branch",
3999 		.insns = {
4000 			BPF_MOV64_IMM(BPF_REG_1, 10),
4001 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4002 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4003 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4004 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4005 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4006 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4007 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4008 				     BPF_FUNC_map_lookup_elem),
4009 			BPF_MOV64_IMM(BPF_REG_2, 10),
4010 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4011 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4012 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4013 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4014 				     BPF_FUNC_map_lookup_elem),
4015 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4016 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4017 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4018 			BPF_EXIT_INSN(),
4019 		},
4020 		.fixup_map1 = { 4 },
4021 		.result = ACCEPT,
4022 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4023 	},
4024 	{
4025 		"invalid map access from else condition",
4026 		.insns = {
4027 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4028 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4029 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4030 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4031 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4032 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4033 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4034 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4035 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4036 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4037 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4038 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4039 			BPF_EXIT_INSN(),
4040 		},
4041 		.fixup_map2 = { 3 },
4042 		.errstr = "R0 unbounded memory access",
4043 		.result = REJECT,
4044 		.errstr_unpriv = "R0 leaks addr",
4045 		.result_unpriv = REJECT,
4046 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4047 	},
4048 	{
4049 		"constant register |= constant should keep constant type",
4050 		.insns = {
4051 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4052 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4053 			BPF_MOV64_IMM(BPF_REG_2, 34),
4054 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4055 			BPF_MOV64_IMM(BPF_REG_3, 0),
4056 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4057 			BPF_EXIT_INSN(),
4058 		},
4059 		.result = ACCEPT,
4060 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4061 	},
4062 	{
4063 		"constant register |= constant should not bypass stack boundary checks",
4064 		.insns = {
4065 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4066 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4067 			BPF_MOV64_IMM(BPF_REG_2, 34),
4068 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4069 			BPF_MOV64_IMM(BPF_REG_3, 0),
4070 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4071 			BPF_EXIT_INSN(),
4072 		},
4073 		.errstr = "invalid stack type R1 off=-48 access_size=58",
4074 		.result = REJECT,
4075 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4076 	},
4077 	{
4078 		"constant register |= constant register should keep constant type",
4079 		.insns = {
4080 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4081 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4082 			BPF_MOV64_IMM(BPF_REG_2, 34),
4083 			BPF_MOV64_IMM(BPF_REG_4, 13),
4084 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4085 			BPF_MOV64_IMM(BPF_REG_3, 0),
4086 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4087 			BPF_EXIT_INSN(),
4088 		},
4089 		.result = ACCEPT,
4090 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4091 	},
4092 	{
4093 		"constant register |= constant register should not bypass stack boundary checks",
4094 		.insns = {
4095 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4096 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4097 			BPF_MOV64_IMM(BPF_REG_2, 34),
4098 			BPF_MOV64_IMM(BPF_REG_4, 24),
4099 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4100 			BPF_MOV64_IMM(BPF_REG_3, 0),
4101 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4102 			BPF_EXIT_INSN(),
4103 		},
4104 		.errstr = "invalid stack type R1 off=-48 access_size=58",
4105 		.result = REJECT,
4106 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4107 	},
4108 	{
4109 		"invalid direct packet write for LWT_IN",
4110 		.insns = {
4111 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4112 				    offsetof(struct __sk_buff, data)),
4113 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4114 				    offsetof(struct __sk_buff, data_end)),
4115 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4116 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4117 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4118 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4119 			BPF_MOV64_IMM(BPF_REG_0, 0),
4120 			BPF_EXIT_INSN(),
4121 		},
4122 		.errstr = "cannot write into packet",
4123 		.result = REJECT,
4124 		.prog_type = BPF_PROG_TYPE_LWT_IN,
4125 	},
4126 	{
4127 		"invalid direct packet write for LWT_OUT",
4128 		.insns = {
4129 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4130 				    offsetof(struct __sk_buff, data)),
4131 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4132 				    offsetof(struct __sk_buff, data_end)),
4133 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4134 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4135 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4136 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4137 			BPF_MOV64_IMM(BPF_REG_0, 0),
4138 			BPF_EXIT_INSN(),
4139 		},
4140 		.errstr = "cannot write into packet",
4141 		.result = REJECT,
4142 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
4143 	},
4144 	{
4145 		"direct packet write for LWT_XMIT",
4146 		.insns = {
4147 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4148 				    offsetof(struct __sk_buff, data)),
4149 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4150 				    offsetof(struct __sk_buff, data_end)),
4151 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4152 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4153 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4154 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4155 			BPF_MOV64_IMM(BPF_REG_0, 0),
4156 			BPF_EXIT_INSN(),
4157 		},
4158 		.result = ACCEPT,
4159 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4160 	},
4161 	{
4162 		"direct packet read for LWT_IN",
4163 		.insns = {
4164 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4165 				    offsetof(struct __sk_buff, data)),
4166 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4167 				    offsetof(struct __sk_buff, data_end)),
4168 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4169 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4170 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4171 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4172 			BPF_MOV64_IMM(BPF_REG_0, 0),
4173 			BPF_EXIT_INSN(),
4174 		},
4175 		.result = ACCEPT,
4176 		.prog_type = BPF_PROG_TYPE_LWT_IN,
4177 	},
4178 	{
4179 		"direct packet read for LWT_OUT",
4180 		.insns = {
4181 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4182 				    offsetof(struct __sk_buff, data)),
4183 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4184 				    offsetof(struct __sk_buff, data_end)),
4185 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4186 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4187 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4188 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4189 			BPF_MOV64_IMM(BPF_REG_0, 0),
4190 			BPF_EXIT_INSN(),
4191 		},
4192 		.result = ACCEPT,
4193 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
4194 	},
4195 	{
4196 		"direct packet read for LWT_XMIT",
4197 		.insns = {
4198 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4199 				    offsetof(struct __sk_buff, data)),
4200 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4201 				    offsetof(struct __sk_buff, data_end)),
4202 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4203 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4204 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4205 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4206 			BPF_MOV64_IMM(BPF_REG_0, 0),
4207 			BPF_EXIT_INSN(),
4208 		},
4209 		.result = ACCEPT,
4210 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4211 	},
4212 	{
4213 		"overlapping checks for direct packet access",
4214 		.insns = {
4215 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4216 				    offsetof(struct __sk_buff, data)),
4217 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4218 				    offsetof(struct __sk_buff, data_end)),
4219 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4220 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4221 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4222 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4223 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4224 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4225 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4226 			BPF_MOV64_IMM(BPF_REG_0, 0),
4227 			BPF_EXIT_INSN(),
4228 		},
4229 		.result = ACCEPT,
4230 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4231 	},
4232 	{
4233 		"invalid access of tc_classid for LWT_IN",
4234 		.insns = {
4235 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4236 				    offsetof(struct __sk_buff, tc_classid)),
4237 			BPF_EXIT_INSN(),
4238 		},
4239 		.result = REJECT,
4240 		.errstr = "invalid bpf_context access",
4241 	},
4242 	{
4243 		"invalid access of tc_classid for LWT_OUT",
4244 		.insns = {
4245 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4246 				    offsetof(struct __sk_buff, tc_classid)),
4247 			BPF_EXIT_INSN(),
4248 		},
4249 		.result = REJECT,
4250 		.errstr = "invalid bpf_context access",
4251 	},
4252 	{
4253 		"invalid access of tc_classid for LWT_XMIT",
4254 		.insns = {
4255 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4256 				    offsetof(struct __sk_buff, tc_classid)),
4257 			BPF_EXIT_INSN(),
4258 		},
4259 		.result = REJECT,
4260 		.errstr = "invalid bpf_context access",
4261 	},
4262 	{
4263 		"leak pointer into ctx 1",
4264 		.insns = {
4265 			BPF_MOV64_IMM(BPF_REG_0, 0),
4266 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4267 				    offsetof(struct __sk_buff, cb[0])),
4268 			BPF_LD_MAP_FD(BPF_REG_2, 0),
4269 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
4270 				      offsetof(struct __sk_buff, cb[0])),
4271 			BPF_EXIT_INSN(),
4272 		},
4273 		.fixup_map1 = { 2 },
4274 		.errstr_unpriv = "R2 leaks addr into mem",
4275 		.result_unpriv = REJECT,
4276 		.result = ACCEPT,
4277 	},
4278 	{
4279 		"leak pointer into ctx 2",
4280 		.insns = {
4281 			BPF_MOV64_IMM(BPF_REG_0, 0),
4282 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4283 				    offsetof(struct __sk_buff, cb[0])),
4284 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
4285 				      offsetof(struct __sk_buff, cb[0])),
4286 			BPF_EXIT_INSN(),
4287 		},
4288 		.errstr_unpriv = "R10 leaks addr into mem",
4289 		.result_unpriv = REJECT,
4290 		.result = ACCEPT,
4291 	},
4292 	{
4293 		"leak pointer into ctx 3",
4294 		.insns = {
4295 			BPF_MOV64_IMM(BPF_REG_0, 0),
4296 			BPF_LD_MAP_FD(BPF_REG_2, 0),
4297 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
4298 				      offsetof(struct __sk_buff, cb[0])),
4299 			BPF_EXIT_INSN(),
4300 		},
4301 		.fixup_map1 = { 1 },
4302 		.errstr_unpriv = "R2 leaks addr into ctx",
4303 		.result_unpriv = REJECT,
4304 		.result = ACCEPT,
4305 	},
4306 	{
4307 		"leak pointer into map val",
4308 		.insns = {
4309 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
4310 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4311 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4312 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4313 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4314 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4315 				     BPF_FUNC_map_lookup_elem),
4316 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4317 			BPF_MOV64_IMM(BPF_REG_3, 0),
4318 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
4319 			BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
4320 			BPF_MOV64_IMM(BPF_REG_0, 0),
4321 			BPF_EXIT_INSN(),
4322 		},
4323 		.fixup_map1 = { 4 },
4324 		.errstr_unpriv = "R6 leaks addr into mem",
4325 		.result_unpriv = REJECT,
4326 		.result = ACCEPT,
4327 	},
4328 	{
4329 		"helper access to map: full range",
4330 		.insns = {
4331 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4332 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4333 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4334 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4335 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4336 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4337 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4338 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4339 			BPF_MOV64_IMM(BPF_REG_3, 0),
4340 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4341 			BPF_EXIT_INSN(),
4342 		},
4343 		.fixup_map2 = { 3 },
4344 		.result = ACCEPT,
4345 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4346 	},
4347 	{
4348 		"helper access to map: partial range",
4349 		.insns = {
4350 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4351 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4352 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4353 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4354 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4355 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4356 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4357 			BPF_MOV64_IMM(BPF_REG_2, 8),
4358 			BPF_MOV64_IMM(BPF_REG_3, 0),
4359 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4360 			BPF_EXIT_INSN(),
4361 		},
4362 		.fixup_map2 = { 3 },
4363 		.result = ACCEPT,
4364 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4365 	},
4366 	{
4367 		"helper access to map: empty range",
4368 		.insns = {
4369 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4370 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4371 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4372 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4373 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4374 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4375 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4376 			BPF_MOV64_IMM(BPF_REG_2, 0),
4377 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4378 			BPF_EXIT_INSN(),
4379 		},
4380 		.fixup_map2 = { 3 },
4381 		.errstr = "invalid access to map value, value_size=48 off=0 size=0",
4382 		.result = REJECT,
4383 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4384 	},
4385 	{
4386 		"helper access to map: out-of-bound range",
4387 		.insns = {
4388 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4389 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4390 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4391 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4392 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4393 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4394 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4395 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
4396 			BPF_MOV64_IMM(BPF_REG_3, 0),
4397 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4398 			BPF_EXIT_INSN(),
4399 		},
4400 		.fixup_map2 = { 3 },
4401 		.errstr = "invalid access to map value, value_size=48 off=0 size=56",
4402 		.result = REJECT,
4403 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4404 	},
4405 	{
4406 		"helper access to map: negative range",
4407 		.insns = {
4408 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4409 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4410 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4411 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4412 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4413 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4414 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4415 			BPF_MOV64_IMM(BPF_REG_2, -8),
4416 			BPF_MOV64_IMM(BPF_REG_3, 0),
4417 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4418 			BPF_EXIT_INSN(),
4419 		},
4420 		.fixup_map2 = { 3 },
4421 		.errstr = "R2 min value is negative",
4422 		.result = REJECT,
4423 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4424 	},
4425 	{
4426 		"helper access to adjusted map (via const imm): full range",
4427 		.insns = {
4428 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4429 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4430 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4431 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4432 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4433 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4434 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4435 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4436 				offsetof(struct test_val, foo)),
4437 			BPF_MOV64_IMM(BPF_REG_2,
4438 				sizeof(struct test_val) -
4439 				offsetof(struct test_val, foo)),
4440 			BPF_MOV64_IMM(BPF_REG_3, 0),
4441 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4442 			BPF_EXIT_INSN(),
4443 		},
4444 		.fixup_map2 = { 3 },
4445 		.result = ACCEPT,
4446 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4447 	},
4448 	{
4449 		"helper access to adjusted map (via const imm): partial range",
4450 		.insns = {
4451 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4452 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4453 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4454 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4455 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4456 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4457 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4458 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4459 				offsetof(struct test_val, foo)),
4460 			BPF_MOV64_IMM(BPF_REG_2, 8),
4461 			BPF_MOV64_IMM(BPF_REG_3, 0),
4462 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4463 			BPF_EXIT_INSN(),
4464 		},
4465 		.fixup_map2 = { 3 },
4466 		.result = ACCEPT,
4467 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4468 	},
4469 	{
4470 		"helper access to adjusted map (via const imm): empty range",
4471 		.insns = {
4472 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4473 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4474 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4475 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4476 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4477 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4478 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4479 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4480 				offsetof(struct test_val, foo)),
4481 			BPF_MOV64_IMM(BPF_REG_2, 0),
4482 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4483 			BPF_EXIT_INSN(),
4484 		},
4485 		.fixup_map2 = { 3 },
4486 		.errstr = "invalid access to map value, value_size=48 off=4 size=0",
4487 		.result = REJECT,
4488 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4489 	},
4490 	{
4491 		"helper access to adjusted map (via const imm): out-of-bound range",
4492 		.insns = {
4493 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4494 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4495 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4496 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4497 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4498 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4499 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4500 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4501 				offsetof(struct test_val, foo)),
4502 			BPF_MOV64_IMM(BPF_REG_2,
4503 				sizeof(struct test_val) -
4504 				offsetof(struct test_val, foo) + 8),
4505 			BPF_MOV64_IMM(BPF_REG_3, 0),
4506 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4507 			BPF_EXIT_INSN(),
4508 		},
4509 		.fixup_map2 = { 3 },
4510 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
4511 		.result = REJECT,
4512 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4513 	},
4514 	{
4515 		"helper access to adjusted map (via const imm): negative range (> adjustment)",
4516 		.insns = {
4517 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4518 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4519 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4520 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4521 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4522 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4523 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4524 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4525 				offsetof(struct test_val, foo)),
4526 			BPF_MOV64_IMM(BPF_REG_2, -8),
4527 			BPF_MOV64_IMM(BPF_REG_3, 0),
4528 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4529 			BPF_EXIT_INSN(),
4530 		},
4531 		.fixup_map2 = { 3 },
4532 		.errstr = "R2 min value is negative",
4533 		.result = REJECT,
4534 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4535 	},
4536 	{
4537 		"helper access to adjusted map (via const imm): negative range (< adjustment)",
4538 		.insns = {
4539 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4540 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4541 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4542 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4543 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4544 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4545 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4546 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4547 				offsetof(struct test_val, foo)),
4548 			BPF_MOV64_IMM(BPF_REG_2, -1),
4549 			BPF_MOV64_IMM(BPF_REG_3, 0),
4550 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4551 			BPF_EXIT_INSN(),
4552 		},
4553 		.fixup_map2 = { 3 },
4554 		.errstr = "R2 min value is negative",
4555 		.result = REJECT,
4556 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4557 	},
4558 	{
4559 		"helper access to adjusted map (via const reg): full range",
4560 		.insns = {
4561 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4562 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4563 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4564 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4565 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4566 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4567 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4568 			BPF_MOV64_IMM(BPF_REG_3,
4569 				offsetof(struct test_val, foo)),
4570 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4571 			BPF_MOV64_IMM(BPF_REG_2,
4572 				sizeof(struct test_val) -
4573 				offsetof(struct test_val, foo)),
4574 			BPF_MOV64_IMM(BPF_REG_3, 0),
4575 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4576 			BPF_EXIT_INSN(),
4577 		},
4578 		.fixup_map2 = { 3 },
4579 		.result = ACCEPT,
4580 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4581 	},
4582 	{
4583 		"helper access to adjusted map (via const reg): partial range",
4584 		.insns = {
4585 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4586 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4587 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4588 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4589 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4590 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4591 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4592 			BPF_MOV64_IMM(BPF_REG_3,
4593 				offsetof(struct test_val, foo)),
4594 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4595 			BPF_MOV64_IMM(BPF_REG_2, 8),
4596 			BPF_MOV64_IMM(BPF_REG_3, 0),
4597 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4598 			BPF_EXIT_INSN(),
4599 		},
4600 		.fixup_map2 = { 3 },
4601 		.result = ACCEPT,
4602 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4603 	},
4604 	{
4605 		"helper access to adjusted map (via const reg): empty range",
4606 		.insns = {
4607 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4608 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4609 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4610 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4611 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4612 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4613 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4614 			BPF_MOV64_IMM(BPF_REG_3, 0),
4615 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4616 			BPF_MOV64_IMM(BPF_REG_2, 0),
4617 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4618 			BPF_EXIT_INSN(),
4619 		},
4620 		.fixup_map2 = { 3 },
4621 		.errstr = "R1 min value is outside of the array range",
4622 		.result = REJECT,
4623 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4624 	},
4625 	{
4626 		"helper access to adjusted map (via const reg): out-of-bound range",
4627 		.insns = {
4628 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4629 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4630 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4631 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4632 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4633 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4634 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4635 			BPF_MOV64_IMM(BPF_REG_3,
4636 				offsetof(struct test_val, foo)),
4637 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4638 			BPF_MOV64_IMM(BPF_REG_2,
4639 				sizeof(struct test_val) -
4640 				offsetof(struct test_val, foo) + 8),
4641 			BPF_MOV64_IMM(BPF_REG_3, 0),
4642 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4643 			BPF_EXIT_INSN(),
4644 		},
4645 		.fixup_map2 = { 3 },
4646 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
4647 		.result = REJECT,
4648 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4649 	},
4650 	{
4651 		"helper access to adjusted map (via const reg): negative range (> adjustment)",
4652 		.insns = {
4653 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4654 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4655 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4656 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4657 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4658 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4659 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4660 			BPF_MOV64_IMM(BPF_REG_3,
4661 				offsetof(struct test_val, foo)),
4662 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4663 			BPF_MOV64_IMM(BPF_REG_2, -8),
4664 			BPF_MOV64_IMM(BPF_REG_3, 0),
4665 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4666 			BPF_EXIT_INSN(),
4667 		},
4668 		.fixup_map2 = { 3 },
4669 		.errstr = "R2 min value is negative",
4670 		.result = REJECT,
4671 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4672 	},
4673 	{
4674 		"helper access to adjusted map (via const reg): negative range (< adjustment)",
4675 		.insns = {
4676 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4677 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4678 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4679 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4680 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4681 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4682 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4683 			BPF_MOV64_IMM(BPF_REG_3,
4684 				offsetof(struct test_val, foo)),
4685 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4686 			BPF_MOV64_IMM(BPF_REG_2, -1),
4687 			BPF_MOV64_IMM(BPF_REG_3, 0),
4688 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4689 			BPF_EXIT_INSN(),
4690 		},
4691 		.fixup_map2 = { 3 },
4692 		.errstr = "R2 min value is negative",
4693 		.result = REJECT,
4694 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4695 	},
4696 	{
4697 		"helper access to adjusted map (via variable): full range",
4698 		.insns = {
4699 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4700 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4701 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4702 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4703 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4704 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4705 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4706 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4707 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4708 				offsetof(struct test_val, foo), 4),
4709 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4710 			BPF_MOV64_IMM(BPF_REG_2,
4711 				sizeof(struct test_val) -
4712 				offsetof(struct test_val, foo)),
4713 			BPF_MOV64_IMM(BPF_REG_3, 0),
4714 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4715 			BPF_EXIT_INSN(),
4716 		},
4717 		.fixup_map2 = { 3 },
4718 		.result = ACCEPT,
4719 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4720 	},
4721 	{
4722 		"helper access to adjusted map (via variable): partial range",
4723 		.insns = {
4724 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4725 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4726 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4727 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4728 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4729 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4730 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4731 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4732 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4733 				offsetof(struct test_val, foo), 4),
4734 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4735 			BPF_MOV64_IMM(BPF_REG_2, 8),
4736 			BPF_MOV64_IMM(BPF_REG_3, 0),
4737 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4738 			BPF_EXIT_INSN(),
4739 		},
4740 		.fixup_map2 = { 3 },
4741 		.result = ACCEPT,
4742 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4743 	},
4744 	{
4745 		"helper access to adjusted map (via variable): empty range",
4746 		.insns = {
4747 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4748 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4749 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4750 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4751 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4752 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4753 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4754 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4755 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4756 				offsetof(struct test_val, foo), 3),
4757 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4758 			BPF_MOV64_IMM(BPF_REG_2, 0),
4759 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4760 			BPF_EXIT_INSN(),
4761 		},
4762 		.fixup_map2 = { 3 },
4763 		.errstr = "R1 min value is outside of the array range",
4764 		.result = REJECT,
4765 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4766 	},
4767 	{
4768 		"helper access to adjusted map (via variable): no max check",
4769 		.insns = {
4770 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4771 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4772 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4773 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4774 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4775 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4776 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4777 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4778 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4779 			BPF_MOV64_IMM(BPF_REG_2, 1),
4780 			BPF_MOV64_IMM(BPF_REG_3, 0),
4781 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4782 			BPF_EXIT_INSN(),
4783 		},
4784 		.fixup_map2 = { 3 },
4785 		.errstr = "R1 unbounded memory access",
4786 		.result = REJECT,
4787 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4788 	},
4789 	{
4790 		"helper access to adjusted map (via variable): wrong max check",
4791 		.insns = {
4792 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4793 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4794 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4795 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4796 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4797 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4798 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4799 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4800 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4801 				offsetof(struct test_val, foo), 4),
4802 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4803 			BPF_MOV64_IMM(BPF_REG_2,
4804 				sizeof(struct test_val) -
4805 				offsetof(struct test_val, foo) + 1),
4806 			BPF_MOV64_IMM(BPF_REG_3, 0),
4807 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4808 			BPF_EXIT_INSN(),
4809 		},
4810 		.fixup_map2 = { 3 },
4811 		.errstr = "invalid access to map value, value_size=48 off=4 size=45",
4812 		.result = REJECT,
4813 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4814 	},
4815 	{
4816 		"helper access to map: bounds check using <, good access",
4817 		.insns = {
4818 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4819 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4820 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4821 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4822 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4823 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4824 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4825 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4826 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
4827 			BPF_MOV64_IMM(BPF_REG_0, 0),
4828 			BPF_EXIT_INSN(),
4829 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4830 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4831 			BPF_MOV64_IMM(BPF_REG_0, 0),
4832 			BPF_EXIT_INSN(),
4833 		},
4834 		.fixup_map2 = { 3 },
4835 		.result = ACCEPT,
4836 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4837 	},
4838 	{
4839 		"helper access to map: bounds check using <, bad access",
4840 		.insns = {
4841 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4842 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4843 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4844 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4845 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4846 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4847 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4848 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4849 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
4850 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4851 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4852 			BPF_MOV64_IMM(BPF_REG_0, 0),
4853 			BPF_EXIT_INSN(),
4854 			BPF_MOV64_IMM(BPF_REG_0, 0),
4855 			BPF_EXIT_INSN(),
4856 		},
4857 		.fixup_map2 = { 3 },
4858 		.result = REJECT,
4859 		.errstr = "R1 unbounded memory access",
4860 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4861 	},
4862 	{
4863 		"helper access to map: bounds check using <=, good access",
4864 		.insns = {
4865 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4866 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4867 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4868 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4869 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4870 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4871 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4872 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4873 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
4874 			BPF_MOV64_IMM(BPF_REG_0, 0),
4875 			BPF_EXIT_INSN(),
4876 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4877 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4878 			BPF_MOV64_IMM(BPF_REG_0, 0),
4879 			BPF_EXIT_INSN(),
4880 		},
4881 		.fixup_map2 = { 3 },
4882 		.result = ACCEPT,
4883 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4884 	},
4885 	{
4886 		"helper access to map: bounds check using <=, bad access",
4887 		.insns = {
4888 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4889 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4890 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4891 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4892 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4893 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4894 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4895 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4896 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
4897 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4898 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4899 			BPF_MOV64_IMM(BPF_REG_0, 0),
4900 			BPF_EXIT_INSN(),
4901 			BPF_MOV64_IMM(BPF_REG_0, 0),
4902 			BPF_EXIT_INSN(),
4903 		},
4904 		.fixup_map2 = { 3 },
4905 		.result = REJECT,
4906 		.errstr = "R1 unbounded memory access",
4907 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4908 	},
4909 	{
4910 		"helper access to map: bounds check using s<, good access",
4911 		.insns = {
4912 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4913 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4914 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4915 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4916 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4917 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4918 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4919 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4920 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4921 			BPF_MOV64_IMM(BPF_REG_0, 0),
4922 			BPF_EXIT_INSN(),
4923 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
4924 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4925 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4926 			BPF_MOV64_IMM(BPF_REG_0, 0),
4927 			BPF_EXIT_INSN(),
4928 		},
4929 		.fixup_map2 = { 3 },
4930 		.result = ACCEPT,
4931 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4932 	},
4933 	{
4934 		"helper access to map: bounds check using s<, good access 2",
4935 		.insns = {
4936 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4937 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4938 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4939 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4940 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4941 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4942 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4943 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4944 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4945 			BPF_MOV64_IMM(BPF_REG_0, 0),
4946 			BPF_EXIT_INSN(),
4947 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
4948 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4949 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4950 			BPF_MOV64_IMM(BPF_REG_0, 0),
4951 			BPF_EXIT_INSN(),
4952 		},
4953 		.fixup_map2 = { 3 },
4954 		.result = ACCEPT,
4955 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4956 	},
4957 	{
4958 		"helper access to map: bounds check using s<, bad access",
4959 		.insns = {
4960 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4961 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4962 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4963 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4964 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4965 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4966 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4967 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
4968 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
4969 			BPF_MOV64_IMM(BPF_REG_0, 0),
4970 			BPF_EXIT_INSN(),
4971 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
4972 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4973 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4974 			BPF_MOV64_IMM(BPF_REG_0, 0),
4975 			BPF_EXIT_INSN(),
4976 		},
4977 		.fixup_map2 = { 3 },
4978 		.result = REJECT,
4979 		.errstr = "R1 min value is negative",
4980 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4981 	},
4982 	{
4983 		"helper access to map: bounds check using s<=, good access",
4984 		.insns = {
4985 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4986 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4987 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4988 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4989 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4990 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4991 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4992 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4993 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
4994 			BPF_MOV64_IMM(BPF_REG_0, 0),
4995 			BPF_EXIT_INSN(),
4996 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
4997 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4998 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
4999 			BPF_MOV64_IMM(BPF_REG_0, 0),
5000 			BPF_EXIT_INSN(),
5001 		},
5002 		.fixup_map2 = { 3 },
5003 		.result = ACCEPT,
5004 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5005 	},
5006 	{
5007 		"helper access to map: bounds check using s<=, good access 2",
5008 		.insns = {
5009 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5010 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5011 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5012 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5013 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5014 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5015 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5016 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5017 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5018 			BPF_MOV64_IMM(BPF_REG_0, 0),
5019 			BPF_EXIT_INSN(),
5020 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5021 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5022 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5023 			BPF_MOV64_IMM(BPF_REG_0, 0),
5024 			BPF_EXIT_INSN(),
5025 		},
5026 		.fixup_map2 = { 3 },
5027 		.result = ACCEPT,
5028 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5029 	},
5030 	{
5031 		"helper access to map: bounds check using s<=, bad access",
5032 		.insns = {
5033 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5034 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5035 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5036 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5037 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5038 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5039 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5040 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5041 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5042 			BPF_MOV64_IMM(BPF_REG_0, 0),
5043 			BPF_EXIT_INSN(),
5044 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5045 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5046 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5047 			BPF_MOV64_IMM(BPF_REG_0, 0),
5048 			BPF_EXIT_INSN(),
5049 		},
5050 		.fixup_map2 = { 3 },
5051 		.result = REJECT,
5052 		.errstr = "R1 min value is negative",
5053 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5054 	},
5055 	{
5056 		"map element value is preserved across register spilling",
5057 		.insns = {
5058 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5059 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5060 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5061 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5062 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5063 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5064 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5065 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5066 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5067 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5068 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5069 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5070 			BPF_EXIT_INSN(),
5071 		},
5072 		.fixup_map2 = { 3 },
5073 		.errstr_unpriv = "R0 leaks addr",
5074 		.result = ACCEPT,
5075 		.result_unpriv = REJECT,
5076 	},
5077 	{
5078 		"map element value or null is marked on register spilling",
5079 		.insns = {
5080 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5081 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5082 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5083 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5084 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5085 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5086 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
5087 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5088 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5089 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5090 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5091 			BPF_EXIT_INSN(),
5092 		},
5093 		.fixup_map2 = { 3 },
5094 		.errstr_unpriv = "R0 leaks addr",
5095 		.result = ACCEPT,
5096 		.result_unpriv = REJECT,
5097 	},
5098 	{
5099 		"map element value store of cleared call register",
5100 		.insns = {
5101 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5102 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5103 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5104 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5105 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5106 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5107 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
5108 			BPF_EXIT_INSN(),
5109 		},
5110 		.fixup_map2 = { 3 },
5111 		.errstr_unpriv = "R1 !read_ok",
5112 		.errstr = "R1 !read_ok",
5113 		.result = REJECT,
5114 		.result_unpriv = REJECT,
5115 	},
5116 	{
5117 		"map element value with unaligned store",
5118 		.insns = {
5119 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5120 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5121 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5122 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5123 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5124 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
5125 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5126 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5127 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
5128 			BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
5129 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5130 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
5131 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
5132 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
5133 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
5134 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
5135 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
5136 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
5137 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
5138 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
5139 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
5140 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
5141 			BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
5142 			BPF_EXIT_INSN(),
5143 		},
5144 		.fixup_map2 = { 3 },
5145 		.errstr_unpriv = "R0 leaks addr",
5146 		.result = ACCEPT,
5147 		.result_unpriv = REJECT,
5148 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5149 	},
5150 	{
5151 		"map element value with unaligned load",
5152 		.insns = {
5153 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5154 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5155 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5156 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5157 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5158 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5159 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5160 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
5161 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
5162 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5163 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
5164 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5165 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
5166 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
5167 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
5168 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
5169 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
5170 			BPF_EXIT_INSN(),
5171 		},
5172 		.fixup_map2 = { 3 },
5173 		.errstr_unpriv = "R0 leaks addr",
5174 		.result = ACCEPT,
5175 		.result_unpriv = REJECT,
5176 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5177 	},
5178 	{
5179 		"map element value illegal alu op, 1",
5180 		.insns = {
5181 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5182 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5183 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5184 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5185 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5186 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5187 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
5188 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5189 			BPF_EXIT_INSN(),
5190 		},
5191 		.fixup_map2 = { 3 },
5192 		.errstr = "R0 bitwise operator &= on pointer",
5193 		.result = REJECT,
5194 	},
5195 	{
5196 		"map element value illegal alu op, 2",
5197 		.insns = {
5198 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5199 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5200 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5201 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5202 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5203 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5204 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
5205 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5206 			BPF_EXIT_INSN(),
5207 		},
5208 		.fixup_map2 = { 3 },
5209 		.errstr = "R0 32-bit pointer arithmetic prohibited",
5210 		.result = REJECT,
5211 	},
5212 	{
5213 		"map element value illegal alu op, 3",
5214 		.insns = {
5215 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5216 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5217 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5218 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5219 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5220 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5221 			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
5222 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5223 			BPF_EXIT_INSN(),
5224 		},
5225 		.fixup_map2 = { 3 },
5226 		.errstr = "R0 pointer arithmetic with /= operator",
5227 		.result = REJECT,
5228 	},
5229 	{
5230 		"map element value illegal alu op, 4",
5231 		.insns = {
5232 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5233 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5234 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5235 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5236 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5237 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5238 			BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
5239 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5240 			BPF_EXIT_INSN(),
5241 		},
5242 		.fixup_map2 = { 3 },
5243 		.errstr_unpriv = "R0 pointer arithmetic prohibited",
5244 		.errstr = "invalid mem access 'inv'",
5245 		.result = REJECT,
5246 		.result_unpriv = REJECT,
5247 	},
5248 	{
5249 		"map element value illegal alu op, 5",
5250 		.insns = {
5251 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5252 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5253 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5254 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5255 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5256 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5257 			BPF_MOV64_IMM(BPF_REG_3, 4096),
5258 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5259 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5260 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5261 			BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
5262 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
5263 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
5264 			BPF_EXIT_INSN(),
5265 		},
5266 		.fixup_map2 = { 3 },
5267 		.errstr = "R0 invalid mem access 'inv'",
5268 		.result = REJECT,
5269 	},
5270 	{
5271 		"map element value is preserved across register spilling",
5272 		.insns = {
5273 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5274 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5275 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5276 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5277 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5278 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5279 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
5280 				offsetof(struct test_val, foo)),
5281 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5282 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5283 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5284 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5285 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5286 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5287 			BPF_EXIT_INSN(),
5288 		},
5289 		.fixup_map2 = { 3 },
5290 		.errstr_unpriv = "R0 leaks addr",
5291 		.result = ACCEPT,
5292 		.result_unpriv = REJECT,
5293 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5294 	},
5295 	{
5296 		"helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
5297 		.insns = {
5298 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5299 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5300 			BPF_MOV64_IMM(BPF_REG_0, 0),
5301 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5302 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5303 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5304 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5305 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5306 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5307 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5308 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5309 			BPF_MOV64_IMM(BPF_REG_2, 16),
5310 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5311 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5312 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5313 			BPF_MOV64_IMM(BPF_REG_4, 0),
5314 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5315 			BPF_MOV64_IMM(BPF_REG_3, 0),
5316 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5317 			BPF_MOV64_IMM(BPF_REG_0, 0),
5318 			BPF_EXIT_INSN(),
5319 		},
5320 		.result = ACCEPT,
5321 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5322 	},
5323 	{
5324 		"helper access to variable memory: stack, bitwise AND, zero included",
5325 		.insns = {
5326 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5327 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5328 			BPF_MOV64_IMM(BPF_REG_2, 16),
5329 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5330 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5331 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5332 			BPF_MOV64_IMM(BPF_REG_3, 0),
5333 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5334 			BPF_EXIT_INSN(),
5335 		},
5336 		.errstr = "invalid indirect read from stack off -64+0 size 64",
5337 		.result = REJECT,
5338 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5339 	},
5340 	{
5341 		"helper access to variable memory: stack, bitwise AND + JMP, wrong max",
5342 		.insns = {
5343 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5344 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5345 			BPF_MOV64_IMM(BPF_REG_2, 16),
5346 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5347 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5348 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
5349 			BPF_MOV64_IMM(BPF_REG_4, 0),
5350 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5351 			BPF_MOV64_IMM(BPF_REG_3, 0),
5352 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5353 			BPF_MOV64_IMM(BPF_REG_0, 0),
5354 			BPF_EXIT_INSN(),
5355 		},
5356 		.errstr = "invalid stack type R1 off=-64 access_size=65",
5357 		.result = REJECT,
5358 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5359 	},
5360 	{
5361 		"helper access to variable memory: stack, JMP, correct bounds",
5362 		.insns = {
5363 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5364 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5365 			BPF_MOV64_IMM(BPF_REG_0, 0),
5366 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5367 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5368 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5369 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5370 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5371 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5372 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5373 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5374 			BPF_MOV64_IMM(BPF_REG_2, 16),
5375 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5376 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5377 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
5378 			BPF_MOV64_IMM(BPF_REG_4, 0),
5379 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5380 			BPF_MOV64_IMM(BPF_REG_3, 0),
5381 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5382 			BPF_MOV64_IMM(BPF_REG_0, 0),
5383 			BPF_EXIT_INSN(),
5384 		},
5385 		.result = ACCEPT,
5386 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5387 	},
5388 	{
5389 		"helper access to variable memory: stack, JMP (signed), correct bounds",
5390 		.insns = {
5391 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5392 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5393 			BPF_MOV64_IMM(BPF_REG_0, 0),
5394 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5395 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5396 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5397 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5398 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5399 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5400 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5401 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5402 			BPF_MOV64_IMM(BPF_REG_2, 16),
5403 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5404 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5405 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
5406 			BPF_MOV64_IMM(BPF_REG_4, 0),
5407 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5408 			BPF_MOV64_IMM(BPF_REG_3, 0),
5409 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5410 			BPF_MOV64_IMM(BPF_REG_0, 0),
5411 			BPF_EXIT_INSN(),
5412 		},
5413 		.result = ACCEPT,
5414 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5415 	},
5416 	{
5417 		"helper access to variable memory: stack, JMP, bounds + offset",
5418 		.insns = {
5419 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5420 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5421 			BPF_MOV64_IMM(BPF_REG_2, 16),
5422 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5423 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5424 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
5425 			BPF_MOV64_IMM(BPF_REG_4, 0),
5426 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
5427 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5428 			BPF_MOV64_IMM(BPF_REG_3, 0),
5429 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5430 			BPF_MOV64_IMM(BPF_REG_0, 0),
5431 			BPF_EXIT_INSN(),
5432 		},
5433 		.errstr = "invalid stack type R1 off=-64 access_size=65",
5434 		.result = REJECT,
5435 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5436 	},
5437 	{
5438 		"helper access to variable memory: stack, JMP, wrong max",
5439 		.insns = {
5440 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5441 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5442 			BPF_MOV64_IMM(BPF_REG_2, 16),
5443 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5444 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5445 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
5446 			BPF_MOV64_IMM(BPF_REG_4, 0),
5447 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5448 			BPF_MOV64_IMM(BPF_REG_3, 0),
5449 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5450 			BPF_MOV64_IMM(BPF_REG_0, 0),
5451 			BPF_EXIT_INSN(),
5452 		},
5453 		.errstr = "invalid stack type R1 off=-64 access_size=65",
5454 		.result = REJECT,
5455 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5456 	},
5457 	{
5458 		"helper access to variable memory: stack, JMP, no max check",
5459 		.insns = {
5460 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5461 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5462 			BPF_MOV64_IMM(BPF_REG_2, 16),
5463 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5464 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5465 			BPF_MOV64_IMM(BPF_REG_4, 0),
5466 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
5467 			BPF_MOV64_IMM(BPF_REG_3, 0),
5468 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5469 			BPF_MOV64_IMM(BPF_REG_0, 0),
5470 			BPF_EXIT_INSN(),
5471 		},
5472 		/* because max wasn't checked, signed min is negative */
5473 		.errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
5474 		.result = REJECT,
5475 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5476 	},
5477 	{
5478 		"helper access to variable memory: stack, JMP, no min check",
5479 		.insns = {
5480 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5481 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5482 			BPF_MOV64_IMM(BPF_REG_2, 16),
5483 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5484 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5485 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
5486 			BPF_MOV64_IMM(BPF_REG_3, 0),
5487 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5488 			BPF_MOV64_IMM(BPF_REG_0, 0),
5489 			BPF_EXIT_INSN(),
5490 		},
5491 		.errstr = "invalid indirect read from stack off -64+0 size 64",
5492 		.result = REJECT,
5493 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5494 	},
5495 	{
5496 		"helper access to variable memory: stack, JMP (signed), no min check",
5497 		.insns = {
5498 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5499 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5500 			BPF_MOV64_IMM(BPF_REG_2, 16),
5501 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
5502 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
5503 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
5504 			BPF_MOV64_IMM(BPF_REG_3, 0),
5505 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5506 			BPF_MOV64_IMM(BPF_REG_0, 0),
5507 			BPF_EXIT_INSN(),
5508 		},
5509 		.errstr = "R2 min value is negative",
5510 		.result = REJECT,
5511 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5512 	},
5513 	{
5514 		"helper access to variable memory: map, JMP, correct bounds",
5515 		.insns = {
5516 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5517 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5518 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5519 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5520 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5521 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5522 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5523 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5524 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5525 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5526 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5527 				sizeof(struct test_val), 4),
5528 			BPF_MOV64_IMM(BPF_REG_4, 0),
5529 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5530 			BPF_MOV64_IMM(BPF_REG_3, 0),
5531 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5532 			BPF_MOV64_IMM(BPF_REG_0, 0),
5533 			BPF_EXIT_INSN(),
5534 		},
5535 		.fixup_map2 = { 3 },
5536 		.result = ACCEPT,
5537 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5538 	},
5539 	{
5540 		"helper access to variable memory: map, JMP, wrong max",
5541 		.insns = {
5542 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5543 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5544 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5545 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5546 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5547 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5548 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5549 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5550 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5551 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5552 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5553 				sizeof(struct test_val) + 1, 4),
5554 			BPF_MOV64_IMM(BPF_REG_4, 0),
5555 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5556 			BPF_MOV64_IMM(BPF_REG_3, 0),
5557 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5558 			BPF_MOV64_IMM(BPF_REG_0, 0),
5559 			BPF_EXIT_INSN(),
5560 		},
5561 		.fixup_map2 = { 3 },
5562 		.errstr = "invalid access to map value, value_size=48 off=0 size=49",
5563 		.result = REJECT,
5564 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5565 	},
5566 	{
5567 		"helper access to variable memory: map adjusted, JMP, correct bounds",
5568 		.insns = {
5569 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5570 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5571 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5572 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5573 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5574 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5575 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5576 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5577 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5578 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5579 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5580 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5581 				sizeof(struct test_val) - 20, 4),
5582 			BPF_MOV64_IMM(BPF_REG_4, 0),
5583 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5584 			BPF_MOV64_IMM(BPF_REG_3, 0),
5585 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5586 			BPF_MOV64_IMM(BPF_REG_0, 0),
5587 			BPF_EXIT_INSN(),
5588 		},
5589 		.fixup_map2 = { 3 },
5590 		.result = ACCEPT,
5591 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5592 	},
5593 	{
5594 		"helper access to variable memory: map adjusted, JMP, wrong max",
5595 		.insns = {
5596 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5597 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5598 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5599 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5600 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5601 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
5602 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5603 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
5604 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5605 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5606 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5607 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
5608 				sizeof(struct test_val) - 19, 4),
5609 			BPF_MOV64_IMM(BPF_REG_4, 0),
5610 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
5611 			BPF_MOV64_IMM(BPF_REG_3, 0),
5612 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5613 			BPF_MOV64_IMM(BPF_REG_0, 0),
5614 			BPF_EXIT_INSN(),
5615 		},
5616 		.fixup_map2 = { 3 },
5617 		.errstr = "R1 min value is outside of the array range",
5618 		.result = REJECT,
5619 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5620 	},
5621 	{
5622 		"helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
5623 		.insns = {
5624 			BPF_MOV64_IMM(BPF_REG_1, 0),
5625 			BPF_MOV64_IMM(BPF_REG_2, 0),
5626 			BPF_MOV64_IMM(BPF_REG_3, 0),
5627 			BPF_MOV64_IMM(BPF_REG_4, 0),
5628 			BPF_MOV64_IMM(BPF_REG_5, 0),
5629 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5630 			BPF_EXIT_INSN(),
5631 		},
5632 		.result = ACCEPT,
5633 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5634 	},
5635 	{
5636 		"helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
5637 		.insns = {
5638 			BPF_MOV64_IMM(BPF_REG_1, 0),
5639 			BPF_MOV64_IMM(BPF_REG_2, 1),
5640 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5641 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5642 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
5643 			BPF_MOV64_IMM(BPF_REG_3, 0),
5644 			BPF_MOV64_IMM(BPF_REG_4, 0),
5645 			BPF_MOV64_IMM(BPF_REG_5, 0),
5646 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5647 			BPF_EXIT_INSN(),
5648 		},
5649 		.errstr = "R1 type=inv expected=fp",
5650 		.result = REJECT,
5651 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5652 	},
5653 	{
5654 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
5655 		.insns = {
5656 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5657 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5658 			BPF_MOV64_IMM(BPF_REG_2, 0),
5659 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5660 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
5661 			BPF_MOV64_IMM(BPF_REG_3, 0),
5662 			BPF_MOV64_IMM(BPF_REG_4, 0),
5663 			BPF_MOV64_IMM(BPF_REG_5, 0),
5664 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5665 			BPF_EXIT_INSN(),
5666 		},
5667 		.result = ACCEPT,
5668 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5669 	},
5670 	{
5671 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
5672 		.insns = {
5673 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5674 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5675 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5676 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5677 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5678 				     BPF_FUNC_map_lookup_elem),
5679 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5680 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5681 			BPF_MOV64_IMM(BPF_REG_2, 0),
5682 			BPF_MOV64_IMM(BPF_REG_3, 0),
5683 			BPF_MOV64_IMM(BPF_REG_4, 0),
5684 			BPF_MOV64_IMM(BPF_REG_5, 0),
5685 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5686 			BPF_EXIT_INSN(),
5687 		},
5688 		.fixup_map1 = { 3 },
5689 		.result = ACCEPT,
5690 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5691 	},
5692 	{
5693 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
5694 		.insns = {
5695 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5696 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5697 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5698 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5699 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5700 				     BPF_FUNC_map_lookup_elem),
5701 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5702 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5703 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
5704 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5705 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5706 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
5707 			BPF_MOV64_IMM(BPF_REG_3, 0),
5708 			BPF_MOV64_IMM(BPF_REG_4, 0),
5709 			BPF_MOV64_IMM(BPF_REG_5, 0),
5710 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5711 			BPF_EXIT_INSN(),
5712 		},
5713 		.fixup_map1 = { 3 },
5714 		.result = ACCEPT,
5715 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5716 	},
5717 	{
5718 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
5719 		.insns = {
5720 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5721 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5722 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5723 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5724 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5725 				     BPF_FUNC_map_lookup_elem),
5726 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5727 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5728 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5729 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5730 			BPF_MOV64_IMM(BPF_REG_3, 0),
5731 			BPF_MOV64_IMM(BPF_REG_4, 0),
5732 			BPF_MOV64_IMM(BPF_REG_5, 0),
5733 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5734 			BPF_EXIT_INSN(),
5735 		},
5736 		.fixup_map1 = { 3 },
5737 		.result = ACCEPT,
5738 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5739 	},
5740 	{
5741 		"helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
5742 		.insns = {
5743 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5744 				    offsetof(struct __sk_buff, data)),
5745 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5746 				    offsetof(struct __sk_buff, data_end)),
5747 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
5748 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5749 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
5750 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5751 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
5752 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5753 			BPF_MOV64_IMM(BPF_REG_3, 0),
5754 			BPF_MOV64_IMM(BPF_REG_4, 0),
5755 			BPF_MOV64_IMM(BPF_REG_5, 0),
5756 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
5757 			BPF_EXIT_INSN(),
5758 		},
5759 		.result = ACCEPT,
5760 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
5761 	},
5762 	{
5763 		"helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
5764 		.insns = {
5765 			BPF_MOV64_IMM(BPF_REG_1, 0),
5766 			BPF_MOV64_IMM(BPF_REG_2, 0),
5767 			BPF_MOV64_IMM(BPF_REG_3, 0),
5768 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5769 			BPF_EXIT_INSN(),
5770 		},
5771 		.errstr = "R1 type=inv expected=fp",
5772 		.result = REJECT,
5773 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5774 	},
5775 	{
5776 		"helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
5777 		.insns = {
5778 			BPF_MOV64_IMM(BPF_REG_1, 0),
5779 			BPF_MOV64_IMM(BPF_REG_2, 1),
5780 			BPF_MOV64_IMM(BPF_REG_3, 0),
5781 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5782 			BPF_EXIT_INSN(),
5783 		},
5784 		.errstr = "R1 type=inv expected=fp",
5785 		.result = REJECT,
5786 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5787 	},
5788 	{
5789 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5790 		.insns = {
5791 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5792 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5793 			BPF_MOV64_IMM(BPF_REG_2, 0),
5794 			BPF_MOV64_IMM(BPF_REG_3, 0),
5795 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5796 			BPF_EXIT_INSN(),
5797 		},
5798 		.result = ACCEPT,
5799 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5800 	},
5801 	{
5802 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5803 		.insns = {
5804 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5805 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5806 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5807 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5808 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5809 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5810 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5811 			BPF_MOV64_IMM(BPF_REG_2, 0),
5812 			BPF_MOV64_IMM(BPF_REG_3, 0),
5813 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5814 			BPF_EXIT_INSN(),
5815 		},
5816 		.fixup_map1 = { 3 },
5817 		.result = ACCEPT,
5818 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5819 	},
5820 	{
5821 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5822 		.insns = {
5823 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5824 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5825 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5826 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5827 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5828 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5829 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5830 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
5831 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5832 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
5833 			BPF_MOV64_IMM(BPF_REG_3, 0),
5834 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5835 			BPF_EXIT_INSN(),
5836 		},
5837 		.fixup_map1 = { 3 },
5838 		.result = ACCEPT,
5839 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5840 	},
5841 	{
5842 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
5843 		.insns = {
5844 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5845 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5846 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5847 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5848 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5849 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5850 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5851 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
5852 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
5853 			BPF_MOV64_IMM(BPF_REG_3, 0),
5854 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5855 			BPF_EXIT_INSN(),
5856 		},
5857 		.fixup_map1 = { 3 },
5858 		.result = ACCEPT,
5859 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5860 	},
5861 	{
5862 		"helper access to variable memory: 8 bytes leak",
5863 		.insns = {
5864 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5865 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5866 			BPF_MOV64_IMM(BPF_REG_0, 0),
5867 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5868 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5869 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5870 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5871 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5872 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5873 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5874 			BPF_MOV64_IMM(BPF_REG_2, 1),
5875 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
5876 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
5877 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
5878 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
5879 			BPF_MOV64_IMM(BPF_REG_3, 0),
5880 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5881 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5882 			BPF_EXIT_INSN(),
5883 		},
5884 		.errstr = "invalid indirect read from stack off -64+32 size 64",
5885 		.result = REJECT,
5886 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5887 	},
5888 	{
5889 		"helper access to variable memory: 8 bytes no leak (init memory)",
5890 		.insns = {
5891 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5892 			BPF_MOV64_IMM(BPF_REG_0, 0),
5893 			BPF_MOV64_IMM(BPF_REG_0, 0),
5894 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
5895 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
5896 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
5897 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
5898 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
5899 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
5900 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
5901 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
5902 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
5903 			BPF_MOV64_IMM(BPF_REG_2, 0),
5904 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
5905 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
5906 			BPF_MOV64_IMM(BPF_REG_3, 0),
5907 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5908 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
5909 			BPF_EXIT_INSN(),
5910 		},
5911 		.result = ACCEPT,
5912 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5913 	},
5914 	{
5915 		"invalid and of negative number",
5916 		.insns = {
5917 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5918 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5919 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5920 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5921 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5922 				     BPF_FUNC_map_lookup_elem),
5923 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5924 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
5925 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
5926 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5927 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5928 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5929 				   offsetof(struct test_val, foo)),
5930 			BPF_EXIT_INSN(),
5931 		},
5932 		.fixup_map2 = { 3 },
5933 		.errstr = "R0 max value is outside of the array range",
5934 		.result = REJECT,
5935 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5936 	},
5937 	{
5938 		"invalid range check",
5939 		.insns = {
5940 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5941 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5942 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5943 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5944 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5945 				     BPF_FUNC_map_lookup_elem),
5946 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
5947 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5948 			BPF_MOV64_IMM(BPF_REG_9, 1),
5949 			BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
5950 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
5951 			BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
5952 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
5953 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
5954 			BPF_MOV32_IMM(BPF_REG_3, 1),
5955 			BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
5956 			BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
5957 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
5958 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
5959 			BPF_MOV64_REG(BPF_REG_0, 0),
5960 			BPF_EXIT_INSN(),
5961 		},
5962 		.fixup_map2 = { 3 },
5963 		.errstr = "R0 max value is outside of the array range",
5964 		.result = REJECT,
5965 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5966 	},
5967 	{
5968 		"map in map access",
5969 		.insns = {
5970 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5971 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5972 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5973 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5974 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5975 				     BPF_FUNC_map_lookup_elem),
5976 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5977 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5978 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5979 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5980 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5981 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5982 				     BPF_FUNC_map_lookup_elem),
5983 			BPF_MOV64_REG(BPF_REG_0, 0),
5984 			BPF_EXIT_INSN(),
5985 		},
5986 		.fixup_map_in_map = { 3 },
5987 		.result = ACCEPT,
5988 	},
5989 	{
5990 		"invalid inner map pointer",
5991 		.insns = {
5992 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
5993 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5994 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5995 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5996 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5997 				     BPF_FUNC_map_lookup_elem),
5998 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5999 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6000 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6001 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6002 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6003 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
6004 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6005 				     BPF_FUNC_map_lookup_elem),
6006 			BPF_MOV64_REG(BPF_REG_0, 0),
6007 			BPF_EXIT_INSN(),
6008 		},
6009 		.fixup_map_in_map = { 3 },
6010 		.errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
6011 		.result = REJECT,
6012 	},
6013 	{
6014 		"forgot null checking on the inner map pointer",
6015 		.insns = {
6016 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6017 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6018 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6019 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6020 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6021 				     BPF_FUNC_map_lookup_elem),
6022 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6023 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6024 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6025 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6026 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6027 				     BPF_FUNC_map_lookup_elem),
6028 			BPF_MOV64_REG(BPF_REG_0, 0),
6029 			BPF_EXIT_INSN(),
6030 		},
6031 		.fixup_map_in_map = { 3 },
6032 		.errstr = "R1 type=map_value_or_null expected=map_ptr",
6033 		.result = REJECT,
6034 	},
6035 	{
6036 		"ld_abs: check calling conv, r1",
6037 		.insns = {
6038 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6039 			BPF_MOV64_IMM(BPF_REG_1, 0),
6040 			BPF_LD_ABS(BPF_W, -0x200000),
6041 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6042 			BPF_EXIT_INSN(),
6043 		},
6044 		.errstr = "R1 !read_ok",
6045 		.result = REJECT,
6046 	},
6047 	{
6048 		"ld_abs: check calling conv, r2",
6049 		.insns = {
6050 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6051 			BPF_MOV64_IMM(BPF_REG_2, 0),
6052 			BPF_LD_ABS(BPF_W, -0x200000),
6053 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6054 			BPF_EXIT_INSN(),
6055 		},
6056 		.errstr = "R2 !read_ok",
6057 		.result = REJECT,
6058 	},
6059 	{
6060 		"ld_abs: check calling conv, r3",
6061 		.insns = {
6062 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6063 			BPF_MOV64_IMM(BPF_REG_3, 0),
6064 			BPF_LD_ABS(BPF_W, -0x200000),
6065 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6066 			BPF_EXIT_INSN(),
6067 		},
6068 		.errstr = "R3 !read_ok",
6069 		.result = REJECT,
6070 	},
6071 	{
6072 		"ld_abs: check calling conv, r4",
6073 		.insns = {
6074 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6075 			BPF_MOV64_IMM(BPF_REG_4, 0),
6076 			BPF_LD_ABS(BPF_W, -0x200000),
6077 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6078 			BPF_EXIT_INSN(),
6079 		},
6080 		.errstr = "R4 !read_ok",
6081 		.result = REJECT,
6082 	},
6083 	{
6084 		"ld_abs: check calling conv, r5",
6085 		.insns = {
6086 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6087 			BPF_MOV64_IMM(BPF_REG_5, 0),
6088 			BPF_LD_ABS(BPF_W, -0x200000),
6089 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6090 			BPF_EXIT_INSN(),
6091 		},
6092 		.errstr = "R5 !read_ok",
6093 		.result = REJECT,
6094 	},
6095 	{
6096 		"ld_abs: check calling conv, r7",
6097 		.insns = {
6098 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6099 			BPF_MOV64_IMM(BPF_REG_7, 0),
6100 			BPF_LD_ABS(BPF_W, -0x200000),
6101 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6102 			BPF_EXIT_INSN(),
6103 		},
6104 		.result = ACCEPT,
6105 	},
6106 	{
6107 		"ld_abs: tests on r6 and skb data reload helper",
6108 		.insns = {
6109 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6110 			BPF_LD_ABS(BPF_B, 0),
6111 			BPF_LD_ABS(BPF_H, 0),
6112 			BPF_LD_ABS(BPF_W, 0),
6113 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
6114 			BPF_MOV64_IMM(BPF_REG_6, 0),
6115 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
6116 			BPF_MOV64_IMM(BPF_REG_2, 1),
6117 			BPF_MOV64_IMM(BPF_REG_3, 2),
6118 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6119 				     BPF_FUNC_skb_vlan_push),
6120 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
6121 			BPF_LD_ABS(BPF_B, 0),
6122 			BPF_LD_ABS(BPF_H, 0),
6123 			BPF_LD_ABS(BPF_W, 0),
6124 			BPF_MOV64_IMM(BPF_REG_0, 42),
6125 			BPF_EXIT_INSN(),
6126 		},
6127 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6128 		.result = ACCEPT,
6129 	},
6130 	{
6131 		"ld_ind: check calling conv, r1",
6132 		.insns = {
6133 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6134 			BPF_MOV64_IMM(BPF_REG_1, 1),
6135 			BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
6136 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6137 			BPF_EXIT_INSN(),
6138 		},
6139 		.errstr = "R1 !read_ok",
6140 		.result = REJECT,
6141 	},
6142 	{
6143 		"ld_ind: check calling conv, r2",
6144 		.insns = {
6145 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6146 			BPF_MOV64_IMM(BPF_REG_2, 1),
6147 			BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
6148 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6149 			BPF_EXIT_INSN(),
6150 		},
6151 		.errstr = "R2 !read_ok",
6152 		.result = REJECT,
6153 	},
6154 	{
6155 		"ld_ind: check calling conv, r3",
6156 		.insns = {
6157 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6158 			BPF_MOV64_IMM(BPF_REG_3, 1),
6159 			BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
6160 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6161 			BPF_EXIT_INSN(),
6162 		},
6163 		.errstr = "R3 !read_ok",
6164 		.result = REJECT,
6165 	},
6166 	{
6167 		"ld_ind: check calling conv, r4",
6168 		.insns = {
6169 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6170 			BPF_MOV64_IMM(BPF_REG_4, 1),
6171 			BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
6172 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6173 			BPF_EXIT_INSN(),
6174 		},
6175 		.errstr = "R4 !read_ok",
6176 		.result = REJECT,
6177 	},
6178 	{
6179 		"ld_ind: check calling conv, r5",
6180 		.insns = {
6181 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6182 			BPF_MOV64_IMM(BPF_REG_5, 1),
6183 			BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
6184 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6185 			BPF_EXIT_INSN(),
6186 		},
6187 		.errstr = "R5 !read_ok",
6188 		.result = REJECT,
6189 	},
6190 	{
6191 		"ld_ind: check calling conv, r7",
6192 		.insns = {
6193 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6194 			BPF_MOV64_IMM(BPF_REG_7, 1),
6195 			BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
6196 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6197 			BPF_EXIT_INSN(),
6198 		},
6199 		.result = ACCEPT,
6200 	},
6201 	{
6202 		"check bpf_perf_event_data->sample_period byte load permitted",
6203 		.insns = {
6204 			BPF_MOV64_IMM(BPF_REG_0, 0),
6205 #if __BYTE_ORDER == __LITTLE_ENDIAN
6206 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6207 				    offsetof(struct bpf_perf_event_data, sample_period)),
6208 #else
6209 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
6210 				    offsetof(struct bpf_perf_event_data, sample_period) + 7),
6211 #endif
6212 			BPF_EXIT_INSN(),
6213 		},
6214 		.result = ACCEPT,
6215 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
6216 	},
6217 	{
6218 		"check bpf_perf_event_data->sample_period half load permitted",
6219 		.insns = {
6220 			BPF_MOV64_IMM(BPF_REG_0, 0),
6221 #if __BYTE_ORDER == __LITTLE_ENDIAN
6222 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6223 				    offsetof(struct bpf_perf_event_data, sample_period)),
6224 #else
6225 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6226 				    offsetof(struct bpf_perf_event_data, sample_period) + 6),
6227 #endif
6228 			BPF_EXIT_INSN(),
6229 		},
6230 		.result = ACCEPT,
6231 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
6232 	},
6233 	{
6234 		"check bpf_perf_event_data->sample_period word load permitted",
6235 		.insns = {
6236 			BPF_MOV64_IMM(BPF_REG_0, 0),
6237 #if __BYTE_ORDER == __LITTLE_ENDIAN
6238 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6239 				    offsetof(struct bpf_perf_event_data, sample_period)),
6240 #else
6241 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6242 				    offsetof(struct bpf_perf_event_data, sample_period) + 4),
6243 #endif
6244 			BPF_EXIT_INSN(),
6245 		},
6246 		.result = ACCEPT,
6247 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
6248 	},
6249 	{
6250 		"check bpf_perf_event_data->sample_period dword load permitted",
6251 		.insns = {
6252 			BPF_MOV64_IMM(BPF_REG_0, 0),
6253 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
6254 				    offsetof(struct bpf_perf_event_data, sample_period)),
6255 			BPF_EXIT_INSN(),
6256 		},
6257 		.result = ACCEPT,
6258 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
6259 	},
6260 	{
6261 		"check skb->data half load not permitted",
6262 		.insns = {
6263 			BPF_MOV64_IMM(BPF_REG_0, 0),
6264 #if __BYTE_ORDER == __LITTLE_ENDIAN
6265 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6266 				    offsetof(struct __sk_buff, data)),
6267 #else
6268 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6269 				    offsetof(struct __sk_buff, data) + 2),
6270 #endif
6271 			BPF_EXIT_INSN(),
6272 		},
6273 		.result = REJECT,
6274 		.errstr = "invalid bpf_context access",
6275 	},
6276 	{
6277 		"check skb->tc_classid half load not permitted for lwt prog",
6278 		.insns = {
6279 			BPF_MOV64_IMM(BPF_REG_0, 0),
6280 #if __BYTE_ORDER == __LITTLE_ENDIAN
6281 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6282 				    offsetof(struct __sk_buff, tc_classid)),
6283 #else
6284 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
6285 				    offsetof(struct __sk_buff, tc_classid) + 2),
6286 #endif
6287 			BPF_EXIT_INSN(),
6288 		},
6289 		.result = REJECT,
6290 		.errstr = "invalid bpf_context access",
6291 		.prog_type = BPF_PROG_TYPE_LWT_IN,
6292 	},
6293 	{
6294 		"bounds checks mixing signed and unsigned, positive bounds",
6295 		.insns = {
6296 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6297 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6298 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6299 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6300 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6301 				     BPF_FUNC_map_lookup_elem),
6302 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6303 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6304 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6305 			BPF_MOV64_IMM(BPF_REG_2, 2),
6306 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
6307 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
6308 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6309 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6310 			BPF_MOV64_IMM(BPF_REG_0, 0),
6311 			BPF_EXIT_INSN(),
6312 		},
6313 		.fixup_map1 = { 3 },
6314 		.errstr = "unbounded min value",
6315 		.result = REJECT,
6316 	},
6317 	{
6318 		"bounds checks mixing signed and unsigned",
6319 		.insns = {
6320 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6321 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6322 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6323 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6324 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6325 				     BPF_FUNC_map_lookup_elem),
6326 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6327 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6328 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6329 			BPF_MOV64_IMM(BPF_REG_2, -1),
6330 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6331 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6332 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6333 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6334 			BPF_MOV64_IMM(BPF_REG_0, 0),
6335 			BPF_EXIT_INSN(),
6336 		},
6337 		.fixup_map1 = { 3 },
6338 		.errstr = "unbounded min value",
6339 		.result = REJECT,
6340 	},
6341 	{
6342 		"bounds checks mixing signed and unsigned, variant 2",
6343 		.insns = {
6344 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6345 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6346 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6347 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6348 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6349 				     BPF_FUNC_map_lookup_elem),
6350 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6351 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6352 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6353 			BPF_MOV64_IMM(BPF_REG_2, -1),
6354 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6355 			BPF_MOV64_IMM(BPF_REG_8, 0),
6356 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
6357 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6358 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6359 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6360 			BPF_MOV64_IMM(BPF_REG_0, 0),
6361 			BPF_EXIT_INSN(),
6362 		},
6363 		.fixup_map1 = { 3 },
6364 		.errstr = "unbounded min value",
6365 		.result = REJECT,
6366 	},
6367 	{
6368 		"bounds checks mixing signed and unsigned, variant 3",
6369 		.insns = {
6370 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6371 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6372 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6373 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6374 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6375 				     BPF_FUNC_map_lookup_elem),
6376 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6377 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6378 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6379 			BPF_MOV64_IMM(BPF_REG_2, -1),
6380 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
6381 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
6382 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
6383 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
6384 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
6385 			BPF_MOV64_IMM(BPF_REG_0, 0),
6386 			BPF_EXIT_INSN(),
6387 		},
6388 		.fixup_map1 = { 3 },
6389 		.errstr = "unbounded min value",
6390 		.result = REJECT,
6391 	},
6392 	{
6393 		"bounds checks mixing signed and unsigned, variant 4",
6394 		.insns = {
6395 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6396 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6397 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6398 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6399 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6400 				     BPF_FUNC_map_lookup_elem),
6401 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6402 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6403 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6404 			BPF_MOV64_IMM(BPF_REG_2, 1),
6405 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
6406 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6407 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6408 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6409 			BPF_MOV64_IMM(BPF_REG_0, 0),
6410 			BPF_EXIT_INSN(),
6411 		},
6412 		.fixup_map1 = { 3 },
6413 		.result = ACCEPT,
6414 	},
6415 	{
6416 		"bounds checks mixing signed and unsigned, variant 5",
6417 		.insns = {
6418 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6419 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6420 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6421 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6422 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6423 				     BPF_FUNC_map_lookup_elem),
6424 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6425 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6426 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6427 			BPF_MOV64_IMM(BPF_REG_2, -1),
6428 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
6429 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
6430 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
6431 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
6432 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6433 			BPF_MOV64_IMM(BPF_REG_0, 0),
6434 			BPF_EXIT_INSN(),
6435 		},
6436 		.fixup_map1 = { 3 },
6437 		.errstr = "unbounded min value",
6438 		.result = REJECT,
6439 	},
6440 	{
6441 		"bounds checks mixing signed and unsigned, variant 6",
6442 		.insns = {
6443 			BPF_MOV64_IMM(BPF_REG_2, 0),
6444 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
6445 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
6446 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6447 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
6448 			BPF_MOV64_IMM(BPF_REG_6, -1),
6449 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
6450 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
6451 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
6452 			BPF_MOV64_IMM(BPF_REG_5, 0),
6453 			BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
6454 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6455 				     BPF_FUNC_skb_load_bytes),
6456 			BPF_MOV64_IMM(BPF_REG_0, 0),
6457 			BPF_EXIT_INSN(),
6458 		},
6459 		.errstr = "R4 min value is negative, either use unsigned",
6460 		.result = REJECT,
6461 	},
6462 	{
6463 		"bounds checks mixing signed and unsigned, variant 7",
6464 		.insns = {
6465 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6466 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6467 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6468 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6469 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6470 				     BPF_FUNC_map_lookup_elem),
6471 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6472 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6473 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6474 			BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
6475 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
6476 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6477 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6478 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6479 			BPF_MOV64_IMM(BPF_REG_0, 0),
6480 			BPF_EXIT_INSN(),
6481 		},
6482 		.fixup_map1 = { 3 },
6483 		.result = ACCEPT,
6484 	},
6485 	{
6486 		"bounds checks mixing signed and unsigned, variant 8",
6487 		.insns = {
6488 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6489 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6490 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6491 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6492 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6493 				     BPF_FUNC_map_lookup_elem),
6494 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6495 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6496 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6497 			BPF_MOV64_IMM(BPF_REG_2, -1),
6498 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6499 			BPF_MOV64_IMM(BPF_REG_0, 0),
6500 			BPF_EXIT_INSN(),
6501 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6502 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6503 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6504 			BPF_MOV64_IMM(BPF_REG_0, 0),
6505 			BPF_EXIT_INSN(),
6506 		},
6507 		.fixup_map1 = { 3 },
6508 		.errstr = "unbounded min value",
6509 		.result = REJECT,
6510 	},
6511 	{
6512 		"bounds checks mixing signed and unsigned, variant 9",
6513 		.insns = {
6514 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6515 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6516 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6517 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6518 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6519 				     BPF_FUNC_map_lookup_elem),
6520 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6521 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6522 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6523 			BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
6524 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6525 			BPF_MOV64_IMM(BPF_REG_0, 0),
6526 			BPF_EXIT_INSN(),
6527 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6528 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6529 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6530 			BPF_MOV64_IMM(BPF_REG_0, 0),
6531 			BPF_EXIT_INSN(),
6532 		},
6533 		.fixup_map1 = { 3 },
6534 		.result = ACCEPT,
6535 	},
6536 	{
6537 		"bounds checks mixing signed and unsigned, variant 10",
6538 		.insns = {
6539 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6540 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6541 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6542 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6543 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6544 				     BPF_FUNC_map_lookup_elem),
6545 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6546 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6547 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6548 			BPF_MOV64_IMM(BPF_REG_2, 0),
6549 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
6550 			BPF_MOV64_IMM(BPF_REG_0, 0),
6551 			BPF_EXIT_INSN(),
6552 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6553 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6554 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6555 			BPF_MOV64_IMM(BPF_REG_0, 0),
6556 			BPF_EXIT_INSN(),
6557 		},
6558 		.fixup_map1 = { 3 },
6559 		.errstr = "unbounded min value",
6560 		.result = REJECT,
6561 	},
6562 	{
6563 		"bounds checks mixing signed and unsigned, variant 11",
6564 		.insns = {
6565 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6566 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6567 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6568 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6569 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6570 				     BPF_FUNC_map_lookup_elem),
6571 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6572 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6573 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6574 			BPF_MOV64_IMM(BPF_REG_2, -1),
6575 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6576 			/* Dead branch. */
6577 			BPF_MOV64_IMM(BPF_REG_0, 0),
6578 			BPF_EXIT_INSN(),
6579 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6580 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6581 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6582 			BPF_MOV64_IMM(BPF_REG_0, 0),
6583 			BPF_EXIT_INSN(),
6584 		},
6585 		.fixup_map1 = { 3 },
6586 		.errstr = "unbounded min value",
6587 		.result = REJECT,
6588 	},
6589 	{
6590 		"bounds checks mixing signed and unsigned, variant 12",
6591 		.insns = {
6592 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6593 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6594 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6595 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6596 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6597 				     BPF_FUNC_map_lookup_elem),
6598 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6599 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6600 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6601 			BPF_MOV64_IMM(BPF_REG_2, -6),
6602 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6603 			BPF_MOV64_IMM(BPF_REG_0, 0),
6604 			BPF_EXIT_INSN(),
6605 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6606 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6607 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6608 			BPF_MOV64_IMM(BPF_REG_0, 0),
6609 			BPF_EXIT_INSN(),
6610 		},
6611 		.fixup_map1 = { 3 },
6612 		.errstr = "unbounded min value",
6613 		.result = REJECT,
6614 	},
6615 	{
6616 		"bounds checks mixing signed and unsigned, variant 13",
6617 		.insns = {
6618 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6619 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6620 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6621 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6622 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6623 				     BPF_FUNC_map_lookup_elem),
6624 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6625 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6626 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6627 			BPF_MOV64_IMM(BPF_REG_2, 2),
6628 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6629 			BPF_MOV64_IMM(BPF_REG_7, 1),
6630 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
6631 			BPF_MOV64_IMM(BPF_REG_0, 0),
6632 			BPF_EXIT_INSN(),
6633 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
6634 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
6635 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
6636 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6637 			BPF_MOV64_IMM(BPF_REG_0, 0),
6638 			BPF_EXIT_INSN(),
6639 		},
6640 		.fixup_map1 = { 3 },
6641 		.errstr = "unbounded min value",
6642 		.result = REJECT,
6643 	},
6644 	{
6645 		"bounds checks mixing signed and unsigned, variant 14",
6646 		.insns = {
6647 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
6648 				    offsetof(struct __sk_buff, mark)),
6649 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6650 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6651 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6652 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6653 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6654 				     BPF_FUNC_map_lookup_elem),
6655 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6656 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6657 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6658 			BPF_MOV64_IMM(BPF_REG_2, -1),
6659 			BPF_MOV64_IMM(BPF_REG_8, 2),
6660 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
6661 			BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
6662 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
6663 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6664 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6665 			BPF_MOV64_IMM(BPF_REG_0, 0),
6666 			BPF_EXIT_INSN(),
6667 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
6668 			BPF_JMP_IMM(BPF_JA, 0, 0, -7),
6669 		},
6670 		.fixup_map1 = { 4 },
6671 		.errstr = "unbounded min value",
6672 		.result = REJECT,
6673 	},
6674 	{
6675 		"bounds checks mixing signed and unsigned, variant 15",
6676 		.insns = {
6677 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6678 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6679 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6680 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6681 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6682 				     BPF_FUNC_map_lookup_elem),
6683 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6684 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
6685 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6686 			BPF_MOV64_IMM(BPF_REG_2, -6),
6687 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
6688 			BPF_MOV64_IMM(BPF_REG_0, 0),
6689 			BPF_EXIT_INSN(),
6690 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6691 			BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
6692 			BPF_MOV64_IMM(BPF_REG_0, 0),
6693 			BPF_EXIT_INSN(),
6694 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
6695 			BPF_MOV64_IMM(BPF_REG_0, 0),
6696 			BPF_EXIT_INSN(),
6697 		},
6698 		.fixup_map1 = { 3 },
6699 		.errstr = "unbounded min value",
6700 		.result = REJECT,
6701 		.result_unpriv = REJECT,
6702 	},
6703 	{
6704 		"subtraction bounds (map value) variant 1",
6705 		.insns = {
6706 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6707 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6708 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6709 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6710 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6711 				     BPF_FUNC_map_lookup_elem),
6712 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6713 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6714 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
6715 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
6716 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
6717 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
6718 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
6719 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6720 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6721 			BPF_EXIT_INSN(),
6722 			BPF_MOV64_IMM(BPF_REG_0, 0),
6723 			BPF_EXIT_INSN(),
6724 		},
6725 		.fixup_map1 = { 3 },
6726 		.errstr = "R0 max value is outside of the array range",
6727 		.result = REJECT,
6728 	},
6729 	{
6730 		"subtraction bounds (map value) variant 2",
6731 		.insns = {
6732 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6733 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6734 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6735 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6736 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6737 				     BPF_FUNC_map_lookup_elem),
6738 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
6739 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6740 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
6741 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
6742 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
6743 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
6744 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6745 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6746 			BPF_EXIT_INSN(),
6747 			BPF_MOV64_IMM(BPF_REG_0, 0),
6748 			BPF_EXIT_INSN(),
6749 		},
6750 		.fixup_map1 = { 3 },
6751 		.errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
6752 		.result = REJECT,
6753 	},
6754 	{
6755 		"bounds check based on zero-extended MOV",
6756 		.insns = {
6757 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6758 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6759 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6760 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6761 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6762 				     BPF_FUNC_map_lookup_elem),
6763 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6764 			/* r2 = 0x0000'0000'ffff'ffff */
6765 			BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
6766 			/* r2 = 0 */
6767 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
6768 			/* no-op */
6769 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
6770 			/* access at offset 0 */
6771 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6772 			/* exit */
6773 			BPF_MOV64_IMM(BPF_REG_0, 0),
6774 			BPF_EXIT_INSN(),
6775 		},
6776 		.fixup_map1 = { 3 },
6777 		.result = ACCEPT
6778 	},
6779 	{
6780 		"bounds check based on sign-extended MOV. test1",
6781 		.insns = {
6782 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6783 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6784 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6785 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6786 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6787 				     BPF_FUNC_map_lookup_elem),
6788 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6789 			/* r2 = 0xffff'ffff'ffff'ffff */
6790 			BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
6791 			/* r2 = 0xffff'ffff */
6792 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
6793 			/* r0 = <oob pointer> */
6794 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
6795 			/* access to OOB pointer */
6796 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6797 			/* exit */
6798 			BPF_MOV64_IMM(BPF_REG_0, 0),
6799 			BPF_EXIT_INSN(),
6800 		},
6801 		.fixup_map1 = { 3 },
6802 		.errstr = "map_value pointer and 4294967295",
6803 		.result = REJECT
6804 	},
6805 	{
6806 		"bounds check based on sign-extended MOV. test2",
6807 		.insns = {
6808 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6809 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6810 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6811 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6812 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6813 				     BPF_FUNC_map_lookup_elem),
6814 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6815 			/* r2 = 0xffff'ffff'ffff'ffff */
6816 			BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
6817 			/* r2 = 0xfff'ffff */
6818 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
6819 			/* r0 = <oob pointer> */
6820 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
6821 			/* access to OOB pointer */
6822 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6823 			/* exit */
6824 			BPF_MOV64_IMM(BPF_REG_0, 0),
6825 			BPF_EXIT_INSN(),
6826 		},
6827 		.fixup_map1 = { 3 },
6828 		.errstr = "R0 min value is outside of the array range",
6829 		.result = REJECT
6830 	},
6831 	{
6832 		"bounds check based on reg_off + var_off + insn_off. test1",
6833 		.insns = {
6834 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6835 				    offsetof(struct __sk_buff, mark)),
6836 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6837 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6838 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6839 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6840 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6841 				     BPF_FUNC_map_lookup_elem),
6842 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6843 			BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
6844 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
6845 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
6846 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
6847 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
6848 			BPF_MOV64_IMM(BPF_REG_0, 0),
6849 			BPF_EXIT_INSN(),
6850 		},
6851 		.fixup_map1 = { 4 },
6852 		.errstr = "value_size=8 off=1073741825",
6853 		.result = REJECT,
6854 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6855 	},
6856 	{
6857 		"bounds check based on reg_off + var_off + insn_off. test2",
6858 		.insns = {
6859 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6860 				    offsetof(struct __sk_buff, mark)),
6861 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6862 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6863 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6864 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6865 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6866 				     BPF_FUNC_map_lookup_elem),
6867 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6868 			BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
6869 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
6870 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
6871 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
6872 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
6873 			BPF_MOV64_IMM(BPF_REG_0, 0),
6874 			BPF_EXIT_INSN(),
6875 		},
6876 		.fixup_map1 = { 4 },
6877 		.errstr = "value 1073741823",
6878 		.result = REJECT,
6879 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6880 	},
6881 	{
6882 		"bounds check after truncation of non-boundary-crossing range",
6883 		.insns = {
6884 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6885 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6886 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6887 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6888 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6889 				     BPF_FUNC_map_lookup_elem),
6890 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6891 			/* r1 = [0x00, 0xff] */
6892 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6893 			BPF_MOV64_IMM(BPF_REG_2, 1),
6894 			/* r2 = 0x10'0000'0000 */
6895 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
6896 			/* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
6897 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
6898 			/* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
6899 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
6900 			/* r1 = [0x00, 0xff] */
6901 			BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
6902 			/* r1 = 0 */
6903 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
6904 			/* no-op */
6905 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6906 			/* access at offset 0 */
6907 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6908 			/* exit */
6909 			BPF_MOV64_IMM(BPF_REG_0, 0),
6910 			BPF_EXIT_INSN(),
6911 		},
6912 		.fixup_map1 = { 3 },
6913 		.result = ACCEPT
6914 	},
6915 	{
6916 		"bounds check after truncation of boundary-crossing range (1)",
6917 		.insns = {
6918 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6919 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6920 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6921 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6922 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6923 				     BPF_FUNC_map_lookup_elem),
6924 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6925 			/* r1 = [0x00, 0xff] */
6926 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6927 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
6928 			/* r1 = [0xffff'ff80, 0x1'0000'007f] */
6929 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
6930 			/* r1 = [0xffff'ff80, 0xffff'ffff] or
6931 			 *      [0x0000'0000, 0x0000'007f]
6932 			 */
6933 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
6934 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
6935 			/* r1 = [0x00, 0xff] or
6936 			 *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
6937 			 */
6938 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
6939 			/* r1 = 0 or
6940 			 *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
6941 			 */
6942 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
6943 			/* no-op or OOB pointer computation */
6944 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6945 			/* potentially OOB access */
6946 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6947 			/* exit */
6948 			BPF_MOV64_IMM(BPF_REG_0, 0),
6949 			BPF_EXIT_INSN(),
6950 		},
6951 		.fixup_map1 = { 3 },
6952 		/* not actually fully unbounded, but the bound is very high */
6953 		.errstr = "R0 unbounded memory access",
6954 		.result = REJECT
6955 	},
6956 	{
6957 		"bounds check after truncation of boundary-crossing range (2)",
6958 		.insns = {
6959 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6960 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6961 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6962 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6963 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6964 				     BPF_FUNC_map_lookup_elem),
6965 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6966 			/* r1 = [0x00, 0xff] */
6967 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6968 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
6969 			/* r1 = [0xffff'ff80, 0x1'0000'007f] */
6970 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
6971 			/* r1 = [0xffff'ff80, 0xffff'ffff] or
6972 			 *      [0x0000'0000, 0x0000'007f]
6973 			 * difference to previous test: truncation via MOV32
6974 			 * instead of ALU32.
6975 			 */
6976 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
6977 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
6978 			/* r1 = [0x00, 0xff] or
6979 			 *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
6980 			 */
6981 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
6982 			/* r1 = 0 or
6983 			 *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
6984 			 */
6985 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
6986 			/* no-op or OOB pointer computation */
6987 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6988 			/* potentially OOB access */
6989 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
6990 			/* exit */
6991 			BPF_MOV64_IMM(BPF_REG_0, 0),
6992 			BPF_EXIT_INSN(),
6993 		},
6994 		.fixup_map1 = { 3 },
6995 		/* not actually fully unbounded, but the bound is very high */
6996 		.errstr = "R0 unbounded memory access",
6997 		.result = REJECT
6998 	},
6999 	{
7000 		"bounds check after wrapping 32-bit addition",
7001 		.insns = {
7002 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7003 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7004 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7005 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7006 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7007 				     BPF_FUNC_map_lookup_elem),
7008 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7009 			/* r1 = 0x7fff'ffff */
7010 			BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
7011 			/* r1 = 0xffff'fffe */
7012 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7013 			/* r1 = 0 */
7014 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
7015 			/* no-op */
7016 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7017 			/* access at offset 0 */
7018 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7019 			/* exit */
7020 			BPF_MOV64_IMM(BPF_REG_0, 0),
7021 			BPF_EXIT_INSN(),
7022 		},
7023 		.fixup_map1 = { 3 },
7024 		.result = ACCEPT
7025 	},
7026 	{
7027 		"bounds check after shift with oversized count operand",
7028 		.insns = {
7029 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7030 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7031 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7032 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7033 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7034 				     BPF_FUNC_map_lookup_elem),
7035 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7036 			BPF_MOV64_IMM(BPF_REG_2, 32),
7037 			BPF_MOV64_IMM(BPF_REG_1, 1),
7038 			/* r1 = (u32)1 << (u32)32 = ? */
7039 			BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
7040 			/* r1 = [0x0000, 0xffff] */
7041 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
7042 			/* computes unknown pointer, potentially OOB */
7043 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7044 			/* potentially OOB access */
7045 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7046 			/* exit */
7047 			BPF_MOV64_IMM(BPF_REG_0, 0),
7048 			BPF_EXIT_INSN(),
7049 		},
7050 		.fixup_map1 = { 3 },
7051 		.errstr = "R0 max value is outside of the array range",
7052 		.result = REJECT
7053 	},
7054 	{
7055 		"bounds check after right shift of maybe-negative number",
7056 		.insns = {
7057 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7058 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7059 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7060 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7061 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7062 				     BPF_FUNC_map_lookup_elem),
7063 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7064 			/* r1 = [0x00, 0xff] */
7065 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7066 			/* r1 = [-0x01, 0xfe] */
7067 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
7068 			/* r1 = 0 or 0xff'ffff'ffff'ffff */
7069 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7070 			/* r1 = 0 or 0xffff'ffff'ffff */
7071 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7072 			/* computes unknown pointer, potentially OOB */
7073 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7074 			/* potentially OOB access */
7075 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7076 			/* exit */
7077 			BPF_MOV64_IMM(BPF_REG_0, 0),
7078 			BPF_EXIT_INSN(),
7079 		},
7080 		.fixup_map1 = { 3 },
7081 		.errstr = "R0 unbounded memory access",
7082 		.result = REJECT
7083 	},
7084 	{
7085 		"bounds check map access with off+size signed 32bit overflow. test1",
7086 		.insns = {
7087 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7088 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7089 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7090 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7091 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7092 				     BPF_FUNC_map_lookup_elem),
7093 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7094 			BPF_EXIT_INSN(),
7095 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
7096 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7097 			BPF_JMP_A(0),
7098 			BPF_EXIT_INSN(),
7099 		},
7100 		.fixup_map1 = { 3 },
7101 		.errstr = "map_value pointer and 2147483646",
7102 		.result = REJECT
7103 	},
7104 	{
7105 		"bounds check map access with off+size signed 32bit overflow. test2",
7106 		.insns = {
7107 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7108 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7109 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7110 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7111 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7112 				     BPF_FUNC_map_lookup_elem),
7113 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7114 			BPF_EXIT_INSN(),
7115 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7116 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7117 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
7118 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7119 			BPF_JMP_A(0),
7120 			BPF_EXIT_INSN(),
7121 		},
7122 		.fixup_map1 = { 3 },
7123 		.errstr = "pointer offset 1073741822",
7124 		.result = REJECT
7125 	},
7126 	{
7127 		"bounds check map access with off+size signed 32bit overflow. test3",
7128 		.insns = {
7129 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7130 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7131 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7132 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7133 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7134 				     BPF_FUNC_map_lookup_elem),
7135 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7136 			BPF_EXIT_INSN(),
7137 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
7138 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
7139 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
7140 			BPF_JMP_A(0),
7141 			BPF_EXIT_INSN(),
7142 		},
7143 		.fixup_map1 = { 3 },
7144 		.errstr = "pointer offset -1073741822",
7145 		.result = REJECT
7146 	},
7147 	{
7148 		"bounds check map access with off+size signed 32bit overflow. test4",
7149 		.insns = {
7150 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7151 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7152 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7153 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7154 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7155 				     BPF_FUNC_map_lookup_elem),
7156 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7157 			BPF_EXIT_INSN(),
7158 			BPF_MOV64_IMM(BPF_REG_1, 1000000),
7159 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
7160 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7161 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
7162 			BPF_JMP_A(0),
7163 			BPF_EXIT_INSN(),
7164 		},
7165 		.fixup_map1 = { 3 },
7166 		.errstr = "map_value pointer and 1000000000000",
7167 		.result = REJECT
7168 	},
7169 	{
7170 		"pointer/scalar confusion in state equality check (way 1)",
7171 		.insns = {
7172 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7173 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7174 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7175 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7176 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7177 				     BPF_FUNC_map_lookup_elem),
7178 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
7179 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7180 			BPF_JMP_A(1),
7181 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
7182 			BPF_JMP_A(0),
7183 			BPF_EXIT_INSN(),
7184 		},
7185 		.fixup_map1 = { 3 },
7186 		.result = ACCEPT,
7187 		.result_unpriv = REJECT,
7188 		.errstr_unpriv = "R0 leaks addr as return value"
7189 	},
7190 	{
7191 		"pointer/scalar confusion in state equality check (way 2)",
7192 		.insns = {
7193 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7194 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7195 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7196 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7197 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7198 				     BPF_FUNC_map_lookup_elem),
7199 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
7200 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
7201 			BPF_JMP_A(1),
7202 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7203 			BPF_EXIT_INSN(),
7204 		},
7205 		.fixup_map1 = { 3 },
7206 		.result = ACCEPT,
7207 		.result_unpriv = REJECT,
7208 		.errstr_unpriv = "R0 leaks addr as return value"
7209 	},
7210 	{
7211 		"variable-offset ctx access",
7212 		.insns = {
7213 			/* Get an unknown value */
7214 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7215 			/* Make it small and 4-byte aligned */
7216 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7217 			/* add it to skb.  We now have either &skb->len or
7218 			 * &skb->pkt_type, but we don't know which
7219 			 */
7220 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
7221 			/* dereference it */
7222 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
7223 			BPF_EXIT_INSN(),
7224 		},
7225 		.errstr = "variable ctx access var_off=(0x0; 0x4)",
7226 		.result = REJECT,
7227 		.prog_type = BPF_PROG_TYPE_LWT_IN,
7228 	},
7229 	{
7230 		"variable-offset stack access",
7231 		.insns = {
7232 			/* Fill the top 8 bytes of the stack */
7233 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7234 			/* Get an unknown value */
7235 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7236 			/* Make it small and 4-byte aligned */
7237 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7238 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
7239 			/* add it to fp.  We now have either fp-4 or fp-8, but
7240 			 * we don't know which
7241 			 */
7242 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
7243 			/* dereference it */
7244 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
7245 			BPF_EXIT_INSN(),
7246 		},
7247 		.errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
7248 		.result = REJECT,
7249 		.prog_type = BPF_PROG_TYPE_LWT_IN,
7250 	},
7251 	{
7252 		"indirect variable-offset stack access",
7253 		.insns = {
7254 			/* Fill the top 8 bytes of the stack */
7255 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7256 			/* Get an unknown value */
7257 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7258 			/* Make it small and 4-byte aligned */
7259 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
7260 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
7261 			/* add it to fp.  We now have either fp-4 or fp-8, but
7262 			 * we don't know which
7263 			 */
7264 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
7265 			/* dereference it indirectly */
7266 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7267 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7268 				     BPF_FUNC_map_lookup_elem),
7269 			BPF_MOV64_IMM(BPF_REG_0, 0),
7270 			BPF_EXIT_INSN(),
7271 		},
7272 		.fixup_map1 = { 5 },
7273 		.errstr = "variable stack read R2",
7274 		.result = REJECT,
7275 		.prog_type = BPF_PROG_TYPE_LWT_IN,
7276 	},
7277 	{
7278 		"direct stack access with 32-bit wraparound. test1",
7279 		.insns = {
7280 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7281 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7282 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7283 			BPF_MOV32_IMM(BPF_REG_0, 0),
7284 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7285 			BPF_EXIT_INSN()
7286 		},
7287 		.errstr = "fp pointer and 2147483647",
7288 		.result = REJECT
7289 	},
7290 	{
7291 		"direct stack access with 32-bit wraparound. test2",
7292 		.insns = {
7293 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7294 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
7295 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
7296 			BPF_MOV32_IMM(BPF_REG_0, 0),
7297 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7298 			BPF_EXIT_INSN()
7299 		},
7300 		.errstr = "fp pointer and 1073741823",
7301 		.result = REJECT
7302 	},
7303 	{
7304 		"direct stack access with 32-bit wraparound. test3",
7305 		.insns = {
7306 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7307 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
7308 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
7309 			BPF_MOV32_IMM(BPF_REG_0, 0),
7310 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7311 			BPF_EXIT_INSN()
7312 		},
7313 		.errstr = "fp pointer offset 1073741822",
7314 		.result = REJECT
7315 	},
7316 	{
7317 		"liveness pruning and write screening",
7318 		.insns = {
7319 			/* Get an unknown value */
7320 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
7321 			/* branch conditions teach us nothing about R2 */
7322 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
7323 			BPF_MOV64_IMM(BPF_REG_0, 0),
7324 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
7325 			BPF_MOV64_IMM(BPF_REG_0, 0),
7326 			BPF_EXIT_INSN(),
7327 		},
7328 		.errstr = "R0 !read_ok",
7329 		.result = REJECT,
7330 		.prog_type = BPF_PROG_TYPE_LWT_IN,
7331 	},
7332 	{
7333 		"varlen_map_value_access pruning",
7334 		.insns = {
7335 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7336 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7337 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7338 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7339 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7340 				     BPF_FUNC_map_lookup_elem),
7341 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7342 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
7343 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
7344 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
7345 			BPF_MOV32_IMM(BPF_REG_1, 0),
7346 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
7347 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7348 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
7349 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7350 				   offsetof(struct test_val, foo)),
7351 			BPF_EXIT_INSN(),
7352 		},
7353 		.fixup_map2 = { 3 },
7354 		.errstr_unpriv = "R0 leaks addr",
7355 		.errstr = "R0 unbounded memory access",
7356 		.result_unpriv = REJECT,
7357 		.result = REJECT,
7358 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7359 	},
7360 	{
7361 		"invalid 64-bit BPF_END",
7362 		.insns = {
7363 			BPF_MOV32_IMM(BPF_REG_0, 0),
7364 			{
7365 				.code  = BPF_ALU64 | BPF_END | BPF_TO_LE,
7366 				.dst_reg = BPF_REG_0,
7367 				.src_reg = 0,
7368 				.off   = 0,
7369 				.imm   = 32,
7370 			},
7371 			BPF_EXIT_INSN(),
7372 		},
7373 		.errstr = "BPF_END uses reserved fields",
7374 		.result = REJECT,
7375 	},
7376 	{
7377 		"meta access, test1",
7378 		.insns = {
7379 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7380 				    offsetof(struct xdp_md, data_meta)),
7381 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7382 				    offsetof(struct xdp_md, data)),
7383 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7384 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7385 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7386 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7387 			BPF_MOV64_IMM(BPF_REG_0, 0),
7388 			BPF_EXIT_INSN(),
7389 		},
7390 		.result = ACCEPT,
7391 		.prog_type = BPF_PROG_TYPE_XDP,
7392 	},
7393 	{
7394 		"meta access, test2",
7395 		.insns = {
7396 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7397 				    offsetof(struct xdp_md, data_meta)),
7398 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7399 				    offsetof(struct xdp_md, data)),
7400 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7401 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
7402 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7403 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
7404 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7405 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7406 			BPF_MOV64_IMM(BPF_REG_0, 0),
7407 			BPF_EXIT_INSN(),
7408 		},
7409 		.result = REJECT,
7410 		.errstr = "invalid access to packet, off=-8",
7411 		.prog_type = BPF_PROG_TYPE_XDP,
7412 	},
7413 	{
7414 		"meta access, test3",
7415 		.insns = {
7416 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7417 				    offsetof(struct xdp_md, data_meta)),
7418 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7419 				    offsetof(struct xdp_md, data_end)),
7420 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7421 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7422 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7423 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7424 			BPF_MOV64_IMM(BPF_REG_0, 0),
7425 			BPF_EXIT_INSN(),
7426 		},
7427 		.result = REJECT,
7428 		.errstr = "invalid access to packet",
7429 		.prog_type = BPF_PROG_TYPE_XDP,
7430 	},
7431 	{
7432 		"meta access, test4",
7433 		.insns = {
7434 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7435 				    offsetof(struct xdp_md, data_meta)),
7436 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7437 				    offsetof(struct xdp_md, data_end)),
7438 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7439 				    offsetof(struct xdp_md, data)),
7440 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7441 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7442 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
7443 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7444 			BPF_MOV64_IMM(BPF_REG_0, 0),
7445 			BPF_EXIT_INSN(),
7446 		},
7447 		.result = REJECT,
7448 		.errstr = "invalid access to packet",
7449 		.prog_type = BPF_PROG_TYPE_XDP,
7450 	},
7451 	{
7452 		"meta access, test5",
7453 		.insns = {
7454 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7455 				    offsetof(struct xdp_md, data_meta)),
7456 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7457 				    offsetof(struct xdp_md, data)),
7458 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7459 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7460 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
7461 			BPF_MOV64_IMM(BPF_REG_2, -8),
7462 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7463 				     BPF_FUNC_xdp_adjust_meta),
7464 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
7465 			BPF_MOV64_IMM(BPF_REG_0, 0),
7466 			BPF_EXIT_INSN(),
7467 		},
7468 		.result = REJECT,
7469 		.errstr = "R3 !read_ok",
7470 		.prog_type = BPF_PROG_TYPE_XDP,
7471 	},
7472 	{
7473 		"meta access, test6",
7474 		.insns = {
7475 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7476 				    offsetof(struct xdp_md, data_meta)),
7477 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7478 				    offsetof(struct xdp_md, data)),
7479 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7480 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7481 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7482 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
7483 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
7484 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7485 			BPF_MOV64_IMM(BPF_REG_0, 0),
7486 			BPF_EXIT_INSN(),
7487 		},
7488 		.result = REJECT,
7489 		.errstr = "invalid access to packet",
7490 		.prog_type = BPF_PROG_TYPE_XDP,
7491 	},
7492 	{
7493 		"meta access, test7",
7494 		.insns = {
7495 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7496 				    offsetof(struct xdp_md, data_meta)),
7497 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7498 				    offsetof(struct xdp_md, data)),
7499 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7500 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
7501 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7502 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
7503 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7504 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7505 			BPF_MOV64_IMM(BPF_REG_0, 0),
7506 			BPF_EXIT_INSN(),
7507 		},
7508 		.result = ACCEPT,
7509 		.prog_type = BPF_PROG_TYPE_XDP,
7510 	},
7511 	{
7512 		"meta access, test8",
7513 		.insns = {
7514 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7515 				    offsetof(struct xdp_md, data_meta)),
7516 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7517 				    offsetof(struct xdp_md, data)),
7518 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7519 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
7520 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7521 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7522 			BPF_MOV64_IMM(BPF_REG_0, 0),
7523 			BPF_EXIT_INSN(),
7524 		},
7525 		.result = ACCEPT,
7526 		.prog_type = BPF_PROG_TYPE_XDP,
7527 	},
7528 	{
7529 		"meta access, test9",
7530 		.insns = {
7531 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7532 				    offsetof(struct xdp_md, data_meta)),
7533 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7534 				    offsetof(struct xdp_md, data)),
7535 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
7536 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
7537 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7538 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
7539 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7540 			BPF_MOV64_IMM(BPF_REG_0, 0),
7541 			BPF_EXIT_INSN(),
7542 		},
7543 		.result = REJECT,
7544 		.errstr = "invalid access to packet",
7545 		.prog_type = BPF_PROG_TYPE_XDP,
7546 	},
7547 	{
7548 		"meta access, test10",
7549 		.insns = {
7550 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7551 				    offsetof(struct xdp_md, data_meta)),
7552 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7553 				    offsetof(struct xdp_md, data)),
7554 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7555 				    offsetof(struct xdp_md, data_end)),
7556 			BPF_MOV64_IMM(BPF_REG_5, 42),
7557 			BPF_MOV64_IMM(BPF_REG_6, 24),
7558 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
7559 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
7560 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
7561 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
7562 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
7563 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
7564 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
7565 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
7566 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
7567 			BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
7568 			BPF_MOV64_IMM(BPF_REG_0, 0),
7569 			BPF_EXIT_INSN(),
7570 		},
7571 		.result = REJECT,
7572 		.errstr = "invalid access to packet",
7573 		.prog_type = BPF_PROG_TYPE_XDP,
7574 	},
7575 	{
7576 		"meta access, test11",
7577 		.insns = {
7578 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7579 				    offsetof(struct xdp_md, data_meta)),
7580 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7581 				    offsetof(struct xdp_md, data)),
7582 			BPF_MOV64_IMM(BPF_REG_5, 42),
7583 			BPF_MOV64_IMM(BPF_REG_6, 24),
7584 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
7585 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
7586 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
7587 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
7588 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
7589 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
7590 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
7591 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
7592 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
7593 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
7594 			BPF_MOV64_IMM(BPF_REG_0, 0),
7595 			BPF_EXIT_INSN(),
7596 		},
7597 		.result = ACCEPT,
7598 		.prog_type = BPF_PROG_TYPE_XDP,
7599 	},
7600 	{
7601 		"meta access, test12",
7602 		.insns = {
7603 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7604 				    offsetof(struct xdp_md, data_meta)),
7605 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7606 				    offsetof(struct xdp_md, data)),
7607 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
7608 				    offsetof(struct xdp_md, data_end)),
7609 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
7610 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
7611 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
7612 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
7613 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
7614 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
7615 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
7616 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
7617 			BPF_MOV64_IMM(BPF_REG_0, 0),
7618 			BPF_EXIT_INSN(),
7619 		},
7620 		.result = ACCEPT,
7621 		.prog_type = BPF_PROG_TYPE_XDP,
7622 	},
7623 	{
7624 		"arithmetic ops make PTR_TO_CTX unusable",
7625 		.insns = {
7626 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
7627 				      offsetof(struct __sk_buff, data) -
7628 				      offsetof(struct __sk_buff, mark)),
7629 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7630 				    offsetof(struct __sk_buff, mark)),
7631 			BPF_EXIT_INSN(),
7632 		},
7633 		.errstr = "dereference of modified ctx ptr R1 off=68+8, ctx+const is allowed, ctx+const+const is not",
7634 		.result = REJECT,
7635 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7636 	},
7637 	{
7638 		"pkt_end - pkt_start is allowed",
7639 		.insns = {
7640 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7641 				    offsetof(struct __sk_buff, data_end)),
7642 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7643 				    offsetof(struct __sk_buff, data)),
7644 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
7645 			BPF_EXIT_INSN(),
7646 		},
7647 		.result = ACCEPT,
7648 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7649 	},
7650 	{
7651 		"XDP pkt read, pkt_end mangling, bad access 1",
7652 		.insns = {
7653 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7654 				    offsetof(struct xdp_md, data)),
7655 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7656 				    offsetof(struct xdp_md, data_end)),
7657 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7658 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7659 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
7660 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7661 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7662 			BPF_MOV64_IMM(BPF_REG_0, 0),
7663 			BPF_EXIT_INSN(),
7664 		},
7665 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
7666 		.result = REJECT,
7667 		.prog_type = BPF_PROG_TYPE_XDP,
7668 	},
7669 	{
7670 		"XDP pkt read, pkt_end mangling, bad access 2",
7671 		.insns = {
7672 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7673 				    offsetof(struct xdp_md, data)),
7674 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7675 				    offsetof(struct xdp_md, data_end)),
7676 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7677 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7678 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
7679 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7680 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7681 			BPF_MOV64_IMM(BPF_REG_0, 0),
7682 			BPF_EXIT_INSN(),
7683 		},
7684 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
7685 		.result = REJECT,
7686 		.prog_type = BPF_PROG_TYPE_XDP,
7687 	},
7688 	{
7689 		"XDP pkt read, pkt_data' > pkt_end, good access",
7690 		.insns = {
7691 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7692 				    offsetof(struct xdp_md, data)),
7693 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7694 				    offsetof(struct xdp_md, data_end)),
7695 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7696 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7697 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7698 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7699 			BPF_MOV64_IMM(BPF_REG_0, 0),
7700 			BPF_EXIT_INSN(),
7701 		},
7702 		.result = ACCEPT,
7703 		.prog_type = BPF_PROG_TYPE_XDP,
7704 	},
7705 	{
7706 		"XDP pkt read, pkt_data' > pkt_end, bad access 1",
7707 		.insns = {
7708 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7709 				    offsetof(struct xdp_md, data)),
7710 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7711 				    offsetof(struct xdp_md, data_end)),
7712 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7713 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7714 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
7715 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7716 			BPF_MOV64_IMM(BPF_REG_0, 0),
7717 			BPF_EXIT_INSN(),
7718 		},
7719 		.errstr = "R1 offset is outside of the packet",
7720 		.result = REJECT,
7721 		.prog_type = BPF_PROG_TYPE_XDP,
7722 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7723 	},
7724 	{
7725 		"XDP pkt read, pkt_data' > pkt_end, bad access 2",
7726 		.insns = {
7727 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7728 				    offsetof(struct xdp_md, data)),
7729 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7730 				    offsetof(struct xdp_md, data_end)),
7731 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7732 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7733 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
7734 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7735 			BPF_MOV64_IMM(BPF_REG_0, 0),
7736 			BPF_EXIT_INSN(),
7737 		},
7738 		.errstr = "R1 offset is outside of the packet",
7739 		.result = REJECT,
7740 		.prog_type = BPF_PROG_TYPE_XDP,
7741 	},
7742 	{
7743 		"XDP pkt read, pkt_end > pkt_data', good access",
7744 		.insns = {
7745 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7746 				    offsetof(struct xdp_md, data)),
7747 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7748 				    offsetof(struct xdp_md, data_end)),
7749 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7750 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7751 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7752 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7753 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7754 			BPF_MOV64_IMM(BPF_REG_0, 0),
7755 			BPF_EXIT_INSN(),
7756 		},
7757 		.result = ACCEPT,
7758 		.prog_type = BPF_PROG_TYPE_XDP,
7759 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7760 	},
7761 	{
7762 		"XDP pkt read, pkt_end > pkt_data', bad access 1",
7763 		.insns = {
7764 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7765 				    offsetof(struct xdp_md, data)),
7766 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7767 				    offsetof(struct xdp_md, data_end)),
7768 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7769 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7770 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7771 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7772 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7773 			BPF_MOV64_IMM(BPF_REG_0, 0),
7774 			BPF_EXIT_INSN(),
7775 		},
7776 		.errstr = "R1 offset is outside of the packet",
7777 		.result = REJECT,
7778 		.prog_type = BPF_PROG_TYPE_XDP,
7779 	},
7780 	{
7781 		"XDP pkt read, pkt_end > pkt_data', bad access 2",
7782 		.insns = {
7783 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7784 				    offsetof(struct xdp_md, data)),
7785 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7786 				    offsetof(struct xdp_md, data_end)),
7787 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7788 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7789 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
7790 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7791 			BPF_MOV64_IMM(BPF_REG_0, 0),
7792 			BPF_EXIT_INSN(),
7793 		},
7794 		.errstr = "R1 offset is outside of the packet",
7795 		.result = REJECT,
7796 		.prog_type = BPF_PROG_TYPE_XDP,
7797 	},
7798 	{
7799 		"XDP pkt read, pkt_data' < pkt_end, good access",
7800 		.insns = {
7801 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7802 				    offsetof(struct xdp_md, data)),
7803 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7804 				    offsetof(struct xdp_md, data_end)),
7805 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7806 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7807 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7808 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7809 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7810 			BPF_MOV64_IMM(BPF_REG_0, 0),
7811 			BPF_EXIT_INSN(),
7812 		},
7813 		.result = ACCEPT,
7814 		.prog_type = BPF_PROG_TYPE_XDP,
7815 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7816 	},
7817 	{
7818 		"XDP pkt read, pkt_data' < pkt_end, bad access 1",
7819 		.insns = {
7820 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7821 				    offsetof(struct xdp_md, data)),
7822 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7823 				    offsetof(struct xdp_md, data_end)),
7824 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7825 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7826 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7827 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7828 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7829 			BPF_MOV64_IMM(BPF_REG_0, 0),
7830 			BPF_EXIT_INSN(),
7831 		},
7832 		.errstr = "R1 offset is outside of the packet",
7833 		.result = REJECT,
7834 		.prog_type = BPF_PROG_TYPE_XDP,
7835 	},
7836 	{
7837 		"XDP pkt read, pkt_data' < pkt_end, bad access 2",
7838 		.insns = {
7839 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7840 				    offsetof(struct xdp_md, data)),
7841 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7842 				    offsetof(struct xdp_md, data_end)),
7843 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7844 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7845 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
7846 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7847 			BPF_MOV64_IMM(BPF_REG_0, 0),
7848 			BPF_EXIT_INSN(),
7849 		},
7850 		.errstr = "R1 offset is outside of the packet",
7851 		.result = REJECT,
7852 		.prog_type = BPF_PROG_TYPE_XDP,
7853 	},
7854 	{
7855 		"XDP pkt read, pkt_end < pkt_data', good access",
7856 		.insns = {
7857 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7858 				    offsetof(struct xdp_md, data)),
7859 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7860 				    offsetof(struct xdp_md, data_end)),
7861 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7862 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7863 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7864 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7865 			BPF_MOV64_IMM(BPF_REG_0, 0),
7866 			BPF_EXIT_INSN(),
7867 		},
7868 		.result = ACCEPT,
7869 		.prog_type = BPF_PROG_TYPE_XDP,
7870 	},
7871 	{
7872 		"XDP pkt read, pkt_end < pkt_data', bad access 1",
7873 		.insns = {
7874 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7875 				    offsetof(struct xdp_md, data)),
7876 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7877 				    offsetof(struct xdp_md, data_end)),
7878 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7879 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7880 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
7881 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7882 			BPF_MOV64_IMM(BPF_REG_0, 0),
7883 			BPF_EXIT_INSN(),
7884 		},
7885 		.errstr = "R1 offset is outside of the packet",
7886 		.result = REJECT,
7887 		.prog_type = BPF_PROG_TYPE_XDP,
7888 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7889 	},
7890 	{
7891 		"XDP pkt read, pkt_end < pkt_data', bad access 2",
7892 		.insns = {
7893 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7894 				    offsetof(struct xdp_md, data)),
7895 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7896 				    offsetof(struct xdp_md, data_end)),
7897 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7898 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7899 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
7900 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7901 			BPF_MOV64_IMM(BPF_REG_0, 0),
7902 			BPF_EXIT_INSN(),
7903 		},
7904 		.errstr = "R1 offset is outside of the packet",
7905 		.result = REJECT,
7906 		.prog_type = BPF_PROG_TYPE_XDP,
7907 	},
7908 	{
7909 		"XDP pkt read, pkt_data' >= pkt_end, good access",
7910 		.insns = {
7911 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7912 				    offsetof(struct xdp_md, data)),
7913 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7914 				    offsetof(struct xdp_md, data_end)),
7915 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7916 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7917 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7918 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7919 			BPF_MOV64_IMM(BPF_REG_0, 0),
7920 			BPF_EXIT_INSN(),
7921 		},
7922 		.result = ACCEPT,
7923 		.prog_type = BPF_PROG_TYPE_XDP,
7924 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7925 	},
7926 	{
7927 		"XDP pkt read, pkt_data' >= pkt_end, bad access 1",
7928 		.insns = {
7929 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7930 				    offsetof(struct xdp_md, data)),
7931 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7932 				    offsetof(struct xdp_md, data_end)),
7933 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7934 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7935 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
7936 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7937 			BPF_MOV64_IMM(BPF_REG_0, 0),
7938 			BPF_EXIT_INSN(),
7939 		},
7940 		.errstr = "R1 offset is outside of the packet",
7941 		.result = REJECT,
7942 		.prog_type = BPF_PROG_TYPE_XDP,
7943 	},
7944 	{
7945 		"XDP pkt read, pkt_data' >= pkt_end, bad access 2",
7946 		.insns = {
7947 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7948 				    offsetof(struct xdp_md, data)),
7949 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7950 				    offsetof(struct xdp_md, data_end)),
7951 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7952 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7953 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
7954 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
7955 			BPF_MOV64_IMM(BPF_REG_0, 0),
7956 			BPF_EXIT_INSN(),
7957 		},
7958 		.errstr = "R1 offset is outside of the packet",
7959 		.result = REJECT,
7960 		.prog_type = BPF_PROG_TYPE_XDP,
7961 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7962 	},
7963 	{
7964 		"XDP pkt read, pkt_end >= pkt_data', good access",
7965 		.insns = {
7966 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7967 				    offsetof(struct xdp_md, data)),
7968 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7969 				    offsetof(struct xdp_md, data_end)),
7970 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7971 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7972 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7973 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7974 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
7975 			BPF_MOV64_IMM(BPF_REG_0, 0),
7976 			BPF_EXIT_INSN(),
7977 		},
7978 		.result = ACCEPT,
7979 		.prog_type = BPF_PROG_TYPE_XDP,
7980 	},
7981 	{
7982 		"XDP pkt read, pkt_end >= pkt_data', bad access 1",
7983 		.insns = {
7984 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7985 				    offsetof(struct xdp_md, data)),
7986 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
7987 				    offsetof(struct xdp_md, data_end)),
7988 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
7989 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7990 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
7991 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
7992 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
7993 			BPF_MOV64_IMM(BPF_REG_0, 0),
7994 			BPF_EXIT_INSN(),
7995 		},
7996 		.errstr = "R1 offset is outside of the packet",
7997 		.result = REJECT,
7998 		.prog_type = BPF_PROG_TYPE_XDP,
7999 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8000 	},
8001 	{
8002 		"XDP pkt read, pkt_end >= pkt_data', bad access 2",
8003 		.insns = {
8004 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8005 				    offsetof(struct xdp_md, data)),
8006 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8007 				    offsetof(struct xdp_md, data_end)),
8008 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8009 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8010 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8011 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8012 			BPF_MOV64_IMM(BPF_REG_0, 0),
8013 			BPF_EXIT_INSN(),
8014 		},
8015 		.errstr = "R1 offset is outside of the packet",
8016 		.result = REJECT,
8017 		.prog_type = BPF_PROG_TYPE_XDP,
8018 	},
8019 	{
8020 		"XDP pkt read, pkt_data' <= pkt_end, good access",
8021 		.insns = {
8022 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8023 				    offsetof(struct xdp_md, data)),
8024 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8025 				    offsetof(struct xdp_md, data_end)),
8026 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8027 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8028 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8029 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8030 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8031 			BPF_MOV64_IMM(BPF_REG_0, 0),
8032 			BPF_EXIT_INSN(),
8033 		},
8034 		.result = ACCEPT,
8035 		.prog_type = BPF_PROG_TYPE_XDP,
8036 	},
8037 	{
8038 		"XDP pkt read, pkt_data' <= pkt_end, bad access 1",
8039 		.insns = {
8040 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8041 				    offsetof(struct xdp_md, data)),
8042 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8043 				    offsetof(struct xdp_md, data_end)),
8044 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8045 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8046 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8047 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8048 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8049 			BPF_MOV64_IMM(BPF_REG_0, 0),
8050 			BPF_EXIT_INSN(),
8051 		},
8052 		.errstr = "R1 offset is outside of the packet",
8053 		.result = REJECT,
8054 		.prog_type = BPF_PROG_TYPE_XDP,
8055 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8056 	},
8057 	{
8058 		"XDP pkt read, pkt_data' <= pkt_end, bad access 2",
8059 		.insns = {
8060 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8061 				    offsetof(struct xdp_md, data)),
8062 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8063 				    offsetof(struct xdp_md, data_end)),
8064 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8065 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8066 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8067 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8068 			BPF_MOV64_IMM(BPF_REG_0, 0),
8069 			BPF_EXIT_INSN(),
8070 		},
8071 		.errstr = "R1 offset is outside of the packet",
8072 		.result = REJECT,
8073 		.prog_type = BPF_PROG_TYPE_XDP,
8074 	},
8075 	{
8076 		"XDP pkt read, pkt_end <= pkt_data', good access",
8077 		.insns = {
8078 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8079 				    offsetof(struct xdp_md, data)),
8080 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8081 				    offsetof(struct xdp_md, data_end)),
8082 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8083 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8084 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8085 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8086 			BPF_MOV64_IMM(BPF_REG_0, 0),
8087 			BPF_EXIT_INSN(),
8088 		},
8089 		.result = ACCEPT,
8090 		.prog_type = BPF_PROG_TYPE_XDP,
8091 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8092 	},
8093 	{
8094 		"XDP pkt read, pkt_end <= pkt_data', bad access 1",
8095 		.insns = {
8096 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8097 				    offsetof(struct xdp_md, data)),
8098 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8099 				    offsetof(struct xdp_md, data_end)),
8100 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8101 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8102 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8103 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8104 			BPF_MOV64_IMM(BPF_REG_0, 0),
8105 			BPF_EXIT_INSN(),
8106 		},
8107 		.errstr = "R1 offset is outside of the packet",
8108 		.result = REJECT,
8109 		.prog_type = BPF_PROG_TYPE_XDP,
8110 	},
8111 	{
8112 		"XDP pkt read, pkt_end <= pkt_data', bad access 2",
8113 		.insns = {
8114 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8115 				    offsetof(struct xdp_md, data)),
8116 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8117 				    offsetof(struct xdp_md, data_end)),
8118 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8119 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8120 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
8121 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8122 			BPF_MOV64_IMM(BPF_REG_0, 0),
8123 			BPF_EXIT_INSN(),
8124 		},
8125 		.errstr = "R1 offset is outside of the packet",
8126 		.result = REJECT,
8127 		.prog_type = BPF_PROG_TYPE_XDP,
8128 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8129 	},
8130 	{
8131 		"XDP pkt read, pkt_meta' > pkt_data, good access",
8132 		.insns = {
8133 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8134 				    offsetof(struct xdp_md, data_meta)),
8135 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8136 				    offsetof(struct xdp_md, data)),
8137 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8138 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8139 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8140 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8141 			BPF_MOV64_IMM(BPF_REG_0, 0),
8142 			BPF_EXIT_INSN(),
8143 		},
8144 		.result = ACCEPT,
8145 		.prog_type = BPF_PROG_TYPE_XDP,
8146 	},
8147 	{
8148 		"XDP pkt read, pkt_meta' > pkt_data, bad access 1",
8149 		.insns = {
8150 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8151 				    offsetof(struct xdp_md, data_meta)),
8152 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8153 				    offsetof(struct xdp_md, data)),
8154 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8155 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8156 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8157 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8158 			BPF_MOV64_IMM(BPF_REG_0, 0),
8159 			BPF_EXIT_INSN(),
8160 		},
8161 		.errstr = "R1 offset is outside of the packet",
8162 		.result = REJECT,
8163 		.prog_type = BPF_PROG_TYPE_XDP,
8164 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8165 	},
8166 	{
8167 		"XDP pkt read, pkt_meta' > pkt_data, bad access 2",
8168 		.insns = {
8169 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8170 				    offsetof(struct xdp_md, data_meta)),
8171 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8172 				    offsetof(struct xdp_md, data)),
8173 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8174 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8175 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8176 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8177 			BPF_MOV64_IMM(BPF_REG_0, 0),
8178 			BPF_EXIT_INSN(),
8179 		},
8180 		.errstr = "R1 offset is outside of the packet",
8181 		.result = REJECT,
8182 		.prog_type = BPF_PROG_TYPE_XDP,
8183 	},
8184 	{
8185 		"XDP pkt read, pkt_data > pkt_meta', good access",
8186 		.insns = {
8187 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8188 				    offsetof(struct xdp_md, data_meta)),
8189 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8190 				    offsetof(struct xdp_md, data)),
8191 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8192 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8193 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8194 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8195 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8196 			BPF_MOV64_IMM(BPF_REG_0, 0),
8197 			BPF_EXIT_INSN(),
8198 		},
8199 		.result = ACCEPT,
8200 		.prog_type = BPF_PROG_TYPE_XDP,
8201 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8202 	},
8203 	{
8204 		"XDP pkt read, pkt_data > pkt_meta', bad access 1",
8205 		.insns = {
8206 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8207 				    offsetof(struct xdp_md, data_meta)),
8208 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8209 				    offsetof(struct xdp_md, data)),
8210 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8211 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8212 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8213 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8214 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8215 			BPF_MOV64_IMM(BPF_REG_0, 0),
8216 			BPF_EXIT_INSN(),
8217 		},
8218 		.errstr = "R1 offset is outside of the packet",
8219 		.result = REJECT,
8220 		.prog_type = BPF_PROG_TYPE_XDP,
8221 	},
8222 	{
8223 		"XDP pkt read, pkt_data > pkt_meta', bad access 2",
8224 		.insns = {
8225 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8226 				    offsetof(struct xdp_md, data_meta)),
8227 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8228 				    offsetof(struct xdp_md, data)),
8229 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8230 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8231 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8232 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8233 			BPF_MOV64_IMM(BPF_REG_0, 0),
8234 			BPF_EXIT_INSN(),
8235 		},
8236 		.errstr = "R1 offset is outside of the packet",
8237 		.result = REJECT,
8238 		.prog_type = BPF_PROG_TYPE_XDP,
8239 	},
8240 	{
8241 		"XDP pkt read, pkt_meta' < pkt_data, good access",
8242 		.insns = {
8243 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8244 				    offsetof(struct xdp_md, data_meta)),
8245 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8246 				    offsetof(struct xdp_md, data)),
8247 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8248 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8249 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8250 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8251 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8252 			BPF_MOV64_IMM(BPF_REG_0, 0),
8253 			BPF_EXIT_INSN(),
8254 		},
8255 		.result = ACCEPT,
8256 		.prog_type = BPF_PROG_TYPE_XDP,
8257 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8258 	},
8259 	{
8260 		"XDP pkt read, pkt_meta' < pkt_data, bad access 1",
8261 		.insns = {
8262 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8263 				    offsetof(struct xdp_md, data_meta)),
8264 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8265 				    offsetof(struct xdp_md, data)),
8266 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8267 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8268 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8269 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8270 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8271 			BPF_MOV64_IMM(BPF_REG_0, 0),
8272 			BPF_EXIT_INSN(),
8273 		},
8274 		.errstr = "R1 offset is outside of the packet",
8275 		.result = REJECT,
8276 		.prog_type = BPF_PROG_TYPE_XDP,
8277 	},
8278 	{
8279 		"XDP pkt read, pkt_meta' < pkt_data, bad access 2",
8280 		.insns = {
8281 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8282 				    offsetof(struct xdp_md, data_meta)),
8283 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8284 				    offsetof(struct xdp_md, data)),
8285 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8286 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8287 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8288 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8289 			BPF_MOV64_IMM(BPF_REG_0, 0),
8290 			BPF_EXIT_INSN(),
8291 		},
8292 		.errstr = "R1 offset is outside of the packet",
8293 		.result = REJECT,
8294 		.prog_type = BPF_PROG_TYPE_XDP,
8295 	},
8296 	{
8297 		"XDP pkt read, pkt_data < pkt_meta', good access",
8298 		.insns = {
8299 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8300 				    offsetof(struct xdp_md, data_meta)),
8301 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8302 				    offsetof(struct xdp_md, data)),
8303 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8304 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8305 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8306 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8307 			BPF_MOV64_IMM(BPF_REG_0, 0),
8308 			BPF_EXIT_INSN(),
8309 		},
8310 		.result = ACCEPT,
8311 		.prog_type = BPF_PROG_TYPE_XDP,
8312 	},
8313 	{
8314 		"XDP pkt read, pkt_data < pkt_meta', bad access 1",
8315 		.insns = {
8316 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8317 				    offsetof(struct xdp_md, data_meta)),
8318 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8319 				    offsetof(struct xdp_md, data)),
8320 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8321 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8322 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8323 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8324 			BPF_MOV64_IMM(BPF_REG_0, 0),
8325 			BPF_EXIT_INSN(),
8326 		},
8327 		.errstr = "R1 offset is outside of the packet",
8328 		.result = REJECT,
8329 		.prog_type = BPF_PROG_TYPE_XDP,
8330 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8331 	},
8332 	{
8333 		"XDP pkt read, pkt_data < pkt_meta', bad access 2",
8334 		.insns = {
8335 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8336 				    offsetof(struct xdp_md, data_meta)),
8337 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8338 				    offsetof(struct xdp_md, data)),
8339 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8340 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8341 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
8342 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8343 			BPF_MOV64_IMM(BPF_REG_0, 0),
8344 			BPF_EXIT_INSN(),
8345 		},
8346 		.errstr = "R1 offset is outside of the packet",
8347 		.result = REJECT,
8348 		.prog_type = BPF_PROG_TYPE_XDP,
8349 	},
8350 	{
8351 		"XDP pkt read, pkt_meta' >= pkt_data, good access",
8352 		.insns = {
8353 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8354 				    offsetof(struct xdp_md, data_meta)),
8355 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8356 				    offsetof(struct xdp_md, data)),
8357 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8358 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8359 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8360 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8361 			BPF_MOV64_IMM(BPF_REG_0, 0),
8362 			BPF_EXIT_INSN(),
8363 		},
8364 		.result = ACCEPT,
8365 		.prog_type = BPF_PROG_TYPE_XDP,
8366 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8367 	},
8368 	{
8369 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
8370 		.insns = {
8371 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8372 				    offsetof(struct xdp_md, data_meta)),
8373 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8374 				    offsetof(struct xdp_md, data)),
8375 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8376 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8377 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8378 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8379 			BPF_MOV64_IMM(BPF_REG_0, 0),
8380 			BPF_EXIT_INSN(),
8381 		},
8382 		.errstr = "R1 offset is outside of the packet",
8383 		.result = REJECT,
8384 		.prog_type = BPF_PROG_TYPE_XDP,
8385 	},
8386 	{
8387 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
8388 		.insns = {
8389 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8390 				    offsetof(struct xdp_md, data_meta)),
8391 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8392 				    offsetof(struct xdp_md, data)),
8393 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8394 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8395 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
8396 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8397 			BPF_MOV64_IMM(BPF_REG_0, 0),
8398 			BPF_EXIT_INSN(),
8399 		},
8400 		.errstr = "R1 offset is outside of the packet",
8401 		.result = REJECT,
8402 		.prog_type = BPF_PROG_TYPE_XDP,
8403 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8404 	},
8405 	{
8406 		"XDP pkt read, pkt_data >= pkt_meta', good access",
8407 		.insns = {
8408 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8409 				    offsetof(struct xdp_md, data_meta)),
8410 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8411 				    offsetof(struct xdp_md, data)),
8412 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8413 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8414 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8415 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8416 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8417 			BPF_MOV64_IMM(BPF_REG_0, 0),
8418 			BPF_EXIT_INSN(),
8419 		},
8420 		.result = ACCEPT,
8421 		.prog_type = BPF_PROG_TYPE_XDP,
8422 	},
8423 	{
8424 		"XDP pkt read, pkt_data >= pkt_meta', bad access 1",
8425 		.insns = {
8426 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8427 				    offsetof(struct xdp_md, data_meta)),
8428 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8429 				    offsetof(struct xdp_md, data)),
8430 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8431 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8432 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8433 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8434 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8435 			BPF_MOV64_IMM(BPF_REG_0, 0),
8436 			BPF_EXIT_INSN(),
8437 		},
8438 		.errstr = "R1 offset is outside of the packet",
8439 		.result = REJECT,
8440 		.prog_type = BPF_PROG_TYPE_XDP,
8441 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8442 	},
8443 	{
8444 		"XDP pkt read, pkt_data >= pkt_meta', bad access 2",
8445 		.insns = {
8446 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8447 				    offsetof(struct xdp_md, data_meta)),
8448 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8449 				    offsetof(struct xdp_md, data)),
8450 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8451 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8452 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8453 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8454 			BPF_MOV64_IMM(BPF_REG_0, 0),
8455 			BPF_EXIT_INSN(),
8456 		},
8457 		.errstr = "R1 offset is outside of the packet",
8458 		.result = REJECT,
8459 		.prog_type = BPF_PROG_TYPE_XDP,
8460 	},
8461 	{
8462 		"XDP pkt read, pkt_meta' <= pkt_data, good access",
8463 		.insns = {
8464 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8465 				    offsetof(struct xdp_md, data_meta)),
8466 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8467 				    offsetof(struct xdp_md, data)),
8468 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8469 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8470 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8471 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8472 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8473 			BPF_MOV64_IMM(BPF_REG_0, 0),
8474 			BPF_EXIT_INSN(),
8475 		},
8476 		.result = ACCEPT,
8477 		.prog_type = BPF_PROG_TYPE_XDP,
8478 	},
8479 	{
8480 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
8481 		.insns = {
8482 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8483 				    offsetof(struct xdp_md, data_meta)),
8484 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8485 				    offsetof(struct xdp_md, data)),
8486 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8487 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8488 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8489 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8490 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8491 			BPF_MOV64_IMM(BPF_REG_0, 0),
8492 			BPF_EXIT_INSN(),
8493 		},
8494 		.errstr = "R1 offset is outside of the packet",
8495 		.result = REJECT,
8496 		.prog_type = BPF_PROG_TYPE_XDP,
8497 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8498 	},
8499 	{
8500 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
8501 		.insns = {
8502 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8503 				    offsetof(struct xdp_md, data_meta)),
8504 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8505 				    offsetof(struct xdp_md, data)),
8506 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8507 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8508 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8509 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8510 			BPF_MOV64_IMM(BPF_REG_0, 0),
8511 			BPF_EXIT_INSN(),
8512 		},
8513 		.errstr = "R1 offset is outside of the packet",
8514 		.result = REJECT,
8515 		.prog_type = BPF_PROG_TYPE_XDP,
8516 	},
8517 	{
8518 		"XDP pkt read, pkt_data <= pkt_meta', good access",
8519 		.insns = {
8520 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8521 				    offsetof(struct xdp_md, data_meta)),
8522 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8523 				    offsetof(struct xdp_md, data)),
8524 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8525 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8526 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8527 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8528 			BPF_MOV64_IMM(BPF_REG_0, 0),
8529 			BPF_EXIT_INSN(),
8530 		},
8531 		.result = ACCEPT,
8532 		.prog_type = BPF_PROG_TYPE_XDP,
8533 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8534 	},
8535 	{
8536 		"XDP pkt read, pkt_data <= pkt_meta', bad access 1",
8537 		.insns = {
8538 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8539 				    offsetof(struct xdp_md, data_meta)),
8540 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8541 				    offsetof(struct xdp_md, data)),
8542 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8543 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8544 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8545 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8546 			BPF_MOV64_IMM(BPF_REG_0, 0),
8547 			BPF_EXIT_INSN(),
8548 		},
8549 		.errstr = "R1 offset is outside of the packet",
8550 		.result = REJECT,
8551 		.prog_type = BPF_PROG_TYPE_XDP,
8552 	},
8553 	{
8554 		"XDP pkt read, pkt_data <= pkt_meta', bad access 2",
8555 		.insns = {
8556 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8557 				    offsetof(struct xdp_md, data_meta)),
8558 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8559 				    offsetof(struct xdp_md, data)),
8560 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8561 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8562 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
8563 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8564 			BPF_MOV64_IMM(BPF_REG_0, 0),
8565 			BPF_EXIT_INSN(),
8566 		},
8567 		.errstr = "R1 offset is outside of the packet",
8568 		.result = REJECT,
8569 		.prog_type = BPF_PROG_TYPE_XDP,
8570 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8571 	},
8572 	{
8573 		"bpf_exit with invalid return code. test1",
8574 		.insns = {
8575 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8576 			BPF_EXIT_INSN(),
8577 		},
8578 		.errstr = "R0 has value (0x0; 0xffffffff)",
8579 		.result = REJECT,
8580 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8581 	},
8582 	{
8583 		"bpf_exit with invalid return code. test2",
8584 		.insns = {
8585 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8586 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
8587 			BPF_EXIT_INSN(),
8588 		},
8589 		.result = ACCEPT,
8590 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8591 	},
8592 	{
8593 		"bpf_exit with invalid return code. test3",
8594 		.insns = {
8595 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8596 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
8597 			BPF_EXIT_INSN(),
8598 		},
8599 		.errstr = "R0 has value (0x0; 0x3)",
8600 		.result = REJECT,
8601 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8602 	},
8603 	{
8604 		"bpf_exit with invalid return code. test4",
8605 		.insns = {
8606 			BPF_MOV64_IMM(BPF_REG_0, 1),
8607 			BPF_EXIT_INSN(),
8608 		},
8609 		.result = ACCEPT,
8610 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8611 	},
8612 	{
8613 		"bpf_exit with invalid return code. test5",
8614 		.insns = {
8615 			BPF_MOV64_IMM(BPF_REG_0, 2),
8616 			BPF_EXIT_INSN(),
8617 		},
8618 		.errstr = "R0 has value (0x2; 0x0)",
8619 		.result = REJECT,
8620 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8621 	},
8622 	{
8623 		"bpf_exit with invalid return code. test6",
8624 		.insns = {
8625 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8626 			BPF_EXIT_INSN(),
8627 		},
8628 		.errstr = "R0 is not a known value (ctx)",
8629 		.result = REJECT,
8630 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8631 	},
8632 	{
8633 		"bpf_exit with invalid return code. test7",
8634 		.insns = {
8635 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8636 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
8637 			BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
8638 			BPF_EXIT_INSN(),
8639 		},
8640 		.errstr = "R0 has unknown scalar value",
8641 		.result = REJECT,
8642 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
8643 	},
8644 	{
8645 		"calls: basic sanity",
8646 		.insns = {
8647 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
8648 			BPF_MOV64_IMM(BPF_REG_0, 1),
8649 			BPF_EXIT_INSN(),
8650 			BPF_MOV64_IMM(BPF_REG_0, 2),
8651 			BPF_EXIT_INSN(),
8652 		},
8653 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8654 		.result = ACCEPT,
8655 	},
8656 	{
8657 		"calls: not on unpriviledged",
8658 		.insns = {
8659 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
8660 			BPF_MOV64_IMM(BPF_REG_0, 1),
8661 			BPF_EXIT_INSN(),
8662 			BPF_MOV64_IMM(BPF_REG_0, 2),
8663 			BPF_EXIT_INSN(),
8664 		},
8665 		.errstr_unpriv = "function calls to other bpf functions are allowed for root only",
8666 		.result_unpriv = REJECT,
8667 		.result = ACCEPT,
8668 	},
8669 	{
8670 		"calls: overlapping caller/callee",
8671 		.insns = {
8672 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
8673 			BPF_MOV64_IMM(BPF_REG_0, 1),
8674 			BPF_EXIT_INSN(),
8675 		},
8676 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8677 		.errstr = "last insn is not an exit or jmp",
8678 		.result = REJECT,
8679 	},
8680 	{
8681 		"calls: wrong recursive calls",
8682 		.insns = {
8683 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
8684 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
8685 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
8686 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
8687 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
8688 			BPF_MOV64_IMM(BPF_REG_0, 1),
8689 			BPF_EXIT_INSN(),
8690 		},
8691 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8692 		.errstr = "jump out of range",
8693 		.result = REJECT,
8694 	},
8695 	{
8696 		"calls: wrong src reg",
8697 		.insns = {
8698 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
8699 			BPF_MOV64_IMM(BPF_REG_0, 1),
8700 			BPF_EXIT_INSN(),
8701 		},
8702 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8703 		.errstr = "BPF_CALL uses reserved fields",
8704 		.result = REJECT,
8705 	},
8706 	{
8707 		"calls: wrong off value",
8708 		.insns = {
8709 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
8710 			BPF_MOV64_IMM(BPF_REG_0, 1),
8711 			BPF_EXIT_INSN(),
8712 			BPF_MOV64_IMM(BPF_REG_0, 2),
8713 			BPF_EXIT_INSN(),
8714 		},
8715 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8716 		.errstr = "BPF_CALL uses reserved fields",
8717 		.result = REJECT,
8718 	},
8719 	{
8720 		"calls: jump back loop",
8721 		.insns = {
8722 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
8723 			BPF_MOV64_IMM(BPF_REG_0, 1),
8724 			BPF_EXIT_INSN(),
8725 		},
8726 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8727 		.errstr = "back-edge from insn 0 to 0",
8728 		.result = REJECT,
8729 	},
8730 	{
8731 		"calls: conditional call",
8732 		.insns = {
8733 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8734 				    offsetof(struct __sk_buff, mark)),
8735 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
8736 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
8737 			BPF_MOV64_IMM(BPF_REG_0, 1),
8738 			BPF_EXIT_INSN(),
8739 			BPF_MOV64_IMM(BPF_REG_0, 2),
8740 			BPF_EXIT_INSN(),
8741 		},
8742 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8743 		.errstr = "jump out of range",
8744 		.result = REJECT,
8745 	},
8746 	{
8747 		"calls: conditional call 2",
8748 		.insns = {
8749 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8750 				    offsetof(struct __sk_buff, mark)),
8751 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
8752 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
8753 			BPF_MOV64_IMM(BPF_REG_0, 1),
8754 			BPF_EXIT_INSN(),
8755 			BPF_MOV64_IMM(BPF_REG_0, 2),
8756 			BPF_EXIT_INSN(),
8757 			BPF_MOV64_IMM(BPF_REG_0, 3),
8758 			BPF_EXIT_INSN(),
8759 		},
8760 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8761 		.result = ACCEPT,
8762 	},
8763 	{
8764 		"calls: conditional call 3",
8765 		.insns = {
8766 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8767 				    offsetof(struct __sk_buff, mark)),
8768 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
8769 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
8770 			BPF_MOV64_IMM(BPF_REG_0, 1),
8771 			BPF_EXIT_INSN(),
8772 			BPF_MOV64_IMM(BPF_REG_0, 1),
8773 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
8774 			BPF_MOV64_IMM(BPF_REG_0, 3),
8775 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
8776 		},
8777 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8778 		.errstr = "back-edge from insn",
8779 		.result = REJECT,
8780 	},
8781 	{
8782 		"calls: conditional call 4",
8783 		.insns = {
8784 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8785 				    offsetof(struct __sk_buff, mark)),
8786 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
8787 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
8788 			BPF_MOV64_IMM(BPF_REG_0, 1),
8789 			BPF_EXIT_INSN(),
8790 			BPF_MOV64_IMM(BPF_REG_0, 1),
8791 			BPF_JMP_IMM(BPF_JA, 0, 0, -5),
8792 			BPF_MOV64_IMM(BPF_REG_0, 3),
8793 			BPF_EXIT_INSN(),
8794 		},
8795 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8796 		.result = ACCEPT,
8797 	},
8798 	{
8799 		"calls: conditional call 5",
8800 		.insns = {
8801 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8802 				    offsetof(struct __sk_buff, mark)),
8803 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
8804 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
8805 			BPF_MOV64_IMM(BPF_REG_0, 1),
8806 			BPF_EXIT_INSN(),
8807 			BPF_MOV64_IMM(BPF_REG_0, 1),
8808 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
8809 			BPF_MOV64_IMM(BPF_REG_0, 3),
8810 			BPF_EXIT_INSN(),
8811 		},
8812 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8813 		.errstr = "back-edge from insn",
8814 		.result = REJECT,
8815 	},
8816 	{
8817 		"calls: conditional call 6",
8818 		.insns = {
8819 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
8820 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
8821 			BPF_EXIT_INSN(),
8822 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8823 				    offsetof(struct __sk_buff, mark)),
8824 			BPF_EXIT_INSN(),
8825 		},
8826 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8827 		.errstr = "back-edge from insn",
8828 		.result = REJECT,
8829 	},
8830 	{
8831 		"calls: using r0 returned by callee",
8832 		.insns = {
8833 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
8834 			BPF_EXIT_INSN(),
8835 			BPF_MOV64_IMM(BPF_REG_0, 2),
8836 			BPF_EXIT_INSN(),
8837 		},
8838 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8839 		.result = ACCEPT,
8840 	},
8841 	{
8842 		"calls: using uninit r0 from callee",
8843 		.insns = {
8844 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
8845 			BPF_EXIT_INSN(),
8846 			BPF_EXIT_INSN(),
8847 		},
8848 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8849 		.errstr = "!read_ok",
8850 		.result = REJECT,
8851 	},
8852 	{
8853 		"calls: callee is using r1",
8854 		.insns = {
8855 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
8856 			BPF_EXIT_INSN(),
8857 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8858 				    offsetof(struct __sk_buff, len)),
8859 			BPF_EXIT_INSN(),
8860 		},
8861 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
8862 		.result = ACCEPT,
8863 	},
8864 	{
8865 		"calls: callee using args1",
8866 		.insns = {
8867 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
8868 			BPF_EXIT_INSN(),
8869 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8870 			BPF_EXIT_INSN(),
8871 		},
8872 		.errstr_unpriv = "allowed for root only",
8873 		.result_unpriv = REJECT,
8874 		.result = ACCEPT,
8875 	},
8876 	{
8877 		"calls: callee using wrong args2",
8878 		.insns = {
8879 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
8880 			BPF_EXIT_INSN(),
8881 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8882 			BPF_EXIT_INSN(),
8883 		},
8884 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
8885 		.errstr = "R2 !read_ok",
8886 		.result = REJECT,
8887 	},
8888 	{
8889 		"calls: callee using two args",
8890 		.insns = {
8891 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8892 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
8893 				    offsetof(struct __sk_buff, len)),
8894 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
8895 				    offsetof(struct __sk_buff, len)),
8896 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
8897 			BPF_EXIT_INSN(),
8898 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
8899 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
8900 			BPF_EXIT_INSN(),
8901 		},
8902 		.errstr_unpriv = "allowed for root only",
8903 		.result_unpriv = REJECT,
8904 		.result = ACCEPT,
8905 	},
8906 	{
8907 		"calls: callee changing pkt pointers",
8908 		.insns = {
8909 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
8910 				    offsetof(struct xdp_md, data)),
8911 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
8912 				    offsetof(struct xdp_md, data_end)),
8913 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
8914 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
8915 			BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
8916 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
8917 			/* clear_all_pkt_pointers() has to walk all frames
8918 			 * to make sure that pkt pointers in the caller
8919 			 * are cleared when callee is calling a helper that
8920 			 * adjusts packet size
8921 			 */
8922 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
8923 			BPF_MOV32_IMM(BPF_REG_0, 0),
8924 			BPF_EXIT_INSN(),
8925 			BPF_MOV64_IMM(BPF_REG_2, 0),
8926 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8927 				     BPF_FUNC_xdp_adjust_head),
8928 			BPF_EXIT_INSN(),
8929 		},
8930 		.result = REJECT,
8931 		.errstr = "R6 invalid mem access 'inv'",
8932 		.prog_type = BPF_PROG_TYPE_XDP,
8933 	},
8934 	{
8935 		"calls: two calls with args",
8936 		.insns = {
8937 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
8938 			BPF_EXIT_INSN(),
8939 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
8940 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
8941 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
8942 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
8943 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
8944 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
8945 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
8946 			BPF_EXIT_INSN(),
8947 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8948 				    offsetof(struct __sk_buff, len)),
8949 			BPF_EXIT_INSN(),
8950 		},
8951 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8952 		.result = ACCEPT,
8953 	},
8954 	{
8955 		"calls: calls with stack arith",
8956 		.insns = {
8957 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8958 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
8959 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
8960 			BPF_EXIT_INSN(),
8961 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
8962 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
8963 			BPF_EXIT_INSN(),
8964 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
8965 			BPF_MOV64_IMM(BPF_REG_0, 42),
8966 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8967 			BPF_EXIT_INSN(),
8968 		},
8969 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8970 		.result = ACCEPT,
8971 	},
8972 	{
8973 		"calls: calls with misaligned stack access",
8974 		.insns = {
8975 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8976 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
8977 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
8978 			BPF_EXIT_INSN(),
8979 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
8980 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
8981 			BPF_EXIT_INSN(),
8982 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
8983 			BPF_MOV64_IMM(BPF_REG_0, 42),
8984 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
8985 			BPF_EXIT_INSN(),
8986 		},
8987 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8988 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
8989 		.errstr = "misaligned stack access",
8990 		.result = REJECT,
8991 	},
8992 	{
8993 		"calls: calls control flow, jump test",
8994 		.insns = {
8995 			BPF_MOV64_IMM(BPF_REG_0, 42),
8996 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
8997 			BPF_MOV64_IMM(BPF_REG_0, 43),
8998 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8999 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
9000 			BPF_EXIT_INSN(),
9001 		},
9002 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9003 		.result = ACCEPT,
9004 	},
9005 	{
9006 		"calls: calls control flow, jump test 2",
9007 		.insns = {
9008 			BPF_MOV64_IMM(BPF_REG_0, 42),
9009 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
9010 			BPF_MOV64_IMM(BPF_REG_0, 43),
9011 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9012 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
9013 			BPF_EXIT_INSN(),
9014 		},
9015 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9016 		.errstr = "jump out of range from insn 1 to 4",
9017 		.result = REJECT,
9018 	},
9019 	{
9020 		"calls: two calls with bad jump",
9021 		.insns = {
9022 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9023 			BPF_EXIT_INSN(),
9024 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9025 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
9026 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
9027 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9028 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9029 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
9030 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
9031 			BPF_EXIT_INSN(),
9032 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9033 				    offsetof(struct __sk_buff, len)),
9034 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
9035 			BPF_EXIT_INSN(),
9036 		},
9037 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9038 		.errstr = "jump out of range from insn 11 to 9",
9039 		.result = REJECT,
9040 	},
9041 	{
9042 		"calls: recursive call. test1",
9043 		.insns = {
9044 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9045 			BPF_EXIT_INSN(),
9046 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
9047 			BPF_EXIT_INSN(),
9048 		},
9049 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9050 		.errstr = "back-edge",
9051 		.result = REJECT,
9052 	},
9053 	{
9054 		"calls: recursive call. test2",
9055 		.insns = {
9056 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9057 			BPF_EXIT_INSN(),
9058 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
9059 			BPF_EXIT_INSN(),
9060 		},
9061 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9062 		.errstr = "back-edge",
9063 		.result = REJECT,
9064 	},
9065 	{
9066 		"calls: unreachable code",
9067 		.insns = {
9068 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9069 			BPF_EXIT_INSN(),
9070 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9071 			BPF_EXIT_INSN(),
9072 			BPF_MOV64_IMM(BPF_REG_0, 0),
9073 			BPF_EXIT_INSN(),
9074 			BPF_MOV64_IMM(BPF_REG_0, 0),
9075 			BPF_EXIT_INSN(),
9076 		},
9077 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9078 		.errstr = "unreachable insn 6",
9079 		.result = REJECT,
9080 	},
9081 	{
9082 		"calls: invalid call",
9083 		.insns = {
9084 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9085 			BPF_EXIT_INSN(),
9086 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
9087 			BPF_EXIT_INSN(),
9088 		},
9089 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9090 		.errstr = "invalid destination",
9091 		.result = REJECT,
9092 	},
9093 	{
9094 		"calls: invalid call 2",
9095 		.insns = {
9096 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9097 			BPF_EXIT_INSN(),
9098 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
9099 			BPF_EXIT_INSN(),
9100 		},
9101 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9102 		.errstr = "invalid destination",
9103 		.result = REJECT,
9104 	},
9105 	{
9106 		"calls: jumping across function bodies. test1",
9107 		.insns = {
9108 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9109 			BPF_MOV64_IMM(BPF_REG_0, 0),
9110 			BPF_EXIT_INSN(),
9111 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
9112 			BPF_EXIT_INSN(),
9113 		},
9114 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9115 		.errstr = "jump out of range",
9116 		.result = REJECT,
9117 	},
9118 	{
9119 		"calls: jumping across function bodies. test2",
9120 		.insns = {
9121 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
9122 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9123 			BPF_MOV64_IMM(BPF_REG_0, 0),
9124 			BPF_EXIT_INSN(),
9125 			BPF_EXIT_INSN(),
9126 		},
9127 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9128 		.errstr = "jump out of range",
9129 		.result = REJECT,
9130 	},
9131 	{
9132 		"calls: call without exit",
9133 		.insns = {
9134 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9135 			BPF_EXIT_INSN(),
9136 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9137 			BPF_EXIT_INSN(),
9138 			BPF_MOV64_IMM(BPF_REG_0, 0),
9139 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
9140 		},
9141 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9142 		.errstr = "not an exit",
9143 		.result = REJECT,
9144 	},
9145 	{
9146 		"calls: call into middle of ld_imm64",
9147 		.insns = {
9148 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9149 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9150 			BPF_MOV64_IMM(BPF_REG_0, 0),
9151 			BPF_EXIT_INSN(),
9152 			BPF_LD_IMM64(BPF_REG_0, 0),
9153 			BPF_EXIT_INSN(),
9154 		},
9155 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9156 		.errstr = "last insn",
9157 		.result = REJECT,
9158 	},
9159 	{
9160 		"calls: call into middle of other call",
9161 		.insns = {
9162 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9163 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9164 			BPF_MOV64_IMM(BPF_REG_0, 0),
9165 			BPF_EXIT_INSN(),
9166 			BPF_MOV64_IMM(BPF_REG_0, 0),
9167 			BPF_MOV64_IMM(BPF_REG_0, 0),
9168 			BPF_EXIT_INSN(),
9169 		},
9170 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9171 		.errstr = "last insn",
9172 		.result = REJECT,
9173 	},
9174 	{
9175 		"calls: ld_abs with changing ctx data in callee",
9176 		.insns = {
9177 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9178 			BPF_LD_ABS(BPF_B, 0),
9179 			BPF_LD_ABS(BPF_H, 0),
9180 			BPF_LD_ABS(BPF_W, 0),
9181 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
9182 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
9183 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
9184 			BPF_LD_ABS(BPF_B, 0),
9185 			BPF_LD_ABS(BPF_H, 0),
9186 			BPF_LD_ABS(BPF_W, 0),
9187 			BPF_EXIT_INSN(),
9188 			BPF_MOV64_IMM(BPF_REG_2, 1),
9189 			BPF_MOV64_IMM(BPF_REG_3, 2),
9190 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9191 				     BPF_FUNC_skb_vlan_push),
9192 			BPF_EXIT_INSN(),
9193 		},
9194 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9195 		.errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
9196 		.result = REJECT,
9197 	},
9198 	{
9199 		"calls: two calls with bad fallthrough",
9200 		.insns = {
9201 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9202 			BPF_EXIT_INSN(),
9203 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9204 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
9205 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
9206 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9207 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9208 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
9209 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
9210 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
9211 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9212 				    offsetof(struct __sk_buff, len)),
9213 			BPF_EXIT_INSN(),
9214 		},
9215 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9216 		.errstr = "not an exit",
9217 		.result = REJECT,
9218 	},
9219 	{
9220 		"calls: two calls with stack read",
9221 		.insns = {
9222 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9223 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9224 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9225 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9226 			BPF_EXIT_INSN(),
9227 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9228 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
9229 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
9230 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9231 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9232 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
9233 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
9234 			BPF_EXIT_INSN(),
9235 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9236 			BPF_EXIT_INSN(),
9237 		},
9238 		.prog_type = BPF_PROG_TYPE_XDP,
9239 		.result = ACCEPT,
9240 	},
9241 	{
9242 		"calls: two calls with stack write",
9243 		.insns = {
9244 			/* main prog */
9245 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9246 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9247 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9248 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9249 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
9250 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9251 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
9252 			BPF_EXIT_INSN(),
9253 
9254 			/* subprog 1 */
9255 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9256 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
9257 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
9258 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
9259 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9260 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9261 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
9262 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
9263 			/* write into stack frame of main prog */
9264 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
9265 			BPF_EXIT_INSN(),
9266 
9267 			/* subprog 2 */
9268 			/* read from stack frame of main prog */
9269 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9270 			BPF_EXIT_INSN(),
9271 		},
9272 		.prog_type = BPF_PROG_TYPE_XDP,
9273 		.result = ACCEPT,
9274 	},
9275 	{
9276 		"calls: stack overflow using two frames (pre-call access)",
9277 		.insns = {
9278 			/* prog 1 */
9279 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
9280 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
9281 			BPF_EXIT_INSN(),
9282 
9283 			/* prog 2 */
9284 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
9285 			BPF_MOV64_IMM(BPF_REG_0, 0),
9286 			BPF_EXIT_INSN(),
9287 		},
9288 		.prog_type = BPF_PROG_TYPE_XDP,
9289 		.errstr = "combined stack size",
9290 		.result = REJECT,
9291 	},
9292 	{
9293 		"calls: stack overflow using two frames (post-call access)",
9294 		.insns = {
9295 			/* prog 1 */
9296 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
9297 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
9298 			BPF_EXIT_INSN(),
9299 
9300 			/* prog 2 */
9301 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
9302 			BPF_MOV64_IMM(BPF_REG_0, 0),
9303 			BPF_EXIT_INSN(),
9304 		},
9305 		.prog_type = BPF_PROG_TYPE_XDP,
9306 		.errstr = "combined stack size",
9307 		.result = REJECT,
9308 	},
9309 	{
9310 		"calls: stack depth check using three frames. test1",
9311 		.insns = {
9312 			/* main */
9313 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
9314 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
9315 			BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
9316 			BPF_MOV64_IMM(BPF_REG_0, 0),
9317 			BPF_EXIT_INSN(),
9318 			/* A */
9319 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
9320 			BPF_EXIT_INSN(),
9321 			/* B */
9322 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
9323 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
9324 			BPF_EXIT_INSN(),
9325 		},
9326 		.prog_type = BPF_PROG_TYPE_XDP,
9327 		/* stack_main=32, stack_A=256, stack_B=64
9328 		 * and max(main+A, main+A+B) < 512
9329 		 */
9330 		.result = ACCEPT,
9331 	},
9332 	{
9333 		"calls: stack depth check using three frames. test2",
9334 		.insns = {
9335 			/* main */
9336 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
9337 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
9338 			BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
9339 			BPF_MOV64_IMM(BPF_REG_0, 0),
9340 			BPF_EXIT_INSN(),
9341 			/* A */
9342 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
9343 			BPF_EXIT_INSN(),
9344 			/* B */
9345 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
9346 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
9347 			BPF_EXIT_INSN(),
9348 		},
9349 		.prog_type = BPF_PROG_TYPE_XDP,
9350 		/* stack_main=32, stack_A=64, stack_B=256
9351 		 * and max(main+A, main+A+B) < 512
9352 		 */
9353 		.result = ACCEPT,
9354 	},
9355 	{
9356 		"calls: stack depth check using three frames. test3",
9357 		.insns = {
9358 			/* main */
9359 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9360 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
9361 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9362 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
9363 			BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
9364 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
9365 			BPF_MOV64_IMM(BPF_REG_0, 0),
9366 			BPF_EXIT_INSN(),
9367 			/* A */
9368 			BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
9369 			BPF_EXIT_INSN(),
9370 			BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
9371 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
9372 			/* B */
9373 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
9374 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
9375 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
9376 			BPF_EXIT_INSN(),
9377 		},
9378 		.prog_type = BPF_PROG_TYPE_XDP,
9379 		/* stack_main=64, stack_A=224, stack_B=256
9380 		 * and max(main+A, main+A+B) > 512
9381 		 */
9382 		.errstr = "combined stack",
9383 		.result = REJECT,
9384 	},
9385 	{
9386 		"calls: stack depth check using three frames. test4",
9387 		/* void main(void) {
9388 		 *   func1(0);
9389 		 *   func1(1);
9390 		 *   func2(1);
9391 		 * }
9392 		 * void func1(int alloc_or_recurse) {
9393 		 *   if (alloc_or_recurse) {
9394 		 *     frame_pointer[-300] = 1;
9395 		 *   } else {
9396 		 *     func2(alloc_or_recurse);
9397 		 *   }
9398 		 * }
9399 		 * void func2(int alloc_or_recurse) {
9400 		 *   if (alloc_or_recurse) {
9401 		 *     frame_pointer[-300] = 1;
9402 		 *   }
9403 		 * }
9404 		 */
9405 		.insns = {
9406 			/* main */
9407 			BPF_MOV64_IMM(BPF_REG_1, 0),
9408 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
9409 			BPF_MOV64_IMM(BPF_REG_1, 1),
9410 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
9411 			BPF_MOV64_IMM(BPF_REG_1, 1),
9412 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
9413 			BPF_MOV64_IMM(BPF_REG_0, 0),
9414 			BPF_EXIT_INSN(),
9415 			/* A */
9416 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
9417 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
9418 			BPF_EXIT_INSN(),
9419 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
9420 			BPF_EXIT_INSN(),
9421 			/* B */
9422 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
9423 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
9424 			BPF_EXIT_INSN(),
9425 		},
9426 		.prog_type = BPF_PROG_TYPE_XDP,
9427 		.result = REJECT,
9428 		.errstr = "combined stack",
9429 	},
9430 	{
9431 		"calls: stack depth check using three frames. test5",
9432 		.insns = {
9433 			/* main */
9434 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
9435 			BPF_EXIT_INSN(),
9436 			/* A */
9437 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
9438 			BPF_EXIT_INSN(),
9439 			/* B */
9440 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
9441 			BPF_EXIT_INSN(),
9442 			/* C */
9443 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
9444 			BPF_EXIT_INSN(),
9445 			/* D */
9446 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
9447 			BPF_EXIT_INSN(),
9448 			/* E */
9449 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
9450 			BPF_EXIT_INSN(),
9451 			/* F */
9452 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
9453 			BPF_EXIT_INSN(),
9454 			/* G */
9455 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
9456 			BPF_EXIT_INSN(),
9457 			/* H */
9458 			BPF_MOV64_IMM(BPF_REG_0, 0),
9459 			BPF_EXIT_INSN(),
9460 		},
9461 		.prog_type = BPF_PROG_TYPE_XDP,
9462 		.errstr = "call stack",
9463 		.result = REJECT,
9464 	},
9465 	{
9466 		"calls: spill into caller stack frame",
9467 		.insns = {
9468 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9469 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9470 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9471 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9472 			BPF_EXIT_INSN(),
9473 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
9474 			BPF_MOV64_IMM(BPF_REG_0, 0),
9475 			BPF_EXIT_INSN(),
9476 		},
9477 		.prog_type = BPF_PROG_TYPE_XDP,
9478 		.errstr = "cannot spill",
9479 		.result = REJECT,
9480 	},
9481 	{
9482 		"calls: write into caller stack frame",
9483 		.insns = {
9484 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9485 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9486 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9487 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9488 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
9489 			BPF_EXIT_INSN(),
9490 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
9491 			BPF_MOV64_IMM(BPF_REG_0, 0),
9492 			BPF_EXIT_INSN(),
9493 		},
9494 		.prog_type = BPF_PROG_TYPE_XDP,
9495 		.result = ACCEPT,
9496 	},
9497 	{
9498 		"calls: write into callee stack frame",
9499 		.insns = {
9500 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9501 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
9502 			BPF_EXIT_INSN(),
9503 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
9504 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
9505 			BPF_EXIT_INSN(),
9506 		},
9507 		.prog_type = BPF_PROG_TYPE_XDP,
9508 		.errstr = "cannot return stack pointer",
9509 		.result = REJECT,
9510 	},
9511 	{
9512 		"calls: two calls with stack write and void return",
9513 		.insns = {
9514 			/* main prog */
9515 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9516 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9517 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9518 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9519 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
9520 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9521 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
9522 			BPF_EXIT_INSN(),
9523 
9524 			/* subprog 1 */
9525 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9526 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
9527 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9528 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
9529 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9530 			BPF_EXIT_INSN(),
9531 
9532 			/* subprog 2 */
9533 			/* write into stack frame of main prog */
9534 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
9535 			BPF_EXIT_INSN(), /* void return */
9536 		},
9537 		.prog_type = BPF_PROG_TYPE_XDP,
9538 		.result = ACCEPT,
9539 	},
9540 	{
9541 		"calls: ambiguous return value",
9542 		.insns = {
9543 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9544 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
9545 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
9546 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9547 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9548 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
9549 			BPF_EXIT_INSN(),
9550 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
9551 			BPF_MOV64_IMM(BPF_REG_0, 0),
9552 			BPF_EXIT_INSN(),
9553 		},
9554 		.errstr_unpriv = "allowed for root only",
9555 		.result_unpriv = REJECT,
9556 		.errstr = "R0 !read_ok",
9557 		.result = REJECT,
9558 	},
9559 	{
9560 		"calls: two calls that return map_value",
9561 		.insns = {
9562 			/* main prog */
9563 			/* pass fp-16, fp-8 into a function */
9564 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9565 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9566 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9567 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
9568 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9569 
9570 			/* fetch map_value_ptr from the stack of this function */
9571 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
9572 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
9573 			/* write into map value */
9574 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
9575 			/* fetch secound map_value_ptr from the stack */
9576 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
9577 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
9578 			/* write into map value */
9579 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
9580 			BPF_MOV64_IMM(BPF_REG_0, 0),
9581 			BPF_EXIT_INSN(),
9582 
9583 			/* subprog 1 */
9584 			/* call 3rd function twice */
9585 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9586 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
9587 			/* first time with fp-8 */
9588 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
9589 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
9590 			/* second time with fp-16 */
9591 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9592 			BPF_EXIT_INSN(),
9593 
9594 			/* subprog 2 */
9595 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9596 			/* lookup from map */
9597 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9598 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9599 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9600 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9601 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9602 				     BPF_FUNC_map_lookup_elem),
9603 			/* write map_value_ptr into stack frame of main prog */
9604 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
9605 			BPF_MOV64_IMM(BPF_REG_0, 0),
9606 			BPF_EXIT_INSN(), /* return 0 */
9607 		},
9608 		.prog_type = BPF_PROG_TYPE_XDP,
9609 		.fixup_map1 = { 23 },
9610 		.result = ACCEPT,
9611 	},
9612 	{
9613 		"calls: two calls that return map_value with bool condition",
9614 		.insns = {
9615 			/* main prog */
9616 			/* pass fp-16, fp-8 into a function */
9617 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9618 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9619 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9620 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
9621 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9622 			BPF_MOV64_IMM(BPF_REG_0, 0),
9623 			BPF_EXIT_INSN(),
9624 
9625 			/* subprog 1 */
9626 			/* call 3rd function twice */
9627 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9628 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
9629 			/* first time with fp-8 */
9630 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
9631 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
9632 			/* fetch map_value_ptr from the stack of this function */
9633 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
9634 			/* write into map value */
9635 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
9636 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
9637 			/* second time with fp-16 */
9638 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9639 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
9640 			/* fetch secound map_value_ptr from the stack */
9641 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
9642 			/* write into map value */
9643 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
9644 			BPF_EXIT_INSN(),
9645 
9646 			/* subprog 2 */
9647 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9648 			/* lookup from map */
9649 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9650 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9651 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9652 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9653 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9654 				     BPF_FUNC_map_lookup_elem),
9655 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
9656 			BPF_MOV64_IMM(BPF_REG_0, 0),
9657 			BPF_EXIT_INSN(), /* return 0 */
9658 			/* write map_value_ptr into stack frame of main prog */
9659 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
9660 			BPF_MOV64_IMM(BPF_REG_0, 1),
9661 			BPF_EXIT_INSN(), /* return 1 */
9662 		},
9663 		.prog_type = BPF_PROG_TYPE_XDP,
9664 		.fixup_map1 = { 23 },
9665 		.result = ACCEPT,
9666 	},
9667 	{
9668 		"calls: two calls that return map_value with incorrect bool check",
9669 		.insns = {
9670 			/* main prog */
9671 			/* pass fp-16, fp-8 into a function */
9672 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9673 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9674 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9675 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
9676 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9677 			BPF_MOV64_IMM(BPF_REG_0, 0),
9678 			BPF_EXIT_INSN(),
9679 
9680 			/* subprog 1 */
9681 			/* call 3rd function twice */
9682 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9683 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
9684 			/* first time with fp-8 */
9685 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
9686 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
9687 			/* fetch map_value_ptr from the stack of this function */
9688 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
9689 			/* write into map value */
9690 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
9691 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
9692 			/* second time with fp-16 */
9693 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9694 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
9695 			/* fetch secound map_value_ptr from the stack */
9696 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
9697 			/* write into map value */
9698 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
9699 			BPF_EXIT_INSN(),
9700 
9701 			/* subprog 2 */
9702 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9703 			/* lookup from map */
9704 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9705 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9706 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9707 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9708 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9709 				     BPF_FUNC_map_lookup_elem),
9710 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
9711 			BPF_MOV64_IMM(BPF_REG_0, 0),
9712 			BPF_EXIT_INSN(), /* return 0 */
9713 			/* write map_value_ptr into stack frame of main prog */
9714 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
9715 			BPF_MOV64_IMM(BPF_REG_0, 1),
9716 			BPF_EXIT_INSN(), /* return 1 */
9717 		},
9718 		.prog_type = BPF_PROG_TYPE_XDP,
9719 		.fixup_map1 = { 23 },
9720 		.result = REJECT,
9721 		.errstr = "invalid read from stack off -16+0 size 8",
9722 	},
9723 	{
9724 		"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
9725 		.insns = {
9726 			/* main prog */
9727 			/* pass fp-16, fp-8 into a function */
9728 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9729 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9730 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9731 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
9732 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9733 			BPF_MOV64_IMM(BPF_REG_0, 0),
9734 			BPF_EXIT_INSN(),
9735 
9736 			/* subprog 1 */
9737 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9738 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
9739 			/* 1st lookup from map */
9740 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9741 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9742 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9743 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9744 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9745 				     BPF_FUNC_map_lookup_elem),
9746 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
9747 			BPF_MOV64_IMM(BPF_REG_8, 0),
9748 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
9749 			/* write map_value_ptr into stack frame of main prog at fp-8 */
9750 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
9751 			BPF_MOV64_IMM(BPF_REG_8, 1),
9752 
9753 			/* 2nd lookup from map */
9754 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
9755 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9756 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9757 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
9758 				     BPF_FUNC_map_lookup_elem),
9759 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
9760 			BPF_MOV64_IMM(BPF_REG_9, 0),
9761 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
9762 			/* write map_value_ptr into stack frame of main prog at fp-16 */
9763 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
9764 			BPF_MOV64_IMM(BPF_REG_9, 1),
9765 
9766 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
9767 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
9768 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
9769 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
9770 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
9771 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
9772 			BPF_EXIT_INSN(),
9773 
9774 			/* subprog 2 */
9775 			/* if arg2 == 1 do *arg1 = 0 */
9776 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
9777 			/* fetch map_value_ptr from the stack of this function */
9778 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
9779 			/* write into map value */
9780 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
9781 
9782 			/* if arg4 == 1 do *arg3 = 0 */
9783 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
9784 			/* fetch map_value_ptr from the stack of this function */
9785 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
9786 			/* write into map value */
9787 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
9788 			BPF_EXIT_INSN(),
9789 		},
9790 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9791 		.fixup_map1 = { 12, 22 },
9792 		.result = REJECT,
9793 		.errstr = "invalid access to map value, value_size=8 off=2 size=8",
9794 	},
9795 	{
9796 		"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
9797 		.insns = {
9798 			/* main prog */
9799 			/* pass fp-16, fp-8 into a function */
9800 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9801 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9802 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9803 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
9804 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9805 			BPF_MOV64_IMM(BPF_REG_0, 0),
9806 			BPF_EXIT_INSN(),
9807 
9808 			/* subprog 1 */
9809 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9810 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
9811 			/* 1st lookup from map */
9812 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9813 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9814 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9815 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9816 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9817 				     BPF_FUNC_map_lookup_elem),
9818 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
9819 			BPF_MOV64_IMM(BPF_REG_8, 0),
9820 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
9821 			/* write map_value_ptr into stack frame of main prog at fp-8 */
9822 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
9823 			BPF_MOV64_IMM(BPF_REG_8, 1),
9824 
9825 			/* 2nd lookup from map */
9826 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
9827 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9828 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9829 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
9830 				     BPF_FUNC_map_lookup_elem),
9831 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
9832 			BPF_MOV64_IMM(BPF_REG_9, 0),
9833 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
9834 			/* write map_value_ptr into stack frame of main prog at fp-16 */
9835 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
9836 			BPF_MOV64_IMM(BPF_REG_9, 1),
9837 
9838 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
9839 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
9840 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
9841 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
9842 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
9843 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
9844 			BPF_EXIT_INSN(),
9845 
9846 			/* subprog 2 */
9847 			/* if arg2 == 1 do *arg1 = 0 */
9848 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
9849 			/* fetch map_value_ptr from the stack of this function */
9850 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
9851 			/* write into map value */
9852 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
9853 
9854 			/* if arg4 == 1 do *arg3 = 0 */
9855 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
9856 			/* fetch map_value_ptr from the stack of this function */
9857 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
9858 			/* write into map value */
9859 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
9860 			BPF_EXIT_INSN(),
9861 		},
9862 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9863 		.fixup_map1 = { 12, 22 },
9864 		.result = ACCEPT,
9865 	},
9866 	{
9867 		"calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
9868 		.insns = {
9869 			/* main prog */
9870 			/* pass fp-16, fp-8 into a function */
9871 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9872 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9873 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9874 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
9875 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
9876 			BPF_MOV64_IMM(BPF_REG_0, 0),
9877 			BPF_EXIT_INSN(),
9878 
9879 			/* subprog 1 */
9880 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9881 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
9882 			/* 1st lookup from map */
9883 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
9884 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9885 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
9886 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9887 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9888 				     BPF_FUNC_map_lookup_elem),
9889 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
9890 			BPF_MOV64_IMM(BPF_REG_8, 0),
9891 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
9892 			/* write map_value_ptr into stack frame of main prog at fp-8 */
9893 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
9894 			BPF_MOV64_IMM(BPF_REG_8, 1),
9895 
9896 			/* 2nd lookup from map */
9897 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9898 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
9899 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9900 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9901 				     BPF_FUNC_map_lookup_elem),
9902 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
9903 			BPF_MOV64_IMM(BPF_REG_9, 0),  // 26
9904 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
9905 			/* write map_value_ptr into stack frame of main prog at fp-16 */
9906 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
9907 			BPF_MOV64_IMM(BPF_REG_9, 1),
9908 
9909 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
9910 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
9911 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
9912 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
9913 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
9914 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
9915 			BPF_JMP_IMM(BPF_JA, 0, 0, -30),
9916 
9917 			/* subprog 2 */
9918 			/* if arg2 == 1 do *arg1 = 0 */
9919 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
9920 			/* fetch map_value_ptr from the stack of this function */
9921 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
9922 			/* write into map value */
9923 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
9924 
9925 			/* if arg4 == 1 do *arg3 = 0 */
9926 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
9927 			/* fetch map_value_ptr from the stack of this function */
9928 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
9929 			/* write into map value */
9930 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
9931 			BPF_JMP_IMM(BPF_JA, 0, 0, -8),
9932 		},
9933 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9934 		.fixup_map1 = { 12, 22 },
9935 		.result = REJECT,
9936 		.errstr = "invalid access to map value, value_size=8 off=2 size=8",
9937 	},
9938 	{
9939 		"calls: two calls that receive map_value_ptr_or_null via arg. test1",
9940 		.insns = {
9941 			/* main prog */
9942 			/* pass fp-16, fp-8 into a function */
9943 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
9944 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
9945 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9946 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
9947 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9948 			BPF_MOV64_IMM(BPF_REG_0, 0),
9949 			BPF_EXIT_INSN(),
9950 
9951 			/* subprog 1 */
9952 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9953 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
9954 			/* 1st lookup from map */
9955 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9956 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9957 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9958 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9959 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9960 				     BPF_FUNC_map_lookup_elem),
9961 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
9962 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
9963 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
9964 			BPF_MOV64_IMM(BPF_REG_8, 0),
9965 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9966 			BPF_MOV64_IMM(BPF_REG_8, 1),
9967 
9968 			/* 2nd lookup from map */
9969 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9970 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9971 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9972 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9973 				     BPF_FUNC_map_lookup_elem),
9974 			/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
9975 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
9976 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
9977 			BPF_MOV64_IMM(BPF_REG_9, 0),
9978 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9979 			BPF_MOV64_IMM(BPF_REG_9, 1),
9980 
9981 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
9982 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9983 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
9984 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
9985 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
9986 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9987 			BPF_EXIT_INSN(),
9988 
9989 			/* subprog 2 */
9990 			/* if arg2 == 1 do *arg1 = 0 */
9991 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
9992 			/* fetch map_value_ptr from the stack of this function */
9993 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
9994 			/* write into map value */
9995 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
9996 
9997 			/* if arg4 == 1 do *arg3 = 0 */
9998 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
9999 			/* fetch map_value_ptr from the stack of this function */
10000 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10001 			/* write into map value */
10002 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10003 			BPF_EXIT_INSN(),
10004 		},
10005 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10006 		.fixup_map1 = { 12, 22 },
10007 		.result = ACCEPT,
10008 	},
10009 	{
10010 		"calls: two calls that receive map_value_ptr_or_null via arg. test2",
10011 		.insns = {
10012 			/* main prog */
10013 			/* pass fp-16, fp-8 into a function */
10014 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10015 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10016 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10017 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10018 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10019 			BPF_MOV64_IMM(BPF_REG_0, 0),
10020 			BPF_EXIT_INSN(),
10021 
10022 			/* subprog 1 */
10023 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10024 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10025 			/* 1st lookup from map */
10026 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10027 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10028 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10029 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10030 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10031 				     BPF_FUNC_map_lookup_elem),
10032 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
10033 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10034 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10035 			BPF_MOV64_IMM(BPF_REG_8, 0),
10036 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10037 			BPF_MOV64_IMM(BPF_REG_8, 1),
10038 
10039 			/* 2nd lookup from map */
10040 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10041 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10042 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10043 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10044 				     BPF_FUNC_map_lookup_elem),
10045 			/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
10046 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10047 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10048 			BPF_MOV64_IMM(BPF_REG_9, 0),
10049 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10050 			BPF_MOV64_IMM(BPF_REG_9, 1),
10051 
10052 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10053 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10054 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10055 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10056 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10057 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10058 			BPF_EXIT_INSN(),
10059 
10060 			/* subprog 2 */
10061 			/* if arg2 == 1 do *arg1 = 0 */
10062 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10063 			/* fetch map_value_ptr from the stack of this function */
10064 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10065 			/* write into map value */
10066 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10067 
10068 			/* if arg4 == 0 do *arg3 = 0 */
10069 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
10070 			/* fetch map_value_ptr from the stack of this function */
10071 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10072 			/* write into map value */
10073 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10074 			BPF_EXIT_INSN(),
10075 		},
10076 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10077 		.fixup_map1 = { 12, 22 },
10078 		.result = REJECT,
10079 		.errstr = "R0 invalid mem access 'inv'",
10080 	},
10081 	{
10082 		"calls: pkt_ptr spill into caller stack",
10083 		.insns = {
10084 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10085 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10086 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10087 			BPF_EXIT_INSN(),
10088 
10089 			/* subprog 1 */
10090 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10091 				    offsetof(struct __sk_buff, data)),
10092 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10093 				    offsetof(struct __sk_buff, data_end)),
10094 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10095 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10096 			/* spill unchecked pkt_ptr into stack of caller */
10097 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10098 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
10099 			/* now the pkt range is verified, read pkt_ptr from stack */
10100 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
10101 			/* write 4 bytes into packet */
10102 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10103 			BPF_EXIT_INSN(),
10104 		},
10105 		.result = ACCEPT,
10106 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10107 	},
10108 	{
10109 		"calls: pkt_ptr spill into caller stack 2",
10110 		.insns = {
10111 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10112 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10113 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10114 			/* Marking is still kept, but not in all cases safe. */
10115 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10116 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
10117 			BPF_EXIT_INSN(),
10118 
10119 			/* subprog 1 */
10120 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10121 				    offsetof(struct __sk_buff, data)),
10122 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10123 				    offsetof(struct __sk_buff, data_end)),
10124 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10125 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10126 			/* spill unchecked pkt_ptr into stack of caller */
10127 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10128 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
10129 			/* now the pkt range is verified, read pkt_ptr from stack */
10130 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
10131 			/* write 4 bytes into packet */
10132 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10133 			BPF_EXIT_INSN(),
10134 		},
10135 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10136 		.errstr = "invalid access to packet",
10137 		.result = REJECT,
10138 	},
10139 	{
10140 		"calls: pkt_ptr spill into caller stack 3",
10141 		.insns = {
10142 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10143 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10144 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10145 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
10146 			/* Marking is still kept and safe here. */
10147 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10148 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
10149 			BPF_EXIT_INSN(),
10150 
10151 			/* subprog 1 */
10152 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10153 				    offsetof(struct __sk_buff, data)),
10154 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10155 				    offsetof(struct __sk_buff, data_end)),
10156 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10157 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10158 			/* spill unchecked pkt_ptr into stack of caller */
10159 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10160 			BPF_MOV64_IMM(BPF_REG_5, 0),
10161 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
10162 			BPF_MOV64_IMM(BPF_REG_5, 1),
10163 			/* now the pkt range is verified, read pkt_ptr from stack */
10164 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
10165 			/* write 4 bytes into packet */
10166 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10167 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10168 			BPF_EXIT_INSN(),
10169 		},
10170 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10171 		.result = ACCEPT,
10172 	},
10173 	{
10174 		"calls: pkt_ptr spill into caller stack 4",
10175 		.insns = {
10176 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10177 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10178 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10179 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
10180 			/* Check marking propagated. */
10181 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10182 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
10183 			BPF_EXIT_INSN(),
10184 
10185 			/* subprog 1 */
10186 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10187 				    offsetof(struct __sk_buff, data)),
10188 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10189 				    offsetof(struct __sk_buff, data_end)),
10190 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10191 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10192 			/* spill unchecked pkt_ptr into stack of caller */
10193 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10194 			BPF_MOV64_IMM(BPF_REG_5, 0),
10195 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
10196 			BPF_MOV64_IMM(BPF_REG_5, 1),
10197 			/* don't read back pkt_ptr from stack here */
10198 			/* write 4 bytes into packet */
10199 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10200 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10201 			BPF_EXIT_INSN(),
10202 		},
10203 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10204 		.result = ACCEPT,
10205 	},
10206 	{
10207 		"calls: pkt_ptr spill into caller stack 5",
10208 		.insns = {
10209 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10210 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10211 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
10212 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10213 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10214 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
10215 			BPF_EXIT_INSN(),
10216 
10217 			/* subprog 1 */
10218 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10219 				    offsetof(struct __sk_buff, data)),
10220 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10221 				    offsetof(struct __sk_buff, data_end)),
10222 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10223 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10224 			BPF_MOV64_IMM(BPF_REG_5, 0),
10225 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
10226 			/* spill checked pkt_ptr into stack of caller */
10227 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10228 			BPF_MOV64_IMM(BPF_REG_5, 1),
10229 			/* don't read back pkt_ptr from stack here */
10230 			/* write 4 bytes into packet */
10231 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10232 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10233 			BPF_EXIT_INSN(),
10234 		},
10235 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10236 		.errstr = "same insn cannot be used with different",
10237 		.result = REJECT,
10238 	},
10239 	{
10240 		"calls: pkt_ptr spill into caller stack 6",
10241 		.insns = {
10242 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10243 				    offsetof(struct __sk_buff, data_end)),
10244 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10245 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10246 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10247 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10248 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10249 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
10250 			BPF_EXIT_INSN(),
10251 
10252 			/* subprog 1 */
10253 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10254 				    offsetof(struct __sk_buff, data)),
10255 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10256 				    offsetof(struct __sk_buff, data_end)),
10257 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10258 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10259 			BPF_MOV64_IMM(BPF_REG_5, 0),
10260 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
10261 			/* spill checked pkt_ptr into stack of caller */
10262 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10263 			BPF_MOV64_IMM(BPF_REG_5, 1),
10264 			/* don't read back pkt_ptr from stack here */
10265 			/* write 4 bytes into packet */
10266 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10267 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10268 			BPF_EXIT_INSN(),
10269 		},
10270 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10271 		.errstr = "R4 invalid mem access",
10272 		.result = REJECT,
10273 	},
10274 	{
10275 		"calls: pkt_ptr spill into caller stack 7",
10276 		.insns = {
10277 			BPF_MOV64_IMM(BPF_REG_2, 0),
10278 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10279 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10280 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10281 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10282 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10283 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
10284 			BPF_EXIT_INSN(),
10285 
10286 			/* subprog 1 */
10287 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10288 				    offsetof(struct __sk_buff, data)),
10289 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10290 				    offsetof(struct __sk_buff, data_end)),
10291 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10292 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10293 			BPF_MOV64_IMM(BPF_REG_5, 0),
10294 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
10295 			/* spill checked pkt_ptr into stack of caller */
10296 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10297 			BPF_MOV64_IMM(BPF_REG_5, 1),
10298 			/* don't read back pkt_ptr from stack here */
10299 			/* write 4 bytes into packet */
10300 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10301 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10302 			BPF_EXIT_INSN(),
10303 		},
10304 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10305 		.errstr = "R4 invalid mem access",
10306 		.result = REJECT,
10307 	},
10308 	{
10309 		"calls: pkt_ptr spill into caller stack 8",
10310 		.insns = {
10311 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10312 				    offsetof(struct __sk_buff, data)),
10313 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10314 				    offsetof(struct __sk_buff, data_end)),
10315 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10316 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10317 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
10318 			BPF_EXIT_INSN(),
10319 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10320 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10321 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10322 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10323 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10324 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
10325 			BPF_EXIT_INSN(),
10326 
10327 			/* subprog 1 */
10328 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10329 				    offsetof(struct __sk_buff, data)),
10330 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10331 				    offsetof(struct __sk_buff, data_end)),
10332 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10333 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10334 			BPF_MOV64_IMM(BPF_REG_5, 0),
10335 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
10336 			/* spill checked pkt_ptr into stack of caller */
10337 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10338 			BPF_MOV64_IMM(BPF_REG_5, 1),
10339 			/* don't read back pkt_ptr from stack here */
10340 			/* write 4 bytes into packet */
10341 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10342 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10343 			BPF_EXIT_INSN(),
10344 		},
10345 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10346 		.result = ACCEPT,
10347 	},
10348 	{
10349 		"calls: pkt_ptr spill into caller stack 9",
10350 		.insns = {
10351 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10352 				    offsetof(struct __sk_buff, data)),
10353 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10354 				    offsetof(struct __sk_buff, data_end)),
10355 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10356 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10357 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
10358 			BPF_EXIT_INSN(),
10359 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
10360 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
10361 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10362 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10363 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
10364 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
10365 			BPF_EXIT_INSN(),
10366 
10367 			/* subprog 1 */
10368 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
10369 				    offsetof(struct __sk_buff, data)),
10370 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
10371 				    offsetof(struct __sk_buff, data_end)),
10372 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10373 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
10374 			BPF_MOV64_IMM(BPF_REG_5, 0),
10375 			/* spill unchecked pkt_ptr into stack of caller */
10376 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
10377 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
10378 			BPF_MOV64_IMM(BPF_REG_5, 1),
10379 			/* don't read back pkt_ptr from stack here */
10380 			/* write 4 bytes into packet */
10381 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
10382 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
10383 			BPF_EXIT_INSN(),
10384 		},
10385 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10386 		.errstr = "invalid access to packet",
10387 		.result = REJECT,
10388 	},
10389 	{
10390 		"calls: caller stack init to zero or map_value_or_null",
10391 		.insns = {
10392 			BPF_MOV64_IMM(BPF_REG_0, 0),
10393 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
10394 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10395 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10396 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10397 			/* fetch map_value_or_null or const_zero from stack */
10398 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
10399 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10400 			/* store into map_value */
10401 			BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
10402 			BPF_EXIT_INSN(),
10403 
10404 			/* subprog 1 */
10405 			/* if (ctx == 0) return; */
10406 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
10407 			/* else bpf_map_lookup() and *(fp - 8) = r0 */
10408 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
10409 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10410 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10411 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10412 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10413 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10414 				     BPF_FUNC_map_lookup_elem),
10415 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
10416 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10417 			BPF_EXIT_INSN(),
10418 		},
10419 		.fixup_map1 = { 13 },
10420 		.result = ACCEPT,
10421 		.prog_type = BPF_PROG_TYPE_XDP,
10422 	},
10423 	{
10424 		"calls: stack init to zero and pruning",
10425 		.insns = {
10426 			/* first make allocated_stack 16 byte */
10427 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
10428 			/* now fork the execution such that the false branch
10429 			 * of JGT insn will be verified second and it skisp zero
10430 			 * init of fp-8 stack slot. If stack liveness marking
10431 			 * is missing live_read marks from call map_lookup
10432 			 * processing then pruning will incorrectly assume
10433 			 * that fp-8 stack slot was unused in the fall-through
10434 			 * branch and will accept the program incorrectly
10435 			 */
10436 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
10437 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10438 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
10439 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10440 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10441 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10442 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10443 				     BPF_FUNC_map_lookup_elem),
10444 			BPF_EXIT_INSN(),
10445 		},
10446 		.fixup_map2 = { 6 },
10447 		.errstr = "invalid indirect read from stack off -8+0 size 8",
10448 		.result = REJECT,
10449 		.prog_type = BPF_PROG_TYPE_XDP,
10450 	},
10451 	{
10452 		"search pruning: all branches should be verified (nop operation)",
10453 		.insns = {
10454 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10455 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10456 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
10457 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10458 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
10459 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
10460 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
10461 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
10462 			BPF_MOV64_IMM(BPF_REG_4, 0),
10463 			BPF_JMP_A(1),
10464 			BPF_MOV64_IMM(BPF_REG_4, 1),
10465 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
10466 			BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
10467 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
10468 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
10469 			BPF_MOV64_IMM(BPF_REG_6, 0),
10470 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
10471 			BPF_EXIT_INSN(),
10472 		},
10473 		.fixup_map1 = { 3 },
10474 		.errstr = "R6 invalid mem access 'inv'",
10475 		.result = REJECT,
10476 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10477 	},
10478 	{
10479 		"search pruning: all branches should be verified (invalid stack access)",
10480 		.insns = {
10481 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10482 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10483 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
10484 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10485 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
10486 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
10487 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
10488 			BPF_MOV64_IMM(BPF_REG_4, 0),
10489 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
10490 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
10491 			BPF_JMP_A(1),
10492 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
10493 			BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
10494 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
10495 			BPF_EXIT_INSN(),
10496 		},
10497 		.fixup_map1 = { 3 },
10498 		.errstr = "invalid read from stack off -16+0 size 8",
10499 		.result = REJECT,
10500 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10501 	},
10502 };
10503 
10504 static int probe_filter_length(const struct bpf_insn *fp)
10505 {
10506 	int len;
10507 
10508 	for (len = MAX_INSNS - 1; len > 0; --len)
10509 		if (fp[len].code != 0 || fp[len].imm != 0)
10510 			break;
10511 	return len + 1;
10512 }
10513 
10514 static int create_map(uint32_t size_value, uint32_t max_elem)
10515 {
10516 	int fd;
10517 
10518 	fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
10519 			    size_value, max_elem, BPF_F_NO_PREALLOC);
10520 	if (fd < 0)
10521 		printf("Failed to create hash map '%s'!\n", strerror(errno));
10522 
10523 	return fd;
10524 }
10525 
10526 static int create_prog_array(void)
10527 {
10528 	int fd;
10529 
10530 	fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
10531 			    sizeof(int), 4, 0);
10532 	if (fd < 0)
10533 		printf("Failed to create prog array '%s'!\n", strerror(errno));
10534 
10535 	return fd;
10536 }
10537 
10538 static int create_map_in_map(void)
10539 {
10540 	int inner_map_fd, outer_map_fd;
10541 
10542 	inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
10543 				      sizeof(int), 1, 0);
10544 	if (inner_map_fd < 0) {
10545 		printf("Failed to create array '%s'!\n", strerror(errno));
10546 		return inner_map_fd;
10547 	}
10548 
10549 	outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
10550 					     sizeof(int), inner_map_fd, 1, 0);
10551 	if (outer_map_fd < 0)
10552 		printf("Failed to create array of maps '%s'!\n",
10553 		       strerror(errno));
10554 
10555 	close(inner_map_fd);
10556 
10557 	return outer_map_fd;
10558 }
10559 
10560 static char bpf_vlog[32768];
10561 
10562 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
10563 			  int *map_fds)
10564 {
10565 	int *fixup_map1 = test->fixup_map1;
10566 	int *fixup_map2 = test->fixup_map2;
10567 	int *fixup_prog = test->fixup_prog;
10568 	int *fixup_map_in_map = test->fixup_map_in_map;
10569 
10570 	/* Allocating HTs with 1 elem is fine here, since we only test
10571 	 * for verifier and not do a runtime lookup, so the only thing
10572 	 * that really matters is value size in this case.
10573 	 */
10574 	if (*fixup_map1) {
10575 		map_fds[0] = create_map(sizeof(long long), 1);
10576 		do {
10577 			prog[*fixup_map1].imm = map_fds[0];
10578 			fixup_map1++;
10579 		} while (*fixup_map1);
10580 	}
10581 
10582 	if (*fixup_map2) {
10583 		map_fds[1] = create_map(sizeof(struct test_val), 1);
10584 		do {
10585 			prog[*fixup_map2].imm = map_fds[1];
10586 			fixup_map2++;
10587 		} while (*fixup_map2);
10588 	}
10589 
10590 	if (*fixup_prog) {
10591 		map_fds[2] = create_prog_array();
10592 		do {
10593 			prog[*fixup_prog].imm = map_fds[2];
10594 			fixup_prog++;
10595 		} while (*fixup_prog);
10596 	}
10597 
10598 	if (*fixup_map_in_map) {
10599 		map_fds[3] = create_map_in_map();
10600 		do {
10601 			prog[*fixup_map_in_map].imm = map_fds[3];
10602 			fixup_map_in_map++;
10603 		} while (*fixup_map_in_map);
10604 	}
10605 }
10606 
10607 static void do_test_single(struct bpf_test *test, bool unpriv,
10608 			   int *passes, int *errors)
10609 {
10610 	int fd_prog, expected_ret, reject_from_alignment;
10611 	struct bpf_insn *prog = test->insns;
10612 	int prog_len = probe_filter_length(prog);
10613 	int prog_type = test->prog_type;
10614 	int map_fds[MAX_NR_MAPS];
10615 	const char *expected_err;
10616 	int i;
10617 
10618 	for (i = 0; i < MAX_NR_MAPS; i++)
10619 		map_fds[i] = -1;
10620 
10621 	do_test_fixup(test, prog, map_fds);
10622 
10623 	fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
10624 				     prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
10625 				     "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
10626 
10627 	expected_ret = unpriv && test->result_unpriv != UNDEF ?
10628 		       test->result_unpriv : test->result;
10629 	expected_err = unpriv && test->errstr_unpriv ?
10630 		       test->errstr_unpriv : test->errstr;
10631 
10632 	reject_from_alignment = fd_prog < 0 &&
10633 				(test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
10634 				strstr(bpf_vlog, "Unknown alignment.");
10635 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
10636 	if (reject_from_alignment) {
10637 		printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
10638 		       strerror(errno));
10639 		goto fail_log;
10640 	}
10641 #endif
10642 	if (expected_ret == ACCEPT) {
10643 		if (fd_prog < 0 && !reject_from_alignment) {
10644 			printf("FAIL\nFailed to load prog '%s'!\n",
10645 			       strerror(errno));
10646 			goto fail_log;
10647 		}
10648 	} else {
10649 		if (fd_prog >= 0) {
10650 			printf("FAIL\nUnexpected success to load!\n");
10651 			goto fail_log;
10652 		}
10653 		if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
10654 			printf("FAIL\nUnexpected error message!\n");
10655 			goto fail_log;
10656 		}
10657 	}
10658 
10659 	(*passes)++;
10660 	printf("OK%s\n", reject_from_alignment ?
10661 	       " (NOTE: reject due to unknown alignment)" : "");
10662 close_fds:
10663 	close(fd_prog);
10664 	for (i = 0; i < MAX_NR_MAPS; i++)
10665 		close(map_fds[i]);
10666 	sched_yield();
10667 	return;
10668 fail_log:
10669 	(*errors)++;
10670 	printf("%s", bpf_vlog);
10671 	goto close_fds;
10672 }
10673 
10674 static bool is_admin(void)
10675 {
10676 	cap_t caps;
10677 	cap_flag_value_t sysadmin = CAP_CLEAR;
10678 	const cap_value_t cap_val = CAP_SYS_ADMIN;
10679 
10680 #ifdef CAP_IS_SUPPORTED
10681 	if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
10682 		perror("cap_get_flag");
10683 		return false;
10684 	}
10685 #endif
10686 	caps = cap_get_proc();
10687 	if (!caps) {
10688 		perror("cap_get_proc");
10689 		return false;
10690 	}
10691 	if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
10692 		perror("cap_get_flag");
10693 	if (cap_free(caps))
10694 		perror("cap_free");
10695 	return (sysadmin == CAP_SET);
10696 }
10697 
10698 static int set_admin(bool admin)
10699 {
10700 	cap_t caps;
10701 	const cap_value_t cap_val = CAP_SYS_ADMIN;
10702 	int ret = -1;
10703 
10704 	caps = cap_get_proc();
10705 	if (!caps) {
10706 		perror("cap_get_proc");
10707 		return -1;
10708 	}
10709 	if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
10710 				admin ? CAP_SET : CAP_CLEAR)) {
10711 		perror("cap_set_flag");
10712 		goto out;
10713 	}
10714 	if (cap_set_proc(caps)) {
10715 		perror("cap_set_proc");
10716 		goto out;
10717 	}
10718 	ret = 0;
10719 out:
10720 	if (cap_free(caps))
10721 		perror("cap_free");
10722 	return ret;
10723 }
10724 
10725 static int do_test(bool unpriv, unsigned int from, unsigned int to)
10726 {
10727 	int i, passes = 0, errors = 0;
10728 
10729 	for (i = from; i < to; i++) {
10730 		struct bpf_test *test = &tests[i];
10731 
10732 		/* Program types that are not supported by non-root we
10733 		 * skip right away.
10734 		 */
10735 		if (!test->prog_type) {
10736 			if (!unpriv)
10737 				set_admin(false);
10738 			printf("#%d/u %s ", i, test->descr);
10739 			do_test_single(test, true, &passes, &errors);
10740 			if (!unpriv)
10741 				set_admin(true);
10742 		}
10743 
10744 		if (!unpriv) {
10745 			printf("#%d/p %s ", i, test->descr);
10746 			do_test_single(test, false, &passes, &errors);
10747 		}
10748 	}
10749 
10750 	printf("Summary: %d PASSED, %d FAILED\n", passes, errors);
10751 	return errors ? EXIT_FAILURE : EXIT_SUCCESS;
10752 }
10753 
10754 int main(int argc, char **argv)
10755 {
10756 	struct rlimit rinf = { RLIM_INFINITY, RLIM_INFINITY };
10757 	struct rlimit rlim = { 1 << 20, 1 << 20 };
10758 	unsigned int from = 0, to = ARRAY_SIZE(tests);
10759 	bool unpriv = !is_admin();
10760 
10761 	if (argc == 3) {
10762 		unsigned int l = atoi(argv[argc - 2]);
10763 		unsigned int u = atoi(argv[argc - 1]);
10764 
10765 		if (l < to && u < to) {
10766 			from = l;
10767 			to   = u + 1;
10768 		}
10769 	} else if (argc == 2) {
10770 		unsigned int t = atoi(argv[argc - 1]);
10771 
10772 		if (t < to) {
10773 			from = t;
10774 			to   = t + 1;
10775 		}
10776 	}
10777 
10778 	setrlimit(RLIMIT_MEMLOCK, unpriv ? &rlim : &rinf);
10779 	return do_test(unpriv, from, to);
10780 }
10781