1 /*
2  * Testsuite for eBPF verifier
3  *
4  * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5  * Copyright (c) 2017 Facebook
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of version 2 of the GNU General Public
9  * License as published by the Free Software Foundation.
10  */
11 
12 #include <endian.h>
13 #include <asm/types.h>
14 #include <linux/types.h>
15 #include <stdint.h>
16 #include <stdio.h>
17 #include <stdlib.h>
18 #include <unistd.h>
19 #include <errno.h>
20 #include <string.h>
21 #include <stddef.h>
22 #include <stdbool.h>
23 #include <sched.h>
24 #include <limits.h>
25 
26 #include <sys/capability.h>
27 
28 #include <linux/unistd.h>
29 #include <linux/filter.h>
30 #include <linux/bpf_perf_event.h>
31 #include <linux/bpf.h>
32 #include <linux/if_ether.h>
33 
34 #include <bpf/bpf.h>
35 
36 #ifdef HAVE_GENHDR
37 # include "autoconf.h"
38 #else
39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
40 #  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
41 # endif
42 #endif
43 #include "bpf_rlimit.h"
44 #include "bpf_rand.h"
45 #include "bpf_util.h"
46 #include "../../../include/linux/filter.h"
47 
48 #define MAX_INSNS	BPF_MAXINSNS
49 #define MAX_FIXUPS	8
50 #define MAX_NR_MAPS	8
51 #define POINTER_VALUE	0xcafe4all
52 #define TEST_DATA_LEN	64
53 
54 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS	(1 << 0)
55 #define F_LOAD_WITH_STRICT_ALIGNMENT		(1 << 1)
56 
57 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
58 static bool unpriv_disabled = false;
59 
60 struct bpf_test {
61 	const char *descr;
62 	struct bpf_insn	insns[MAX_INSNS];
63 	int fixup_map1[MAX_FIXUPS];
64 	int fixup_map2[MAX_FIXUPS];
65 	int fixup_map3[MAX_FIXUPS];
66 	int fixup_map4[MAX_FIXUPS];
67 	int fixup_prog1[MAX_FIXUPS];
68 	int fixup_prog2[MAX_FIXUPS];
69 	int fixup_map_in_map[MAX_FIXUPS];
70 	int fixup_cgroup_storage[MAX_FIXUPS];
71 	const char *errstr;
72 	const char *errstr_unpriv;
73 	uint32_t retval;
74 	enum {
75 		UNDEF,
76 		ACCEPT,
77 		REJECT
78 	} result, result_unpriv;
79 	enum bpf_prog_type prog_type;
80 	uint8_t flags;
81 	__u8 data[TEST_DATA_LEN];
82 	void (*fill_helper)(struct bpf_test *self);
83 };
84 
85 /* Note we want this to be 64 bit aligned so that the end of our array is
86  * actually the end of the structure.
87  */
88 #define MAX_ENTRIES 11
89 
90 struct test_val {
91 	unsigned int index;
92 	int foo[MAX_ENTRIES];
93 };
94 
95 struct other_val {
96 	long long foo;
97 	long long bar;
98 };
99 
100 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
101 {
102 	/* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
103 #define PUSH_CNT 51
104 	unsigned int len = BPF_MAXINSNS;
105 	struct bpf_insn *insn = self->insns;
106 	int i = 0, j, k = 0;
107 
108 	insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
109 loop:
110 	for (j = 0; j < PUSH_CNT; j++) {
111 		insn[i++] = BPF_LD_ABS(BPF_B, 0);
112 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
113 		i++;
114 		insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
115 		insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
116 		insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
117 		insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
118 					 BPF_FUNC_skb_vlan_push),
119 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
120 		i++;
121 	}
122 
123 	for (j = 0; j < PUSH_CNT; j++) {
124 		insn[i++] = BPF_LD_ABS(BPF_B, 0);
125 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
126 		i++;
127 		insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
128 		insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
129 					 BPF_FUNC_skb_vlan_pop),
130 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
131 		i++;
132 	}
133 	if (++k < 5)
134 		goto loop;
135 
136 	for (; i < len - 1; i++)
137 		insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
138 	insn[len - 1] = BPF_EXIT_INSN();
139 }
140 
141 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
142 {
143 	struct bpf_insn *insn = self->insns;
144 	unsigned int len = BPF_MAXINSNS;
145 	int i = 0;
146 
147 	insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
148 	insn[i++] = BPF_LD_ABS(BPF_B, 0);
149 	insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
150 	i++;
151 	while (i < len - 1)
152 		insn[i++] = BPF_LD_ABS(BPF_B, 1);
153 	insn[i] = BPF_EXIT_INSN();
154 }
155 
156 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
157 {
158 	struct bpf_insn *insn = self->insns;
159 	uint64_t res = 0;
160 	int i = 0;
161 
162 	insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
163 	while (i < self->retval) {
164 		uint64_t val = bpf_semi_rand_get();
165 		struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
166 
167 		res ^= val;
168 		insn[i++] = tmp[0];
169 		insn[i++] = tmp[1];
170 		insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
171 	}
172 	insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
173 	insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
174 	insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
175 	insn[i] = BPF_EXIT_INSN();
176 	res ^= (res >> 32);
177 	self->retval = (uint32_t)res;
178 }
179 
180 static struct bpf_test tests[] = {
181 	{
182 		"add+sub+mul",
183 		.insns = {
184 			BPF_MOV64_IMM(BPF_REG_1, 1),
185 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
186 			BPF_MOV64_IMM(BPF_REG_2, 3),
187 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
188 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
189 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
190 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
191 			BPF_EXIT_INSN(),
192 		},
193 		.result = ACCEPT,
194 		.retval = -3,
195 	},
196 	{
197 		"DIV32 by 0, zero check 1",
198 		.insns = {
199 			BPF_MOV32_IMM(BPF_REG_0, 42),
200 			BPF_MOV32_IMM(BPF_REG_1, 0),
201 			BPF_MOV32_IMM(BPF_REG_2, 1),
202 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
203 			BPF_EXIT_INSN(),
204 		},
205 		.result = ACCEPT,
206 		.retval = 42,
207 	},
208 	{
209 		"DIV32 by 0, zero check 2",
210 		.insns = {
211 			BPF_MOV32_IMM(BPF_REG_0, 42),
212 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
213 			BPF_MOV32_IMM(BPF_REG_2, 1),
214 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
215 			BPF_EXIT_INSN(),
216 		},
217 		.result = ACCEPT,
218 		.retval = 42,
219 	},
220 	{
221 		"DIV64 by 0, zero check",
222 		.insns = {
223 			BPF_MOV32_IMM(BPF_REG_0, 42),
224 			BPF_MOV32_IMM(BPF_REG_1, 0),
225 			BPF_MOV32_IMM(BPF_REG_2, 1),
226 			BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
227 			BPF_EXIT_INSN(),
228 		},
229 		.result = ACCEPT,
230 		.retval = 42,
231 	},
232 	{
233 		"MOD32 by 0, zero check 1",
234 		.insns = {
235 			BPF_MOV32_IMM(BPF_REG_0, 42),
236 			BPF_MOV32_IMM(BPF_REG_1, 0),
237 			BPF_MOV32_IMM(BPF_REG_2, 1),
238 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
239 			BPF_EXIT_INSN(),
240 		},
241 		.result = ACCEPT,
242 		.retval = 42,
243 	},
244 	{
245 		"MOD32 by 0, zero check 2",
246 		.insns = {
247 			BPF_MOV32_IMM(BPF_REG_0, 42),
248 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
249 			BPF_MOV32_IMM(BPF_REG_2, 1),
250 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
251 			BPF_EXIT_INSN(),
252 		},
253 		.result = ACCEPT,
254 		.retval = 42,
255 	},
256 	{
257 		"MOD64 by 0, zero check",
258 		.insns = {
259 			BPF_MOV32_IMM(BPF_REG_0, 42),
260 			BPF_MOV32_IMM(BPF_REG_1, 0),
261 			BPF_MOV32_IMM(BPF_REG_2, 1),
262 			BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
263 			BPF_EXIT_INSN(),
264 		},
265 		.result = ACCEPT,
266 		.retval = 42,
267 	},
268 	{
269 		"DIV32 by 0, zero check ok, cls",
270 		.insns = {
271 			BPF_MOV32_IMM(BPF_REG_0, 42),
272 			BPF_MOV32_IMM(BPF_REG_1, 2),
273 			BPF_MOV32_IMM(BPF_REG_2, 16),
274 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
275 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
276 			BPF_EXIT_INSN(),
277 		},
278 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
279 		.result = ACCEPT,
280 		.retval = 8,
281 	},
282 	{
283 		"DIV32 by 0, zero check 1, cls",
284 		.insns = {
285 			BPF_MOV32_IMM(BPF_REG_1, 0),
286 			BPF_MOV32_IMM(BPF_REG_0, 1),
287 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
288 			BPF_EXIT_INSN(),
289 		},
290 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
291 		.result = ACCEPT,
292 		.retval = 0,
293 	},
294 	{
295 		"DIV32 by 0, zero check 2, cls",
296 		.insns = {
297 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
298 			BPF_MOV32_IMM(BPF_REG_0, 1),
299 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
300 			BPF_EXIT_INSN(),
301 		},
302 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
303 		.result = ACCEPT,
304 		.retval = 0,
305 	},
306 	{
307 		"DIV64 by 0, zero check, cls",
308 		.insns = {
309 			BPF_MOV32_IMM(BPF_REG_1, 0),
310 			BPF_MOV32_IMM(BPF_REG_0, 1),
311 			BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
312 			BPF_EXIT_INSN(),
313 		},
314 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
315 		.result = ACCEPT,
316 		.retval = 0,
317 	},
318 	{
319 		"MOD32 by 0, zero check ok, cls",
320 		.insns = {
321 			BPF_MOV32_IMM(BPF_REG_0, 42),
322 			BPF_MOV32_IMM(BPF_REG_1, 3),
323 			BPF_MOV32_IMM(BPF_REG_2, 5),
324 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
325 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
326 			BPF_EXIT_INSN(),
327 		},
328 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
329 		.result = ACCEPT,
330 		.retval = 2,
331 	},
332 	{
333 		"MOD32 by 0, zero check 1, cls",
334 		.insns = {
335 			BPF_MOV32_IMM(BPF_REG_1, 0),
336 			BPF_MOV32_IMM(BPF_REG_0, 1),
337 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
338 			BPF_EXIT_INSN(),
339 		},
340 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
341 		.result = ACCEPT,
342 		.retval = 1,
343 	},
344 	{
345 		"MOD32 by 0, zero check 2, cls",
346 		.insns = {
347 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
348 			BPF_MOV32_IMM(BPF_REG_0, 1),
349 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
350 			BPF_EXIT_INSN(),
351 		},
352 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
353 		.result = ACCEPT,
354 		.retval = 1,
355 	},
356 	{
357 		"MOD64 by 0, zero check 1, cls",
358 		.insns = {
359 			BPF_MOV32_IMM(BPF_REG_1, 0),
360 			BPF_MOV32_IMM(BPF_REG_0, 2),
361 			BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
362 			BPF_EXIT_INSN(),
363 		},
364 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
365 		.result = ACCEPT,
366 		.retval = 2,
367 	},
368 	{
369 		"MOD64 by 0, zero check 2, cls",
370 		.insns = {
371 			BPF_MOV32_IMM(BPF_REG_1, 0),
372 			BPF_MOV32_IMM(BPF_REG_0, -1),
373 			BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
374 			BPF_EXIT_INSN(),
375 		},
376 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
377 		.result = ACCEPT,
378 		.retval = -1,
379 	},
380 	/* Just make sure that JITs used udiv/umod as otherwise we get
381 	 * an exception from INT_MIN/-1 overflow similarly as with div
382 	 * by zero.
383 	 */
384 	{
385 		"DIV32 overflow, check 1",
386 		.insns = {
387 			BPF_MOV32_IMM(BPF_REG_1, -1),
388 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
389 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
390 			BPF_EXIT_INSN(),
391 		},
392 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
393 		.result = ACCEPT,
394 		.retval = 0,
395 	},
396 	{
397 		"DIV32 overflow, check 2",
398 		.insns = {
399 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
400 			BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
401 			BPF_EXIT_INSN(),
402 		},
403 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
404 		.result = ACCEPT,
405 		.retval = 0,
406 	},
407 	{
408 		"DIV64 overflow, check 1",
409 		.insns = {
410 			BPF_MOV64_IMM(BPF_REG_1, -1),
411 			BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
412 			BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
413 			BPF_EXIT_INSN(),
414 		},
415 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
416 		.result = ACCEPT,
417 		.retval = 0,
418 	},
419 	{
420 		"DIV64 overflow, check 2",
421 		.insns = {
422 			BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
423 			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
424 			BPF_EXIT_INSN(),
425 		},
426 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
427 		.result = ACCEPT,
428 		.retval = 0,
429 	},
430 	{
431 		"MOD32 overflow, check 1",
432 		.insns = {
433 			BPF_MOV32_IMM(BPF_REG_1, -1),
434 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
435 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
436 			BPF_EXIT_INSN(),
437 		},
438 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
439 		.result = ACCEPT,
440 		.retval = INT_MIN,
441 	},
442 	{
443 		"MOD32 overflow, check 2",
444 		.insns = {
445 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
446 			BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
447 			BPF_EXIT_INSN(),
448 		},
449 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
450 		.result = ACCEPT,
451 		.retval = INT_MIN,
452 	},
453 	{
454 		"MOD64 overflow, check 1",
455 		.insns = {
456 			BPF_MOV64_IMM(BPF_REG_1, -1),
457 			BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
458 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
459 			BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
460 			BPF_MOV32_IMM(BPF_REG_0, 0),
461 			BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
462 			BPF_MOV32_IMM(BPF_REG_0, 1),
463 			BPF_EXIT_INSN(),
464 		},
465 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
466 		.result = ACCEPT,
467 		.retval = 1,
468 	},
469 	{
470 		"MOD64 overflow, check 2",
471 		.insns = {
472 			BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
473 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
474 			BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
475 			BPF_MOV32_IMM(BPF_REG_0, 0),
476 			BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
477 			BPF_MOV32_IMM(BPF_REG_0, 1),
478 			BPF_EXIT_INSN(),
479 		},
480 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
481 		.result = ACCEPT,
482 		.retval = 1,
483 	},
484 	{
485 		"xor32 zero extend check",
486 		.insns = {
487 			BPF_MOV32_IMM(BPF_REG_2, -1),
488 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
489 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
490 			BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
491 			BPF_MOV32_IMM(BPF_REG_0, 2),
492 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
493 			BPF_MOV32_IMM(BPF_REG_0, 1),
494 			BPF_EXIT_INSN(),
495 		},
496 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
497 		.result = ACCEPT,
498 		.retval = 1,
499 	},
500 	{
501 		"empty prog",
502 		.insns = {
503 		},
504 		.errstr = "unknown opcode 00",
505 		.result = REJECT,
506 	},
507 	{
508 		"only exit insn",
509 		.insns = {
510 			BPF_EXIT_INSN(),
511 		},
512 		.errstr = "R0 !read_ok",
513 		.result = REJECT,
514 	},
515 	{
516 		"unreachable",
517 		.insns = {
518 			BPF_EXIT_INSN(),
519 			BPF_EXIT_INSN(),
520 		},
521 		.errstr = "unreachable",
522 		.result = REJECT,
523 	},
524 	{
525 		"unreachable2",
526 		.insns = {
527 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
528 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
529 			BPF_EXIT_INSN(),
530 		},
531 		.errstr = "unreachable",
532 		.result = REJECT,
533 	},
534 	{
535 		"out of range jump",
536 		.insns = {
537 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
538 			BPF_EXIT_INSN(),
539 		},
540 		.errstr = "jump out of range",
541 		.result = REJECT,
542 	},
543 	{
544 		"out of range jump2",
545 		.insns = {
546 			BPF_JMP_IMM(BPF_JA, 0, 0, -2),
547 			BPF_EXIT_INSN(),
548 		},
549 		.errstr = "jump out of range",
550 		.result = REJECT,
551 	},
552 	{
553 		"test1 ld_imm64",
554 		.insns = {
555 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
556 			BPF_LD_IMM64(BPF_REG_0, 0),
557 			BPF_LD_IMM64(BPF_REG_0, 0),
558 			BPF_LD_IMM64(BPF_REG_0, 1),
559 			BPF_LD_IMM64(BPF_REG_0, 1),
560 			BPF_MOV64_IMM(BPF_REG_0, 2),
561 			BPF_EXIT_INSN(),
562 		},
563 		.errstr = "invalid BPF_LD_IMM insn",
564 		.errstr_unpriv = "R1 pointer comparison",
565 		.result = REJECT,
566 	},
567 	{
568 		"test2 ld_imm64",
569 		.insns = {
570 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
571 			BPF_LD_IMM64(BPF_REG_0, 0),
572 			BPF_LD_IMM64(BPF_REG_0, 0),
573 			BPF_LD_IMM64(BPF_REG_0, 1),
574 			BPF_LD_IMM64(BPF_REG_0, 1),
575 			BPF_EXIT_INSN(),
576 		},
577 		.errstr = "invalid BPF_LD_IMM insn",
578 		.errstr_unpriv = "R1 pointer comparison",
579 		.result = REJECT,
580 	},
581 	{
582 		"test3 ld_imm64",
583 		.insns = {
584 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
585 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
586 			BPF_LD_IMM64(BPF_REG_0, 0),
587 			BPF_LD_IMM64(BPF_REG_0, 0),
588 			BPF_LD_IMM64(BPF_REG_0, 1),
589 			BPF_LD_IMM64(BPF_REG_0, 1),
590 			BPF_EXIT_INSN(),
591 		},
592 		.errstr = "invalid bpf_ld_imm64 insn",
593 		.result = REJECT,
594 	},
595 	{
596 		"test4 ld_imm64",
597 		.insns = {
598 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
599 			BPF_EXIT_INSN(),
600 		},
601 		.errstr = "invalid bpf_ld_imm64 insn",
602 		.result = REJECT,
603 	},
604 	{
605 		"test5 ld_imm64",
606 		.insns = {
607 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
608 		},
609 		.errstr = "invalid bpf_ld_imm64 insn",
610 		.result = REJECT,
611 	},
612 	{
613 		"test6 ld_imm64",
614 		.insns = {
615 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
616 			BPF_RAW_INSN(0, 0, 0, 0, 0),
617 			BPF_EXIT_INSN(),
618 		},
619 		.result = ACCEPT,
620 	},
621 	{
622 		"test7 ld_imm64",
623 		.insns = {
624 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
625 			BPF_RAW_INSN(0, 0, 0, 0, 1),
626 			BPF_EXIT_INSN(),
627 		},
628 		.result = ACCEPT,
629 		.retval = 1,
630 	},
631 	{
632 		"test8 ld_imm64",
633 		.insns = {
634 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
635 			BPF_RAW_INSN(0, 0, 0, 0, 1),
636 			BPF_EXIT_INSN(),
637 		},
638 		.errstr = "uses reserved fields",
639 		.result = REJECT,
640 	},
641 	{
642 		"test9 ld_imm64",
643 		.insns = {
644 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
645 			BPF_RAW_INSN(0, 0, 0, 1, 1),
646 			BPF_EXIT_INSN(),
647 		},
648 		.errstr = "invalid bpf_ld_imm64 insn",
649 		.result = REJECT,
650 	},
651 	{
652 		"test10 ld_imm64",
653 		.insns = {
654 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
655 			BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
656 			BPF_EXIT_INSN(),
657 		},
658 		.errstr = "invalid bpf_ld_imm64 insn",
659 		.result = REJECT,
660 	},
661 	{
662 		"test11 ld_imm64",
663 		.insns = {
664 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
665 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
666 			BPF_EXIT_INSN(),
667 		},
668 		.errstr = "invalid bpf_ld_imm64 insn",
669 		.result = REJECT,
670 	},
671 	{
672 		"test12 ld_imm64",
673 		.insns = {
674 			BPF_MOV64_IMM(BPF_REG_1, 0),
675 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
676 			BPF_RAW_INSN(0, 0, 0, 0, 1),
677 			BPF_EXIT_INSN(),
678 		},
679 		.errstr = "not pointing to valid bpf_map",
680 		.result = REJECT,
681 	},
682 	{
683 		"test13 ld_imm64",
684 		.insns = {
685 			BPF_MOV64_IMM(BPF_REG_1, 0),
686 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
687 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
688 			BPF_EXIT_INSN(),
689 		},
690 		.errstr = "invalid bpf_ld_imm64 insn",
691 		.result = REJECT,
692 	},
693 	{
694 		"arsh32 on imm",
695 		.insns = {
696 			BPF_MOV64_IMM(BPF_REG_0, 1),
697 			BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
698 			BPF_EXIT_INSN(),
699 		},
700 		.result = REJECT,
701 		.errstr = "unknown opcode c4",
702 	},
703 	{
704 		"arsh32 on reg",
705 		.insns = {
706 			BPF_MOV64_IMM(BPF_REG_0, 1),
707 			BPF_MOV64_IMM(BPF_REG_1, 5),
708 			BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
709 			BPF_EXIT_INSN(),
710 		},
711 		.result = REJECT,
712 		.errstr = "unknown opcode cc",
713 	},
714 	{
715 		"arsh64 on imm",
716 		.insns = {
717 			BPF_MOV64_IMM(BPF_REG_0, 1),
718 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
719 			BPF_EXIT_INSN(),
720 		},
721 		.result = ACCEPT,
722 	},
723 	{
724 		"arsh64 on reg",
725 		.insns = {
726 			BPF_MOV64_IMM(BPF_REG_0, 1),
727 			BPF_MOV64_IMM(BPF_REG_1, 5),
728 			BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
729 			BPF_EXIT_INSN(),
730 		},
731 		.result = ACCEPT,
732 	},
733 	{
734 		"no bpf_exit",
735 		.insns = {
736 			BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
737 		},
738 		.errstr = "not an exit",
739 		.result = REJECT,
740 	},
741 	{
742 		"loop (back-edge)",
743 		.insns = {
744 			BPF_JMP_IMM(BPF_JA, 0, 0, -1),
745 			BPF_EXIT_INSN(),
746 		},
747 		.errstr = "back-edge",
748 		.result = REJECT,
749 	},
750 	{
751 		"loop2 (back-edge)",
752 		.insns = {
753 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
754 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
755 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
756 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
757 			BPF_EXIT_INSN(),
758 		},
759 		.errstr = "back-edge",
760 		.result = REJECT,
761 	},
762 	{
763 		"conditional loop",
764 		.insns = {
765 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
766 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
767 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
768 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
769 			BPF_EXIT_INSN(),
770 		},
771 		.errstr = "back-edge",
772 		.result = REJECT,
773 	},
774 	{
775 		"read uninitialized register",
776 		.insns = {
777 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
778 			BPF_EXIT_INSN(),
779 		},
780 		.errstr = "R2 !read_ok",
781 		.result = REJECT,
782 	},
783 	{
784 		"read invalid register",
785 		.insns = {
786 			BPF_MOV64_REG(BPF_REG_0, -1),
787 			BPF_EXIT_INSN(),
788 		},
789 		.errstr = "R15 is invalid",
790 		.result = REJECT,
791 	},
792 	{
793 		"program doesn't init R0 before exit",
794 		.insns = {
795 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
796 			BPF_EXIT_INSN(),
797 		},
798 		.errstr = "R0 !read_ok",
799 		.result = REJECT,
800 	},
801 	{
802 		"program doesn't init R0 before exit in all branches",
803 		.insns = {
804 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
805 			BPF_MOV64_IMM(BPF_REG_0, 1),
806 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
807 			BPF_EXIT_INSN(),
808 		},
809 		.errstr = "R0 !read_ok",
810 		.errstr_unpriv = "R1 pointer comparison",
811 		.result = REJECT,
812 	},
813 	{
814 		"stack out of bounds",
815 		.insns = {
816 			BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
817 			BPF_EXIT_INSN(),
818 		},
819 		.errstr = "invalid stack",
820 		.result = REJECT,
821 	},
822 	{
823 		"invalid call insn1",
824 		.insns = {
825 			BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
826 			BPF_EXIT_INSN(),
827 		},
828 		.errstr = "unknown opcode 8d",
829 		.result = REJECT,
830 	},
831 	{
832 		"invalid call insn2",
833 		.insns = {
834 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
835 			BPF_EXIT_INSN(),
836 		},
837 		.errstr = "BPF_CALL uses reserved",
838 		.result = REJECT,
839 	},
840 	{
841 		"invalid function call",
842 		.insns = {
843 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
844 			BPF_EXIT_INSN(),
845 		},
846 		.errstr = "invalid func unknown#1234567",
847 		.result = REJECT,
848 	},
849 	{
850 		"uninitialized stack1",
851 		.insns = {
852 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
853 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
854 			BPF_LD_MAP_FD(BPF_REG_1, 0),
855 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
856 				     BPF_FUNC_map_lookup_elem),
857 			BPF_EXIT_INSN(),
858 		},
859 		.fixup_map1 = { 2 },
860 		.errstr = "invalid indirect read from stack",
861 		.result = REJECT,
862 	},
863 	{
864 		"uninitialized stack2",
865 		.insns = {
866 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
867 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
868 			BPF_EXIT_INSN(),
869 		},
870 		.errstr = "invalid read from stack",
871 		.result = REJECT,
872 	},
873 	{
874 		"invalid fp arithmetic",
875 		/* If this gets ever changed, make sure JITs can deal with it. */
876 		.insns = {
877 			BPF_MOV64_IMM(BPF_REG_0, 0),
878 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
879 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
880 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
881 			BPF_EXIT_INSN(),
882 		},
883 		.errstr = "R1 subtraction from stack pointer",
884 		.result = REJECT,
885 	},
886 	{
887 		"non-invalid fp arithmetic",
888 		.insns = {
889 			BPF_MOV64_IMM(BPF_REG_0, 0),
890 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
891 			BPF_EXIT_INSN(),
892 		},
893 		.result = ACCEPT,
894 	},
895 	{
896 		"invalid argument register",
897 		.insns = {
898 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
899 				     BPF_FUNC_get_cgroup_classid),
900 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
901 				     BPF_FUNC_get_cgroup_classid),
902 			BPF_EXIT_INSN(),
903 		},
904 		.errstr = "R1 !read_ok",
905 		.result = REJECT,
906 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
907 	},
908 	{
909 		"non-invalid argument register",
910 		.insns = {
911 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
912 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
913 				     BPF_FUNC_get_cgroup_classid),
914 			BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
915 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
916 				     BPF_FUNC_get_cgroup_classid),
917 			BPF_EXIT_INSN(),
918 		},
919 		.result = ACCEPT,
920 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
921 	},
922 	{
923 		"check valid spill/fill",
924 		.insns = {
925 			/* spill R1(ctx) into stack */
926 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
927 			/* fill it back into R2 */
928 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
929 			/* should be able to access R0 = *(R2 + 8) */
930 			/* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
931 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
932 			BPF_EXIT_INSN(),
933 		},
934 		.errstr_unpriv = "R0 leaks addr",
935 		.result = ACCEPT,
936 		.result_unpriv = REJECT,
937 		.retval = POINTER_VALUE,
938 	},
939 	{
940 		"check valid spill/fill, skb mark",
941 		.insns = {
942 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
943 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
944 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
945 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
946 				    offsetof(struct __sk_buff, mark)),
947 			BPF_EXIT_INSN(),
948 		},
949 		.result = ACCEPT,
950 		.result_unpriv = ACCEPT,
951 	},
952 	{
953 		"check corrupted spill/fill",
954 		.insns = {
955 			/* spill R1(ctx) into stack */
956 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
957 			/* mess up with R1 pointer on stack */
958 			BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
959 			/* fill back into R0 should fail */
960 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
961 			BPF_EXIT_INSN(),
962 		},
963 		.errstr_unpriv = "attempt to corrupt spilled",
964 		.errstr = "corrupted spill",
965 		.result = REJECT,
966 	},
967 	{
968 		"invalid src register in STX",
969 		.insns = {
970 			BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
971 			BPF_EXIT_INSN(),
972 		},
973 		.errstr = "R15 is invalid",
974 		.result = REJECT,
975 	},
976 	{
977 		"invalid dst register in STX",
978 		.insns = {
979 			BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
980 			BPF_EXIT_INSN(),
981 		},
982 		.errstr = "R14 is invalid",
983 		.result = REJECT,
984 	},
985 	{
986 		"invalid dst register in ST",
987 		.insns = {
988 			BPF_ST_MEM(BPF_B, 14, -1, -1),
989 			BPF_EXIT_INSN(),
990 		},
991 		.errstr = "R14 is invalid",
992 		.result = REJECT,
993 	},
994 	{
995 		"invalid src register in LDX",
996 		.insns = {
997 			BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
998 			BPF_EXIT_INSN(),
999 		},
1000 		.errstr = "R12 is invalid",
1001 		.result = REJECT,
1002 	},
1003 	{
1004 		"invalid dst register in LDX",
1005 		.insns = {
1006 			BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1007 			BPF_EXIT_INSN(),
1008 		},
1009 		.errstr = "R11 is invalid",
1010 		.result = REJECT,
1011 	},
1012 	{
1013 		"junk insn",
1014 		.insns = {
1015 			BPF_RAW_INSN(0, 0, 0, 0, 0),
1016 			BPF_EXIT_INSN(),
1017 		},
1018 		.errstr = "unknown opcode 00",
1019 		.result = REJECT,
1020 	},
1021 	{
1022 		"junk insn2",
1023 		.insns = {
1024 			BPF_RAW_INSN(1, 0, 0, 0, 0),
1025 			BPF_EXIT_INSN(),
1026 		},
1027 		.errstr = "BPF_LDX uses reserved fields",
1028 		.result = REJECT,
1029 	},
1030 	{
1031 		"junk insn3",
1032 		.insns = {
1033 			BPF_RAW_INSN(-1, 0, 0, 0, 0),
1034 			BPF_EXIT_INSN(),
1035 		},
1036 		.errstr = "unknown opcode ff",
1037 		.result = REJECT,
1038 	},
1039 	{
1040 		"junk insn4",
1041 		.insns = {
1042 			BPF_RAW_INSN(-1, -1, -1, -1, -1),
1043 			BPF_EXIT_INSN(),
1044 		},
1045 		.errstr = "unknown opcode ff",
1046 		.result = REJECT,
1047 	},
1048 	{
1049 		"junk insn5",
1050 		.insns = {
1051 			BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1052 			BPF_EXIT_INSN(),
1053 		},
1054 		.errstr = "BPF_ALU uses reserved fields",
1055 		.result = REJECT,
1056 	},
1057 	{
1058 		"misaligned read from stack",
1059 		.insns = {
1060 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1061 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1062 			BPF_EXIT_INSN(),
1063 		},
1064 		.errstr = "misaligned stack access",
1065 		.result = REJECT,
1066 	},
1067 	{
1068 		"invalid map_fd for function call",
1069 		.insns = {
1070 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1071 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1072 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1073 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1074 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1075 				     BPF_FUNC_map_delete_elem),
1076 			BPF_EXIT_INSN(),
1077 		},
1078 		.errstr = "fd 0 is not pointing to valid bpf_map",
1079 		.result = REJECT,
1080 	},
1081 	{
1082 		"don't check return value before access",
1083 		.insns = {
1084 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1085 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1086 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1087 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1088 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1089 				     BPF_FUNC_map_lookup_elem),
1090 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1091 			BPF_EXIT_INSN(),
1092 		},
1093 		.fixup_map1 = { 3 },
1094 		.errstr = "R0 invalid mem access 'map_value_or_null'",
1095 		.result = REJECT,
1096 	},
1097 	{
1098 		"access memory with incorrect alignment",
1099 		.insns = {
1100 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1101 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1102 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1103 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1104 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1105 				     BPF_FUNC_map_lookup_elem),
1106 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1107 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1108 			BPF_EXIT_INSN(),
1109 		},
1110 		.fixup_map1 = { 3 },
1111 		.errstr = "misaligned value access",
1112 		.result = REJECT,
1113 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1114 	},
1115 	{
1116 		"sometimes access memory with incorrect alignment",
1117 		.insns = {
1118 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1119 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1120 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1121 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1122 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1123 				     BPF_FUNC_map_lookup_elem),
1124 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1125 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1126 			BPF_EXIT_INSN(),
1127 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1128 			BPF_EXIT_INSN(),
1129 		},
1130 		.fixup_map1 = { 3 },
1131 		.errstr = "R0 invalid mem access",
1132 		.errstr_unpriv = "R0 leaks addr",
1133 		.result = REJECT,
1134 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1135 	},
1136 	{
1137 		"jump test 1",
1138 		.insns = {
1139 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1140 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1141 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1142 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1143 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1144 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1145 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1146 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1147 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1148 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1149 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1150 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1151 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1152 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1153 			BPF_MOV64_IMM(BPF_REG_0, 0),
1154 			BPF_EXIT_INSN(),
1155 		},
1156 		.errstr_unpriv = "R1 pointer comparison",
1157 		.result_unpriv = REJECT,
1158 		.result = ACCEPT,
1159 	},
1160 	{
1161 		"jump test 2",
1162 		.insns = {
1163 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1164 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1165 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1166 			BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1167 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1168 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1169 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1170 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1171 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1172 			BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1173 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1174 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1175 			BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1176 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1177 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1178 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1179 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1180 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1181 			BPF_MOV64_IMM(BPF_REG_0, 0),
1182 			BPF_EXIT_INSN(),
1183 		},
1184 		.errstr_unpriv = "R1 pointer comparison",
1185 		.result_unpriv = REJECT,
1186 		.result = ACCEPT,
1187 	},
1188 	{
1189 		"jump test 3",
1190 		.insns = {
1191 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1192 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1193 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1194 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1195 			BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1196 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1197 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1198 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1199 			BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1200 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1201 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1202 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1203 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1204 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1205 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1206 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1207 			BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1208 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1209 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1210 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1211 			BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1212 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1213 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1214 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1215 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1216 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1217 				     BPF_FUNC_map_delete_elem),
1218 			BPF_EXIT_INSN(),
1219 		},
1220 		.fixup_map1 = { 24 },
1221 		.errstr_unpriv = "R1 pointer comparison",
1222 		.result_unpriv = REJECT,
1223 		.result = ACCEPT,
1224 		.retval = -ENOENT,
1225 	},
1226 	{
1227 		"jump test 4",
1228 		.insns = {
1229 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1230 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1231 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1232 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1233 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1234 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1235 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1236 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1237 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1238 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1239 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1240 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1241 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1242 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1243 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1244 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1245 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1246 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1247 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1248 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1249 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1250 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1251 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1252 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1253 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1254 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1255 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1256 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1257 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1258 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1259 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1260 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1261 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1262 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1263 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1264 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1265 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1266 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1267 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1268 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1269 			BPF_MOV64_IMM(BPF_REG_0, 0),
1270 			BPF_EXIT_INSN(),
1271 		},
1272 		.errstr_unpriv = "R1 pointer comparison",
1273 		.result_unpriv = REJECT,
1274 		.result = ACCEPT,
1275 	},
1276 	{
1277 		"jump test 5",
1278 		.insns = {
1279 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1280 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1281 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1282 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1283 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1284 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1285 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1286 			BPF_MOV64_IMM(BPF_REG_0, 0),
1287 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1288 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1289 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1290 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1291 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1292 			BPF_MOV64_IMM(BPF_REG_0, 0),
1293 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1294 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1295 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1296 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1297 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1298 			BPF_MOV64_IMM(BPF_REG_0, 0),
1299 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1300 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1301 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1302 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1303 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1304 			BPF_MOV64_IMM(BPF_REG_0, 0),
1305 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1306 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1307 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1308 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1309 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1310 			BPF_MOV64_IMM(BPF_REG_0, 0),
1311 			BPF_EXIT_INSN(),
1312 		},
1313 		.errstr_unpriv = "R1 pointer comparison",
1314 		.result_unpriv = REJECT,
1315 		.result = ACCEPT,
1316 	},
1317 	{
1318 		"access skb fields ok",
1319 		.insns = {
1320 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1321 				    offsetof(struct __sk_buff, len)),
1322 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1323 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1324 				    offsetof(struct __sk_buff, mark)),
1325 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1326 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1327 				    offsetof(struct __sk_buff, pkt_type)),
1328 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1329 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1330 				    offsetof(struct __sk_buff, queue_mapping)),
1331 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1332 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1333 				    offsetof(struct __sk_buff, protocol)),
1334 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1335 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1336 				    offsetof(struct __sk_buff, vlan_present)),
1337 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1338 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1339 				    offsetof(struct __sk_buff, vlan_tci)),
1340 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1341 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1342 				    offsetof(struct __sk_buff, napi_id)),
1343 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1344 			BPF_EXIT_INSN(),
1345 		},
1346 		.result = ACCEPT,
1347 	},
1348 	{
1349 		"access skb fields bad1",
1350 		.insns = {
1351 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1352 			BPF_EXIT_INSN(),
1353 		},
1354 		.errstr = "invalid bpf_context access",
1355 		.result = REJECT,
1356 	},
1357 	{
1358 		"access skb fields bad2",
1359 		.insns = {
1360 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1361 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1362 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1363 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1364 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1365 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1366 				     BPF_FUNC_map_lookup_elem),
1367 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1368 			BPF_EXIT_INSN(),
1369 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1370 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1371 				    offsetof(struct __sk_buff, pkt_type)),
1372 			BPF_EXIT_INSN(),
1373 		},
1374 		.fixup_map1 = { 4 },
1375 		.errstr = "different pointers",
1376 		.errstr_unpriv = "R1 pointer comparison",
1377 		.result = REJECT,
1378 	},
1379 	{
1380 		"access skb fields bad3",
1381 		.insns = {
1382 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1383 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1384 				    offsetof(struct __sk_buff, pkt_type)),
1385 			BPF_EXIT_INSN(),
1386 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1387 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1388 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1389 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1390 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1391 				     BPF_FUNC_map_lookup_elem),
1392 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1393 			BPF_EXIT_INSN(),
1394 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1395 			BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1396 		},
1397 		.fixup_map1 = { 6 },
1398 		.errstr = "different pointers",
1399 		.errstr_unpriv = "R1 pointer comparison",
1400 		.result = REJECT,
1401 	},
1402 	{
1403 		"access skb fields bad4",
1404 		.insns = {
1405 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1406 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1407 				    offsetof(struct __sk_buff, len)),
1408 			BPF_MOV64_IMM(BPF_REG_0, 0),
1409 			BPF_EXIT_INSN(),
1410 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1411 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1412 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1413 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1414 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1415 				     BPF_FUNC_map_lookup_elem),
1416 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1417 			BPF_EXIT_INSN(),
1418 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1419 			BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1420 		},
1421 		.fixup_map1 = { 7 },
1422 		.errstr = "different pointers",
1423 		.errstr_unpriv = "R1 pointer comparison",
1424 		.result = REJECT,
1425 	},
1426 	{
1427 		"invalid access __sk_buff family",
1428 		.insns = {
1429 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1430 				    offsetof(struct __sk_buff, family)),
1431 			BPF_EXIT_INSN(),
1432 		},
1433 		.errstr = "invalid bpf_context access",
1434 		.result = REJECT,
1435 	},
1436 	{
1437 		"invalid access __sk_buff remote_ip4",
1438 		.insns = {
1439 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1440 				    offsetof(struct __sk_buff, remote_ip4)),
1441 			BPF_EXIT_INSN(),
1442 		},
1443 		.errstr = "invalid bpf_context access",
1444 		.result = REJECT,
1445 	},
1446 	{
1447 		"invalid access __sk_buff local_ip4",
1448 		.insns = {
1449 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1450 				    offsetof(struct __sk_buff, local_ip4)),
1451 			BPF_EXIT_INSN(),
1452 		},
1453 		.errstr = "invalid bpf_context access",
1454 		.result = REJECT,
1455 	},
1456 	{
1457 		"invalid access __sk_buff remote_ip6",
1458 		.insns = {
1459 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1460 				    offsetof(struct __sk_buff, remote_ip6)),
1461 			BPF_EXIT_INSN(),
1462 		},
1463 		.errstr = "invalid bpf_context access",
1464 		.result = REJECT,
1465 	},
1466 	{
1467 		"invalid access __sk_buff local_ip6",
1468 		.insns = {
1469 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1470 				    offsetof(struct __sk_buff, local_ip6)),
1471 			BPF_EXIT_INSN(),
1472 		},
1473 		.errstr = "invalid bpf_context access",
1474 		.result = REJECT,
1475 	},
1476 	{
1477 		"invalid access __sk_buff remote_port",
1478 		.insns = {
1479 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1480 				    offsetof(struct __sk_buff, remote_port)),
1481 			BPF_EXIT_INSN(),
1482 		},
1483 		.errstr = "invalid bpf_context access",
1484 		.result = REJECT,
1485 	},
1486 	{
1487 		"invalid access __sk_buff remote_port",
1488 		.insns = {
1489 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1490 				    offsetof(struct __sk_buff, local_port)),
1491 			BPF_EXIT_INSN(),
1492 		},
1493 		.errstr = "invalid bpf_context access",
1494 		.result = REJECT,
1495 	},
1496 	{
1497 		"valid access __sk_buff family",
1498 		.insns = {
1499 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1500 				    offsetof(struct __sk_buff, family)),
1501 			BPF_EXIT_INSN(),
1502 		},
1503 		.result = ACCEPT,
1504 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1505 	},
1506 	{
1507 		"valid access __sk_buff remote_ip4",
1508 		.insns = {
1509 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1510 				    offsetof(struct __sk_buff, remote_ip4)),
1511 			BPF_EXIT_INSN(),
1512 		},
1513 		.result = ACCEPT,
1514 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1515 	},
1516 	{
1517 		"valid access __sk_buff local_ip4",
1518 		.insns = {
1519 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1520 				    offsetof(struct __sk_buff, local_ip4)),
1521 			BPF_EXIT_INSN(),
1522 		},
1523 		.result = ACCEPT,
1524 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1525 	},
1526 	{
1527 		"valid access __sk_buff remote_ip6",
1528 		.insns = {
1529 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1530 				    offsetof(struct __sk_buff, remote_ip6[0])),
1531 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1532 				    offsetof(struct __sk_buff, remote_ip6[1])),
1533 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1534 				    offsetof(struct __sk_buff, remote_ip6[2])),
1535 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1536 				    offsetof(struct __sk_buff, remote_ip6[3])),
1537 			BPF_EXIT_INSN(),
1538 		},
1539 		.result = ACCEPT,
1540 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1541 	},
1542 	{
1543 		"valid access __sk_buff local_ip6",
1544 		.insns = {
1545 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1546 				    offsetof(struct __sk_buff, local_ip6[0])),
1547 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1548 				    offsetof(struct __sk_buff, local_ip6[1])),
1549 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1550 				    offsetof(struct __sk_buff, local_ip6[2])),
1551 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1552 				    offsetof(struct __sk_buff, local_ip6[3])),
1553 			BPF_EXIT_INSN(),
1554 		},
1555 		.result = ACCEPT,
1556 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1557 	},
1558 	{
1559 		"valid access __sk_buff remote_port",
1560 		.insns = {
1561 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1562 				    offsetof(struct __sk_buff, remote_port)),
1563 			BPF_EXIT_INSN(),
1564 		},
1565 		.result = ACCEPT,
1566 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1567 	},
1568 	{
1569 		"valid access __sk_buff remote_port",
1570 		.insns = {
1571 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572 				    offsetof(struct __sk_buff, local_port)),
1573 			BPF_EXIT_INSN(),
1574 		},
1575 		.result = ACCEPT,
1576 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1577 	},
1578 	{
1579 		"invalid access of tc_classid for SK_SKB",
1580 		.insns = {
1581 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1582 				    offsetof(struct __sk_buff, tc_classid)),
1583 			BPF_EXIT_INSN(),
1584 		},
1585 		.result = REJECT,
1586 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1587 		.errstr = "invalid bpf_context access",
1588 	},
1589 	{
1590 		"invalid access of skb->mark for SK_SKB",
1591 		.insns = {
1592 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1593 				    offsetof(struct __sk_buff, mark)),
1594 			BPF_EXIT_INSN(),
1595 		},
1596 		.result =  REJECT,
1597 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1598 		.errstr = "invalid bpf_context access",
1599 	},
1600 	{
1601 		"check skb->mark is not writeable by SK_SKB",
1602 		.insns = {
1603 			BPF_MOV64_IMM(BPF_REG_0, 0),
1604 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1605 				    offsetof(struct __sk_buff, mark)),
1606 			BPF_EXIT_INSN(),
1607 		},
1608 		.result =  REJECT,
1609 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1610 		.errstr = "invalid bpf_context access",
1611 	},
1612 	{
1613 		"check skb->tc_index is writeable by SK_SKB",
1614 		.insns = {
1615 			BPF_MOV64_IMM(BPF_REG_0, 0),
1616 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1617 				    offsetof(struct __sk_buff, tc_index)),
1618 			BPF_EXIT_INSN(),
1619 		},
1620 		.result = ACCEPT,
1621 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1622 	},
1623 	{
1624 		"check skb->priority is writeable by SK_SKB",
1625 		.insns = {
1626 			BPF_MOV64_IMM(BPF_REG_0, 0),
1627 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1628 				    offsetof(struct __sk_buff, priority)),
1629 			BPF_EXIT_INSN(),
1630 		},
1631 		.result = ACCEPT,
1632 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1633 	},
1634 	{
1635 		"direct packet read for SK_SKB",
1636 		.insns = {
1637 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1638 				    offsetof(struct __sk_buff, data)),
1639 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1640 				    offsetof(struct __sk_buff, data_end)),
1641 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1642 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1643 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1644 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1645 			BPF_MOV64_IMM(BPF_REG_0, 0),
1646 			BPF_EXIT_INSN(),
1647 		},
1648 		.result = ACCEPT,
1649 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1650 	},
1651 	{
1652 		"direct packet write for SK_SKB",
1653 		.insns = {
1654 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1655 				    offsetof(struct __sk_buff, data)),
1656 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1657 				    offsetof(struct __sk_buff, data_end)),
1658 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1659 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1660 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1661 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1662 			BPF_MOV64_IMM(BPF_REG_0, 0),
1663 			BPF_EXIT_INSN(),
1664 		},
1665 		.result = ACCEPT,
1666 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1667 	},
1668 	{
1669 		"overlapping checks for direct packet access SK_SKB",
1670 		.insns = {
1671 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1672 				    offsetof(struct __sk_buff, data)),
1673 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1674 				    offsetof(struct __sk_buff, data_end)),
1675 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1676 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1677 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1678 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1679 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1680 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1681 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1682 			BPF_MOV64_IMM(BPF_REG_0, 0),
1683 			BPF_EXIT_INSN(),
1684 		},
1685 		.result = ACCEPT,
1686 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1687 	},
1688 	{
1689 		"valid access family in SK_MSG",
1690 		.insns = {
1691 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1692 				    offsetof(struct sk_msg_md, family)),
1693 			BPF_EXIT_INSN(),
1694 		},
1695 		.result = ACCEPT,
1696 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1697 	},
1698 	{
1699 		"valid access remote_ip4 in SK_MSG",
1700 		.insns = {
1701 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1702 				    offsetof(struct sk_msg_md, remote_ip4)),
1703 			BPF_EXIT_INSN(),
1704 		},
1705 		.result = ACCEPT,
1706 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1707 	},
1708 	{
1709 		"valid access local_ip4 in SK_MSG",
1710 		.insns = {
1711 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1712 				    offsetof(struct sk_msg_md, local_ip4)),
1713 			BPF_EXIT_INSN(),
1714 		},
1715 		.result = ACCEPT,
1716 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1717 	},
1718 	{
1719 		"valid access remote_port in SK_MSG",
1720 		.insns = {
1721 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1722 				    offsetof(struct sk_msg_md, remote_port)),
1723 			BPF_EXIT_INSN(),
1724 		},
1725 		.result = ACCEPT,
1726 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1727 	},
1728 	{
1729 		"valid access local_port in SK_MSG",
1730 		.insns = {
1731 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1732 				    offsetof(struct sk_msg_md, local_port)),
1733 			BPF_EXIT_INSN(),
1734 		},
1735 		.result = ACCEPT,
1736 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1737 	},
1738 	{
1739 		"valid access remote_ip6 in SK_MSG",
1740 		.insns = {
1741 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1742 				    offsetof(struct sk_msg_md, remote_ip6[0])),
1743 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1744 				    offsetof(struct sk_msg_md, remote_ip6[1])),
1745 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746 				    offsetof(struct sk_msg_md, remote_ip6[2])),
1747 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1748 				    offsetof(struct sk_msg_md, remote_ip6[3])),
1749 			BPF_EXIT_INSN(),
1750 		},
1751 		.result = ACCEPT,
1752 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1753 	},
1754 	{
1755 		"valid access local_ip6 in SK_MSG",
1756 		.insns = {
1757 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1758 				    offsetof(struct sk_msg_md, local_ip6[0])),
1759 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1760 				    offsetof(struct sk_msg_md, local_ip6[1])),
1761 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1762 				    offsetof(struct sk_msg_md, local_ip6[2])),
1763 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1764 				    offsetof(struct sk_msg_md, local_ip6[3])),
1765 			BPF_EXIT_INSN(),
1766 		},
1767 		.result = ACCEPT,
1768 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1769 	},
1770 	{
1771 		"invalid 64B read of family in SK_MSG",
1772 		.insns = {
1773 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1774 				    offsetof(struct sk_msg_md, family)),
1775 			BPF_EXIT_INSN(),
1776 		},
1777 		.errstr = "invalid bpf_context access",
1778 		.result = REJECT,
1779 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1780 	},
1781 	{
1782 		"invalid read past end of SK_MSG",
1783 		.insns = {
1784 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1785 				    offsetof(struct sk_msg_md, local_port) + 4),
1786 			BPF_EXIT_INSN(),
1787 		},
1788 		.errstr = "R0 !read_ok",
1789 		.result = REJECT,
1790 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1791 	},
1792 	{
1793 		"invalid read offset in SK_MSG",
1794 		.insns = {
1795 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1796 				    offsetof(struct sk_msg_md, family) + 1),
1797 			BPF_EXIT_INSN(),
1798 		},
1799 		.errstr = "invalid bpf_context access",
1800 		.result = REJECT,
1801 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1802 	},
1803 	{
1804 		"direct packet read for SK_MSG",
1805 		.insns = {
1806 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1807 				    offsetof(struct sk_msg_md, data)),
1808 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1809 				    offsetof(struct sk_msg_md, data_end)),
1810 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1811 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1812 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1813 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1814 			BPF_MOV64_IMM(BPF_REG_0, 0),
1815 			BPF_EXIT_INSN(),
1816 		},
1817 		.result = ACCEPT,
1818 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1819 	},
1820 	{
1821 		"direct packet write for SK_MSG",
1822 		.insns = {
1823 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1824 				    offsetof(struct sk_msg_md, data)),
1825 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1826 				    offsetof(struct sk_msg_md, data_end)),
1827 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1828 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1829 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1830 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1831 			BPF_MOV64_IMM(BPF_REG_0, 0),
1832 			BPF_EXIT_INSN(),
1833 		},
1834 		.result = ACCEPT,
1835 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1836 	},
1837 	{
1838 		"overlapping checks for direct packet access SK_MSG",
1839 		.insns = {
1840 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1841 				    offsetof(struct sk_msg_md, data)),
1842 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1843 				    offsetof(struct sk_msg_md, data_end)),
1844 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1845 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1846 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1847 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1848 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1849 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1850 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1851 			BPF_MOV64_IMM(BPF_REG_0, 0),
1852 			BPF_EXIT_INSN(),
1853 		},
1854 		.result = ACCEPT,
1855 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1856 	},
1857 	{
1858 		"check skb->mark is not writeable by sockets",
1859 		.insns = {
1860 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1861 				    offsetof(struct __sk_buff, mark)),
1862 			BPF_EXIT_INSN(),
1863 		},
1864 		.errstr = "invalid bpf_context access",
1865 		.errstr_unpriv = "R1 leaks addr",
1866 		.result = REJECT,
1867 	},
1868 	{
1869 		"check skb->tc_index is not writeable by sockets",
1870 		.insns = {
1871 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1872 				    offsetof(struct __sk_buff, tc_index)),
1873 			BPF_EXIT_INSN(),
1874 		},
1875 		.errstr = "invalid bpf_context access",
1876 		.errstr_unpriv = "R1 leaks addr",
1877 		.result = REJECT,
1878 	},
1879 	{
1880 		"check cb access: byte",
1881 		.insns = {
1882 			BPF_MOV64_IMM(BPF_REG_0, 0),
1883 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1884 				    offsetof(struct __sk_buff, cb[0])),
1885 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1886 				    offsetof(struct __sk_buff, cb[0]) + 1),
1887 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1888 				    offsetof(struct __sk_buff, cb[0]) + 2),
1889 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1890 				    offsetof(struct __sk_buff, cb[0]) + 3),
1891 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1892 				    offsetof(struct __sk_buff, cb[1])),
1893 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1894 				    offsetof(struct __sk_buff, cb[1]) + 1),
1895 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1896 				    offsetof(struct __sk_buff, cb[1]) + 2),
1897 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1898 				    offsetof(struct __sk_buff, cb[1]) + 3),
1899 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1900 				    offsetof(struct __sk_buff, cb[2])),
1901 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1902 				    offsetof(struct __sk_buff, cb[2]) + 1),
1903 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1904 				    offsetof(struct __sk_buff, cb[2]) + 2),
1905 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1906 				    offsetof(struct __sk_buff, cb[2]) + 3),
1907 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1908 				    offsetof(struct __sk_buff, cb[3])),
1909 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1910 				    offsetof(struct __sk_buff, cb[3]) + 1),
1911 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1912 				    offsetof(struct __sk_buff, cb[3]) + 2),
1913 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1914 				    offsetof(struct __sk_buff, cb[3]) + 3),
1915 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1916 				    offsetof(struct __sk_buff, cb[4])),
1917 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1918 				    offsetof(struct __sk_buff, cb[4]) + 1),
1919 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1920 				    offsetof(struct __sk_buff, cb[4]) + 2),
1921 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1922 				    offsetof(struct __sk_buff, cb[4]) + 3),
1923 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1924 				    offsetof(struct __sk_buff, cb[0])),
1925 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1926 				    offsetof(struct __sk_buff, cb[0]) + 1),
1927 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1928 				    offsetof(struct __sk_buff, cb[0]) + 2),
1929 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1930 				    offsetof(struct __sk_buff, cb[0]) + 3),
1931 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1932 				    offsetof(struct __sk_buff, cb[1])),
1933 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1934 				    offsetof(struct __sk_buff, cb[1]) + 1),
1935 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1936 				    offsetof(struct __sk_buff, cb[1]) + 2),
1937 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1938 				    offsetof(struct __sk_buff, cb[1]) + 3),
1939 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1940 				    offsetof(struct __sk_buff, cb[2])),
1941 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1942 				    offsetof(struct __sk_buff, cb[2]) + 1),
1943 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1944 				    offsetof(struct __sk_buff, cb[2]) + 2),
1945 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1946 				    offsetof(struct __sk_buff, cb[2]) + 3),
1947 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1948 				    offsetof(struct __sk_buff, cb[3])),
1949 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1950 				    offsetof(struct __sk_buff, cb[3]) + 1),
1951 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1952 				    offsetof(struct __sk_buff, cb[3]) + 2),
1953 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1954 				    offsetof(struct __sk_buff, cb[3]) + 3),
1955 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1956 				    offsetof(struct __sk_buff, cb[4])),
1957 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1958 				    offsetof(struct __sk_buff, cb[4]) + 1),
1959 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1960 				    offsetof(struct __sk_buff, cb[4]) + 2),
1961 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1962 				    offsetof(struct __sk_buff, cb[4]) + 3),
1963 			BPF_EXIT_INSN(),
1964 		},
1965 		.result = ACCEPT,
1966 	},
1967 	{
1968 		"__sk_buff->hash, offset 0, byte store not permitted",
1969 		.insns = {
1970 			BPF_MOV64_IMM(BPF_REG_0, 0),
1971 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1972 				    offsetof(struct __sk_buff, hash)),
1973 			BPF_EXIT_INSN(),
1974 		},
1975 		.errstr = "invalid bpf_context access",
1976 		.result = REJECT,
1977 	},
1978 	{
1979 		"__sk_buff->tc_index, offset 3, byte store not permitted",
1980 		.insns = {
1981 			BPF_MOV64_IMM(BPF_REG_0, 0),
1982 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1983 				    offsetof(struct __sk_buff, tc_index) + 3),
1984 			BPF_EXIT_INSN(),
1985 		},
1986 		.errstr = "invalid bpf_context access",
1987 		.result = REJECT,
1988 	},
1989 	{
1990 		"check skb->hash byte load permitted",
1991 		.insns = {
1992 			BPF_MOV64_IMM(BPF_REG_0, 0),
1993 #if __BYTE_ORDER == __LITTLE_ENDIAN
1994 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1995 				    offsetof(struct __sk_buff, hash)),
1996 #else
1997 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1998 				    offsetof(struct __sk_buff, hash) + 3),
1999 #endif
2000 			BPF_EXIT_INSN(),
2001 		},
2002 		.result = ACCEPT,
2003 	},
2004 	{
2005 		"check skb->hash byte load not permitted 1",
2006 		.insns = {
2007 			BPF_MOV64_IMM(BPF_REG_0, 0),
2008 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2009 				    offsetof(struct __sk_buff, hash) + 1),
2010 			BPF_EXIT_INSN(),
2011 		},
2012 		.errstr = "invalid bpf_context access",
2013 		.result = REJECT,
2014 	},
2015 	{
2016 		"check skb->hash byte load not permitted 2",
2017 		.insns = {
2018 			BPF_MOV64_IMM(BPF_REG_0, 0),
2019 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2020 				    offsetof(struct __sk_buff, hash) + 2),
2021 			BPF_EXIT_INSN(),
2022 		},
2023 		.errstr = "invalid bpf_context access",
2024 		.result = REJECT,
2025 	},
2026 	{
2027 		"check skb->hash byte load not permitted 3",
2028 		.insns = {
2029 			BPF_MOV64_IMM(BPF_REG_0, 0),
2030 #if __BYTE_ORDER == __LITTLE_ENDIAN
2031 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2032 				    offsetof(struct __sk_buff, hash) + 3),
2033 #else
2034 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2035 				    offsetof(struct __sk_buff, hash)),
2036 #endif
2037 			BPF_EXIT_INSN(),
2038 		},
2039 		.errstr = "invalid bpf_context access",
2040 		.result = REJECT,
2041 	},
2042 	{
2043 		"check cb access: byte, wrong type",
2044 		.insns = {
2045 			BPF_MOV64_IMM(BPF_REG_0, 0),
2046 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2047 				    offsetof(struct __sk_buff, cb[0])),
2048 			BPF_EXIT_INSN(),
2049 		},
2050 		.errstr = "invalid bpf_context access",
2051 		.result = REJECT,
2052 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2053 	},
2054 	{
2055 		"check cb access: half",
2056 		.insns = {
2057 			BPF_MOV64_IMM(BPF_REG_0, 0),
2058 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2059 				    offsetof(struct __sk_buff, cb[0])),
2060 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2061 				    offsetof(struct __sk_buff, cb[0]) + 2),
2062 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2063 				    offsetof(struct __sk_buff, cb[1])),
2064 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2065 				    offsetof(struct __sk_buff, cb[1]) + 2),
2066 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2067 				    offsetof(struct __sk_buff, cb[2])),
2068 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2069 				    offsetof(struct __sk_buff, cb[2]) + 2),
2070 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2071 				    offsetof(struct __sk_buff, cb[3])),
2072 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2073 				    offsetof(struct __sk_buff, cb[3]) + 2),
2074 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2075 				    offsetof(struct __sk_buff, cb[4])),
2076 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2077 				    offsetof(struct __sk_buff, cb[4]) + 2),
2078 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2079 				    offsetof(struct __sk_buff, cb[0])),
2080 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2081 				    offsetof(struct __sk_buff, cb[0]) + 2),
2082 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2083 				    offsetof(struct __sk_buff, cb[1])),
2084 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2085 				    offsetof(struct __sk_buff, cb[1]) + 2),
2086 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2087 				    offsetof(struct __sk_buff, cb[2])),
2088 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2089 				    offsetof(struct __sk_buff, cb[2]) + 2),
2090 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2091 				    offsetof(struct __sk_buff, cb[3])),
2092 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2093 				    offsetof(struct __sk_buff, cb[3]) + 2),
2094 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2095 				    offsetof(struct __sk_buff, cb[4])),
2096 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2097 				    offsetof(struct __sk_buff, cb[4]) + 2),
2098 			BPF_EXIT_INSN(),
2099 		},
2100 		.result = ACCEPT,
2101 	},
2102 	{
2103 		"check cb access: half, unaligned",
2104 		.insns = {
2105 			BPF_MOV64_IMM(BPF_REG_0, 0),
2106 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2107 				    offsetof(struct __sk_buff, cb[0]) + 1),
2108 			BPF_EXIT_INSN(),
2109 		},
2110 		.errstr = "misaligned context access",
2111 		.result = REJECT,
2112 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2113 	},
2114 	{
2115 		"check __sk_buff->hash, offset 0, half store not permitted",
2116 		.insns = {
2117 			BPF_MOV64_IMM(BPF_REG_0, 0),
2118 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2119 				    offsetof(struct __sk_buff, hash)),
2120 			BPF_EXIT_INSN(),
2121 		},
2122 		.errstr = "invalid bpf_context access",
2123 		.result = REJECT,
2124 	},
2125 	{
2126 		"check __sk_buff->tc_index, offset 2, half store not permitted",
2127 		.insns = {
2128 			BPF_MOV64_IMM(BPF_REG_0, 0),
2129 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2130 				    offsetof(struct __sk_buff, tc_index) + 2),
2131 			BPF_EXIT_INSN(),
2132 		},
2133 		.errstr = "invalid bpf_context access",
2134 		.result = REJECT,
2135 	},
2136 	{
2137 		"check skb->hash half load permitted",
2138 		.insns = {
2139 			BPF_MOV64_IMM(BPF_REG_0, 0),
2140 #if __BYTE_ORDER == __LITTLE_ENDIAN
2141 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2142 				    offsetof(struct __sk_buff, hash)),
2143 #else
2144 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2145 				    offsetof(struct __sk_buff, hash) + 2),
2146 #endif
2147 			BPF_EXIT_INSN(),
2148 		},
2149 		.result = ACCEPT,
2150 	},
2151 	{
2152 		"check skb->hash half load not permitted",
2153 		.insns = {
2154 			BPF_MOV64_IMM(BPF_REG_0, 0),
2155 #if __BYTE_ORDER == __LITTLE_ENDIAN
2156 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2157 				    offsetof(struct __sk_buff, hash) + 2),
2158 #else
2159 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2160 				    offsetof(struct __sk_buff, hash)),
2161 #endif
2162 			BPF_EXIT_INSN(),
2163 		},
2164 		.errstr = "invalid bpf_context access",
2165 		.result = REJECT,
2166 	},
2167 	{
2168 		"check cb access: half, wrong type",
2169 		.insns = {
2170 			BPF_MOV64_IMM(BPF_REG_0, 0),
2171 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2172 				    offsetof(struct __sk_buff, cb[0])),
2173 			BPF_EXIT_INSN(),
2174 		},
2175 		.errstr = "invalid bpf_context access",
2176 		.result = REJECT,
2177 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2178 	},
2179 	{
2180 		"check cb access: word",
2181 		.insns = {
2182 			BPF_MOV64_IMM(BPF_REG_0, 0),
2183 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2184 				    offsetof(struct __sk_buff, cb[0])),
2185 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2186 				    offsetof(struct __sk_buff, cb[1])),
2187 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2188 				    offsetof(struct __sk_buff, cb[2])),
2189 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2190 				    offsetof(struct __sk_buff, cb[3])),
2191 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2192 				    offsetof(struct __sk_buff, cb[4])),
2193 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2194 				    offsetof(struct __sk_buff, cb[0])),
2195 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2196 				    offsetof(struct __sk_buff, cb[1])),
2197 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2198 				    offsetof(struct __sk_buff, cb[2])),
2199 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2200 				    offsetof(struct __sk_buff, cb[3])),
2201 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2202 				    offsetof(struct __sk_buff, cb[4])),
2203 			BPF_EXIT_INSN(),
2204 		},
2205 		.result = ACCEPT,
2206 	},
2207 	{
2208 		"check cb access: word, unaligned 1",
2209 		.insns = {
2210 			BPF_MOV64_IMM(BPF_REG_0, 0),
2211 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2212 				    offsetof(struct __sk_buff, cb[0]) + 2),
2213 			BPF_EXIT_INSN(),
2214 		},
2215 		.errstr = "misaligned context access",
2216 		.result = REJECT,
2217 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2218 	},
2219 	{
2220 		"check cb access: word, unaligned 2",
2221 		.insns = {
2222 			BPF_MOV64_IMM(BPF_REG_0, 0),
2223 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2224 				    offsetof(struct __sk_buff, cb[4]) + 1),
2225 			BPF_EXIT_INSN(),
2226 		},
2227 		.errstr = "misaligned context access",
2228 		.result = REJECT,
2229 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2230 	},
2231 	{
2232 		"check cb access: word, unaligned 3",
2233 		.insns = {
2234 			BPF_MOV64_IMM(BPF_REG_0, 0),
2235 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2236 				    offsetof(struct __sk_buff, cb[4]) + 2),
2237 			BPF_EXIT_INSN(),
2238 		},
2239 		.errstr = "misaligned context access",
2240 		.result = REJECT,
2241 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2242 	},
2243 	{
2244 		"check cb access: word, unaligned 4",
2245 		.insns = {
2246 			BPF_MOV64_IMM(BPF_REG_0, 0),
2247 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2248 				    offsetof(struct __sk_buff, cb[4]) + 3),
2249 			BPF_EXIT_INSN(),
2250 		},
2251 		.errstr = "misaligned context access",
2252 		.result = REJECT,
2253 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2254 	},
2255 	{
2256 		"check cb access: double",
2257 		.insns = {
2258 			BPF_MOV64_IMM(BPF_REG_0, 0),
2259 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2260 				    offsetof(struct __sk_buff, cb[0])),
2261 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2262 				    offsetof(struct __sk_buff, cb[2])),
2263 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2264 				    offsetof(struct __sk_buff, cb[0])),
2265 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2266 				    offsetof(struct __sk_buff, cb[2])),
2267 			BPF_EXIT_INSN(),
2268 		},
2269 		.result = ACCEPT,
2270 	},
2271 	{
2272 		"check cb access: double, unaligned 1",
2273 		.insns = {
2274 			BPF_MOV64_IMM(BPF_REG_0, 0),
2275 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2276 				    offsetof(struct __sk_buff, cb[1])),
2277 			BPF_EXIT_INSN(),
2278 		},
2279 		.errstr = "misaligned context access",
2280 		.result = REJECT,
2281 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2282 	},
2283 	{
2284 		"check cb access: double, unaligned 2",
2285 		.insns = {
2286 			BPF_MOV64_IMM(BPF_REG_0, 0),
2287 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2288 				    offsetof(struct __sk_buff, cb[3])),
2289 			BPF_EXIT_INSN(),
2290 		},
2291 		.errstr = "misaligned context access",
2292 		.result = REJECT,
2293 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2294 	},
2295 	{
2296 		"check cb access: double, oob 1",
2297 		.insns = {
2298 			BPF_MOV64_IMM(BPF_REG_0, 0),
2299 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2300 				    offsetof(struct __sk_buff, cb[4])),
2301 			BPF_EXIT_INSN(),
2302 		},
2303 		.errstr = "invalid bpf_context access",
2304 		.result = REJECT,
2305 	},
2306 	{
2307 		"check cb access: double, oob 2",
2308 		.insns = {
2309 			BPF_MOV64_IMM(BPF_REG_0, 0),
2310 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2311 				    offsetof(struct __sk_buff, cb[4])),
2312 			BPF_EXIT_INSN(),
2313 		},
2314 		.errstr = "invalid bpf_context access",
2315 		.result = REJECT,
2316 	},
2317 	{
2318 		"check __sk_buff->ifindex dw store not permitted",
2319 		.insns = {
2320 			BPF_MOV64_IMM(BPF_REG_0, 0),
2321 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2322 				    offsetof(struct __sk_buff, ifindex)),
2323 			BPF_EXIT_INSN(),
2324 		},
2325 		.errstr = "invalid bpf_context access",
2326 		.result = REJECT,
2327 	},
2328 	{
2329 		"check __sk_buff->ifindex dw load not permitted",
2330 		.insns = {
2331 			BPF_MOV64_IMM(BPF_REG_0, 0),
2332 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2333 				    offsetof(struct __sk_buff, ifindex)),
2334 			BPF_EXIT_INSN(),
2335 		},
2336 		.errstr = "invalid bpf_context access",
2337 		.result = REJECT,
2338 	},
2339 	{
2340 		"check cb access: double, wrong type",
2341 		.insns = {
2342 			BPF_MOV64_IMM(BPF_REG_0, 0),
2343 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2344 				    offsetof(struct __sk_buff, cb[0])),
2345 			BPF_EXIT_INSN(),
2346 		},
2347 		.errstr = "invalid bpf_context access",
2348 		.result = REJECT,
2349 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2350 	},
2351 	{
2352 		"check out of range skb->cb access",
2353 		.insns = {
2354 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2355 				    offsetof(struct __sk_buff, cb[0]) + 256),
2356 			BPF_EXIT_INSN(),
2357 		},
2358 		.errstr = "invalid bpf_context access",
2359 		.errstr_unpriv = "",
2360 		.result = REJECT,
2361 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
2362 	},
2363 	{
2364 		"write skb fields from socket prog",
2365 		.insns = {
2366 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2367 				    offsetof(struct __sk_buff, cb[4])),
2368 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2369 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2370 				    offsetof(struct __sk_buff, mark)),
2371 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2372 				    offsetof(struct __sk_buff, tc_index)),
2373 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2374 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2375 				    offsetof(struct __sk_buff, cb[0])),
2376 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2377 				    offsetof(struct __sk_buff, cb[2])),
2378 			BPF_EXIT_INSN(),
2379 		},
2380 		.result = ACCEPT,
2381 		.errstr_unpriv = "R1 leaks addr",
2382 		.result_unpriv = REJECT,
2383 	},
2384 	{
2385 		"write skb fields from tc_cls_act prog",
2386 		.insns = {
2387 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2388 				    offsetof(struct __sk_buff, cb[0])),
2389 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2390 				    offsetof(struct __sk_buff, mark)),
2391 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2392 				    offsetof(struct __sk_buff, tc_index)),
2393 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2394 				    offsetof(struct __sk_buff, tc_index)),
2395 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2396 				    offsetof(struct __sk_buff, cb[3])),
2397 			BPF_EXIT_INSN(),
2398 		},
2399 		.errstr_unpriv = "",
2400 		.result_unpriv = REJECT,
2401 		.result = ACCEPT,
2402 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2403 	},
2404 	{
2405 		"PTR_TO_STACK store/load",
2406 		.insns = {
2407 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2408 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2409 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2410 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2411 			BPF_EXIT_INSN(),
2412 		},
2413 		.result = ACCEPT,
2414 		.retval = 0xfaceb00c,
2415 	},
2416 	{
2417 		"PTR_TO_STACK store/load - bad alignment on off",
2418 		.insns = {
2419 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2420 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2421 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2422 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2423 			BPF_EXIT_INSN(),
2424 		},
2425 		.result = REJECT,
2426 		.errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2427 	},
2428 	{
2429 		"PTR_TO_STACK store/load - bad alignment on reg",
2430 		.insns = {
2431 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2432 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2433 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2434 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2435 			BPF_EXIT_INSN(),
2436 		},
2437 		.result = REJECT,
2438 		.errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2439 	},
2440 	{
2441 		"PTR_TO_STACK store/load - out of bounds low",
2442 		.insns = {
2443 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2444 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2445 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2446 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2447 			BPF_EXIT_INSN(),
2448 		},
2449 		.result = REJECT,
2450 		.errstr = "invalid stack off=-79992 size=8",
2451 	},
2452 	{
2453 		"PTR_TO_STACK store/load - out of bounds high",
2454 		.insns = {
2455 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2456 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2457 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2458 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2459 			BPF_EXIT_INSN(),
2460 		},
2461 		.result = REJECT,
2462 		.errstr = "invalid stack off=0 size=8",
2463 	},
2464 	{
2465 		"unpriv: return pointer",
2466 		.insns = {
2467 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2468 			BPF_EXIT_INSN(),
2469 		},
2470 		.result = ACCEPT,
2471 		.result_unpriv = REJECT,
2472 		.errstr_unpriv = "R0 leaks addr",
2473 		.retval = POINTER_VALUE,
2474 	},
2475 	{
2476 		"unpriv: add const to pointer",
2477 		.insns = {
2478 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2479 			BPF_MOV64_IMM(BPF_REG_0, 0),
2480 			BPF_EXIT_INSN(),
2481 		},
2482 		.result = ACCEPT,
2483 	},
2484 	{
2485 		"unpriv: add pointer to pointer",
2486 		.insns = {
2487 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2488 			BPF_MOV64_IMM(BPF_REG_0, 0),
2489 			BPF_EXIT_INSN(),
2490 		},
2491 		.result = REJECT,
2492 		.errstr = "R1 pointer += pointer",
2493 	},
2494 	{
2495 		"unpriv: neg pointer",
2496 		.insns = {
2497 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2498 			BPF_MOV64_IMM(BPF_REG_0, 0),
2499 			BPF_EXIT_INSN(),
2500 		},
2501 		.result = ACCEPT,
2502 		.result_unpriv = REJECT,
2503 		.errstr_unpriv = "R1 pointer arithmetic",
2504 	},
2505 	{
2506 		"unpriv: cmp pointer with const",
2507 		.insns = {
2508 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2509 			BPF_MOV64_IMM(BPF_REG_0, 0),
2510 			BPF_EXIT_INSN(),
2511 		},
2512 		.result = ACCEPT,
2513 		.result_unpriv = REJECT,
2514 		.errstr_unpriv = "R1 pointer comparison",
2515 	},
2516 	{
2517 		"unpriv: cmp pointer with pointer",
2518 		.insns = {
2519 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2520 			BPF_MOV64_IMM(BPF_REG_0, 0),
2521 			BPF_EXIT_INSN(),
2522 		},
2523 		.result = ACCEPT,
2524 		.result_unpriv = REJECT,
2525 		.errstr_unpriv = "R10 pointer comparison",
2526 	},
2527 	{
2528 		"unpriv: check that printk is disallowed",
2529 		.insns = {
2530 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2531 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2532 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2533 			BPF_MOV64_IMM(BPF_REG_2, 8),
2534 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2535 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2536 				     BPF_FUNC_trace_printk),
2537 			BPF_MOV64_IMM(BPF_REG_0, 0),
2538 			BPF_EXIT_INSN(),
2539 		},
2540 		.errstr_unpriv = "unknown func bpf_trace_printk#6",
2541 		.result_unpriv = REJECT,
2542 		.result = ACCEPT,
2543 	},
2544 	{
2545 		"unpriv: pass pointer to helper function",
2546 		.insns = {
2547 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2548 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2549 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2550 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2551 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2552 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2553 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2554 				     BPF_FUNC_map_update_elem),
2555 			BPF_MOV64_IMM(BPF_REG_0, 0),
2556 			BPF_EXIT_INSN(),
2557 		},
2558 		.fixup_map1 = { 3 },
2559 		.errstr_unpriv = "R4 leaks addr",
2560 		.result_unpriv = REJECT,
2561 		.result = ACCEPT,
2562 	},
2563 	{
2564 		"unpriv: indirectly pass pointer on stack to helper function",
2565 		.insns = {
2566 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2567 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2568 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2569 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2570 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2571 				     BPF_FUNC_map_lookup_elem),
2572 			BPF_MOV64_IMM(BPF_REG_0, 0),
2573 			BPF_EXIT_INSN(),
2574 		},
2575 		.fixup_map1 = { 3 },
2576 		.errstr = "invalid indirect read from stack off -8+0 size 8",
2577 		.result = REJECT,
2578 	},
2579 	{
2580 		"unpriv: mangle pointer on stack 1",
2581 		.insns = {
2582 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2583 			BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2584 			BPF_MOV64_IMM(BPF_REG_0, 0),
2585 			BPF_EXIT_INSN(),
2586 		},
2587 		.errstr_unpriv = "attempt to corrupt spilled",
2588 		.result_unpriv = REJECT,
2589 		.result = ACCEPT,
2590 	},
2591 	{
2592 		"unpriv: mangle pointer on stack 2",
2593 		.insns = {
2594 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2595 			BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2596 			BPF_MOV64_IMM(BPF_REG_0, 0),
2597 			BPF_EXIT_INSN(),
2598 		},
2599 		.errstr_unpriv = "attempt to corrupt spilled",
2600 		.result_unpriv = REJECT,
2601 		.result = ACCEPT,
2602 	},
2603 	{
2604 		"unpriv: read pointer from stack in small chunks",
2605 		.insns = {
2606 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2607 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2608 			BPF_MOV64_IMM(BPF_REG_0, 0),
2609 			BPF_EXIT_INSN(),
2610 		},
2611 		.errstr = "invalid size",
2612 		.result = REJECT,
2613 	},
2614 	{
2615 		"unpriv: write pointer into ctx",
2616 		.insns = {
2617 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2618 			BPF_MOV64_IMM(BPF_REG_0, 0),
2619 			BPF_EXIT_INSN(),
2620 		},
2621 		.errstr_unpriv = "R1 leaks addr",
2622 		.result_unpriv = REJECT,
2623 		.errstr = "invalid bpf_context access",
2624 		.result = REJECT,
2625 	},
2626 	{
2627 		"unpriv: spill/fill of ctx",
2628 		.insns = {
2629 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2630 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2631 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2632 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2633 			BPF_MOV64_IMM(BPF_REG_0, 0),
2634 			BPF_EXIT_INSN(),
2635 		},
2636 		.result = ACCEPT,
2637 	},
2638 	{
2639 		"unpriv: spill/fill of ctx 2",
2640 		.insns = {
2641 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2642 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2643 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2644 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2645 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2646 				     BPF_FUNC_get_hash_recalc),
2647 			BPF_MOV64_IMM(BPF_REG_0, 0),
2648 			BPF_EXIT_INSN(),
2649 		},
2650 		.result = ACCEPT,
2651 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2652 	},
2653 	{
2654 		"unpriv: spill/fill of ctx 3",
2655 		.insns = {
2656 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2657 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2658 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2659 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2660 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2661 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2662 				     BPF_FUNC_get_hash_recalc),
2663 			BPF_EXIT_INSN(),
2664 		},
2665 		.result = REJECT,
2666 		.errstr = "R1 type=fp expected=ctx",
2667 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2668 	},
2669 	{
2670 		"unpriv: spill/fill of ctx 4",
2671 		.insns = {
2672 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2673 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2674 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2675 			BPF_MOV64_IMM(BPF_REG_0, 1),
2676 			BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2677 				     BPF_REG_0, -8, 0),
2678 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2679 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2680 				     BPF_FUNC_get_hash_recalc),
2681 			BPF_EXIT_INSN(),
2682 		},
2683 		.result = REJECT,
2684 		.errstr = "R1 type=inv expected=ctx",
2685 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2686 	},
2687 	{
2688 		"unpriv: spill/fill of different pointers stx",
2689 		.insns = {
2690 			BPF_MOV64_IMM(BPF_REG_3, 42),
2691 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2692 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2693 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2694 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2695 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2696 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2697 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2698 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2699 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2700 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2701 				    offsetof(struct __sk_buff, mark)),
2702 			BPF_MOV64_IMM(BPF_REG_0, 0),
2703 			BPF_EXIT_INSN(),
2704 		},
2705 		.result = REJECT,
2706 		.errstr = "same insn cannot be used with different pointers",
2707 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2708 	},
2709 	{
2710 		"unpriv: spill/fill of different pointers ldx",
2711 		.insns = {
2712 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2713 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2714 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2715 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2716 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2717 				      -(__s32)offsetof(struct bpf_perf_event_data,
2718 						       sample_period) - 8),
2719 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2720 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2721 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2722 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2723 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2724 				    offsetof(struct bpf_perf_event_data,
2725 					     sample_period)),
2726 			BPF_MOV64_IMM(BPF_REG_0, 0),
2727 			BPF_EXIT_INSN(),
2728 		},
2729 		.result = REJECT,
2730 		.errstr = "same insn cannot be used with different pointers",
2731 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
2732 	},
2733 	{
2734 		"unpriv: write pointer into map elem value",
2735 		.insns = {
2736 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2737 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2738 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2739 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2740 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2741 				     BPF_FUNC_map_lookup_elem),
2742 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2743 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2744 			BPF_EXIT_INSN(),
2745 		},
2746 		.fixup_map1 = { 3 },
2747 		.errstr_unpriv = "R0 leaks addr",
2748 		.result_unpriv = REJECT,
2749 		.result = ACCEPT,
2750 	},
2751 	{
2752 		"unpriv: partial copy of pointer",
2753 		.insns = {
2754 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2755 			BPF_MOV64_IMM(BPF_REG_0, 0),
2756 			BPF_EXIT_INSN(),
2757 		},
2758 		.errstr_unpriv = "R10 partial copy",
2759 		.result_unpriv = REJECT,
2760 		.result = ACCEPT,
2761 	},
2762 	{
2763 		"unpriv: pass pointer to tail_call",
2764 		.insns = {
2765 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2766 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2767 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2768 				     BPF_FUNC_tail_call),
2769 			BPF_MOV64_IMM(BPF_REG_0, 0),
2770 			BPF_EXIT_INSN(),
2771 		},
2772 		.fixup_prog1 = { 1 },
2773 		.errstr_unpriv = "R3 leaks addr into helper",
2774 		.result_unpriv = REJECT,
2775 		.result = ACCEPT,
2776 	},
2777 	{
2778 		"unpriv: cmp map pointer with zero",
2779 		.insns = {
2780 			BPF_MOV64_IMM(BPF_REG_1, 0),
2781 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2782 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2783 			BPF_MOV64_IMM(BPF_REG_0, 0),
2784 			BPF_EXIT_INSN(),
2785 		},
2786 		.fixup_map1 = { 1 },
2787 		.errstr_unpriv = "R1 pointer comparison",
2788 		.result_unpriv = REJECT,
2789 		.result = ACCEPT,
2790 	},
2791 	{
2792 		"unpriv: write into frame pointer",
2793 		.insns = {
2794 			BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2795 			BPF_MOV64_IMM(BPF_REG_0, 0),
2796 			BPF_EXIT_INSN(),
2797 		},
2798 		.errstr = "frame pointer is read only",
2799 		.result = REJECT,
2800 	},
2801 	{
2802 		"unpriv: spill/fill frame pointer",
2803 		.insns = {
2804 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2805 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2806 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2807 			BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2808 			BPF_MOV64_IMM(BPF_REG_0, 0),
2809 			BPF_EXIT_INSN(),
2810 		},
2811 		.errstr = "frame pointer is read only",
2812 		.result = REJECT,
2813 	},
2814 	{
2815 		"unpriv: cmp of frame pointer",
2816 		.insns = {
2817 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2818 			BPF_MOV64_IMM(BPF_REG_0, 0),
2819 			BPF_EXIT_INSN(),
2820 		},
2821 		.errstr_unpriv = "R10 pointer comparison",
2822 		.result_unpriv = REJECT,
2823 		.result = ACCEPT,
2824 	},
2825 	{
2826 		"unpriv: adding of fp",
2827 		.insns = {
2828 			BPF_MOV64_IMM(BPF_REG_0, 0),
2829 			BPF_MOV64_IMM(BPF_REG_1, 0),
2830 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2831 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2832 			BPF_EXIT_INSN(),
2833 		},
2834 		.result = ACCEPT,
2835 	},
2836 	{
2837 		"unpriv: cmp of stack pointer",
2838 		.insns = {
2839 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2840 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2841 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2842 			BPF_MOV64_IMM(BPF_REG_0, 0),
2843 			BPF_EXIT_INSN(),
2844 		},
2845 		.errstr_unpriv = "R2 pointer comparison",
2846 		.result_unpriv = REJECT,
2847 		.result = ACCEPT,
2848 	},
2849 	{
2850 		"runtime/jit: tail_call within bounds, prog once",
2851 		.insns = {
2852 			BPF_MOV64_IMM(BPF_REG_3, 0),
2853 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2854 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2855 				     BPF_FUNC_tail_call),
2856 			BPF_MOV64_IMM(BPF_REG_0, 1),
2857 			BPF_EXIT_INSN(),
2858 		},
2859 		.fixup_prog1 = { 1 },
2860 		.result = ACCEPT,
2861 		.retval = 42,
2862 	},
2863 	{
2864 		"runtime/jit: tail_call within bounds, prog loop",
2865 		.insns = {
2866 			BPF_MOV64_IMM(BPF_REG_3, 1),
2867 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2868 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2869 				     BPF_FUNC_tail_call),
2870 			BPF_MOV64_IMM(BPF_REG_0, 1),
2871 			BPF_EXIT_INSN(),
2872 		},
2873 		.fixup_prog1 = { 1 },
2874 		.result = ACCEPT,
2875 		.retval = 41,
2876 	},
2877 	{
2878 		"runtime/jit: tail_call within bounds, no prog",
2879 		.insns = {
2880 			BPF_MOV64_IMM(BPF_REG_3, 2),
2881 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2882 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2883 				     BPF_FUNC_tail_call),
2884 			BPF_MOV64_IMM(BPF_REG_0, 1),
2885 			BPF_EXIT_INSN(),
2886 		},
2887 		.fixup_prog1 = { 1 },
2888 		.result = ACCEPT,
2889 		.retval = 1,
2890 	},
2891 	{
2892 		"runtime/jit: tail_call out of bounds",
2893 		.insns = {
2894 			BPF_MOV64_IMM(BPF_REG_3, 256),
2895 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2896 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2897 				     BPF_FUNC_tail_call),
2898 			BPF_MOV64_IMM(BPF_REG_0, 2),
2899 			BPF_EXIT_INSN(),
2900 		},
2901 		.fixup_prog1 = { 1 },
2902 		.result = ACCEPT,
2903 		.retval = 2,
2904 	},
2905 	{
2906 		"runtime/jit: pass negative index to tail_call",
2907 		.insns = {
2908 			BPF_MOV64_IMM(BPF_REG_3, -1),
2909 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2910 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2911 				     BPF_FUNC_tail_call),
2912 			BPF_MOV64_IMM(BPF_REG_0, 2),
2913 			BPF_EXIT_INSN(),
2914 		},
2915 		.fixup_prog1 = { 1 },
2916 		.result = ACCEPT,
2917 		.retval = 2,
2918 	},
2919 	{
2920 		"runtime/jit: pass > 32bit index to tail_call",
2921 		.insns = {
2922 			BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2923 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2924 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2925 				     BPF_FUNC_tail_call),
2926 			BPF_MOV64_IMM(BPF_REG_0, 2),
2927 			BPF_EXIT_INSN(),
2928 		},
2929 		.fixup_prog1 = { 2 },
2930 		.result = ACCEPT,
2931 		.retval = 42,
2932 	},
2933 	{
2934 		"stack pointer arithmetic",
2935 		.insns = {
2936 			BPF_MOV64_IMM(BPF_REG_1, 4),
2937 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2938 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2939 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2940 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2941 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2942 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2943 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2944 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2945 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2946 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2947 			BPF_MOV64_IMM(BPF_REG_0, 0),
2948 			BPF_EXIT_INSN(),
2949 		},
2950 		.result = ACCEPT,
2951 	},
2952 	{
2953 		"raw_stack: no skb_load_bytes",
2954 		.insns = {
2955 			BPF_MOV64_IMM(BPF_REG_2, 4),
2956 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2957 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2958 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2959 			BPF_MOV64_IMM(BPF_REG_4, 8),
2960 			/* Call to skb_load_bytes() omitted. */
2961 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2962 			BPF_EXIT_INSN(),
2963 		},
2964 		.result = REJECT,
2965 		.errstr = "invalid read from stack off -8+0 size 8",
2966 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2967 	},
2968 	{
2969 		"raw_stack: skb_load_bytes, negative len",
2970 		.insns = {
2971 			BPF_MOV64_IMM(BPF_REG_2, 4),
2972 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2973 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2974 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2975 			BPF_MOV64_IMM(BPF_REG_4, -8),
2976 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2977 				     BPF_FUNC_skb_load_bytes),
2978 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2979 			BPF_EXIT_INSN(),
2980 		},
2981 		.result = REJECT,
2982 		.errstr = "R4 min value is negative",
2983 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2984 	},
2985 	{
2986 		"raw_stack: skb_load_bytes, negative len 2",
2987 		.insns = {
2988 			BPF_MOV64_IMM(BPF_REG_2, 4),
2989 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2990 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2991 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2992 			BPF_MOV64_IMM(BPF_REG_4, ~0),
2993 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2994 				     BPF_FUNC_skb_load_bytes),
2995 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2996 			BPF_EXIT_INSN(),
2997 		},
2998 		.result = REJECT,
2999 		.errstr = "R4 min value is negative",
3000 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3001 	},
3002 	{
3003 		"raw_stack: skb_load_bytes, zero len",
3004 		.insns = {
3005 			BPF_MOV64_IMM(BPF_REG_2, 4),
3006 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3007 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3008 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3009 			BPF_MOV64_IMM(BPF_REG_4, 0),
3010 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3011 				     BPF_FUNC_skb_load_bytes),
3012 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3013 			BPF_EXIT_INSN(),
3014 		},
3015 		.result = REJECT,
3016 		.errstr = "invalid stack type R3",
3017 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3018 	},
3019 	{
3020 		"raw_stack: skb_load_bytes, no init",
3021 		.insns = {
3022 			BPF_MOV64_IMM(BPF_REG_2, 4),
3023 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3024 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3025 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3026 			BPF_MOV64_IMM(BPF_REG_4, 8),
3027 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3028 				     BPF_FUNC_skb_load_bytes),
3029 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3030 			BPF_EXIT_INSN(),
3031 		},
3032 		.result = ACCEPT,
3033 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3034 	},
3035 	{
3036 		"raw_stack: skb_load_bytes, init",
3037 		.insns = {
3038 			BPF_MOV64_IMM(BPF_REG_2, 4),
3039 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3040 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3041 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3042 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3043 			BPF_MOV64_IMM(BPF_REG_4, 8),
3044 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3045 				     BPF_FUNC_skb_load_bytes),
3046 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3047 			BPF_EXIT_INSN(),
3048 		},
3049 		.result = ACCEPT,
3050 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3051 	},
3052 	{
3053 		"raw_stack: skb_load_bytes, spilled regs around bounds",
3054 		.insns = {
3055 			BPF_MOV64_IMM(BPF_REG_2, 4),
3056 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3057 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3058 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3059 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3060 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3061 			BPF_MOV64_IMM(BPF_REG_4, 8),
3062 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3063 				     BPF_FUNC_skb_load_bytes),
3064 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3065 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3066 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3067 				    offsetof(struct __sk_buff, mark)),
3068 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3069 				    offsetof(struct __sk_buff, priority)),
3070 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3071 			BPF_EXIT_INSN(),
3072 		},
3073 		.result = ACCEPT,
3074 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3075 	},
3076 	{
3077 		"raw_stack: skb_load_bytes, spilled regs corruption",
3078 		.insns = {
3079 			BPF_MOV64_IMM(BPF_REG_2, 4),
3080 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3081 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3082 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3083 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3084 			BPF_MOV64_IMM(BPF_REG_4, 8),
3085 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3086 				     BPF_FUNC_skb_load_bytes),
3087 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3088 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3089 				    offsetof(struct __sk_buff, mark)),
3090 			BPF_EXIT_INSN(),
3091 		},
3092 		.result = REJECT,
3093 		.errstr = "R0 invalid mem access 'inv'",
3094 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3095 	},
3096 	{
3097 		"raw_stack: skb_load_bytes, spilled regs corruption 2",
3098 		.insns = {
3099 			BPF_MOV64_IMM(BPF_REG_2, 4),
3100 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3101 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3102 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3103 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
3104 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3105 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3106 			BPF_MOV64_IMM(BPF_REG_4, 8),
3107 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3108 				     BPF_FUNC_skb_load_bytes),
3109 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3110 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3111 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
3112 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3113 				    offsetof(struct __sk_buff, mark)),
3114 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3115 				    offsetof(struct __sk_buff, priority)),
3116 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3117 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3118 				    offsetof(struct __sk_buff, pkt_type)),
3119 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3120 			BPF_EXIT_INSN(),
3121 		},
3122 		.result = REJECT,
3123 		.errstr = "R3 invalid mem access 'inv'",
3124 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3125 	},
3126 	{
3127 		"raw_stack: skb_load_bytes, spilled regs + data",
3128 		.insns = {
3129 			BPF_MOV64_IMM(BPF_REG_2, 4),
3130 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3131 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3132 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3133 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
3134 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3135 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3136 			BPF_MOV64_IMM(BPF_REG_4, 8),
3137 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3138 				     BPF_FUNC_skb_load_bytes),
3139 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3140 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3141 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
3142 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3143 				    offsetof(struct __sk_buff, mark)),
3144 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3145 				    offsetof(struct __sk_buff, priority)),
3146 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3147 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3148 			BPF_EXIT_INSN(),
3149 		},
3150 		.result = ACCEPT,
3151 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3152 	},
3153 	{
3154 		"raw_stack: skb_load_bytes, invalid access 1",
3155 		.insns = {
3156 			BPF_MOV64_IMM(BPF_REG_2, 4),
3157 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3158 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3159 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3160 			BPF_MOV64_IMM(BPF_REG_4, 8),
3161 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3162 				     BPF_FUNC_skb_load_bytes),
3163 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3164 			BPF_EXIT_INSN(),
3165 		},
3166 		.result = REJECT,
3167 		.errstr = "invalid stack type R3 off=-513 access_size=8",
3168 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3169 	},
3170 	{
3171 		"raw_stack: skb_load_bytes, invalid access 2",
3172 		.insns = {
3173 			BPF_MOV64_IMM(BPF_REG_2, 4),
3174 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3175 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3176 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3177 			BPF_MOV64_IMM(BPF_REG_4, 8),
3178 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3179 				     BPF_FUNC_skb_load_bytes),
3180 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3181 			BPF_EXIT_INSN(),
3182 		},
3183 		.result = REJECT,
3184 		.errstr = "invalid stack type R3 off=-1 access_size=8",
3185 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3186 	},
3187 	{
3188 		"raw_stack: skb_load_bytes, invalid access 3",
3189 		.insns = {
3190 			BPF_MOV64_IMM(BPF_REG_2, 4),
3191 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3192 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3193 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3194 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3195 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3196 				     BPF_FUNC_skb_load_bytes),
3197 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3198 			BPF_EXIT_INSN(),
3199 		},
3200 		.result = REJECT,
3201 		.errstr = "R4 min value is negative",
3202 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3203 	},
3204 	{
3205 		"raw_stack: skb_load_bytes, invalid access 4",
3206 		.insns = {
3207 			BPF_MOV64_IMM(BPF_REG_2, 4),
3208 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3209 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3210 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3211 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3212 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3213 				     BPF_FUNC_skb_load_bytes),
3214 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3215 			BPF_EXIT_INSN(),
3216 		},
3217 		.result = REJECT,
3218 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3219 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3220 	},
3221 	{
3222 		"raw_stack: skb_load_bytes, invalid access 5",
3223 		.insns = {
3224 			BPF_MOV64_IMM(BPF_REG_2, 4),
3225 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3226 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3227 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3228 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3229 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3230 				     BPF_FUNC_skb_load_bytes),
3231 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3232 			BPF_EXIT_INSN(),
3233 		},
3234 		.result = REJECT,
3235 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3236 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3237 	},
3238 	{
3239 		"raw_stack: skb_load_bytes, invalid access 6",
3240 		.insns = {
3241 			BPF_MOV64_IMM(BPF_REG_2, 4),
3242 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3243 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3244 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3245 			BPF_MOV64_IMM(BPF_REG_4, 0),
3246 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3247 				     BPF_FUNC_skb_load_bytes),
3248 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3249 			BPF_EXIT_INSN(),
3250 		},
3251 		.result = REJECT,
3252 		.errstr = "invalid stack type R3 off=-512 access_size=0",
3253 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3254 	},
3255 	{
3256 		"raw_stack: skb_load_bytes, large access",
3257 		.insns = {
3258 			BPF_MOV64_IMM(BPF_REG_2, 4),
3259 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3260 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3261 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3262 			BPF_MOV64_IMM(BPF_REG_4, 512),
3263 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3264 				     BPF_FUNC_skb_load_bytes),
3265 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3266 			BPF_EXIT_INSN(),
3267 		},
3268 		.result = ACCEPT,
3269 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3270 	},
3271 	{
3272 		"context stores via ST",
3273 		.insns = {
3274 			BPF_MOV64_IMM(BPF_REG_0, 0),
3275 			BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3276 			BPF_EXIT_INSN(),
3277 		},
3278 		.errstr = "BPF_ST stores into R1 context is not allowed",
3279 		.result = REJECT,
3280 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3281 	},
3282 	{
3283 		"context stores via XADD",
3284 		.insns = {
3285 			BPF_MOV64_IMM(BPF_REG_0, 0),
3286 			BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3287 				     BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3288 			BPF_EXIT_INSN(),
3289 		},
3290 		.errstr = "BPF_XADD stores into R1 context is not allowed",
3291 		.result = REJECT,
3292 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3293 	},
3294 	{
3295 		"direct packet access: test1",
3296 		.insns = {
3297 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3298 				    offsetof(struct __sk_buff, data)),
3299 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3300 				    offsetof(struct __sk_buff, data_end)),
3301 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3302 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3303 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3304 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3305 			BPF_MOV64_IMM(BPF_REG_0, 0),
3306 			BPF_EXIT_INSN(),
3307 		},
3308 		.result = ACCEPT,
3309 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3310 	},
3311 	{
3312 		"direct packet access: test2",
3313 		.insns = {
3314 			BPF_MOV64_IMM(BPF_REG_0, 1),
3315 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3316 				    offsetof(struct __sk_buff, data_end)),
3317 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3318 				    offsetof(struct __sk_buff, data)),
3319 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3320 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3321 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3322 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3323 			BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3324 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3325 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3326 				    offsetof(struct __sk_buff, data)),
3327 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3328 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3329 				    offsetof(struct __sk_buff, len)),
3330 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3331 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3332 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3333 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3334 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3335 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3336 				    offsetof(struct __sk_buff, data_end)),
3337 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3338 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3339 			BPF_MOV64_IMM(BPF_REG_0, 0),
3340 			BPF_EXIT_INSN(),
3341 		},
3342 		.result = ACCEPT,
3343 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3344 	},
3345 	{
3346 		"direct packet access: test3",
3347 		.insns = {
3348 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3349 				    offsetof(struct __sk_buff, data)),
3350 			BPF_MOV64_IMM(BPF_REG_0, 0),
3351 			BPF_EXIT_INSN(),
3352 		},
3353 		.errstr = "invalid bpf_context access off=76",
3354 		.result = REJECT,
3355 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3356 	},
3357 	{
3358 		"direct packet access: test4 (write)",
3359 		.insns = {
3360 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3361 				    offsetof(struct __sk_buff, data)),
3362 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3363 				    offsetof(struct __sk_buff, data_end)),
3364 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3365 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3366 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3367 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3368 			BPF_MOV64_IMM(BPF_REG_0, 0),
3369 			BPF_EXIT_INSN(),
3370 		},
3371 		.result = ACCEPT,
3372 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3373 	},
3374 	{
3375 		"direct packet access: test5 (pkt_end >= reg, good access)",
3376 		.insns = {
3377 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3378 				    offsetof(struct __sk_buff, data)),
3379 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3380 				    offsetof(struct __sk_buff, data_end)),
3381 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3382 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3383 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3384 			BPF_MOV64_IMM(BPF_REG_0, 1),
3385 			BPF_EXIT_INSN(),
3386 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3387 			BPF_MOV64_IMM(BPF_REG_0, 0),
3388 			BPF_EXIT_INSN(),
3389 		},
3390 		.result = ACCEPT,
3391 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3392 	},
3393 	{
3394 		"direct packet access: test6 (pkt_end >= reg, bad access)",
3395 		.insns = {
3396 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3397 				    offsetof(struct __sk_buff, data)),
3398 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3399 				    offsetof(struct __sk_buff, data_end)),
3400 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3401 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3402 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3403 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3404 			BPF_MOV64_IMM(BPF_REG_0, 1),
3405 			BPF_EXIT_INSN(),
3406 			BPF_MOV64_IMM(BPF_REG_0, 0),
3407 			BPF_EXIT_INSN(),
3408 		},
3409 		.errstr = "invalid access to packet",
3410 		.result = REJECT,
3411 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3412 	},
3413 	{
3414 		"direct packet access: test7 (pkt_end >= reg, both accesses)",
3415 		.insns = {
3416 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3417 				    offsetof(struct __sk_buff, data)),
3418 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3419 				    offsetof(struct __sk_buff, data_end)),
3420 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3421 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3422 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3423 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3424 			BPF_MOV64_IMM(BPF_REG_0, 1),
3425 			BPF_EXIT_INSN(),
3426 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3427 			BPF_MOV64_IMM(BPF_REG_0, 0),
3428 			BPF_EXIT_INSN(),
3429 		},
3430 		.errstr = "invalid access to packet",
3431 		.result = REJECT,
3432 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3433 	},
3434 	{
3435 		"direct packet access: test8 (double test, variant 1)",
3436 		.insns = {
3437 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3438 				    offsetof(struct __sk_buff, data)),
3439 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3440 				    offsetof(struct __sk_buff, data_end)),
3441 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3442 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3443 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3444 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3445 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3446 			BPF_MOV64_IMM(BPF_REG_0, 1),
3447 			BPF_EXIT_INSN(),
3448 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3449 			BPF_MOV64_IMM(BPF_REG_0, 0),
3450 			BPF_EXIT_INSN(),
3451 		},
3452 		.result = ACCEPT,
3453 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3454 	},
3455 	{
3456 		"direct packet access: test9 (double test, variant 2)",
3457 		.insns = {
3458 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3459 				    offsetof(struct __sk_buff, data)),
3460 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3461 				    offsetof(struct __sk_buff, data_end)),
3462 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3463 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3464 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3465 			BPF_MOV64_IMM(BPF_REG_0, 1),
3466 			BPF_EXIT_INSN(),
3467 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3468 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3469 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3470 			BPF_MOV64_IMM(BPF_REG_0, 0),
3471 			BPF_EXIT_INSN(),
3472 		},
3473 		.result = ACCEPT,
3474 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3475 	},
3476 	{
3477 		"direct packet access: test10 (write invalid)",
3478 		.insns = {
3479 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3480 				    offsetof(struct __sk_buff, data)),
3481 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3482 				    offsetof(struct __sk_buff, data_end)),
3483 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3484 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3485 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3486 			BPF_MOV64_IMM(BPF_REG_0, 0),
3487 			BPF_EXIT_INSN(),
3488 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3489 			BPF_MOV64_IMM(BPF_REG_0, 0),
3490 			BPF_EXIT_INSN(),
3491 		},
3492 		.errstr = "invalid access to packet",
3493 		.result = REJECT,
3494 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3495 	},
3496 	{
3497 		"direct packet access: test11 (shift, good access)",
3498 		.insns = {
3499 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3500 				    offsetof(struct __sk_buff, data)),
3501 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3502 				    offsetof(struct __sk_buff, data_end)),
3503 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3504 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3505 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3506 			BPF_MOV64_IMM(BPF_REG_3, 144),
3507 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3508 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3509 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3510 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3511 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3512 			BPF_MOV64_IMM(BPF_REG_0, 1),
3513 			BPF_EXIT_INSN(),
3514 			BPF_MOV64_IMM(BPF_REG_0, 0),
3515 			BPF_EXIT_INSN(),
3516 		},
3517 		.result = ACCEPT,
3518 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3519 		.retval = 1,
3520 	},
3521 	{
3522 		"direct packet access: test12 (and, good access)",
3523 		.insns = {
3524 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3525 				    offsetof(struct __sk_buff, data)),
3526 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3527 				    offsetof(struct __sk_buff, data_end)),
3528 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3529 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3530 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3531 			BPF_MOV64_IMM(BPF_REG_3, 144),
3532 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3533 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3534 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3535 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3536 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3537 			BPF_MOV64_IMM(BPF_REG_0, 1),
3538 			BPF_EXIT_INSN(),
3539 			BPF_MOV64_IMM(BPF_REG_0, 0),
3540 			BPF_EXIT_INSN(),
3541 		},
3542 		.result = ACCEPT,
3543 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3544 		.retval = 1,
3545 	},
3546 	{
3547 		"direct packet access: test13 (branches, good access)",
3548 		.insns = {
3549 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3550 				    offsetof(struct __sk_buff, data)),
3551 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3552 				    offsetof(struct __sk_buff, data_end)),
3553 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3554 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3555 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3556 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3557 				    offsetof(struct __sk_buff, mark)),
3558 			BPF_MOV64_IMM(BPF_REG_4, 1),
3559 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3560 			BPF_MOV64_IMM(BPF_REG_3, 14),
3561 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3562 			BPF_MOV64_IMM(BPF_REG_3, 24),
3563 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3564 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3565 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3566 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3567 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3568 			BPF_MOV64_IMM(BPF_REG_0, 1),
3569 			BPF_EXIT_INSN(),
3570 			BPF_MOV64_IMM(BPF_REG_0, 0),
3571 			BPF_EXIT_INSN(),
3572 		},
3573 		.result = ACCEPT,
3574 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3575 		.retval = 1,
3576 	},
3577 	{
3578 		"direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3579 		.insns = {
3580 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3581 				    offsetof(struct __sk_buff, data)),
3582 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3583 				    offsetof(struct __sk_buff, data_end)),
3584 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3585 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3586 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3587 			BPF_MOV64_IMM(BPF_REG_5, 12),
3588 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3589 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3590 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3591 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3592 			BPF_MOV64_IMM(BPF_REG_0, 1),
3593 			BPF_EXIT_INSN(),
3594 			BPF_MOV64_IMM(BPF_REG_0, 0),
3595 			BPF_EXIT_INSN(),
3596 		},
3597 		.result = ACCEPT,
3598 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3599 		.retval = 1,
3600 	},
3601 	{
3602 		"direct packet access: test15 (spill with xadd)",
3603 		.insns = {
3604 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3605 				    offsetof(struct __sk_buff, data)),
3606 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3607 				    offsetof(struct __sk_buff, data_end)),
3608 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3609 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3610 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3611 			BPF_MOV64_IMM(BPF_REG_5, 4096),
3612 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3613 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3614 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3615 			BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3616 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3617 			BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3618 			BPF_MOV64_IMM(BPF_REG_0, 0),
3619 			BPF_EXIT_INSN(),
3620 		},
3621 		.errstr = "R2 invalid mem access 'inv'",
3622 		.result = REJECT,
3623 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3624 	},
3625 	{
3626 		"direct packet access: test16 (arith on data_end)",
3627 		.insns = {
3628 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3629 				    offsetof(struct __sk_buff, data)),
3630 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3631 				    offsetof(struct __sk_buff, data_end)),
3632 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3633 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3634 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3635 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3636 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3637 			BPF_MOV64_IMM(BPF_REG_0, 0),
3638 			BPF_EXIT_INSN(),
3639 		},
3640 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3641 		.result = REJECT,
3642 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3643 	},
3644 	{
3645 		"direct packet access: test17 (pruning, alignment)",
3646 		.insns = {
3647 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3648 				    offsetof(struct __sk_buff, data)),
3649 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3650 				    offsetof(struct __sk_buff, data_end)),
3651 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3652 				    offsetof(struct __sk_buff, mark)),
3653 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3654 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3655 			BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3656 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3657 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3658 			BPF_MOV64_IMM(BPF_REG_0, 0),
3659 			BPF_EXIT_INSN(),
3660 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3661 			BPF_JMP_A(-6),
3662 		},
3663 		.errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3664 		.result = REJECT,
3665 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3666 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3667 	},
3668 	{
3669 		"direct packet access: test18 (imm += pkt_ptr, 1)",
3670 		.insns = {
3671 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3672 				    offsetof(struct __sk_buff, data)),
3673 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3674 				    offsetof(struct __sk_buff, data_end)),
3675 			BPF_MOV64_IMM(BPF_REG_0, 8),
3676 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3677 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3678 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3679 			BPF_MOV64_IMM(BPF_REG_0, 0),
3680 			BPF_EXIT_INSN(),
3681 		},
3682 		.result = ACCEPT,
3683 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3684 	},
3685 	{
3686 		"direct packet access: test19 (imm += pkt_ptr, 2)",
3687 		.insns = {
3688 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3689 				    offsetof(struct __sk_buff, data)),
3690 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3691 				    offsetof(struct __sk_buff, data_end)),
3692 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3693 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3694 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3695 			BPF_MOV64_IMM(BPF_REG_4, 4),
3696 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3697 			BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3698 			BPF_MOV64_IMM(BPF_REG_0, 0),
3699 			BPF_EXIT_INSN(),
3700 		},
3701 		.result = ACCEPT,
3702 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3703 	},
3704 	{
3705 		"direct packet access: test20 (x += pkt_ptr, 1)",
3706 		.insns = {
3707 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3708 				    offsetof(struct __sk_buff, data)),
3709 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3710 				    offsetof(struct __sk_buff, data_end)),
3711 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3712 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3713 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3714 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3715 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3716 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3717 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3718 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3719 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3720 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3721 			BPF_MOV64_IMM(BPF_REG_0, 0),
3722 			BPF_EXIT_INSN(),
3723 		},
3724 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3725 		.result = ACCEPT,
3726 	},
3727 	{
3728 		"direct packet access: test21 (x += pkt_ptr, 2)",
3729 		.insns = {
3730 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3731 				    offsetof(struct __sk_buff, data)),
3732 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3733 				    offsetof(struct __sk_buff, data_end)),
3734 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3735 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3736 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3737 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3738 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3739 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3740 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3741 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3742 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3743 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3744 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3745 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3746 			BPF_MOV64_IMM(BPF_REG_0, 0),
3747 			BPF_EXIT_INSN(),
3748 		},
3749 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3750 		.result = ACCEPT,
3751 	},
3752 	{
3753 		"direct packet access: test22 (x += pkt_ptr, 3)",
3754 		.insns = {
3755 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3756 				    offsetof(struct __sk_buff, data)),
3757 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3758 				    offsetof(struct __sk_buff, data_end)),
3759 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3760 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3761 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3762 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3763 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3764 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3765 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3766 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3767 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3768 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3769 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3770 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3771 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3772 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3773 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3774 			BPF_MOV64_IMM(BPF_REG_2, 1),
3775 			BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3776 			BPF_MOV64_IMM(BPF_REG_0, 0),
3777 			BPF_EXIT_INSN(),
3778 		},
3779 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3780 		.result = ACCEPT,
3781 	},
3782 	{
3783 		"direct packet access: test23 (x += pkt_ptr, 4)",
3784 		.insns = {
3785 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3786 				    offsetof(struct __sk_buff, data)),
3787 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3788 				    offsetof(struct __sk_buff, data_end)),
3789 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3790 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3791 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3792 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3793 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3794 			BPF_MOV64_IMM(BPF_REG_0, 31),
3795 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3796 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3797 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3798 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3799 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3800 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3801 			BPF_MOV64_IMM(BPF_REG_0, 0),
3802 			BPF_EXIT_INSN(),
3803 		},
3804 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3805 		.result = REJECT,
3806 		.errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3807 	},
3808 	{
3809 		"direct packet access: test24 (x += pkt_ptr, 5)",
3810 		.insns = {
3811 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3812 				    offsetof(struct __sk_buff, data)),
3813 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3814 				    offsetof(struct __sk_buff, data_end)),
3815 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3816 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3817 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3818 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3819 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3820 			BPF_MOV64_IMM(BPF_REG_0, 64),
3821 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3822 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3823 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3824 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3825 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3826 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3827 			BPF_MOV64_IMM(BPF_REG_0, 0),
3828 			BPF_EXIT_INSN(),
3829 		},
3830 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3831 		.result = ACCEPT,
3832 	},
3833 	{
3834 		"direct packet access: test25 (marking on <, good access)",
3835 		.insns = {
3836 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3837 				    offsetof(struct __sk_buff, data)),
3838 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3839 				    offsetof(struct __sk_buff, data_end)),
3840 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3841 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3842 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3843 			BPF_MOV64_IMM(BPF_REG_0, 0),
3844 			BPF_EXIT_INSN(),
3845 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3846 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3847 		},
3848 		.result = ACCEPT,
3849 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3850 	},
3851 	{
3852 		"direct packet access: test26 (marking on <, bad access)",
3853 		.insns = {
3854 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3855 				    offsetof(struct __sk_buff, data)),
3856 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3857 				    offsetof(struct __sk_buff, data_end)),
3858 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3859 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3860 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3861 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3862 			BPF_MOV64_IMM(BPF_REG_0, 0),
3863 			BPF_EXIT_INSN(),
3864 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3865 		},
3866 		.result = REJECT,
3867 		.errstr = "invalid access to packet",
3868 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3869 	},
3870 	{
3871 		"direct packet access: test27 (marking on <=, good access)",
3872 		.insns = {
3873 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3874 				    offsetof(struct __sk_buff, data)),
3875 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3876 				    offsetof(struct __sk_buff, data_end)),
3877 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3878 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3879 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3880 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3881 			BPF_MOV64_IMM(BPF_REG_0, 1),
3882 			BPF_EXIT_INSN(),
3883 		},
3884 		.result = ACCEPT,
3885 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3886 		.retval = 1,
3887 	},
3888 	{
3889 		"direct packet access: test28 (marking on <=, bad access)",
3890 		.insns = {
3891 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3892 				    offsetof(struct __sk_buff, data)),
3893 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3894 				    offsetof(struct __sk_buff, data_end)),
3895 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3896 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3897 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3898 			BPF_MOV64_IMM(BPF_REG_0, 1),
3899 			BPF_EXIT_INSN(),
3900 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3901 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3902 		},
3903 		.result = REJECT,
3904 		.errstr = "invalid access to packet",
3905 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3906 	},
3907 	{
3908 		"helper access to packet: test1, valid packet_ptr range",
3909 		.insns = {
3910 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3911 				    offsetof(struct xdp_md, data)),
3912 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3913 				    offsetof(struct xdp_md, data_end)),
3914 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3915 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3916 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3917 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3918 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3919 			BPF_MOV64_IMM(BPF_REG_4, 0),
3920 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3921 				     BPF_FUNC_map_update_elem),
3922 			BPF_MOV64_IMM(BPF_REG_0, 0),
3923 			BPF_EXIT_INSN(),
3924 		},
3925 		.fixup_map1 = { 5 },
3926 		.result_unpriv = ACCEPT,
3927 		.result = ACCEPT,
3928 		.prog_type = BPF_PROG_TYPE_XDP,
3929 	},
3930 	{
3931 		"helper access to packet: test2, unchecked packet_ptr",
3932 		.insns = {
3933 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3934 				    offsetof(struct xdp_md, data)),
3935 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3936 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3937 				     BPF_FUNC_map_lookup_elem),
3938 			BPF_MOV64_IMM(BPF_REG_0, 0),
3939 			BPF_EXIT_INSN(),
3940 		},
3941 		.fixup_map1 = { 1 },
3942 		.result = REJECT,
3943 		.errstr = "invalid access to packet",
3944 		.prog_type = BPF_PROG_TYPE_XDP,
3945 	},
3946 	{
3947 		"helper access to packet: test3, variable add",
3948 		.insns = {
3949 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3950 					offsetof(struct xdp_md, data)),
3951 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3952 					offsetof(struct xdp_md, data_end)),
3953 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3954 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3955 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3956 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3957 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3958 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3959 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3960 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3961 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3962 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3963 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3964 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3965 				     BPF_FUNC_map_lookup_elem),
3966 			BPF_MOV64_IMM(BPF_REG_0, 0),
3967 			BPF_EXIT_INSN(),
3968 		},
3969 		.fixup_map1 = { 11 },
3970 		.result = ACCEPT,
3971 		.prog_type = BPF_PROG_TYPE_XDP,
3972 	},
3973 	{
3974 		"helper access to packet: test4, packet_ptr with bad range",
3975 		.insns = {
3976 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3977 				    offsetof(struct xdp_md, data)),
3978 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3979 				    offsetof(struct xdp_md, data_end)),
3980 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3981 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3982 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3983 			BPF_MOV64_IMM(BPF_REG_0, 0),
3984 			BPF_EXIT_INSN(),
3985 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3986 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3987 				     BPF_FUNC_map_lookup_elem),
3988 			BPF_MOV64_IMM(BPF_REG_0, 0),
3989 			BPF_EXIT_INSN(),
3990 		},
3991 		.fixup_map1 = { 7 },
3992 		.result = REJECT,
3993 		.errstr = "invalid access to packet",
3994 		.prog_type = BPF_PROG_TYPE_XDP,
3995 	},
3996 	{
3997 		"helper access to packet: test5, packet_ptr with too short range",
3998 		.insns = {
3999 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4000 				    offsetof(struct xdp_md, data)),
4001 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4002 				    offsetof(struct xdp_md, data_end)),
4003 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4004 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4005 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4006 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4007 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4008 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4009 				     BPF_FUNC_map_lookup_elem),
4010 			BPF_MOV64_IMM(BPF_REG_0, 0),
4011 			BPF_EXIT_INSN(),
4012 		},
4013 		.fixup_map1 = { 6 },
4014 		.result = REJECT,
4015 		.errstr = "invalid access to packet",
4016 		.prog_type = BPF_PROG_TYPE_XDP,
4017 	},
4018 	{
4019 		"helper access to packet: test6, cls valid packet_ptr range",
4020 		.insns = {
4021 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4022 				    offsetof(struct __sk_buff, data)),
4023 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4024 				    offsetof(struct __sk_buff, data_end)),
4025 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4026 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4027 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4028 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4029 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4030 			BPF_MOV64_IMM(BPF_REG_4, 0),
4031 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4032 				     BPF_FUNC_map_update_elem),
4033 			BPF_MOV64_IMM(BPF_REG_0, 0),
4034 			BPF_EXIT_INSN(),
4035 		},
4036 		.fixup_map1 = { 5 },
4037 		.result = ACCEPT,
4038 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4039 	},
4040 	{
4041 		"helper access to packet: test7, cls unchecked packet_ptr",
4042 		.insns = {
4043 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4044 				    offsetof(struct __sk_buff, data)),
4045 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4046 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4047 				     BPF_FUNC_map_lookup_elem),
4048 			BPF_MOV64_IMM(BPF_REG_0, 0),
4049 			BPF_EXIT_INSN(),
4050 		},
4051 		.fixup_map1 = { 1 },
4052 		.result = REJECT,
4053 		.errstr = "invalid access to packet",
4054 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4055 	},
4056 	{
4057 		"helper access to packet: test8, cls variable add",
4058 		.insns = {
4059 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4060 					offsetof(struct __sk_buff, data)),
4061 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4062 					offsetof(struct __sk_buff, data_end)),
4063 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4064 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4065 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4066 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4067 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4068 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4069 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4070 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4071 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4072 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4073 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4074 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4075 				     BPF_FUNC_map_lookup_elem),
4076 			BPF_MOV64_IMM(BPF_REG_0, 0),
4077 			BPF_EXIT_INSN(),
4078 		},
4079 		.fixup_map1 = { 11 },
4080 		.result = ACCEPT,
4081 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4082 	},
4083 	{
4084 		"helper access to packet: test9, cls packet_ptr with bad range",
4085 		.insns = {
4086 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4087 				    offsetof(struct __sk_buff, data)),
4088 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4089 				    offsetof(struct __sk_buff, data_end)),
4090 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4091 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4092 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4093 			BPF_MOV64_IMM(BPF_REG_0, 0),
4094 			BPF_EXIT_INSN(),
4095 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4096 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4097 				     BPF_FUNC_map_lookup_elem),
4098 			BPF_MOV64_IMM(BPF_REG_0, 0),
4099 			BPF_EXIT_INSN(),
4100 		},
4101 		.fixup_map1 = { 7 },
4102 		.result = REJECT,
4103 		.errstr = "invalid access to packet",
4104 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4105 	},
4106 	{
4107 		"helper access to packet: test10, cls packet_ptr with too short range",
4108 		.insns = {
4109 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4110 				    offsetof(struct __sk_buff, data)),
4111 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4112 				    offsetof(struct __sk_buff, data_end)),
4113 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4114 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4115 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4116 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4117 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4118 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4119 				     BPF_FUNC_map_lookup_elem),
4120 			BPF_MOV64_IMM(BPF_REG_0, 0),
4121 			BPF_EXIT_INSN(),
4122 		},
4123 		.fixup_map1 = { 6 },
4124 		.result = REJECT,
4125 		.errstr = "invalid access to packet",
4126 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4127 	},
4128 	{
4129 		"helper access to packet: test11, cls unsuitable helper 1",
4130 		.insns = {
4131 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4132 				    offsetof(struct __sk_buff, data)),
4133 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4134 				    offsetof(struct __sk_buff, data_end)),
4135 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4136 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4137 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4138 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4139 			BPF_MOV64_IMM(BPF_REG_2, 0),
4140 			BPF_MOV64_IMM(BPF_REG_4, 42),
4141 			BPF_MOV64_IMM(BPF_REG_5, 0),
4142 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4143 				     BPF_FUNC_skb_store_bytes),
4144 			BPF_MOV64_IMM(BPF_REG_0, 0),
4145 			BPF_EXIT_INSN(),
4146 		},
4147 		.result = REJECT,
4148 		.errstr = "helper access to the packet",
4149 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4150 	},
4151 	{
4152 		"helper access to packet: test12, cls unsuitable helper 2",
4153 		.insns = {
4154 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4155 				    offsetof(struct __sk_buff, data)),
4156 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4157 				    offsetof(struct __sk_buff, data_end)),
4158 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4159 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4160 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4161 			BPF_MOV64_IMM(BPF_REG_2, 0),
4162 			BPF_MOV64_IMM(BPF_REG_4, 4),
4163 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4164 				     BPF_FUNC_skb_load_bytes),
4165 			BPF_MOV64_IMM(BPF_REG_0, 0),
4166 			BPF_EXIT_INSN(),
4167 		},
4168 		.result = REJECT,
4169 		.errstr = "helper access to the packet",
4170 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4171 	},
4172 	{
4173 		"helper access to packet: test13, cls helper ok",
4174 		.insns = {
4175 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4176 				    offsetof(struct __sk_buff, data)),
4177 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4178 				    offsetof(struct __sk_buff, data_end)),
4179 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4180 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4181 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4182 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4183 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4184 			BPF_MOV64_IMM(BPF_REG_2, 4),
4185 			BPF_MOV64_IMM(BPF_REG_3, 0),
4186 			BPF_MOV64_IMM(BPF_REG_4, 0),
4187 			BPF_MOV64_IMM(BPF_REG_5, 0),
4188 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4189 				     BPF_FUNC_csum_diff),
4190 			BPF_MOV64_IMM(BPF_REG_0, 0),
4191 			BPF_EXIT_INSN(),
4192 		},
4193 		.result = ACCEPT,
4194 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4195 	},
4196 	{
4197 		"helper access to packet: test14, cls helper ok sub",
4198 		.insns = {
4199 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4200 				    offsetof(struct __sk_buff, data)),
4201 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4202 				    offsetof(struct __sk_buff, data_end)),
4203 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4204 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4205 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4206 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4207 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4208 			BPF_MOV64_IMM(BPF_REG_2, 4),
4209 			BPF_MOV64_IMM(BPF_REG_3, 0),
4210 			BPF_MOV64_IMM(BPF_REG_4, 0),
4211 			BPF_MOV64_IMM(BPF_REG_5, 0),
4212 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4213 				     BPF_FUNC_csum_diff),
4214 			BPF_MOV64_IMM(BPF_REG_0, 0),
4215 			BPF_EXIT_INSN(),
4216 		},
4217 		.result = ACCEPT,
4218 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4219 	},
4220 	{
4221 		"helper access to packet: test15, cls helper fail sub",
4222 		.insns = {
4223 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4224 				    offsetof(struct __sk_buff, data)),
4225 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4226 				    offsetof(struct __sk_buff, data_end)),
4227 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4228 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4229 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4230 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4231 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4232 			BPF_MOV64_IMM(BPF_REG_2, 4),
4233 			BPF_MOV64_IMM(BPF_REG_3, 0),
4234 			BPF_MOV64_IMM(BPF_REG_4, 0),
4235 			BPF_MOV64_IMM(BPF_REG_5, 0),
4236 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4237 				     BPF_FUNC_csum_diff),
4238 			BPF_MOV64_IMM(BPF_REG_0, 0),
4239 			BPF_EXIT_INSN(),
4240 		},
4241 		.result = REJECT,
4242 		.errstr = "invalid access to packet",
4243 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4244 	},
4245 	{
4246 		"helper access to packet: test16, cls helper fail range 1",
4247 		.insns = {
4248 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4249 				    offsetof(struct __sk_buff, data)),
4250 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4251 				    offsetof(struct __sk_buff, data_end)),
4252 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4253 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4254 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4255 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4256 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4257 			BPF_MOV64_IMM(BPF_REG_2, 8),
4258 			BPF_MOV64_IMM(BPF_REG_3, 0),
4259 			BPF_MOV64_IMM(BPF_REG_4, 0),
4260 			BPF_MOV64_IMM(BPF_REG_5, 0),
4261 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4262 				     BPF_FUNC_csum_diff),
4263 			BPF_MOV64_IMM(BPF_REG_0, 0),
4264 			BPF_EXIT_INSN(),
4265 		},
4266 		.result = REJECT,
4267 		.errstr = "invalid access to packet",
4268 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4269 	},
4270 	{
4271 		"helper access to packet: test17, cls helper fail range 2",
4272 		.insns = {
4273 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4274 				    offsetof(struct __sk_buff, data)),
4275 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4276 				    offsetof(struct __sk_buff, data_end)),
4277 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4278 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4279 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4280 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4281 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4282 			BPF_MOV64_IMM(BPF_REG_2, -9),
4283 			BPF_MOV64_IMM(BPF_REG_3, 0),
4284 			BPF_MOV64_IMM(BPF_REG_4, 0),
4285 			BPF_MOV64_IMM(BPF_REG_5, 0),
4286 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4287 				     BPF_FUNC_csum_diff),
4288 			BPF_MOV64_IMM(BPF_REG_0, 0),
4289 			BPF_EXIT_INSN(),
4290 		},
4291 		.result = REJECT,
4292 		.errstr = "R2 min value is negative",
4293 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4294 	},
4295 	{
4296 		"helper access to packet: test18, cls helper fail range 3",
4297 		.insns = {
4298 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4299 				    offsetof(struct __sk_buff, data)),
4300 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4301 				    offsetof(struct __sk_buff, data_end)),
4302 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4303 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4304 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4305 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4306 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4307 			BPF_MOV64_IMM(BPF_REG_2, ~0),
4308 			BPF_MOV64_IMM(BPF_REG_3, 0),
4309 			BPF_MOV64_IMM(BPF_REG_4, 0),
4310 			BPF_MOV64_IMM(BPF_REG_5, 0),
4311 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4312 				     BPF_FUNC_csum_diff),
4313 			BPF_MOV64_IMM(BPF_REG_0, 0),
4314 			BPF_EXIT_INSN(),
4315 		},
4316 		.result = REJECT,
4317 		.errstr = "R2 min value is negative",
4318 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4319 	},
4320 	{
4321 		"helper access to packet: test19, cls helper range zero",
4322 		.insns = {
4323 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4324 				    offsetof(struct __sk_buff, data)),
4325 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4326 				    offsetof(struct __sk_buff, data_end)),
4327 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4328 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4329 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4330 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4331 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4332 			BPF_MOV64_IMM(BPF_REG_2, 0),
4333 			BPF_MOV64_IMM(BPF_REG_3, 0),
4334 			BPF_MOV64_IMM(BPF_REG_4, 0),
4335 			BPF_MOV64_IMM(BPF_REG_5, 0),
4336 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4337 				     BPF_FUNC_csum_diff),
4338 			BPF_MOV64_IMM(BPF_REG_0, 0),
4339 			BPF_EXIT_INSN(),
4340 		},
4341 		.result = ACCEPT,
4342 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4343 	},
4344 	{
4345 		"helper access to packet: test20, pkt end as input",
4346 		.insns = {
4347 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4348 				    offsetof(struct __sk_buff, data)),
4349 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4350 				    offsetof(struct __sk_buff, data_end)),
4351 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4352 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4353 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4354 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4355 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4356 			BPF_MOV64_IMM(BPF_REG_2, 4),
4357 			BPF_MOV64_IMM(BPF_REG_3, 0),
4358 			BPF_MOV64_IMM(BPF_REG_4, 0),
4359 			BPF_MOV64_IMM(BPF_REG_5, 0),
4360 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4361 				     BPF_FUNC_csum_diff),
4362 			BPF_MOV64_IMM(BPF_REG_0, 0),
4363 			BPF_EXIT_INSN(),
4364 		},
4365 		.result = REJECT,
4366 		.errstr = "R1 type=pkt_end expected=fp",
4367 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4368 	},
4369 	{
4370 		"helper access to packet: test21, wrong reg",
4371 		.insns = {
4372 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4373 				    offsetof(struct __sk_buff, data)),
4374 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4375 				    offsetof(struct __sk_buff, data_end)),
4376 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4377 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4378 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4379 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4380 			BPF_MOV64_IMM(BPF_REG_2, 4),
4381 			BPF_MOV64_IMM(BPF_REG_3, 0),
4382 			BPF_MOV64_IMM(BPF_REG_4, 0),
4383 			BPF_MOV64_IMM(BPF_REG_5, 0),
4384 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4385 				     BPF_FUNC_csum_diff),
4386 			BPF_MOV64_IMM(BPF_REG_0, 0),
4387 			BPF_EXIT_INSN(),
4388 		},
4389 		.result = REJECT,
4390 		.errstr = "invalid access to packet",
4391 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4392 	},
4393 	{
4394 		"valid map access into an array with a constant",
4395 		.insns = {
4396 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4397 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4398 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4399 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4400 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4401 				     BPF_FUNC_map_lookup_elem),
4402 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4403 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4404 				   offsetof(struct test_val, foo)),
4405 			BPF_EXIT_INSN(),
4406 		},
4407 		.fixup_map2 = { 3 },
4408 		.errstr_unpriv = "R0 leaks addr",
4409 		.result_unpriv = REJECT,
4410 		.result = ACCEPT,
4411 	},
4412 	{
4413 		"valid map access into an array with a register",
4414 		.insns = {
4415 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4416 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4417 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4418 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4419 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4420 				     BPF_FUNC_map_lookup_elem),
4421 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4422 			BPF_MOV64_IMM(BPF_REG_1, 4),
4423 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4424 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4425 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4426 				   offsetof(struct test_val, foo)),
4427 			BPF_EXIT_INSN(),
4428 		},
4429 		.fixup_map2 = { 3 },
4430 		.errstr_unpriv = "R0 leaks addr",
4431 		.result_unpriv = REJECT,
4432 		.result = ACCEPT,
4433 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4434 	},
4435 	{
4436 		"valid map access into an array with a variable",
4437 		.insns = {
4438 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4439 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4440 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4441 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4442 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4443 				     BPF_FUNC_map_lookup_elem),
4444 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4445 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4446 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4447 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4448 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4449 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4450 				   offsetof(struct test_val, foo)),
4451 			BPF_EXIT_INSN(),
4452 		},
4453 		.fixup_map2 = { 3 },
4454 		.errstr_unpriv = "R0 leaks addr",
4455 		.result_unpriv = REJECT,
4456 		.result = ACCEPT,
4457 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4458 	},
4459 	{
4460 		"valid map access into an array with a signed variable",
4461 		.insns = {
4462 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4463 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4464 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4465 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4466 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4467 				     BPF_FUNC_map_lookup_elem),
4468 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4469 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4470 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4471 			BPF_MOV32_IMM(BPF_REG_1, 0),
4472 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4473 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4474 			BPF_MOV32_IMM(BPF_REG_1, 0),
4475 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4476 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4477 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4478 				   offsetof(struct test_val, foo)),
4479 			BPF_EXIT_INSN(),
4480 		},
4481 		.fixup_map2 = { 3 },
4482 		.errstr_unpriv = "R0 leaks addr",
4483 		.result_unpriv = REJECT,
4484 		.result = ACCEPT,
4485 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4486 	},
4487 	{
4488 		"invalid map access into an array with a constant",
4489 		.insns = {
4490 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4491 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4492 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4493 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4494 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4495 				     BPF_FUNC_map_lookup_elem),
4496 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4497 			BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4498 				   offsetof(struct test_val, foo)),
4499 			BPF_EXIT_INSN(),
4500 		},
4501 		.fixup_map2 = { 3 },
4502 		.errstr = "invalid access to map value, value_size=48 off=48 size=8",
4503 		.result = REJECT,
4504 	},
4505 	{
4506 		"invalid map access into an array with a register",
4507 		.insns = {
4508 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4509 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4510 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4511 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4512 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4513 				     BPF_FUNC_map_lookup_elem),
4514 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4515 			BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4516 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4517 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4518 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4519 				   offsetof(struct test_val, foo)),
4520 			BPF_EXIT_INSN(),
4521 		},
4522 		.fixup_map2 = { 3 },
4523 		.errstr = "R0 min value is outside of the array range",
4524 		.result = REJECT,
4525 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4526 	},
4527 	{
4528 		"invalid map access into an array with a variable",
4529 		.insns = {
4530 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4531 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4532 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4533 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4534 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4535 				     BPF_FUNC_map_lookup_elem),
4536 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4537 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4538 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4539 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4540 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4541 				   offsetof(struct test_val, foo)),
4542 			BPF_EXIT_INSN(),
4543 		},
4544 		.fixup_map2 = { 3 },
4545 		.errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4546 		.result = REJECT,
4547 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4548 	},
4549 	{
4550 		"invalid map access into an array with no floor check",
4551 		.insns = {
4552 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4553 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4554 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4555 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4556 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4557 				     BPF_FUNC_map_lookup_elem),
4558 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4559 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4560 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4561 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4562 			BPF_MOV32_IMM(BPF_REG_1, 0),
4563 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4564 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4565 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4566 				   offsetof(struct test_val, foo)),
4567 			BPF_EXIT_INSN(),
4568 		},
4569 		.fixup_map2 = { 3 },
4570 		.errstr_unpriv = "R0 leaks addr",
4571 		.errstr = "R0 unbounded memory access",
4572 		.result_unpriv = REJECT,
4573 		.result = REJECT,
4574 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4575 	},
4576 	{
4577 		"invalid map access into an array with a invalid max check",
4578 		.insns = {
4579 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4580 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4581 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4582 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4583 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4584 				     BPF_FUNC_map_lookup_elem),
4585 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4586 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4587 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4588 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4589 			BPF_MOV32_IMM(BPF_REG_1, 0),
4590 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4591 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4592 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4593 				   offsetof(struct test_val, foo)),
4594 			BPF_EXIT_INSN(),
4595 		},
4596 		.fixup_map2 = { 3 },
4597 		.errstr_unpriv = "R0 leaks addr",
4598 		.errstr = "invalid access to map value, value_size=48 off=44 size=8",
4599 		.result_unpriv = REJECT,
4600 		.result = REJECT,
4601 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4602 	},
4603 	{
4604 		"invalid map access into an array with a invalid max check",
4605 		.insns = {
4606 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4607 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4608 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4609 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4610 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4611 				     BPF_FUNC_map_lookup_elem),
4612 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4613 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4614 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4615 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4616 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4617 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4618 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4619 				     BPF_FUNC_map_lookup_elem),
4620 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4621 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4622 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4623 				    offsetof(struct test_val, foo)),
4624 			BPF_EXIT_INSN(),
4625 		},
4626 		.fixup_map2 = { 3, 11 },
4627 		.errstr = "R0 pointer += pointer",
4628 		.result = REJECT,
4629 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4630 	},
4631 	{
4632 		"valid cgroup storage access",
4633 		.insns = {
4634 			BPF_MOV64_IMM(BPF_REG_2, 0),
4635 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4636 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4637 				     BPF_FUNC_get_local_storage),
4638 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4639 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4640 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4641 			BPF_EXIT_INSN(),
4642 		},
4643 		.fixup_cgroup_storage = { 1 },
4644 		.result = ACCEPT,
4645 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4646 	},
4647 	{
4648 		"invalid cgroup storage access 1",
4649 		.insns = {
4650 			BPF_MOV64_IMM(BPF_REG_2, 0),
4651 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4652 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4653 				     BPF_FUNC_get_local_storage),
4654 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4655 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4656 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4657 			BPF_EXIT_INSN(),
4658 		},
4659 		.fixup_map1 = { 1 },
4660 		.result = REJECT,
4661 		.errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
4662 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4663 	},
4664 	{
4665 		"invalid cgroup storage access 2",
4666 		.insns = {
4667 			BPF_MOV64_IMM(BPF_REG_2, 0),
4668 			BPF_LD_MAP_FD(BPF_REG_1, 1),
4669 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4670 				     BPF_FUNC_get_local_storage),
4671 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4672 			BPF_EXIT_INSN(),
4673 		},
4674 		.result = REJECT,
4675 		.errstr = "fd 1 is not pointing to valid bpf_map",
4676 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4677 	},
4678 	{
4679 		"invalid per-cgroup storage access 3",
4680 		.insns = {
4681 			BPF_MOV64_IMM(BPF_REG_2, 0),
4682 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4683 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4684 				     BPF_FUNC_get_local_storage),
4685 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
4686 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4687 			BPF_MOV64_IMM(BPF_REG_0, 0),
4688 			BPF_EXIT_INSN(),
4689 		},
4690 		.fixup_cgroup_storage = { 1 },
4691 		.result = REJECT,
4692 		.errstr = "invalid access to map value, value_size=64 off=256 size=4",
4693 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4694 	},
4695 	{
4696 		"invalid cgroup storage access 4",
4697 		.insns = {
4698 			BPF_MOV64_IMM(BPF_REG_2, 0),
4699 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4700 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4701 				     BPF_FUNC_get_local_storage),
4702 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
4703 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4704 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4705 			BPF_EXIT_INSN(),
4706 		},
4707 		.fixup_cgroup_storage = { 1 },
4708 		.result = REJECT,
4709 		.errstr = "invalid access to map value, value_size=64 off=-2 size=4",
4710 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4711 	},
4712 	{
4713 		"invalid cgroup storage access 5",
4714 		.insns = {
4715 			BPF_MOV64_IMM(BPF_REG_2, 7),
4716 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4717 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4718 				     BPF_FUNC_get_local_storage),
4719 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4720 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4721 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4722 			BPF_EXIT_INSN(),
4723 		},
4724 		.fixup_cgroup_storage = { 1 },
4725 		.result = REJECT,
4726 		.errstr = "get_local_storage() doesn't support non-zero flags",
4727 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4728 	},
4729 	{
4730 		"invalid cgroup storage access 6",
4731 		.insns = {
4732 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
4733 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4734 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4735 				     BPF_FUNC_get_local_storage),
4736 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4737 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4738 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4739 			BPF_EXIT_INSN(),
4740 		},
4741 		.fixup_cgroup_storage = { 1 },
4742 		.result = REJECT,
4743 		.errstr = "get_local_storage() doesn't support non-zero flags",
4744 		.prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4745 	},
4746 	{
4747 		"multiple registers share map_lookup_elem result",
4748 		.insns = {
4749 			BPF_MOV64_IMM(BPF_REG_1, 10),
4750 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4751 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4752 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4753 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4754 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4755 				     BPF_FUNC_map_lookup_elem),
4756 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4757 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4758 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4759 			BPF_EXIT_INSN(),
4760 		},
4761 		.fixup_map1 = { 4 },
4762 		.result = ACCEPT,
4763 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4764 	},
4765 	{
4766 		"alu ops on ptr_to_map_value_or_null, 1",
4767 		.insns = {
4768 			BPF_MOV64_IMM(BPF_REG_1, 10),
4769 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4770 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4771 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4772 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4773 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4774 				     BPF_FUNC_map_lookup_elem),
4775 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4776 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4777 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4778 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4779 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4780 			BPF_EXIT_INSN(),
4781 		},
4782 		.fixup_map1 = { 4 },
4783 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4784 		.result = REJECT,
4785 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4786 	},
4787 	{
4788 		"alu ops on ptr_to_map_value_or_null, 2",
4789 		.insns = {
4790 			BPF_MOV64_IMM(BPF_REG_1, 10),
4791 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4792 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4793 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4794 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4795 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4796 				     BPF_FUNC_map_lookup_elem),
4797 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4798 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4799 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4800 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4801 			BPF_EXIT_INSN(),
4802 		},
4803 		.fixup_map1 = { 4 },
4804 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4805 		.result = REJECT,
4806 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4807 	},
4808 	{
4809 		"alu ops on ptr_to_map_value_or_null, 3",
4810 		.insns = {
4811 			BPF_MOV64_IMM(BPF_REG_1, 10),
4812 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4813 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4814 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4815 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4816 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4817 				     BPF_FUNC_map_lookup_elem),
4818 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4819 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4820 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4821 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4822 			BPF_EXIT_INSN(),
4823 		},
4824 		.fixup_map1 = { 4 },
4825 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4826 		.result = REJECT,
4827 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4828 	},
4829 	{
4830 		"invalid memory access with multiple map_lookup_elem calls",
4831 		.insns = {
4832 			BPF_MOV64_IMM(BPF_REG_1, 10),
4833 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4834 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4835 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4836 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4837 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4838 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4839 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4840 				     BPF_FUNC_map_lookup_elem),
4841 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4842 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4843 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4844 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4845 				     BPF_FUNC_map_lookup_elem),
4846 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4847 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4848 			BPF_EXIT_INSN(),
4849 		},
4850 		.fixup_map1 = { 4 },
4851 		.result = REJECT,
4852 		.errstr = "R4 !read_ok",
4853 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4854 	},
4855 	{
4856 		"valid indirect map_lookup_elem access with 2nd lookup in branch",
4857 		.insns = {
4858 			BPF_MOV64_IMM(BPF_REG_1, 10),
4859 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4860 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4861 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4862 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4863 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4864 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4865 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4866 				     BPF_FUNC_map_lookup_elem),
4867 			BPF_MOV64_IMM(BPF_REG_2, 10),
4868 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4869 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4870 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4871 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4872 				     BPF_FUNC_map_lookup_elem),
4873 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4874 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4875 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4876 			BPF_EXIT_INSN(),
4877 		},
4878 		.fixup_map1 = { 4 },
4879 		.result = ACCEPT,
4880 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4881 	},
4882 	{
4883 		"invalid map access from else condition",
4884 		.insns = {
4885 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4886 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4887 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4888 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4889 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4890 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4891 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4892 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4893 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4894 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4895 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4896 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4897 			BPF_EXIT_INSN(),
4898 		},
4899 		.fixup_map2 = { 3 },
4900 		.errstr = "R0 unbounded memory access",
4901 		.result = REJECT,
4902 		.errstr_unpriv = "R0 leaks addr",
4903 		.result_unpriv = REJECT,
4904 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4905 	},
4906 	{
4907 		"constant register |= constant should keep constant type",
4908 		.insns = {
4909 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4910 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4911 			BPF_MOV64_IMM(BPF_REG_2, 34),
4912 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4913 			BPF_MOV64_IMM(BPF_REG_3, 0),
4914 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4915 			BPF_EXIT_INSN(),
4916 		},
4917 		.result = ACCEPT,
4918 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4919 	},
4920 	{
4921 		"constant register |= constant should not bypass stack boundary checks",
4922 		.insns = {
4923 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4924 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4925 			BPF_MOV64_IMM(BPF_REG_2, 34),
4926 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4927 			BPF_MOV64_IMM(BPF_REG_3, 0),
4928 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4929 			BPF_EXIT_INSN(),
4930 		},
4931 		.errstr = "invalid stack type R1 off=-48 access_size=58",
4932 		.result = REJECT,
4933 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4934 	},
4935 	{
4936 		"constant register |= constant register should keep constant type",
4937 		.insns = {
4938 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4939 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4940 			BPF_MOV64_IMM(BPF_REG_2, 34),
4941 			BPF_MOV64_IMM(BPF_REG_4, 13),
4942 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4943 			BPF_MOV64_IMM(BPF_REG_3, 0),
4944 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4945 			BPF_EXIT_INSN(),
4946 		},
4947 		.result = ACCEPT,
4948 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4949 	},
4950 	{
4951 		"constant register |= constant register should not bypass stack boundary checks",
4952 		.insns = {
4953 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4954 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4955 			BPF_MOV64_IMM(BPF_REG_2, 34),
4956 			BPF_MOV64_IMM(BPF_REG_4, 24),
4957 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4958 			BPF_MOV64_IMM(BPF_REG_3, 0),
4959 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4960 			BPF_EXIT_INSN(),
4961 		},
4962 		.errstr = "invalid stack type R1 off=-48 access_size=58",
4963 		.result = REJECT,
4964 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4965 	},
4966 	{
4967 		"invalid direct packet write for LWT_IN",
4968 		.insns = {
4969 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4970 				    offsetof(struct __sk_buff, data)),
4971 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4972 				    offsetof(struct __sk_buff, data_end)),
4973 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4974 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4975 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4976 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4977 			BPF_MOV64_IMM(BPF_REG_0, 0),
4978 			BPF_EXIT_INSN(),
4979 		},
4980 		.errstr = "cannot write into packet",
4981 		.result = REJECT,
4982 		.prog_type = BPF_PROG_TYPE_LWT_IN,
4983 	},
4984 	{
4985 		"invalid direct packet write for LWT_OUT",
4986 		.insns = {
4987 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4988 				    offsetof(struct __sk_buff, data)),
4989 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4990 				    offsetof(struct __sk_buff, data_end)),
4991 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4992 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4993 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4994 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4995 			BPF_MOV64_IMM(BPF_REG_0, 0),
4996 			BPF_EXIT_INSN(),
4997 		},
4998 		.errstr = "cannot write into packet",
4999 		.result = REJECT,
5000 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
5001 	},
5002 	{
5003 		"direct packet write for LWT_XMIT",
5004 		.insns = {
5005 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5006 				    offsetof(struct __sk_buff, data)),
5007 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5008 				    offsetof(struct __sk_buff, data_end)),
5009 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5010 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5011 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5012 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5013 			BPF_MOV64_IMM(BPF_REG_0, 0),
5014 			BPF_EXIT_INSN(),
5015 		},
5016 		.result = ACCEPT,
5017 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
5018 	},
5019 	{
5020 		"direct packet read for LWT_IN",
5021 		.insns = {
5022 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5023 				    offsetof(struct __sk_buff, data)),
5024 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5025 				    offsetof(struct __sk_buff, data_end)),
5026 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5027 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5028 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5029 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5030 			BPF_MOV64_IMM(BPF_REG_0, 0),
5031 			BPF_EXIT_INSN(),
5032 		},
5033 		.result = ACCEPT,
5034 		.prog_type = BPF_PROG_TYPE_LWT_IN,
5035 	},
5036 	{
5037 		"direct packet read for LWT_OUT",
5038 		.insns = {
5039 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5040 				    offsetof(struct __sk_buff, data)),
5041 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5042 				    offsetof(struct __sk_buff, data_end)),
5043 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5044 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5045 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5046 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5047 			BPF_MOV64_IMM(BPF_REG_0, 0),
5048 			BPF_EXIT_INSN(),
5049 		},
5050 		.result = ACCEPT,
5051 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
5052 	},
5053 	{
5054 		"direct packet read for LWT_XMIT",
5055 		.insns = {
5056 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5057 				    offsetof(struct __sk_buff, data)),
5058 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5059 				    offsetof(struct __sk_buff, data_end)),
5060 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5061 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5062 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5063 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5064 			BPF_MOV64_IMM(BPF_REG_0, 0),
5065 			BPF_EXIT_INSN(),
5066 		},
5067 		.result = ACCEPT,
5068 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
5069 	},
5070 	{
5071 		"overlapping checks for direct packet access",
5072 		.insns = {
5073 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5074 				    offsetof(struct __sk_buff, data)),
5075 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5076 				    offsetof(struct __sk_buff, data_end)),
5077 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5078 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5079 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
5080 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
5081 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
5082 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
5083 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
5084 			BPF_MOV64_IMM(BPF_REG_0, 0),
5085 			BPF_EXIT_INSN(),
5086 		},
5087 		.result = ACCEPT,
5088 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
5089 	},
5090 	{
5091 		"make headroom for LWT_XMIT",
5092 		.insns = {
5093 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5094 			BPF_MOV64_IMM(BPF_REG_2, 34),
5095 			BPF_MOV64_IMM(BPF_REG_3, 0),
5096 			BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5097 			/* split for s390 to succeed */
5098 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5099 			BPF_MOV64_IMM(BPF_REG_2, 42),
5100 			BPF_MOV64_IMM(BPF_REG_3, 0),
5101 			BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5102 			BPF_MOV64_IMM(BPF_REG_0, 0),
5103 			BPF_EXIT_INSN(),
5104 		},
5105 		.result = ACCEPT,
5106 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
5107 	},
5108 	{
5109 		"invalid access of tc_classid for LWT_IN",
5110 		.insns = {
5111 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5112 				    offsetof(struct __sk_buff, tc_classid)),
5113 			BPF_EXIT_INSN(),
5114 		},
5115 		.result = REJECT,
5116 		.errstr = "invalid bpf_context access",
5117 	},
5118 	{
5119 		"invalid access of tc_classid for LWT_OUT",
5120 		.insns = {
5121 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5122 				    offsetof(struct __sk_buff, tc_classid)),
5123 			BPF_EXIT_INSN(),
5124 		},
5125 		.result = REJECT,
5126 		.errstr = "invalid bpf_context access",
5127 	},
5128 	{
5129 		"invalid access of tc_classid for LWT_XMIT",
5130 		.insns = {
5131 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5132 				    offsetof(struct __sk_buff, tc_classid)),
5133 			BPF_EXIT_INSN(),
5134 		},
5135 		.result = REJECT,
5136 		.errstr = "invalid bpf_context access",
5137 	},
5138 	{
5139 		"leak pointer into ctx 1",
5140 		.insns = {
5141 			BPF_MOV64_IMM(BPF_REG_0, 0),
5142 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5143 				    offsetof(struct __sk_buff, cb[0])),
5144 			BPF_LD_MAP_FD(BPF_REG_2, 0),
5145 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
5146 				      offsetof(struct __sk_buff, cb[0])),
5147 			BPF_EXIT_INSN(),
5148 		},
5149 		.fixup_map1 = { 2 },
5150 		.errstr_unpriv = "R2 leaks addr into mem",
5151 		.result_unpriv = REJECT,
5152 		.result = REJECT,
5153 		.errstr = "BPF_XADD stores into R1 context is not allowed",
5154 	},
5155 	{
5156 		"leak pointer into ctx 2",
5157 		.insns = {
5158 			BPF_MOV64_IMM(BPF_REG_0, 0),
5159 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5160 				    offsetof(struct __sk_buff, cb[0])),
5161 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
5162 				      offsetof(struct __sk_buff, cb[0])),
5163 			BPF_EXIT_INSN(),
5164 		},
5165 		.errstr_unpriv = "R10 leaks addr into mem",
5166 		.result_unpriv = REJECT,
5167 		.result = REJECT,
5168 		.errstr = "BPF_XADD stores into R1 context is not allowed",
5169 	},
5170 	{
5171 		"leak pointer into ctx 3",
5172 		.insns = {
5173 			BPF_MOV64_IMM(BPF_REG_0, 0),
5174 			BPF_LD_MAP_FD(BPF_REG_2, 0),
5175 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
5176 				      offsetof(struct __sk_buff, cb[0])),
5177 			BPF_EXIT_INSN(),
5178 		},
5179 		.fixup_map1 = { 1 },
5180 		.errstr_unpriv = "R2 leaks addr into ctx",
5181 		.result_unpriv = REJECT,
5182 		.result = ACCEPT,
5183 	},
5184 	{
5185 		"leak pointer into map val",
5186 		.insns = {
5187 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5188 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5189 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5190 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5191 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5192 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5193 				     BPF_FUNC_map_lookup_elem),
5194 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5195 			BPF_MOV64_IMM(BPF_REG_3, 0),
5196 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
5197 			BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
5198 			BPF_MOV64_IMM(BPF_REG_0, 0),
5199 			BPF_EXIT_INSN(),
5200 		},
5201 		.fixup_map1 = { 4 },
5202 		.errstr_unpriv = "R6 leaks addr into mem",
5203 		.result_unpriv = REJECT,
5204 		.result = ACCEPT,
5205 	},
5206 	{
5207 		"helper access to map: full range",
5208 		.insns = {
5209 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5210 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5211 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5212 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5213 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5214 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5215 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5216 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5217 			BPF_MOV64_IMM(BPF_REG_3, 0),
5218 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5219 			BPF_EXIT_INSN(),
5220 		},
5221 		.fixup_map2 = { 3 },
5222 		.result = ACCEPT,
5223 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5224 	},
5225 	{
5226 		"helper access to map: partial range",
5227 		.insns = {
5228 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5229 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5230 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5231 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5232 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5233 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5234 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5235 			BPF_MOV64_IMM(BPF_REG_2, 8),
5236 			BPF_MOV64_IMM(BPF_REG_3, 0),
5237 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5238 			BPF_EXIT_INSN(),
5239 		},
5240 		.fixup_map2 = { 3 },
5241 		.result = ACCEPT,
5242 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5243 	},
5244 	{
5245 		"helper access to map: empty range",
5246 		.insns = {
5247 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5248 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5249 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5250 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5251 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5252 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5253 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5254 			BPF_MOV64_IMM(BPF_REG_2, 0),
5255 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5256 			BPF_EXIT_INSN(),
5257 		},
5258 		.fixup_map2 = { 3 },
5259 		.errstr = "invalid access to map value, value_size=48 off=0 size=0",
5260 		.result = REJECT,
5261 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5262 	},
5263 	{
5264 		"helper access to map: out-of-bound range",
5265 		.insns = {
5266 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5267 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5268 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5269 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5270 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5271 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5272 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5273 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5274 			BPF_MOV64_IMM(BPF_REG_3, 0),
5275 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5276 			BPF_EXIT_INSN(),
5277 		},
5278 		.fixup_map2 = { 3 },
5279 		.errstr = "invalid access to map value, value_size=48 off=0 size=56",
5280 		.result = REJECT,
5281 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5282 	},
5283 	{
5284 		"helper access to map: negative range",
5285 		.insns = {
5286 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5287 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5288 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5289 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5290 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5291 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5292 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5293 			BPF_MOV64_IMM(BPF_REG_2, -8),
5294 			BPF_MOV64_IMM(BPF_REG_3, 0),
5295 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5296 			BPF_EXIT_INSN(),
5297 		},
5298 		.fixup_map2 = { 3 },
5299 		.errstr = "R2 min value is negative",
5300 		.result = REJECT,
5301 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5302 	},
5303 	{
5304 		"helper access to adjusted map (via const imm): full range",
5305 		.insns = {
5306 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5307 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5308 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5309 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5310 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5311 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5312 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5313 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5314 				offsetof(struct test_val, foo)),
5315 			BPF_MOV64_IMM(BPF_REG_2,
5316 				sizeof(struct test_val) -
5317 				offsetof(struct test_val, foo)),
5318 			BPF_MOV64_IMM(BPF_REG_3, 0),
5319 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5320 			BPF_EXIT_INSN(),
5321 		},
5322 		.fixup_map2 = { 3 },
5323 		.result = ACCEPT,
5324 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5325 	},
5326 	{
5327 		"helper access to adjusted map (via const imm): partial range",
5328 		.insns = {
5329 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5330 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5331 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5332 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5333 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5334 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5335 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5336 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5337 				offsetof(struct test_val, foo)),
5338 			BPF_MOV64_IMM(BPF_REG_2, 8),
5339 			BPF_MOV64_IMM(BPF_REG_3, 0),
5340 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5341 			BPF_EXIT_INSN(),
5342 		},
5343 		.fixup_map2 = { 3 },
5344 		.result = ACCEPT,
5345 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5346 	},
5347 	{
5348 		"helper access to adjusted map (via const imm): empty range",
5349 		.insns = {
5350 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5351 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5352 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5353 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5354 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5355 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5356 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5357 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5358 				offsetof(struct test_val, foo)),
5359 			BPF_MOV64_IMM(BPF_REG_2, 0),
5360 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5361 			BPF_EXIT_INSN(),
5362 		},
5363 		.fixup_map2 = { 3 },
5364 		.errstr = "invalid access to map value, value_size=48 off=4 size=0",
5365 		.result = REJECT,
5366 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5367 	},
5368 	{
5369 		"helper access to adjusted map (via const imm): out-of-bound range",
5370 		.insns = {
5371 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5372 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5373 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5374 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5375 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5376 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5377 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5378 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5379 				offsetof(struct test_val, foo)),
5380 			BPF_MOV64_IMM(BPF_REG_2,
5381 				sizeof(struct test_val) -
5382 				offsetof(struct test_val, foo) + 8),
5383 			BPF_MOV64_IMM(BPF_REG_3, 0),
5384 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5385 			BPF_EXIT_INSN(),
5386 		},
5387 		.fixup_map2 = { 3 },
5388 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
5389 		.result = REJECT,
5390 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5391 	},
5392 	{
5393 		"helper access to adjusted map (via const imm): negative range (> adjustment)",
5394 		.insns = {
5395 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5396 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5397 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5398 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5399 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5400 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5401 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5402 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5403 				offsetof(struct test_val, foo)),
5404 			BPF_MOV64_IMM(BPF_REG_2, -8),
5405 			BPF_MOV64_IMM(BPF_REG_3, 0),
5406 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5407 			BPF_EXIT_INSN(),
5408 		},
5409 		.fixup_map2 = { 3 },
5410 		.errstr = "R2 min value is negative",
5411 		.result = REJECT,
5412 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5413 	},
5414 	{
5415 		"helper access to adjusted map (via const imm): negative range (< adjustment)",
5416 		.insns = {
5417 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5418 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5419 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5420 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5421 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5422 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5423 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5424 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5425 				offsetof(struct test_val, foo)),
5426 			BPF_MOV64_IMM(BPF_REG_2, -1),
5427 			BPF_MOV64_IMM(BPF_REG_3, 0),
5428 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5429 			BPF_EXIT_INSN(),
5430 		},
5431 		.fixup_map2 = { 3 },
5432 		.errstr = "R2 min value is negative",
5433 		.result = REJECT,
5434 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5435 	},
5436 	{
5437 		"helper access to adjusted map (via const reg): full range",
5438 		.insns = {
5439 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5440 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5441 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5442 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5443 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5444 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5445 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5446 			BPF_MOV64_IMM(BPF_REG_3,
5447 				offsetof(struct test_val, foo)),
5448 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5449 			BPF_MOV64_IMM(BPF_REG_2,
5450 				sizeof(struct test_val) -
5451 				offsetof(struct test_val, foo)),
5452 			BPF_MOV64_IMM(BPF_REG_3, 0),
5453 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5454 			BPF_EXIT_INSN(),
5455 		},
5456 		.fixup_map2 = { 3 },
5457 		.result = ACCEPT,
5458 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5459 	},
5460 	{
5461 		"helper access to adjusted map (via const reg): partial range",
5462 		.insns = {
5463 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5464 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5465 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5466 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5467 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5468 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5469 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5470 			BPF_MOV64_IMM(BPF_REG_3,
5471 				offsetof(struct test_val, foo)),
5472 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5473 			BPF_MOV64_IMM(BPF_REG_2, 8),
5474 			BPF_MOV64_IMM(BPF_REG_3, 0),
5475 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5476 			BPF_EXIT_INSN(),
5477 		},
5478 		.fixup_map2 = { 3 },
5479 		.result = ACCEPT,
5480 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5481 	},
5482 	{
5483 		"helper access to adjusted map (via const reg): empty range",
5484 		.insns = {
5485 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5486 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5487 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5488 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5489 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5490 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5491 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5492 			BPF_MOV64_IMM(BPF_REG_3, 0),
5493 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5494 			BPF_MOV64_IMM(BPF_REG_2, 0),
5495 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5496 			BPF_EXIT_INSN(),
5497 		},
5498 		.fixup_map2 = { 3 },
5499 		.errstr = "R1 min value is outside of the array range",
5500 		.result = REJECT,
5501 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5502 	},
5503 	{
5504 		"helper access to adjusted map (via const reg): out-of-bound range",
5505 		.insns = {
5506 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5507 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5508 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5509 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5510 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5511 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5512 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5513 			BPF_MOV64_IMM(BPF_REG_3,
5514 				offsetof(struct test_val, foo)),
5515 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5516 			BPF_MOV64_IMM(BPF_REG_2,
5517 				sizeof(struct test_val) -
5518 				offsetof(struct test_val, foo) + 8),
5519 			BPF_MOV64_IMM(BPF_REG_3, 0),
5520 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5521 			BPF_EXIT_INSN(),
5522 		},
5523 		.fixup_map2 = { 3 },
5524 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
5525 		.result = REJECT,
5526 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5527 	},
5528 	{
5529 		"helper access to adjusted map (via const reg): negative range (> adjustment)",
5530 		.insns = {
5531 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5532 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5533 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5534 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5535 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5536 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5537 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5538 			BPF_MOV64_IMM(BPF_REG_3,
5539 				offsetof(struct test_val, foo)),
5540 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5541 			BPF_MOV64_IMM(BPF_REG_2, -8),
5542 			BPF_MOV64_IMM(BPF_REG_3, 0),
5543 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5544 			BPF_EXIT_INSN(),
5545 		},
5546 		.fixup_map2 = { 3 },
5547 		.errstr = "R2 min value is negative",
5548 		.result = REJECT,
5549 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5550 	},
5551 	{
5552 		"helper access to adjusted map (via const reg): negative range (< adjustment)",
5553 		.insns = {
5554 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5555 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5556 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5557 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5558 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5559 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5560 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5561 			BPF_MOV64_IMM(BPF_REG_3,
5562 				offsetof(struct test_val, foo)),
5563 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5564 			BPF_MOV64_IMM(BPF_REG_2, -1),
5565 			BPF_MOV64_IMM(BPF_REG_3, 0),
5566 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5567 			BPF_EXIT_INSN(),
5568 		},
5569 		.fixup_map2 = { 3 },
5570 		.errstr = "R2 min value is negative",
5571 		.result = REJECT,
5572 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5573 	},
5574 	{
5575 		"helper access to adjusted map (via variable): full range",
5576 		.insns = {
5577 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5578 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5579 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5580 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5581 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5582 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5583 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5584 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5585 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5586 				offsetof(struct test_val, foo), 4),
5587 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5588 			BPF_MOV64_IMM(BPF_REG_2,
5589 				sizeof(struct test_val) -
5590 				offsetof(struct test_val, foo)),
5591 			BPF_MOV64_IMM(BPF_REG_3, 0),
5592 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5593 			BPF_EXIT_INSN(),
5594 		},
5595 		.fixup_map2 = { 3 },
5596 		.result = ACCEPT,
5597 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5598 	},
5599 	{
5600 		"helper access to adjusted map (via variable): partial range",
5601 		.insns = {
5602 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5603 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5604 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5605 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5606 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5607 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5608 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5609 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5610 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5611 				offsetof(struct test_val, foo), 4),
5612 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5613 			BPF_MOV64_IMM(BPF_REG_2, 8),
5614 			BPF_MOV64_IMM(BPF_REG_3, 0),
5615 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5616 			BPF_EXIT_INSN(),
5617 		},
5618 		.fixup_map2 = { 3 },
5619 		.result = ACCEPT,
5620 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5621 	},
5622 	{
5623 		"helper access to adjusted map (via variable): empty range",
5624 		.insns = {
5625 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5626 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5627 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5628 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5629 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5630 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5631 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5632 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5633 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5634 				offsetof(struct test_val, foo), 3),
5635 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5636 			BPF_MOV64_IMM(BPF_REG_2, 0),
5637 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5638 			BPF_EXIT_INSN(),
5639 		},
5640 		.fixup_map2 = { 3 },
5641 		.errstr = "R1 min value is outside of the array range",
5642 		.result = REJECT,
5643 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5644 	},
5645 	{
5646 		"helper access to adjusted map (via variable): no max check",
5647 		.insns = {
5648 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5649 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5650 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5651 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5652 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5653 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5654 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5655 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5656 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5657 			BPF_MOV64_IMM(BPF_REG_2, 1),
5658 			BPF_MOV64_IMM(BPF_REG_3, 0),
5659 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5660 			BPF_EXIT_INSN(),
5661 		},
5662 		.fixup_map2 = { 3 },
5663 		.errstr = "R1 unbounded memory access",
5664 		.result = REJECT,
5665 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5666 	},
5667 	{
5668 		"helper access to adjusted map (via variable): wrong max check",
5669 		.insns = {
5670 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5671 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5672 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5673 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5674 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5675 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5676 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5677 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5678 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5679 				offsetof(struct test_val, foo), 4),
5680 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5681 			BPF_MOV64_IMM(BPF_REG_2,
5682 				sizeof(struct test_val) -
5683 				offsetof(struct test_val, foo) + 1),
5684 			BPF_MOV64_IMM(BPF_REG_3, 0),
5685 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5686 			BPF_EXIT_INSN(),
5687 		},
5688 		.fixup_map2 = { 3 },
5689 		.errstr = "invalid access to map value, value_size=48 off=4 size=45",
5690 		.result = REJECT,
5691 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5692 	},
5693 	{
5694 		"helper access to map: bounds check using <, good access",
5695 		.insns = {
5696 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5697 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5698 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5699 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5700 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5701 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5702 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5703 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5704 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5705 			BPF_MOV64_IMM(BPF_REG_0, 0),
5706 			BPF_EXIT_INSN(),
5707 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5708 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5709 			BPF_MOV64_IMM(BPF_REG_0, 0),
5710 			BPF_EXIT_INSN(),
5711 		},
5712 		.fixup_map2 = { 3 },
5713 		.result = ACCEPT,
5714 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5715 	},
5716 	{
5717 		"helper access to map: bounds check using <, bad access",
5718 		.insns = {
5719 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5720 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5721 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5722 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5723 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5724 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5725 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5726 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5727 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5728 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5729 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5730 			BPF_MOV64_IMM(BPF_REG_0, 0),
5731 			BPF_EXIT_INSN(),
5732 			BPF_MOV64_IMM(BPF_REG_0, 0),
5733 			BPF_EXIT_INSN(),
5734 		},
5735 		.fixup_map2 = { 3 },
5736 		.result = REJECT,
5737 		.errstr = "R1 unbounded memory access",
5738 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5739 	},
5740 	{
5741 		"helper access to map: bounds check using <=, good access",
5742 		.insns = {
5743 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5744 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5745 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5746 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5747 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5748 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5749 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5750 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5751 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5752 			BPF_MOV64_IMM(BPF_REG_0, 0),
5753 			BPF_EXIT_INSN(),
5754 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5755 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5756 			BPF_MOV64_IMM(BPF_REG_0, 0),
5757 			BPF_EXIT_INSN(),
5758 		},
5759 		.fixup_map2 = { 3 },
5760 		.result = ACCEPT,
5761 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5762 	},
5763 	{
5764 		"helper access to map: bounds check using <=, bad access",
5765 		.insns = {
5766 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5767 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5768 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5769 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5770 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5771 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5772 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5773 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5774 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5775 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5776 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5777 			BPF_MOV64_IMM(BPF_REG_0, 0),
5778 			BPF_EXIT_INSN(),
5779 			BPF_MOV64_IMM(BPF_REG_0, 0),
5780 			BPF_EXIT_INSN(),
5781 		},
5782 		.fixup_map2 = { 3 },
5783 		.result = REJECT,
5784 		.errstr = "R1 unbounded memory access",
5785 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5786 	},
5787 	{
5788 		"helper access to map: bounds check using s<, good access",
5789 		.insns = {
5790 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5791 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5792 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5793 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5794 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5795 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5796 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5797 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5798 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5799 			BPF_MOV64_IMM(BPF_REG_0, 0),
5800 			BPF_EXIT_INSN(),
5801 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5802 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5803 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5804 			BPF_MOV64_IMM(BPF_REG_0, 0),
5805 			BPF_EXIT_INSN(),
5806 		},
5807 		.fixup_map2 = { 3 },
5808 		.result = ACCEPT,
5809 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5810 	},
5811 	{
5812 		"helper access to map: bounds check using s<, good access 2",
5813 		.insns = {
5814 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5815 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5816 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5817 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5818 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5819 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5820 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5821 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5822 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5823 			BPF_MOV64_IMM(BPF_REG_0, 0),
5824 			BPF_EXIT_INSN(),
5825 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5826 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5827 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5828 			BPF_MOV64_IMM(BPF_REG_0, 0),
5829 			BPF_EXIT_INSN(),
5830 		},
5831 		.fixup_map2 = { 3 },
5832 		.result = ACCEPT,
5833 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5834 	},
5835 	{
5836 		"helper access to map: bounds check using s<, bad access",
5837 		.insns = {
5838 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5839 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5840 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5841 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5842 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5843 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5844 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5845 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5846 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5847 			BPF_MOV64_IMM(BPF_REG_0, 0),
5848 			BPF_EXIT_INSN(),
5849 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5850 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5851 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5852 			BPF_MOV64_IMM(BPF_REG_0, 0),
5853 			BPF_EXIT_INSN(),
5854 		},
5855 		.fixup_map2 = { 3 },
5856 		.result = REJECT,
5857 		.errstr = "R1 min value is negative",
5858 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5859 	},
5860 	{
5861 		"helper access to map: bounds check using s<=, good access",
5862 		.insns = {
5863 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5864 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5865 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5866 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5867 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5868 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5869 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5870 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5871 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5872 			BPF_MOV64_IMM(BPF_REG_0, 0),
5873 			BPF_EXIT_INSN(),
5874 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5875 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5876 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5877 			BPF_MOV64_IMM(BPF_REG_0, 0),
5878 			BPF_EXIT_INSN(),
5879 		},
5880 		.fixup_map2 = { 3 },
5881 		.result = ACCEPT,
5882 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5883 	},
5884 	{
5885 		"helper access to map: bounds check using s<=, good access 2",
5886 		.insns = {
5887 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5888 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5889 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5890 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5891 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5892 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5893 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5894 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5895 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5896 			BPF_MOV64_IMM(BPF_REG_0, 0),
5897 			BPF_EXIT_INSN(),
5898 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5899 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5900 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5901 			BPF_MOV64_IMM(BPF_REG_0, 0),
5902 			BPF_EXIT_INSN(),
5903 		},
5904 		.fixup_map2 = { 3 },
5905 		.result = ACCEPT,
5906 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5907 	},
5908 	{
5909 		"helper access to map: bounds check using s<=, bad access",
5910 		.insns = {
5911 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5912 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5913 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5914 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5915 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5916 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5917 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5918 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5919 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5920 			BPF_MOV64_IMM(BPF_REG_0, 0),
5921 			BPF_EXIT_INSN(),
5922 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5923 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5924 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5925 			BPF_MOV64_IMM(BPF_REG_0, 0),
5926 			BPF_EXIT_INSN(),
5927 		},
5928 		.fixup_map2 = { 3 },
5929 		.result = REJECT,
5930 		.errstr = "R1 min value is negative",
5931 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5932 	},
5933 	{
5934 		"map lookup helper access to map",
5935 		.insns = {
5936 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5937 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5938 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5939 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5940 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5941 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5942 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5943 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5944 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5945 			BPF_EXIT_INSN(),
5946 		},
5947 		.fixup_map3 = { 3, 8 },
5948 		.result = ACCEPT,
5949 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5950 	},
5951 	{
5952 		"map update helper access to map",
5953 		.insns = {
5954 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5955 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5956 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5957 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5958 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5959 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5960 			BPF_MOV64_IMM(BPF_REG_4, 0),
5961 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5962 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5963 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5964 			BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5965 			BPF_EXIT_INSN(),
5966 		},
5967 		.fixup_map3 = { 3, 10 },
5968 		.result = ACCEPT,
5969 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5970 	},
5971 	{
5972 		"map update helper access to map: wrong size",
5973 		.insns = {
5974 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5975 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5976 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5977 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5978 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5979 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5980 			BPF_MOV64_IMM(BPF_REG_4, 0),
5981 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5982 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5983 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5984 			BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5985 			BPF_EXIT_INSN(),
5986 		},
5987 		.fixup_map1 = { 3 },
5988 		.fixup_map3 = { 10 },
5989 		.result = REJECT,
5990 		.errstr = "invalid access to map value, value_size=8 off=0 size=16",
5991 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5992 	},
5993 	{
5994 		"map helper access to adjusted map (via const imm)",
5995 		.insns = {
5996 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5997 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5998 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5999 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6000 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6001 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6002 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6003 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6004 				      offsetof(struct other_val, bar)),
6005 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6006 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6007 			BPF_EXIT_INSN(),
6008 		},
6009 		.fixup_map3 = { 3, 9 },
6010 		.result = ACCEPT,
6011 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6012 	},
6013 	{
6014 		"map helper access to adjusted map (via const imm): out-of-bound 1",
6015 		.insns = {
6016 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6017 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6018 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6019 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6020 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6021 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6022 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6023 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6024 				      sizeof(struct other_val) - 4),
6025 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6026 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6027 			BPF_EXIT_INSN(),
6028 		},
6029 		.fixup_map3 = { 3, 9 },
6030 		.result = REJECT,
6031 		.errstr = "invalid access to map value, value_size=16 off=12 size=8",
6032 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6033 	},
6034 	{
6035 		"map helper access to adjusted map (via const imm): out-of-bound 2",
6036 		.insns = {
6037 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6038 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6039 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6040 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6041 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6042 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6043 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6044 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6045 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6046 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6047 			BPF_EXIT_INSN(),
6048 		},
6049 		.fixup_map3 = { 3, 9 },
6050 		.result = REJECT,
6051 		.errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6052 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6053 	},
6054 	{
6055 		"map helper access to adjusted map (via const reg)",
6056 		.insns = {
6057 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6058 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6059 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6060 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6061 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6062 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6063 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6064 			BPF_MOV64_IMM(BPF_REG_3,
6065 				      offsetof(struct other_val, bar)),
6066 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6067 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6068 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6069 			BPF_EXIT_INSN(),
6070 		},
6071 		.fixup_map3 = { 3, 10 },
6072 		.result = ACCEPT,
6073 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6074 	},
6075 	{
6076 		"map helper access to adjusted map (via const reg): out-of-bound 1",
6077 		.insns = {
6078 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6079 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6080 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6081 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6082 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6083 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6084 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6085 			BPF_MOV64_IMM(BPF_REG_3,
6086 				      sizeof(struct other_val) - 4),
6087 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6088 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6089 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6090 			BPF_EXIT_INSN(),
6091 		},
6092 		.fixup_map3 = { 3, 10 },
6093 		.result = REJECT,
6094 		.errstr = "invalid access to map value, value_size=16 off=12 size=8",
6095 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6096 	},
6097 	{
6098 		"map helper access to adjusted map (via const reg): out-of-bound 2",
6099 		.insns = {
6100 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6101 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6102 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6103 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6104 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6105 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6106 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6107 			BPF_MOV64_IMM(BPF_REG_3, -4),
6108 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6109 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6110 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6111 			BPF_EXIT_INSN(),
6112 		},
6113 		.fixup_map3 = { 3, 10 },
6114 		.result = REJECT,
6115 		.errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6116 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6117 	},
6118 	{
6119 		"map helper access to adjusted map (via variable)",
6120 		.insns = {
6121 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6122 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6123 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6124 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6125 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6126 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6127 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6128 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6129 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6130 				    offsetof(struct other_val, bar), 4),
6131 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6132 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6133 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6134 			BPF_EXIT_INSN(),
6135 		},
6136 		.fixup_map3 = { 3, 11 },
6137 		.result = ACCEPT,
6138 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6139 	},
6140 	{
6141 		"map helper access to adjusted map (via variable): no max check",
6142 		.insns = {
6143 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6144 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6145 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6146 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6147 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6148 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6149 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6150 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6151 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6152 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6153 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6154 			BPF_EXIT_INSN(),
6155 		},
6156 		.fixup_map3 = { 3, 10 },
6157 		.result = REJECT,
6158 		.errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
6159 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6160 	},
6161 	{
6162 		"map helper access to adjusted map (via variable): wrong max check",
6163 		.insns = {
6164 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6165 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6166 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6167 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6168 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6169 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6170 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6171 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6172 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6173 				    offsetof(struct other_val, bar) + 1, 4),
6174 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6175 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6176 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6177 			BPF_EXIT_INSN(),
6178 		},
6179 		.fixup_map3 = { 3, 11 },
6180 		.result = REJECT,
6181 		.errstr = "invalid access to map value, value_size=16 off=9 size=8",
6182 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6183 	},
6184 	{
6185 		"map element value is preserved across register spilling",
6186 		.insns = {
6187 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6188 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6189 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6190 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6191 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6192 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6193 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6194 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6195 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6196 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6197 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6198 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6199 			BPF_EXIT_INSN(),
6200 		},
6201 		.fixup_map2 = { 3 },
6202 		.errstr_unpriv = "R0 leaks addr",
6203 		.result = ACCEPT,
6204 		.result_unpriv = REJECT,
6205 	},
6206 	{
6207 		"map element value or null is marked on register spilling",
6208 		.insns = {
6209 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6210 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6211 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6212 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6213 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6214 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6215 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
6216 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6217 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6218 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6219 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6220 			BPF_EXIT_INSN(),
6221 		},
6222 		.fixup_map2 = { 3 },
6223 		.errstr_unpriv = "R0 leaks addr",
6224 		.result = ACCEPT,
6225 		.result_unpriv = REJECT,
6226 	},
6227 	{
6228 		"map element value store of cleared call register",
6229 		.insns = {
6230 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6231 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6232 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6233 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6234 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6235 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
6236 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
6237 			BPF_EXIT_INSN(),
6238 		},
6239 		.fixup_map2 = { 3 },
6240 		.errstr_unpriv = "R1 !read_ok",
6241 		.errstr = "R1 !read_ok",
6242 		.result = REJECT,
6243 		.result_unpriv = REJECT,
6244 	},
6245 	{
6246 		"map element value with unaligned store",
6247 		.insns = {
6248 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6249 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6250 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6251 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6252 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6253 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
6254 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6255 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6256 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
6257 			BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
6258 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6259 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
6260 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
6261 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
6262 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
6263 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
6264 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
6265 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
6266 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
6267 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
6268 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
6269 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
6270 			BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
6271 			BPF_EXIT_INSN(),
6272 		},
6273 		.fixup_map2 = { 3 },
6274 		.errstr_unpriv = "R0 leaks addr",
6275 		.result = ACCEPT,
6276 		.result_unpriv = REJECT,
6277 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6278 	},
6279 	{
6280 		"map element value with unaligned load",
6281 		.insns = {
6282 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6283 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6284 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6285 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6286 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6287 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6288 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6289 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
6290 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6291 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6292 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
6293 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6294 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
6295 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
6296 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
6297 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6298 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
6299 			BPF_EXIT_INSN(),
6300 		},
6301 		.fixup_map2 = { 3 },
6302 		.errstr_unpriv = "R0 leaks addr",
6303 		.result = ACCEPT,
6304 		.result_unpriv = REJECT,
6305 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6306 	},
6307 	{
6308 		"map element value illegal alu op, 1",
6309 		.insns = {
6310 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6311 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6312 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6313 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6314 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6315 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6316 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
6317 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6318 			BPF_EXIT_INSN(),
6319 		},
6320 		.fixup_map2 = { 3 },
6321 		.errstr = "R0 bitwise operator &= on pointer",
6322 		.result = REJECT,
6323 	},
6324 	{
6325 		"map element value illegal alu op, 2",
6326 		.insns = {
6327 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6328 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6329 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6330 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6331 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6332 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6333 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
6334 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6335 			BPF_EXIT_INSN(),
6336 		},
6337 		.fixup_map2 = { 3 },
6338 		.errstr = "R0 32-bit pointer arithmetic prohibited",
6339 		.result = REJECT,
6340 	},
6341 	{
6342 		"map element value illegal alu op, 3",
6343 		.insns = {
6344 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6345 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6346 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6347 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6348 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6349 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6350 			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
6351 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6352 			BPF_EXIT_INSN(),
6353 		},
6354 		.fixup_map2 = { 3 },
6355 		.errstr = "R0 pointer arithmetic with /= operator",
6356 		.result = REJECT,
6357 	},
6358 	{
6359 		"map element value illegal alu op, 4",
6360 		.insns = {
6361 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6362 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6363 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6364 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6365 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6366 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6367 			BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
6368 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6369 			BPF_EXIT_INSN(),
6370 		},
6371 		.fixup_map2 = { 3 },
6372 		.errstr_unpriv = "R0 pointer arithmetic prohibited",
6373 		.errstr = "invalid mem access 'inv'",
6374 		.result = REJECT,
6375 		.result_unpriv = REJECT,
6376 	},
6377 	{
6378 		"map element value illegal alu op, 5",
6379 		.insns = {
6380 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6381 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6382 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6383 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6384 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6385 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6386 			BPF_MOV64_IMM(BPF_REG_3, 4096),
6387 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6388 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6389 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6390 			BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
6391 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
6392 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6393 			BPF_EXIT_INSN(),
6394 		},
6395 		.fixup_map2 = { 3 },
6396 		.errstr = "R0 invalid mem access 'inv'",
6397 		.result = REJECT,
6398 	},
6399 	{
6400 		"map element value is preserved across register spilling",
6401 		.insns = {
6402 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6403 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6404 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6405 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6406 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6407 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6408 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
6409 				offsetof(struct test_val, foo)),
6410 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6411 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6412 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6413 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6414 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6415 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6416 			BPF_EXIT_INSN(),
6417 		},
6418 		.fixup_map2 = { 3 },
6419 		.errstr_unpriv = "R0 leaks addr",
6420 		.result = ACCEPT,
6421 		.result_unpriv = REJECT,
6422 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6423 	},
6424 	{
6425 		"helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
6426 		.insns = {
6427 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6428 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6429 			BPF_MOV64_IMM(BPF_REG_0, 0),
6430 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6431 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6432 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6433 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6434 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6435 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6436 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6437 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6438 			BPF_MOV64_IMM(BPF_REG_2, 16),
6439 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6440 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6441 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6442 			BPF_MOV64_IMM(BPF_REG_4, 0),
6443 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6444 			BPF_MOV64_IMM(BPF_REG_3, 0),
6445 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6446 			BPF_MOV64_IMM(BPF_REG_0, 0),
6447 			BPF_EXIT_INSN(),
6448 		},
6449 		.result = ACCEPT,
6450 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6451 	},
6452 	{
6453 		"helper access to variable memory: stack, bitwise AND, zero included",
6454 		.insns = {
6455 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6456 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6457 			BPF_MOV64_IMM(BPF_REG_2, 16),
6458 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6459 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6460 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6461 			BPF_MOV64_IMM(BPF_REG_3, 0),
6462 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6463 			BPF_EXIT_INSN(),
6464 		},
6465 		.errstr = "invalid indirect read from stack off -64+0 size 64",
6466 		.result = REJECT,
6467 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6468 	},
6469 	{
6470 		"helper access to variable memory: stack, bitwise AND + JMP, wrong max",
6471 		.insns = {
6472 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6473 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6474 			BPF_MOV64_IMM(BPF_REG_2, 16),
6475 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6476 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6477 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
6478 			BPF_MOV64_IMM(BPF_REG_4, 0),
6479 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6480 			BPF_MOV64_IMM(BPF_REG_3, 0),
6481 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6482 			BPF_MOV64_IMM(BPF_REG_0, 0),
6483 			BPF_EXIT_INSN(),
6484 		},
6485 		.errstr = "invalid stack type R1 off=-64 access_size=65",
6486 		.result = REJECT,
6487 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6488 	},
6489 	{
6490 		"helper access to variable memory: stack, JMP, correct bounds",
6491 		.insns = {
6492 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6493 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6494 			BPF_MOV64_IMM(BPF_REG_0, 0),
6495 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6496 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6497 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6498 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6499 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6500 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6501 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6502 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6503 			BPF_MOV64_IMM(BPF_REG_2, 16),
6504 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6505 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6506 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
6507 			BPF_MOV64_IMM(BPF_REG_4, 0),
6508 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6509 			BPF_MOV64_IMM(BPF_REG_3, 0),
6510 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6511 			BPF_MOV64_IMM(BPF_REG_0, 0),
6512 			BPF_EXIT_INSN(),
6513 		},
6514 		.result = ACCEPT,
6515 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6516 	},
6517 	{
6518 		"helper access to variable memory: stack, JMP (signed), correct bounds",
6519 		.insns = {
6520 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6521 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6522 			BPF_MOV64_IMM(BPF_REG_0, 0),
6523 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6524 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6525 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6526 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6527 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6528 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6529 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6530 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6531 			BPF_MOV64_IMM(BPF_REG_2, 16),
6532 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6533 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6534 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
6535 			BPF_MOV64_IMM(BPF_REG_4, 0),
6536 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6537 			BPF_MOV64_IMM(BPF_REG_3, 0),
6538 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6539 			BPF_MOV64_IMM(BPF_REG_0, 0),
6540 			BPF_EXIT_INSN(),
6541 		},
6542 		.result = ACCEPT,
6543 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6544 	},
6545 	{
6546 		"helper access to variable memory: stack, JMP, bounds + offset",
6547 		.insns = {
6548 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6549 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6550 			BPF_MOV64_IMM(BPF_REG_2, 16),
6551 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6552 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6553 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
6554 			BPF_MOV64_IMM(BPF_REG_4, 0),
6555 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
6556 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6557 			BPF_MOV64_IMM(BPF_REG_3, 0),
6558 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6559 			BPF_MOV64_IMM(BPF_REG_0, 0),
6560 			BPF_EXIT_INSN(),
6561 		},
6562 		.errstr = "invalid stack type R1 off=-64 access_size=65",
6563 		.result = REJECT,
6564 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6565 	},
6566 	{
6567 		"helper access to variable memory: stack, JMP, wrong max",
6568 		.insns = {
6569 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6570 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6571 			BPF_MOV64_IMM(BPF_REG_2, 16),
6572 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6573 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6574 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
6575 			BPF_MOV64_IMM(BPF_REG_4, 0),
6576 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6577 			BPF_MOV64_IMM(BPF_REG_3, 0),
6578 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6579 			BPF_MOV64_IMM(BPF_REG_0, 0),
6580 			BPF_EXIT_INSN(),
6581 		},
6582 		.errstr = "invalid stack type R1 off=-64 access_size=65",
6583 		.result = REJECT,
6584 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6585 	},
6586 	{
6587 		"helper access to variable memory: stack, JMP, no max check",
6588 		.insns = {
6589 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6590 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6591 			BPF_MOV64_IMM(BPF_REG_2, 16),
6592 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6593 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6594 			BPF_MOV64_IMM(BPF_REG_4, 0),
6595 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6596 			BPF_MOV64_IMM(BPF_REG_3, 0),
6597 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6598 			BPF_MOV64_IMM(BPF_REG_0, 0),
6599 			BPF_EXIT_INSN(),
6600 		},
6601 		/* because max wasn't checked, signed min is negative */
6602 		.errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
6603 		.result = REJECT,
6604 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6605 	},
6606 	{
6607 		"helper access to variable memory: stack, JMP, no min check",
6608 		.insns = {
6609 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6610 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6611 			BPF_MOV64_IMM(BPF_REG_2, 16),
6612 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6613 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6614 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
6615 			BPF_MOV64_IMM(BPF_REG_3, 0),
6616 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6617 			BPF_MOV64_IMM(BPF_REG_0, 0),
6618 			BPF_EXIT_INSN(),
6619 		},
6620 		.errstr = "invalid indirect read from stack off -64+0 size 64",
6621 		.result = REJECT,
6622 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6623 	},
6624 	{
6625 		"helper access to variable memory: stack, JMP (signed), no min check",
6626 		.insns = {
6627 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6628 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6629 			BPF_MOV64_IMM(BPF_REG_2, 16),
6630 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6631 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6632 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
6633 			BPF_MOV64_IMM(BPF_REG_3, 0),
6634 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6635 			BPF_MOV64_IMM(BPF_REG_0, 0),
6636 			BPF_EXIT_INSN(),
6637 		},
6638 		.errstr = "R2 min value is negative",
6639 		.result = REJECT,
6640 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6641 	},
6642 	{
6643 		"helper access to variable memory: map, JMP, correct bounds",
6644 		.insns = {
6645 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6646 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6647 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6648 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6649 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6650 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6651 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6652 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6653 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6654 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6655 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6656 				sizeof(struct test_val), 4),
6657 			BPF_MOV64_IMM(BPF_REG_4, 0),
6658 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6659 			BPF_MOV64_IMM(BPF_REG_3, 0),
6660 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6661 			BPF_MOV64_IMM(BPF_REG_0, 0),
6662 			BPF_EXIT_INSN(),
6663 		},
6664 		.fixup_map2 = { 3 },
6665 		.result = ACCEPT,
6666 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6667 	},
6668 	{
6669 		"helper access to variable memory: map, JMP, wrong max",
6670 		.insns = {
6671 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6672 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6673 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6674 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6675 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6676 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6677 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6678 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6679 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6680 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6681 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6682 				sizeof(struct test_val) + 1, 4),
6683 			BPF_MOV64_IMM(BPF_REG_4, 0),
6684 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6685 			BPF_MOV64_IMM(BPF_REG_3, 0),
6686 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6687 			BPF_MOV64_IMM(BPF_REG_0, 0),
6688 			BPF_EXIT_INSN(),
6689 		},
6690 		.fixup_map2 = { 3 },
6691 		.errstr = "invalid access to map value, value_size=48 off=0 size=49",
6692 		.result = REJECT,
6693 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6694 	},
6695 	{
6696 		"helper access to variable memory: map adjusted, JMP, correct bounds",
6697 		.insns = {
6698 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6699 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6700 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6701 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6702 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6703 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6704 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6705 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6706 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6707 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6708 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6709 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6710 				sizeof(struct test_val) - 20, 4),
6711 			BPF_MOV64_IMM(BPF_REG_4, 0),
6712 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6713 			BPF_MOV64_IMM(BPF_REG_3, 0),
6714 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6715 			BPF_MOV64_IMM(BPF_REG_0, 0),
6716 			BPF_EXIT_INSN(),
6717 		},
6718 		.fixup_map2 = { 3 },
6719 		.result = ACCEPT,
6720 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6721 	},
6722 	{
6723 		"helper access to variable memory: map adjusted, JMP, wrong max",
6724 		.insns = {
6725 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6726 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6727 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6728 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6729 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6730 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6731 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6732 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6733 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6734 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6735 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6736 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6737 				sizeof(struct test_val) - 19, 4),
6738 			BPF_MOV64_IMM(BPF_REG_4, 0),
6739 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6740 			BPF_MOV64_IMM(BPF_REG_3, 0),
6741 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6742 			BPF_MOV64_IMM(BPF_REG_0, 0),
6743 			BPF_EXIT_INSN(),
6744 		},
6745 		.fixup_map2 = { 3 },
6746 		.errstr = "R1 min value is outside of the array range",
6747 		.result = REJECT,
6748 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6749 	},
6750 	{
6751 		"helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6752 		.insns = {
6753 			BPF_MOV64_IMM(BPF_REG_1, 0),
6754 			BPF_MOV64_IMM(BPF_REG_2, 0),
6755 			BPF_MOV64_IMM(BPF_REG_3, 0),
6756 			BPF_MOV64_IMM(BPF_REG_4, 0),
6757 			BPF_MOV64_IMM(BPF_REG_5, 0),
6758 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6759 			BPF_EXIT_INSN(),
6760 		},
6761 		.result = ACCEPT,
6762 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6763 	},
6764 	{
6765 		"helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6766 		.insns = {
6767 			BPF_MOV64_IMM(BPF_REG_1, 0),
6768 			BPF_MOV64_IMM(BPF_REG_2, 1),
6769 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6770 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6771 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6772 			BPF_MOV64_IMM(BPF_REG_3, 0),
6773 			BPF_MOV64_IMM(BPF_REG_4, 0),
6774 			BPF_MOV64_IMM(BPF_REG_5, 0),
6775 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6776 			BPF_EXIT_INSN(),
6777 		},
6778 		.errstr = "R1 type=inv expected=fp",
6779 		.result = REJECT,
6780 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6781 	},
6782 	{
6783 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6784 		.insns = {
6785 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6786 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6787 			BPF_MOV64_IMM(BPF_REG_2, 0),
6788 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6789 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
6790 			BPF_MOV64_IMM(BPF_REG_3, 0),
6791 			BPF_MOV64_IMM(BPF_REG_4, 0),
6792 			BPF_MOV64_IMM(BPF_REG_5, 0),
6793 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6794 			BPF_EXIT_INSN(),
6795 		},
6796 		.result = ACCEPT,
6797 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6798 	},
6799 	{
6800 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6801 		.insns = {
6802 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6803 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6804 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6805 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6806 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6807 				     BPF_FUNC_map_lookup_elem),
6808 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6809 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6810 			BPF_MOV64_IMM(BPF_REG_2, 0),
6811 			BPF_MOV64_IMM(BPF_REG_3, 0),
6812 			BPF_MOV64_IMM(BPF_REG_4, 0),
6813 			BPF_MOV64_IMM(BPF_REG_5, 0),
6814 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6815 			BPF_EXIT_INSN(),
6816 		},
6817 		.fixup_map1 = { 3 },
6818 		.result = ACCEPT,
6819 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6820 	},
6821 	{
6822 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6823 		.insns = {
6824 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6825 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6826 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6827 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6828 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6829 				     BPF_FUNC_map_lookup_elem),
6830 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6831 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6832 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
6833 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6834 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6835 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6836 			BPF_MOV64_IMM(BPF_REG_3, 0),
6837 			BPF_MOV64_IMM(BPF_REG_4, 0),
6838 			BPF_MOV64_IMM(BPF_REG_5, 0),
6839 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6840 			BPF_EXIT_INSN(),
6841 		},
6842 		.fixup_map1 = { 3 },
6843 		.result = ACCEPT,
6844 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6845 	},
6846 	{
6847 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6848 		.insns = {
6849 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6850 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6851 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6852 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6853 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6854 				     BPF_FUNC_map_lookup_elem),
6855 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6856 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6857 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6858 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6859 			BPF_MOV64_IMM(BPF_REG_3, 0),
6860 			BPF_MOV64_IMM(BPF_REG_4, 0),
6861 			BPF_MOV64_IMM(BPF_REG_5, 0),
6862 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6863 			BPF_EXIT_INSN(),
6864 		},
6865 		.fixup_map1 = { 3 },
6866 		.result = ACCEPT,
6867 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6868 	},
6869 	{
6870 		"helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
6871 		.insns = {
6872 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6873 				    offsetof(struct __sk_buff, data)),
6874 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6875 				    offsetof(struct __sk_buff, data_end)),
6876 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
6877 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6878 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
6879 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6880 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
6881 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6882 			BPF_MOV64_IMM(BPF_REG_3, 0),
6883 			BPF_MOV64_IMM(BPF_REG_4, 0),
6884 			BPF_MOV64_IMM(BPF_REG_5, 0),
6885 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6886 			BPF_EXIT_INSN(),
6887 		},
6888 		.result = ACCEPT,
6889 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6890 		.retval = 0 /* csum_diff of 64-byte packet */,
6891 	},
6892 	{
6893 		"helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6894 		.insns = {
6895 			BPF_MOV64_IMM(BPF_REG_1, 0),
6896 			BPF_MOV64_IMM(BPF_REG_2, 0),
6897 			BPF_MOV64_IMM(BPF_REG_3, 0),
6898 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6899 			BPF_EXIT_INSN(),
6900 		},
6901 		.errstr = "R1 type=inv expected=fp",
6902 		.result = REJECT,
6903 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6904 	},
6905 	{
6906 		"helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6907 		.insns = {
6908 			BPF_MOV64_IMM(BPF_REG_1, 0),
6909 			BPF_MOV64_IMM(BPF_REG_2, 1),
6910 			BPF_MOV64_IMM(BPF_REG_3, 0),
6911 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6912 			BPF_EXIT_INSN(),
6913 		},
6914 		.errstr = "R1 type=inv expected=fp",
6915 		.result = REJECT,
6916 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6917 	},
6918 	{
6919 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6920 		.insns = {
6921 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6922 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6923 			BPF_MOV64_IMM(BPF_REG_2, 0),
6924 			BPF_MOV64_IMM(BPF_REG_3, 0),
6925 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6926 			BPF_EXIT_INSN(),
6927 		},
6928 		.result = ACCEPT,
6929 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6930 	},
6931 	{
6932 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6933 		.insns = {
6934 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6935 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6936 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6937 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6938 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6939 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6940 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6941 			BPF_MOV64_IMM(BPF_REG_2, 0),
6942 			BPF_MOV64_IMM(BPF_REG_3, 0),
6943 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6944 			BPF_EXIT_INSN(),
6945 		},
6946 		.fixup_map1 = { 3 },
6947 		.result = ACCEPT,
6948 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6949 	},
6950 	{
6951 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6952 		.insns = {
6953 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6954 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6955 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6956 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6957 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6958 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6959 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6960 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6961 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6962 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6963 			BPF_MOV64_IMM(BPF_REG_3, 0),
6964 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6965 			BPF_EXIT_INSN(),
6966 		},
6967 		.fixup_map1 = { 3 },
6968 		.result = ACCEPT,
6969 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6970 	},
6971 	{
6972 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6973 		.insns = {
6974 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6975 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6976 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6977 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6978 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6979 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6980 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6981 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6982 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
6983 			BPF_MOV64_IMM(BPF_REG_3, 0),
6984 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6985 			BPF_EXIT_INSN(),
6986 		},
6987 		.fixup_map1 = { 3 },
6988 		.result = ACCEPT,
6989 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6990 	},
6991 	{
6992 		"helper access to variable memory: 8 bytes leak",
6993 		.insns = {
6994 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6995 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6996 			BPF_MOV64_IMM(BPF_REG_0, 0),
6997 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6998 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6999 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7000 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7001 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7002 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7003 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7004 			BPF_MOV64_IMM(BPF_REG_2, 1),
7005 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
7006 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
7007 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
7008 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
7009 			BPF_MOV64_IMM(BPF_REG_3, 0),
7010 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7011 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7012 			BPF_EXIT_INSN(),
7013 		},
7014 		.errstr = "invalid indirect read from stack off -64+32 size 64",
7015 		.result = REJECT,
7016 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7017 	},
7018 	{
7019 		"helper access to variable memory: 8 bytes no leak (init memory)",
7020 		.insns = {
7021 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
7022 			BPF_MOV64_IMM(BPF_REG_0, 0),
7023 			BPF_MOV64_IMM(BPF_REG_0, 0),
7024 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
7025 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
7026 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
7027 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
7028 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
7029 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
7030 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
7031 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
7032 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
7033 			BPF_MOV64_IMM(BPF_REG_2, 0),
7034 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
7035 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
7036 			BPF_MOV64_IMM(BPF_REG_3, 0),
7037 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
7038 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7039 			BPF_EXIT_INSN(),
7040 		},
7041 		.result = ACCEPT,
7042 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
7043 	},
7044 	{
7045 		"invalid and of negative number",
7046 		.insns = {
7047 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7048 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7049 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7050 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7051 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7052 				     BPF_FUNC_map_lookup_elem),
7053 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7054 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7055 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
7056 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
7057 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7058 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
7059 				   offsetof(struct test_val, foo)),
7060 			BPF_EXIT_INSN(),
7061 		},
7062 		.fixup_map2 = { 3 },
7063 		.errstr = "R0 max value is outside of the array range",
7064 		.result = REJECT,
7065 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7066 	},
7067 	{
7068 		"invalid range check",
7069 		.insns = {
7070 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7071 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7072 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7073 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7074 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7075 				     BPF_FUNC_map_lookup_elem),
7076 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
7077 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
7078 			BPF_MOV64_IMM(BPF_REG_9, 1),
7079 			BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
7080 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
7081 			BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
7082 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
7083 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
7084 			BPF_MOV32_IMM(BPF_REG_3, 1),
7085 			BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
7086 			BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
7087 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
7088 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
7089 			BPF_MOV64_REG(BPF_REG_0, 0),
7090 			BPF_EXIT_INSN(),
7091 		},
7092 		.fixup_map2 = { 3 },
7093 		.errstr = "R0 max value is outside of the array range",
7094 		.result = REJECT,
7095 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
7096 	},
7097 	{
7098 		"map in map access",
7099 		.insns = {
7100 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7101 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7102 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7103 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7104 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7105 				     BPF_FUNC_map_lookup_elem),
7106 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7107 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7108 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7109 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7110 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7111 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7112 				     BPF_FUNC_map_lookup_elem),
7113 			BPF_MOV64_IMM(BPF_REG_0, 0),
7114 			BPF_EXIT_INSN(),
7115 		},
7116 		.fixup_map_in_map = { 3 },
7117 		.result = ACCEPT,
7118 	},
7119 	{
7120 		"invalid inner map pointer",
7121 		.insns = {
7122 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7123 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7124 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7125 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7126 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7127 				     BPF_FUNC_map_lookup_elem),
7128 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7129 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7130 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7131 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7132 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7133 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
7134 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7135 				     BPF_FUNC_map_lookup_elem),
7136 			BPF_MOV64_IMM(BPF_REG_0, 0),
7137 			BPF_EXIT_INSN(),
7138 		},
7139 		.fixup_map_in_map = { 3 },
7140 		.errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
7141 		.result = REJECT,
7142 	},
7143 	{
7144 		"forgot null checking on the inner map pointer",
7145 		.insns = {
7146 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7147 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7148 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7149 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7150 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7151 				     BPF_FUNC_map_lookup_elem),
7152 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
7153 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7154 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
7155 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
7156 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7157 				     BPF_FUNC_map_lookup_elem),
7158 			BPF_MOV64_IMM(BPF_REG_0, 0),
7159 			BPF_EXIT_INSN(),
7160 		},
7161 		.fixup_map_in_map = { 3 },
7162 		.errstr = "R1 type=map_value_or_null expected=map_ptr",
7163 		.result = REJECT,
7164 	},
7165 	{
7166 		"ld_abs: check calling conv, r1",
7167 		.insns = {
7168 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7169 			BPF_MOV64_IMM(BPF_REG_1, 0),
7170 			BPF_LD_ABS(BPF_W, -0x200000),
7171 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7172 			BPF_EXIT_INSN(),
7173 		},
7174 		.errstr = "R1 !read_ok",
7175 		.result = REJECT,
7176 	},
7177 	{
7178 		"ld_abs: check calling conv, r2",
7179 		.insns = {
7180 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7181 			BPF_MOV64_IMM(BPF_REG_2, 0),
7182 			BPF_LD_ABS(BPF_W, -0x200000),
7183 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7184 			BPF_EXIT_INSN(),
7185 		},
7186 		.errstr = "R2 !read_ok",
7187 		.result = REJECT,
7188 	},
7189 	{
7190 		"ld_abs: check calling conv, r3",
7191 		.insns = {
7192 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7193 			BPF_MOV64_IMM(BPF_REG_3, 0),
7194 			BPF_LD_ABS(BPF_W, -0x200000),
7195 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7196 			BPF_EXIT_INSN(),
7197 		},
7198 		.errstr = "R3 !read_ok",
7199 		.result = REJECT,
7200 	},
7201 	{
7202 		"ld_abs: check calling conv, r4",
7203 		.insns = {
7204 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7205 			BPF_MOV64_IMM(BPF_REG_4, 0),
7206 			BPF_LD_ABS(BPF_W, -0x200000),
7207 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7208 			BPF_EXIT_INSN(),
7209 		},
7210 		.errstr = "R4 !read_ok",
7211 		.result = REJECT,
7212 	},
7213 	{
7214 		"ld_abs: check calling conv, r5",
7215 		.insns = {
7216 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7217 			BPF_MOV64_IMM(BPF_REG_5, 0),
7218 			BPF_LD_ABS(BPF_W, -0x200000),
7219 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7220 			BPF_EXIT_INSN(),
7221 		},
7222 		.errstr = "R5 !read_ok",
7223 		.result = REJECT,
7224 	},
7225 	{
7226 		"ld_abs: check calling conv, r7",
7227 		.insns = {
7228 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7229 			BPF_MOV64_IMM(BPF_REG_7, 0),
7230 			BPF_LD_ABS(BPF_W, -0x200000),
7231 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7232 			BPF_EXIT_INSN(),
7233 		},
7234 		.result = ACCEPT,
7235 	},
7236 	{
7237 		"ld_abs: tests on r6 and skb data reload helper",
7238 		.insns = {
7239 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7240 			BPF_LD_ABS(BPF_B, 0),
7241 			BPF_LD_ABS(BPF_H, 0),
7242 			BPF_LD_ABS(BPF_W, 0),
7243 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
7244 			BPF_MOV64_IMM(BPF_REG_6, 0),
7245 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
7246 			BPF_MOV64_IMM(BPF_REG_2, 1),
7247 			BPF_MOV64_IMM(BPF_REG_3, 2),
7248 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7249 				     BPF_FUNC_skb_vlan_push),
7250 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
7251 			BPF_LD_ABS(BPF_B, 0),
7252 			BPF_LD_ABS(BPF_H, 0),
7253 			BPF_LD_ABS(BPF_W, 0),
7254 			BPF_MOV64_IMM(BPF_REG_0, 42),
7255 			BPF_EXIT_INSN(),
7256 		},
7257 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7258 		.result = ACCEPT,
7259 		.retval = 42 /* ultimate return value */,
7260 	},
7261 	{
7262 		"ld_ind: check calling conv, r1",
7263 		.insns = {
7264 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7265 			BPF_MOV64_IMM(BPF_REG_1, 1),
7266 			BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
7267 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7268 			BPF_EXIT_INSN(),
7269 		},
7270 		.errstr = "R1 !read_ok",
7271 		.result = REJECT,
7272 	},
7273 	{
7274 		"ld_ind: check calling conv, r2",
7275 		.insns = {
7276 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7277 			BPF_MOV64_IMM(BPF_REG_2, 1),
7278 			BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
7279 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7280 			BPF_EXIT_INSN(),
7281 		},
7282 		.errstr = "R2 !read_ok",
7283 		.result = REJECT,
7284 	},
7285 	{
7286 		"ld_ind: check calling conv, r3",
7287 		.insns = {
7288 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7289 			BPF_MOV64_IMM(BPF_REG_3, 1),
7290 			BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
7291 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7292 			BPF_EXIT_INSN(),
7293 		},
7294 		.errstr = "R3 !read_ok",
7295 		.result = REJECT,
7296 	},
7297 	{
7298 		"ld_ind: check calling conv, r4",
7299 		.insns = {
7300 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7301 			BPF_MOV64_IMM(BPF_REG_4, 1),
7302 			BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
7303 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7304 			BPF_EXIT_INSN(),
7305 		},
7306 		.errstr = "R4 !read_ok",
7307 		.result = REJECT,
7308 	},
7309 	{
7310 		"ld_ind: check calling conv, r5",
7311 		.insns = {
7312 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7313 			BPF_MOV64_IMM(BPF_REG_5, 1),
7314 			BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
7315 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7316 			BPF_EXIT_INSN(),
7317 		},
7318 		.errstr = "R5 !read_ok",
7319 		.result = REJECT,
7320 	},
7321 	{
7322 		"ld_ind: check calling conv, r7",
7323 		.insns = {
7324 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7325 			BPF_MOV64_IMM(BPF_REG_7, 1),
7326 			BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
7327 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7328 			BPF_EXIT_INSN(),
7329 		},
7330 		.result = ACCEPT,
7331 		.retval = 1,
7332 	},
7333 	{
7334 		"check bpf_perf_event_data->sample_period byte load permitted",
7335 		.insns = {
7336 			BPF_MOV64_IMM(BPF_REG_0, 0),
7337 #if __BYTE_ORDER == __LITTLE_ENDIAN
7338 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7339 				    offsetof(struct bpf_perf_event_data, sample_period)),
7340 #else
7341 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7342 				    offsetof(struct bpf_perf_event_data, sample_period) + 7),
7343 #endif
7344 			BPF_EXIT_INSN(),
7345 		},
7346 		.result = ACCEPT,
7347 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7348 	},
7349 	{
7350 		"check bpf_perf_event_data->sample_period half load permitted",
7351 		.insns = {
7352 			BPF_MOV64_IMM(BPF_REG_0, 0),
7353 #if __BYTE_ORDER == __LITTLE_ENDIAN
7354 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7355 				    offsetof(struct bpf_perf_event_data, sample_period)),
7356 #else
7357 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7358 				    offsetof(struct bpf_perf_event_data, sample_period) + 6),
7359 #endif
7360 			BPF_EXIT_INSN(),
7361 		},
7362 		.result = ACCEPT,
7363 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7364 	},
7365 	{
7366 		"check bpf_perf_event_data->sample_period word load permitted",
7367 		.insns = {
7368 			BPF_MOV64_IMM(BPF_REG_0, 0),
7369 #if __BYTE_ORDER == __LITTLE_ENDIAN
7370 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7371 				    offsetof(struct bpf_perf_event_data, sample_period)),
7372 #else
7373 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7374 				    offsetof(struct bpf_perf_event_data, sample_period) + 4),
7375 #endif
7376 			BPF_EXIT_INSN(),
7377 		},
7378 		.result = ACCEPT,
7379 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7380 	},
7381 	{
7382 		"check bpf_perf_event_data->sample_period dword load permitted",
7383 		.insns = {
7384 			BPF_MOV64_IMM(BPF_REG_0, 0),
7385 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
7386 				    offsetof(struct bpf_perf_event_data, sample_period)),
7387 			BPF_EXIT_INSN(),
7388 		},
7389 		.result = ACCEPT,
7390 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7391 	},
7392 	{
7393 		"check skb->data half load not permitted",
7394 		.insns = {
7395 			BPF_MOV64_IMM(BPF_REG_0, 0),
7396 #if __BYTE_ORDER == __LITTLE_ENDIAN
7397 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7398 				    offsetof(struct __sk_buff, data)),
7399 #else
7400 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7401 				    offsetof(struct __sk_buff, data) + 2),
7402 #endif
7403 			BPF_EXIT_INSN(),
7404 		},
7405 		.result = REJECT,
7406 		.errstr = "invalid bpf_context access",
7407 	},
7408 	{
7409 		"check skb->tc_classid half load not permitted for lwt prog",
7410 		.insns = {
7411 			BPF_MOV64_IMM(BPF_REG_0, 0),
7412 #if __BYTE_ORDER == __LITTLE_ENDIAN
7413 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7414 				    offsetof(struct __sk_buff, tc_classid)),
7415 #else
7416 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7417 				    offsetof(struct __sk_buff, tc_classid) + 2),
7418 #endif
7419 			BPF_EXIT_INSN(),
7420 		},
7421 		.result = REJECT,
7422 		.errstr = "invalid bpf_context access",
7423 		.prog_type = BPF_PROG_TYPE_LWT_IN,
7424 	},
7425 	{
7426 		"bounds checks mixing signed and unsigned, positive bounds",
7427 		.insns = {
7428 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7429 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7430 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7431 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7432 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7433 				     BPF_FUNC_map_lookup_elem),
7434 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7435 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7436 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7437 			BPF_MOV64_IMM(BPF_REG_2, 2),
7438 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
7439 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
7440 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7441 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7442 			BPF_MOV64_IMM(BPF_REG_0, 0),
7443 			BPF_EXIT_INSN(),
7444 		},
7445 		.fixup_map1 = { 3 },
7446 		.errstr = "unbounded min value",
7447 		.result = REJECT,
7448 	},
7449 	{
7450 		"bounds checks mixing signed and unsigned",
7451 		.insns = {
7452 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7453 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7454 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7455 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7456 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7457 				     BPF_FUNC_map_lookup_elem),
7458 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7459 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7460 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7461 			BPF_MOV64_IMM(BPF_REG_2, -1),
7462 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7463 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7464 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7465 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7466 			BPF_MOV64_IMM(BPF_REG_0, 0),
7467 			BPF_EXIT_INSN(),
7468 		},
7469 		.fixup_map1 = { 3 },
7470 		.errstr = "unbounded min value",
7471 		.result = REJECT,
7472 	},
7473 	{
7474 		"bounds checks mixing signed and unsigned, variant 2",
7475 		.insns = {
7476 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7477 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7478 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7479 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7480 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7481 				     BPF_FUNC_map_lookup_elem),
7482 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7483 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7484 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7485 			BPF_MOV64_IMM(BPF_REG_2, -1),
7486 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7487 			BPF_MOV64_IMM(BPF_REG_8, 0),
7488 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
7489 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7490 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7491 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7492 			BPF_MOV64_IMM(BPF_REG_0, 0),
7493 			BPF_EXIT_INSN(),
7494 		},
7495 		.fixup_map1 = { 3 },
7496 		.errstr = "unbounded min value",
7497 		.result = REJECT,
7498 	},
7499 	{
7500 		"bounds checks mixing signed and unsigned, variant 3",
7501 		.insns = {
7502 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7503 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7504 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7505 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7506 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7507 				     BPF_FUNC_map_lookup_elem),
7508 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7509 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7510 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7511 			BPF_MOV64_IMM(BPF_REG_2, -1),
7512 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
7513 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
7514 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7515 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7516 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7517 			BPF_MOV64_IMM(BPF_REG_0, 0),
7518 			BPF_EXIT_INSN(),
7519 		},
7520 		.fixup_map1 = { 3 },
7521 		.errstr = "unbounded min value",
7522 		.result = REJECT,
7523 	},
7524 	{
7525 		"bounds checks mixing signed and unsigned, variant 4",
7526 		.insns = {
7527 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7528 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7529 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7530 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7531 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7532 				     BPF_FUNC_map_lookup_elem),
7533 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7534 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7535 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7536 			BPF_MOV64_IMM(BPF_REG_2, 1),
7537 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
7538 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7539 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7540 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7541 			BPF_MOV64_IMM(BPF_REG_0, 0),
7542 			BPF_EXIT_INSN(),
7543 		},
7544 		.fixup_map1 = { 3 },
7545 		.result = ACCEPT,
7546 	},
7547 	{
7548 		"bounds checks mixing signed and unsigned, variant 5",
7549 		.insns = {
7550 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7551 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7552 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7553 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7554 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7555 				     BPF_FUNC_map_lookup_elem),
7556 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7557 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7558 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7559 			BPF_MOV64_IMM(BPF_REG_2, -1),
7560 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7561 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
7562 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
7563 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7564 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7565 			BPF_MOV64_IMM(BPF_REG_0, 0),
7566 			BPF_EXIT_INSN(),
7567 		},
7568 		.fixup_map1 = { 3 },
7569 		.errstr = "unbounded min value",
7570 		.result = REJECT,
7571 	},
7572 	{
7573 		"bounds checks mixing signed and unsigned, variant 6",
7574 		.insns = {
7575 			BPF_MOV64_IMM(BPF_REG_2, 0),
7576 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
7577 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
7578 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7579 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
7580 			BPF_MOV64_IMM(BPF_REG_6, -1),
7581 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
7582 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
7583 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7584 			BPF_MOV64_IMM(BPF_REG_5, 0),
7585 			BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
7586 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7587 				     BPF_FUNC_skb_load_bytes),
7588 			BPF_MOV64_IMM(BPF_REG_0, 0),
7589 			BPF_EXIT_INSN(),
7590 		},
7591 		.errstr = "R4 min value is negative, either use unsigned",
7592 		.result = REJECT,
7593 	},
7594 	{
7595 		"bounds checks mixing signed and unsigned, variant 7",
7596 		.insns = {
7597 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7598 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7599 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7600 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7601 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7602 				     BPF_FUNC_map_lookup_elem),
7603 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7604 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7605 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7606 			BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
7607 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7608 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7609 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7610 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7611 			BPF_MOV64_IMM(BPF_REG_0, 0),
7612 			BPF_EXIT_INSN(),
7613 		},
7614 		.fixup_map1 = { 3 },
7615 		.result = ACCEPT,
7616 	},
7617 	{
7618 		"bounds checks mixing signed and unsigned, variant 8",
7619 		.insns = {
7620 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7621 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7622 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7623 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7624 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7625 				     BPF_FUNC_map_lookup_elem),
7626 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7627 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7628 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7629 			BPF_MOV64_IMM(BPF_REG_2, -1),
7630 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7631 			BPF_MOV64_IMM(BPF_REG_0, 0),
7632 			BPF_EXIT_INSN(),
7633 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7634 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7635 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7636 			BPF_MOV64_IMM(BPF_REG_0, 0),
7637 			BPF_EXIT_INSN(),
7638 		},
7639 		.fixup_map1 = { 3 },
7640 		.errstr = "unbounded min value",
7641 		.result = REJECT,
7642 	},
7643 	{
7644 		"bounds checks mixing signed and unsigned, variant 9",
7645 		.insns = {
7646 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7647 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7648 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7649 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7650 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7651 				     BPF_FUNC_map_lookup_elem),
7652 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7653 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7654 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7655 			BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
7656 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7657 			BPF_MOV64_IMM(BPF_REG_0, 0),
7658 			BPF_EXIT_INSN(),
7659 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7660 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7661 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7662 			BPF_MOV64_IMM(BPF_REG_0, 0),
7663 			BPF_EXIT_INSN(),
7664 		},
7665 		.fixup_map1 = { 3 },
7666 		.result = ACCEPT,
7667 	},
7668 	{
7669 		"bounds checks mixing signed and unsigned, variant 10",
7670 		.insns = {
7671 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7672 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7673 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7674 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7675 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7676 				     BPF_FUNC_map_lookup_elem),
7677 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7678 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7679 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7680 			BPF_MOV64_IMM(BPF_REG_2, 0),
7681 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7682 			BPF_MOV64_IMM(BPF_REG_0, 0),
7683 			BPF_EXIT_INSN(),
7684 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7685 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7686 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7687 			BPF_MOV64_IMM(BPF_REG_0, 0),
7688 			BPF_EXIT_INSN(),
7689 		},
7690 		.fixup_map1 = { 3 },
7691 		.errstr = "unbounded min value",
7692 		.result = REJECT,
7693 	},
7694 	{
7695 		"bounds checks mixing signed and unsigned, variant 11",
7696 		.insns = {
7697 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7698 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7699 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7700 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7701 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7702 				     BPF_FUNC_map_lookup_elem),
7703 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7704 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7705 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7706 			BPF_MOV64_IMM(BPF_REG_2, -1),
7707 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7708 			/* Dead branch. */
7709 			BPF_MOV64_IMM(BPF_REG_0, 0),
7710 			BPF_EXIT_INSN(),
7711 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7712 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7713 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7714 			BPF_MOV64_IMM(BPF_REG_0, 0),
7715 			BPF_EXIT_INSN(),
7716 		},
7717 		.fixup_map1 = { 3 },
7718 		.errstr = "unbounded min value",
7719 		.result = REJECT,
7720 	},
7721 	{
7722 		"bounds checks mixing signed and unsigned, variant 12",
7723 		.insns = {
7724 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7725 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7726 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7727 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7728 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7729 				     BPF_FUNC_map_lookup_elem),
7730 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7731 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7732 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7733 			BPF_MOV64_IMM(BPF_REG_2, -6),
7734 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7735 			BPF_MOV64_IMM(BPF_REG_0, 0),
7736 			BPF_EXIT_INSN(),
7737 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7738 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7739 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7740 			BPF_MOV64_IMM(BPF_REG_0, 0),
7741 			BPF_EXIT_INSN(),
7742 		},
7743 		.fixup_map1 = { 3 },
7744 		.errstr = "unbounded min value",
7745 		.result = REJECT,
7746 	},
7747 	{
7748 		"bounds checks mixing signed and unsigned, variant 13",
7749 		.insns = {
7750 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7751 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7752 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7753 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7754 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7755 				     BPF_FUNC_map_lookup_elem),
7756 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7757 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7758 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7759 			BPF_MOV64_IMM(BPF_REG_2, 2),
7760 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7761 			BPF_MOV64_IMM(BPF_REG_7, 1),
7762 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
7763 			BPF_MOV64_IMM(BPF_REG_0, 0),
7764 			BPF_EXIT_INSN(),
7765 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
7766 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
7767 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
7768 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7769 			BPF_MOV64_IMM(BPF_REG_0, 0),
7770 			BPF_EXIT_INSN(),
7771 		},
7772 		.fixup_map1 = { 3 },
7773 		.errstr = "unbounded min value",
7774 		.result = REJECT,
7775 	},
7776 	{
7777 		"bounds checks mixing signed and unsigned, variant 14",
7778 		.insns = {
7779 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
7780 				    offsetof(struct __sk_buff, mark)),
7781 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7782 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7783 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7784 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7785 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7786 				     BPF_FUNC_map_lookup_elem),
7787 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7788 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7789 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7790 			BPF_MOV64_IMM(BPF_REG_2, -1),
7791 			BPF_MOV64_IMM(BPF_REG_8, 2),
7792 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
7793 			BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
7794 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7795 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7796 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7797 			BPF_MOV64_IMM(BPF_REG_0, 0),
7798 			BPF_EXIT_INSN(),
7799 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
7800 			BPF_JMP_IMM(BPF_JA, 0, 0, -7),
7801 		},
7802 		.fixup_map1 = { 4 },
7803 		.errstr = "R0 invalid mem access 'inv'",
7804 		.result = REJECT,
7805 	},
7806 	{
7807 		"bounds checks mixing signed and unsigned, variant 15",
7808 		.insns = {
7809 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7810 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7811 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7812 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7813 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7814 				     BPF_FUNC_map_lookup_elem),
7815 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7816 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7817 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7818 			BPF_MOV64_IMM(BPF_REG_2, -6),
7819 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7820 			BPF_MOV64_IMM(BPF_REG_0, 0),
7821 			BPF_EXIT_INSN(),
7822 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7823 			BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
7824 			BPF_MOV64_IMM(BPF_REG_0, 0),
7825 			BPF_EXIT_INSN(),
7826 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7827 			BPF_MOV64_IMM(BPF_REG_0, 0),
7828 			BPF_EXIT_INSN(),
7829 		},
7830 		.fixup_map1 = { 3 },
7831 		.errstr = "unbounded min value",
7832 		.result = REJECT,
7833 		.result_unpriv = REJECT,
7834 	},
7835 	{
7836 		"subtraction bounds (map value) variant 1",
7837 		.insns = {
7838 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7839 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7840 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7841 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7842 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7843 				     BPF_FUNC_map_lookup_elem),
7844 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7845 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7846 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
7847 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7848 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
7849 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7850 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
7851 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7852 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7853 			BPF_EXIT_INSN(),
7854 			BPF_MOV64_IMM(BPF_REG_0, 0),
7855 			BPF_EXIT_INSN(),
7856 		},
7857 		.fixup_map1 = { 3 },
7858 		.errstr = "R0 max value is outside of the array range",
7859 		.result = REJECT,
7860 	},
7861 	{
7862 		"subtraction bounds (map value) variant 2",
7863 		.insns = {
7864 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7865 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7866 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7867 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7868 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7869 				     BPF_FUNC_map_lookup_elem),
7870 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7871 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7872 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
7873 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7874 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
7875 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7876 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7877 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7878 			BPF_EXIT_INSN(),
7879 			BPF_MOV64_IMM(BPF_REG_0, 0),
7880 			BPF_EXIT_INSN(),
7881 		},
7882 		.fixup_map1 = { 3 },
7883 		.errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
7884 		.result = REJECT,
7885 	},
7886 	{
7887 		"bounds check based on zero-extended MOV",
7888 		.insns = {
7889 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7890 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7891 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7892 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7893 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7894 				     BPF_FUNC_map_lookup_elem),
7895 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7896 			/* r2 = 0x0000'0000'ffff'ffff */
7897 			BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
7898 			/* r2 = 0 */
7899 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7900 			/* no-op */
7901 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7902 			/* access at offset 0 */
7903 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7904 			/* exit */
7905 			BPF_MOV64_IMM(BPF_REG_0, 0),
7906 			BPF_EXIT_INSN(),
7907 		},
7908 		.fixup_map1 = { 3 },
7909 		.result = ACCEPT
7910 	},
7911 	{
7912 		"bounds check based on sign-extended MOV. test1",
7913 		.insns = {
7914 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7915 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7916 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7917 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7918 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7919 				     BPF_FUNC_map_lookup_elem),
7920 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7921 			/* r2 = 0xffff'ffff'ffff'ffff */
7922 			BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7923 			/* r2 = 0xffff'ffff */
7924 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7925 			/* r0 = <oob pointer> */
7926 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7927 			/* access to OOB pointer */
7928 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7929 			/* exit */
7930 			BPF_MOV64_IMM(BPF_REG_0, 0),
7931 			BPF_EXIT_INSN(),
7932 		},
7933 		.fixup_map1 = { 3 },
7934 		.errstr = "map_value pointer and 4294967295",
7935 		.result = REJECT
7936 	},
7937 	{
7938 		"bounds check based on sign-extended MOV. test2",
7939 		.insns = {
7940 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7941 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7942 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7943 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7944 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7945 				     BPF_FUNC_map_lookup_elem),
7946 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7947 			/* r2 = 0xffff'ffff'ffff'ffff */
7948 			BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7949 			/* r2 = 0xfff'ffff */
7950 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
7951 			/* r0 = <oob pointer> */
7952 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7953 			/* access to OOB pointer */
7954 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7955 			/* exit */
7956 			BPF_MOV64_IMM(BPF_REG_0, 0),
7957 			BPF_EXIT_INSN(),
7958 		},
7959 		.fixup_map1 = { 3 },
7960 		.errstr = "R0 min value is outside of the array range",
7961 		.result = REJECT
7962 	},
7963 	{
7964 		"bounds check based on reg_off + var_off + insn_off. test1",
7965 		.insns = {
7966 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7967 				    offsetof(struct __sk_buff, mark)),
7968 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7969 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7970 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7971 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7972 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7973 				     BPF_FUNC_map_lookup_elem),
7974 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7975 			BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7976 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
7977 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7978 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7979 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7980 			BPF_MOV64_IMM(BPF_REG_0, 0),
7981 			BPF_EXIT_INSN(),
7982 		},
7983 		.fixup_map1 = { 4 },
7984 		.errstr = "value_size=8 off=1073741825",
7985 		.result = REJECT,
7986 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7987 	},
7988 	{
7989 		"bounds check based on reg_off + var_off + insn_off. test2",
7990 		.insns = {
7991 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7992 				    offsetof(struct __sk_buff, mark)),
7993 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7994 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7995 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7996 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7997 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7998 				     BPF_FUNC_map_lookup_elem),
7999 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
8000 			BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
8001 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
8002 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
8003 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
8004 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
8005 			BPF_MOV64_IMM(BPF_REG_0, 0),
8006 			BPF_EXIT_INSN(),
8007 		},
8008 		.fixup_map1 = { 4 },
8009 		.errstr = "value 1073741823",
8010 		.result = REJECT,
8011 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8012 	},
8013 	{
8014 		"bounds check after truncation of non-boundary-crossing range",
8015 		.insns = {
8016 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8017 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8018 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8019 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8020 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8021 				     BPF_FUNC_map_lookup_elem),
8022 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8023 			/* r1 = [0x00, 0xff] */
8024 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8025 			BPF_MOV64_IMM(BPF_REG_2, 1),
8026 			/* r2 = 0x10'0000'0000 */
8027 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
8028 			/* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
8029 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8030 			/* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
8031 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8032 			/* r1 = [0x00, 0xff] */
8033 			BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
8034 			/* r1 = 0 */
8035 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8036 			/* no-op */
8037 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8038 			/* access at offset 0 */
8039 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8040 			/* exit */
8041 			BPF_MOV64_IMM(BPF_REG_0, 0),
8042 			BPF_EXIT_INSN(),
8043 		},
8044 		.fixup_map1 = { 3 },
8045 		.result = ACCEPT
8046 	},
8047 	{
8048 		"bounds check after truncation of boundary-crossing range (1)",
8049 		.insns = {
8050 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8051 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8052 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8053 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8054 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8055 				     BPF_FUNC_map_lookup_elem),
8056 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8057 			/* r1 = [0x00, 0xff] */
8058 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8059 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8060 			/* r1 = [0xffff'ff80, 0x1'0000'007f] */
8061 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8062 			/* r1 = [0xffff'ff80, 0xffff'ffff] or
8063 			 *      [0x0000'0000, 0x0000'007f]
8064 			 */
8065 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
8066 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8067 			/* r1 = [0x00, 0xff] or
8068 			 *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8069 			 */
8070 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8071 			/* r1 = 0 or
8072 			 *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8073 			 */
8074 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8075 			/* no-op or OOB pointer computation */
8076 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8077 			/* potentially OOB access */
8078 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8079 			/* exit */
8080 			BPF_MOV64_IMM(BPF_REG_0, 0),
8081 			BPF_EXIT_INSN(),
8082 		},
8083 		.fixup_map1 = { 3 },
8084 		/* not actually fully unbounded, but the bound is very high */
8085 		.errstr = "R0 unbounded memory access",
8086 		.result = REJECT
8087 	},
8088 	{
8089 		"bounds check after truncation of boundary-crossing range (2)",
8090 		.insns = {
8091 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8092 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8093 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8094 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8095 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8096 				     BPF_FUNC_map_lookup_elem),
8097 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
8098 			/* r1 = [0x00, 0xff] */
8099 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8100 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8101 			/* r1 = [0xffff'ff80, 0x1'0000'007f] */
8102 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
8103 			/* r1 = [0xffff'ff80, 0xffff'ffff] or
8104 			 *      [0x0000'0000, 0x0000'007f]
8105 			 * difference to previous test: truncation via MOV32
8106 			 * instead of ALU32.
8107 			 */
8108 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
8109 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8110 			/* r1 = [0x00, 0xff] or
8111 			 *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
8112 			 */
8113 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
8114 			/* r1 = 0 or
8115 			 *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
8116 			 */
8117 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8118 			/* no-op or OOB pointer computation */
8119 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8120 			/* potentially OOB access */
8121 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8122 			/* exit */
8123 			BPF_MOV64_IMM(BPF_REG_0, 0),
8124 			BPF_EXIT_INSN(),
8125 		},
8126 		.fixup_map1 = { 3 },
8127 		/* not actually fully unbounded, but the bound is very high */
8128 		.errstr = "R0 unbounded memory access",
8129 		.result = REJECT
8130 	},
8131 	{
8132 		"bounds check after wrapping 32-bit addition",
8133 		.insns = {
8134 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8135 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8136 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8137 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8138 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8139 				     BPF_FUNC_map_lookup_elem),
8140 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
8141 			/* r1 = 0x7fff'ffff */
8142 			BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
8143 			/* r1 = 0xffff'fffe */
8144 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8145 			/* r1 = 0 */
8146 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
8147 			/* no-op */
8148 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8149 			/* access at offset 0 */
8150 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8151 			/* exit */
8152 			BPF_MOV64_IMM(BPF_REG_0, 0),
8153 			BPF_EXIT_INSN(),
8154 		},
8155 		.fixup_map1 = { 3 },
8156 		.result = ACCEPT
8157 	},
8158 	{
8159 		"bounds check after shift with oversized count operand",
8160 		.insns = {
8161 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8162 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8163 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8164 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8165 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8166 				     BPF_FUNC_map_lookup_elem),
8167 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8168 			BPF_MOV64_IMM(BPF_REG_2, 32),
8169 			BPF_MOV64_IMM(BPF_REG_1, 1),
8170 			/* r1 = (u32)1 << (u32)32 = ? */
8171 			BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
8172 			/* r1 = [0x0000, 0xffff] */
8173 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
8174 			/* computes unknown pointer, potentially OOB */
8175 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8176 			/* potentially OOB access */
8177 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8178 			/* exit */
8179 			BPF_MOV64_IMM(BPF_REG_0, 0),
8180 			BPF_EXIT_INSN(),
8181 		},
8182 		.fixup_map1 = { 3 },
8183 		.errstr = "R0 max value is outside of the array range",
8184 		.result = REJECT
8185 	},
8186 	{
8187 		"bounds check after right shift of maybe-negative number",
8188 		.insns = {
8189 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8190 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8191 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8192 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8193 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8194 				     BPF_FUNC_map_lookup_elem),
8195 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
8196 			/* r1 = [0x00, 0xff] */
8197 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8198 			/* r1 = [-0x01, 0xfe] */
8199 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
8200 			/* r1 = 0 or 0xff'ffff'ffff'ffff */
8201 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8202 			/* r1 = 0 or 0xffff'ffff'ffff */
8203 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
8204 			/* computes unknown pointer, potentially OOB */
8205 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8206 			/* potentially OOB access */
8207 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8208 			/* exit */
8209 			BPF_MOV64_IMM(BPF_REG_0, 0),
8210 			BPF_EXIT_INSN(),
8211 		},
8212 		.fixup_map1 = { 3 },
8213 		.errstr = "R0 unbounded memory access",
8214 		.result = REJECT
8215 	},
8216 	{
8217 		"bounds check map access with off+size signed 32bit overflow. test1",
8218 		.insns = {
8219 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8220 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8221 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8222 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8223 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8224 				     BPF_FUNC_map_lookup_elem),
8225 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8226 			BPF_EXIT_INSN(),
8227 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
8228 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8229 			BPF_JMP_A(0),
8230 			BPF_EXIT_INSN(),
8231 		},
8232 		.fixup_map1 = { 3 },
8233 		.errstr = "map_value pointer and 2147483646",
8234 		.result = REJECT
8235 	},
8236 	{
8237 		"bounds check map access with off+size signed 32bit overflow. test2",
8238 		.insns = {
8239 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8240 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8241 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8242 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8243 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8244 				     BPF_FUNC_map_lookup_elem),
8245 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8246 			BPF_EXIT_INSN(),
8247 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8248 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8249 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8250 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8251 			BPF_JMP_A(0),
8252 			BPF_EXIT_INSN(),
8253 		},
8254 		.fixup_map1 = { 3 },
8255 		.errstr = "pointer offset 1073741822",
8256 		.result = REJECT
8257 	},
8258 	{
8259 		"bounds check map access with off+size signed 32bit overflow. test3",
8260 		.insns = {
8261 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8262 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8263 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8264 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8265 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8266 				     BPF_FUNC_map_lookup_elem),
8267 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8268 			BPF_EXIT_INSN(),
8269 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8270 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8271 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8272 			BPF_JMP_A(0),
8273 			BPF_EXIT_INSN(),
8274 		},
8275 		.fixup_map1 = { 3 },
8276 		.errstr = "pointer offset -1073741822",
8277 		.result = REJECT
8278 	},
8279 	{
8280 		"bounds check map access with off+size signed 32bit overflow. test4",
8281 		.insns = {
8282 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8283 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8284 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8285 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8286 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8287 				     BPF_FUNC_map_lookup_elem),
8288 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8289 			BPF_EXIT_INSN(),
8290 			BPF_MOV64_IMM(BPF_REG_1, 1000000),
8291 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
8292 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8293 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8294 			BPF_JMP_A(0),
8295 			BPF_EXIT_INSN(),
8296 		},
8297 		.fixup_map1 = { 3 },
8298 		.errstr = "map_value pointer and 1000000000000",
8299 		.result = REJECT
8300 	},
8301 	{
8302 		"pointer/scalar confusion in state equality check (way 1)",
8303 		.insns = {
8304 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8305 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8306 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8307 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8308 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8309 				     BPF_FUNC_map_lookup_elem),
8310 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8311 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8312 			BPF_JMP_A(1),
8313 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8314 			BPF_JMP_A(0),
8315 			BPF_EXIT_INSN(),
8316 		},
8317 		.fixup_map1 = { 3 },
8318 		.result = ACCEPT,
8319 		.retval = POINTER_VALUE,
8320 		.result_unpriv = REJECT,
8321 		.errstr_unpriv = "R0 leaks addr as return value"
8322 	},
8323 	{
8324 		"pointer/scalar confusion in state equality check (way 2)",
8325 		.insns = {
8326 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8327 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8328 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8329 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8330 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8331 				     BPF_FUNC_map_lookup_elem),
8332 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
8333 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8334 			BPF_JMP_A(1),
8335 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8336 			BPF_EXIT_INSN(),
8337 		},
8338 		.fixup_map1 = { 3 },
8339 		.result = ACCEPT,
8340 		.retval = POINTER_VALUE,
8341 		.result_unpriv = REJECT,
8342 		.errstr_unpriv = "R0 leaks addr as return value"
8343 	},
8344 	{
8345 		"variable-offset ctx access",
8346 		.insns = {
8347 			/* Get an unknown value */
8348 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8349 			/* Make it small and 4-byte aligned */
8350 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8351 			/* add it to skb.  We now have either &skb->len or
8352 			 * &skb->pkt_type, but we don't know which
8353 			 */
8354 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8355 			/* dereference it */
8356 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8357 			BPF_EXIT_INSN(),
8358 		},
8359 		.errstr = "variable ctx access var_off=(0x0; 0x4)",
8360 		.result = REJECT,
8361 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8362 	},
8363 	{
8364 		"variable-offset stack access",
8365 		.insns = {
8366 			/* Fill the top 8 bytes of the stack */
8367 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8368 			/* Get an unknown value */
8369 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8370 			/* Make it small and 4-byte aligned */
8371 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8372 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8373 			/* add it to fp.  We now have either fp-4 or fp-8, but
8374 			 * we don't know which
8375 			 */
8376 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8377 			/* dereference it */
8378 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
8379 			BPF_EXIT_INSN(),
8380 		},
8381 		.errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
8382 		.result = REJECT,
8383 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8384 	},
8385 	{
8386 		"indirect variable-offset stack access",
8387 		.insns = {
8388 			/* Fill the top 8 bytes of the stack */
8389 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8390 			/* Get an unknown value */
8391 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8392 			/* Make it small and 4-byte aligned */
8393 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8394 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8395 			/* add it to fp.  We now have either fp-4 or fp-8, but
8396 			 * we don't know which
8397 			 */
8398 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8399 			/* dereference it indirectly */
8400 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8401 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8402 				     BPF_FUNC_map_lookup_elem),
8403 			BPF_MOV64_IMM(BPF_REG_0, 0),
8404 			BPF_EXIT_INSN(),
8405 		},
8406 		.fixup_map1 = { 5 },
8407 		.errstr = "variable stack read R2",
8408 		.result = REJECT,
8409 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8410 	},
8411 	{
8412 		"direct stack access with 32-bit wraparound. test1",
8413 		.insns = {
8414 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8415 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8416 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8417 			BPF_MOV32_IMM(BPF_REG_0, 0),
8418 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8419 			BPF_EXIT_INSN()
8420 		},
8421 		.errstr = "fp pointer and 2147483647",
8422 		.result = REJECT
8423 	},
8424 	{
8425 		"direct stack access with 32-bit wraparound. test2",
8426 		.insns = {
8427 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8428 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8429 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8430 			BPF_MOV32_IMM(BPF_REG_0, 0),
8431 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8432 			BPF_EXIT_INSN()
8433 		},
8434 		.errstr = "fp pointer and 1073741823",
8435 		.result = REJECT
8436 	},
8437 	{
8438 		"direct stack access with 32-bit wraparound. test3",
8439 		.insns = {
8440 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8441 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8442 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8443 			BPF_MOV32_IMM(BPF_REG_0, 0),
8444 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8445 			BPF_EXIT_INSN()
8446 		},
8447 		.errstr = "fp pointer offset 1073741822",
8448 		.result = REJECT
8449 	},
8450 	{
8451 		"liveness pruning and write screening",
8452 		.insns = {
8453 			/* Get an unknown value */
8454 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8455 			/* branch conditions teach us nothing about R2 */
8456 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8457 			BPF_MOV64_IMM(BPF_REG_0, 0),
8458 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8459 			BPF_MOV64_IMM(BPF_REG_0, 0),
8460 			BPF_EXIT_INSN(),
8461 		},
8462 		.errstr = "R0 !read_ok",
8463 		.result = REJECT,
8464 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8465 	},
8466 	{
8467 		"varlen_map_value_access pruning",
8468 		.insns = {
8469 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8470 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8471 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8472 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8473 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8474 				     BPF_FUNC_map_lookup_elem),
8475 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8476 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
8477 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
8478 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
8479 			BPF_MOV32_IMM(BPF_REG_1, 0),
8480 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
8481 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8482 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
8483 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
8484 				   offsetof(struct test_val, foo)),
8485 			BPF_EXIT_INSN(),
8486 		},
8487 		.fixup_map2 = { 3 },
8488 		.errstr_unpriv = "R0 leaks addr",
8489 		.errstr = "R0 unbounded memory access",
8490 		.result_unpriv = REJECT,
8491 		.result = REJECT,
8492 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8493 	},
8494 	{
8495 		"invalid 64-bit BPF_END",
8496 		.insns = {
8497 			BPF_MOV32_IMM(BPF_REG_0, 0),
8498 			{
8499 				.code  = BPF_ALU64 | BPF_END | BPF_TO_LE,
8500 				.dst_reg = BPF_REG_0,
8501 				.src_reg = 0,
8502 				.off   = 0,
8503 				.imm   = 32,
8504 			},
8505 			BPF_EXIT_INSN(),
8506 		},
8507 		.errstr = "unknown opcode d7",
8508 		.result = REJECT,
8509 	},
8510 	{
8511 		"XDP, using ifindex from netdev",
8512 		.insns = {
8513 			BPF_MOV64_IMM(BPF_REG_0, 0),
8514 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8515 				    offsetof(struct xdp_md, ingress_ifindex)),
8516 			BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
8517 			BPF_MOV64_IMM(BPF_REG_0, 1),
8518 			BPF_EXIT_INSN(),
8519 		},
8520 		.result = ACCEPT,
8521 		.prog_type = BPF_PROG_TYPE_XDP,
8522 		.retval = 1,
8523 	},
8524 	{
8525 		"meta access, test1",
8526 		.insns = {
8527 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8528 				    offsetof(struct xdp_md, data_meta)),
8529 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8530 				    offsetof(struct xdp_md, data)),
8531 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8532 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8533 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8534 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8535 			BPF_MOV64_IMM(BPF_REG_0, 0),
8536 			BPF_EXIT_INSN(),
8537 		},
8538 		.result = ACCEPT,
8539 		.prog_type = BPF_PROG_TYPE_XDP,
8540 	},
8541 	{
8542 		"meta access, test2",
8543 		.insns = {
8544 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8545 				    offsetof(struct xdp_md, data_meta)),
8546 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8547 				    offsetof(struct xdp_md, data)),
8548 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8549 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
8550 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8551 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8552 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8553 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8554 			BPF_MOV64_IMM(BPF_REG_0, 0),
8555 			BPF_EXIT_INSN(),
8556 		},
8557 		.result = REJECT,
8558 		.errstr = "invalid access to packet, off=-8",
8559 		.prog_type = BPF_PROG_TYPE_XDP,
8560 	},
8561 	{
8562 		"meta access, test3",
8563 		.insns = {
8564 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8565 				    offsetof(struct xdp_md, data_meta)),
8566 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8567 				    offsetof(struct xdp_md, data_end)),
8568 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8569 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8570 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8571 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8572 			BPF_MOV64_IMM(BPF_REG_0, 0),
8573 			BPF_EXIT_INSN(),
8574 		},
8575 		.result = REJECT,
8576 		.errstr = "invalid access to packet",
8577 		.prog_type = BPF_PROG_TYPE_XDP,
8578 	},
8579 	{
8580 		"meta access, test4",
8581 		.insns = {
8582 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8583 				    offsetof(struct xdp_md, data_meta)),
8584 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8585 				    offsetof(struct xdp_md, data_end)),
8586 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8587 				    offsetof(struct xdp_md, data)),
8588 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8589 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8590 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8591 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8592 			BPF_MOV64_IMM(BPF_REG_0, 0),
8593 			BPF_EXIT_INSN(),
8594 		},
8595 		.result = REJECT,
8596 		.errstr = "invalid access to packet",
8597 		.prog_type = BPF_PROG_TYPE_XDP,
8598 	},
8599 	{
8600 		"meta access, test5",
8601 		.insns = {
8602 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8603 				    offsetof(struct xdp_md, data_meta)),
8604 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8605 				    offsetof(struct xdp_md, data)),
8606 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8607 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8608 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
8609 			BPF_MOV64_IMM(BPF_REG_2, -8),
8610 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8611 				     BPF_FUNC_xdp_adjust_meta),
8612 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8613 			BPF_MOV64_IMM(BPF_REG_0, 0),
8614 			BPF_EXIT_INSN(),
8615 		},
8616 		.result = REJECT,
8617 		.errstr = "R3 !read_ok",
8618 		.prog_type = BPF_PROG_TYPE_XDP,
8619 	},
8620 	{
8621 		"meta access, test6",
8622 		.insns = {
8623 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8624 				    offsetof(struct xdp_md, data_meta)),
8625 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8626 				    offsetof(struct xdp_md, data)),
8627 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8628 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8629 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8630 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8631 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
8632 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8633 			BPF_MOV64_IMM(BPF_REG_0, 0),
8634 			BPF_EXIT_INSN(),
8635 		},
8636 		.result = REJECT,
8637 		.errstr = "invalid access to packet",
8638 		.prog_type = BPF_PROG_TYPE_XDP,
8639 	},
8640 	{
8641 		"meta access, test7",
8642 		.insns = {
8643 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8644 				    offsetof(struct xdp_md, data_meta)),
8645 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8646 				    offsetof(struct xdp_md, data)),
8647 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8648 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8649 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8650 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8651 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8652 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8653 			BPF_MOV64_IMM(BPF_REG_0, 0),
8654 			BPF_EXIT_INSN(),
8655 		},
8656 		.result = ACCEPT,
8657 		.prog_type = BPF_PROG_TYPE_XDP,
8658 	},
8659 	{
8660 		"meta access, test8",
8661 		.insns = {
8662 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8663 				    offsetof(struct xdp_md, data_meta)),
8664 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8665 				    offsetof(struct xdp_md, data)),
8666 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8667 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8668 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8669 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8670 			BPF_MOV64_IMM(BPF_REG_0, 0),
8671 			BPF_EXIT_INSN(),
8672 		},
8673 		.result = ACCEPT,
8674 		.prog_type = BPF_PROG_TYPE_XDP,
8675 	},
8676 	{
8677 		"meta access, test9",
8678 		.insns = {
8679 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8680 				    offsetof(struct xdp_md, data_meta)),
8681 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8682 				    offsetof(struct xdp_md, data)),
8683 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8684 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8685 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8686 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8687 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8688 			BPF_MOV64_IMM(BPF_REG_0, 0),
8689 			BPF_EXIT_INSN(),
8690 		},
8691 		.result = REJECT,
8692 		.errstr = "invalid access to packet",
8693 		.prog_type = BPF_PROG_TYPE_XDP,
8694 	},
8695 	{
8696 		"meta access, test10",
8697 		.insns = {
8698 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8699 				    offsetof(struct xdp_md, data_meta)),
8700 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8701 				    offsetof(struct xdp_md, data)),
8702 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8703 				    offsetof(struct xdp_md, data_end)),
8704 			BPF_MOV64_IMM(BPF_REG_5, 42),
8705 			BPF_MOV64_IMM(BPF_REG_6, 24),
8706 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8707 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8708 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8709 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8710 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
8711 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8712 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8713 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8714 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
8715 			BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
8716 			BPF_MOV64_IMM(BPF_REG_0, 0),
8717 			BPF_EXIT_INSN(),
8718 		},
8719 		.result = REJECT,
8720 		.errstr = "invalid access to packet",
8721 		.prog_type = BPF_PROG_TYPE_XDP,
8722 	},
8723 	{
8724 		"meta access, test11",
8725 		.insns = {
8726 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8727 				    offsetof(struct xdp_md, data_meta)),
8728 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8729 				    offsetof(struct xdp_md, data)),
8730 			BPF_MOV64_IMM(BPF_REG_5, 42),
8731 			BPF_MOV64_IMM(BPF_REG_6, 24),
8732 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8733 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8734 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8735 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8736 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
8737 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8738 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8739 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8740 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
8741 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
8742 			BPF_MOV64_IMM(BPF_REG_0, 0),
8743 			BPF_EXIT_INSN(),
8744 		},
8745 		.result = ACCEPT,
8746 		.prog_type = BPF_PROG_TYPE_XDP,
8747 	},
8748 	{
8749 		"meta access, test12",
8750 		.insns = {
8751 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8752 				    offsetof(struct xdp_md, data_meta)),
8753 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8754 				    offsetof(struct xdp_md, data)),
8755 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8756 				    offsetof(struct xdp_md, data_end)),
8757 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8758 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8759 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
8760 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8761 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8762 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8763 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
8764 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8765 			BPF_MOV64_IMM(BPF_REG_0, 0),
8766 			BPF_EXIT_INSN(),
8767 		},
8768 		.result = ACCEPT,
8769 		.prog_type = BPF_PROG_TYPE_XDP,
8770 	},
8771 	{
8772 		"arithmetic ops make PTR_TO_CTX unusable",
8773 		.insns = {
8774 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
8775 				      offsetof(struct __sk_buff, data) -
8776 				      offsetof(struct __sk_buff, mark)),
8777 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8778 				    offsetof(struct __sk_buff, mark)),
8779 			BPF_EXIT_INSN(),
8780 		},
8781 		.errstr = "dereference of modified ctx ptr",
8782 		.result = REJECT,
8783 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8784 	},
8785 	{
8786 		"pkt_end - pkt_start is allowed",
8787 		.insns = {
8788 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8789 				    offsetof(struct __sk_buff, data_end)),
8790 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8791 				    offsetof(struct __sk_buff, data)),
8792 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
8793 			BPF_EXIT_INSN(),
8794 		},
8795 		.result = ACCEPT,
8796 		.retval = TEST_DATA_LEN,
8797 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8798 	},
8799 	{
8800 		"XDP pkt read, pkt_end mangling, bad access 1",
8801 		.insns = {
8802 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8803 				    offsetof(struct xdp_md, data)),
8804 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8805 				    offsetof(struct xdp_md, data_end)),
8806 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8807 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8808 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
8809 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8810 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8811 			BPF_MOV64_IMM(BPF_REG_0, 0),
8812 			BPF_EXIT_INSN(),
8813 		},
8814 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8815 		.result = REJECT,
8816 		.prog_type = BPF_PROG_TYPE_XDP,
8817 	},
8818 	{
8819 		"XDP pkt read, pkt_end mangling, bad access 2",
8820 		.insns = {
8821 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8822 				    offsetof(struct xdp_md, data)),
8823 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8824 				    offsetof(struct xdp_md, data_end)),
8825 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8826 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8827 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
8828 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8829 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8830 			BPF_MOV64_IMM(BPF_REG_0, 0),
8831 			BPF_EXIT_INSN(),
8832 		},
8833 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8834 		.result = REJECT,
8835 		.prog_type = BPF_PROG_TYPE_XDP,
8836 	},
8837 	{
8838 		"XDP pkt read, pkt_data' > pkt_end, good access",
8839 		.insns = {
8840 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8841 				    offsetof(struct xdp_md, data)),
8842 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8843 				    offsetof(struct xdp_md, data_end)),
8844 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8845 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8846 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8847 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8848 			BPF_MOV64_IMM(BPF_REG_0, 0),
8849 			BPF_EXIT_INSN(),
8850 		},
8851 		.result = ACCEPT,
8852 		.prog_type = BPF_PROG_TYPE_XDP,
8853 	},
8854 	{
8855 		"XDP pkt read, pkt_data' > pkt_end, bad access 1",
8856 		.insns = {
8857 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8858 				    offsetof(struct xdp_md, data)),
8859 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8860 				    offsetof(struct xdp_md, data_end)),
8861 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8862 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8863 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8864 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8865 			BPF_MOV64_IMM(BPF_REG_0, 0),
8866 			BPF_EXIT_INSN(),
8867 		},
8868 		.errstr = "R1 offset is outside of the packet",
8869 		.result = REJECT,
8870 		.prog_type = BPF_PROG_TYPE_XDP,
8871 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8872 	},
8873 	{
8874 		"XDP pkt read, pkt_data' > pkt_end, bad access 2",
8875 		.insns = {
8876 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8877 				    offsetof(struct xdp_md, data)),
8878 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8879 				    offsetof(struct xdp_md, data_end)),
8880 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8881 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8882 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8883 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8884 			BPF_MOV64_IMM(BPF_REG_0, 0),
8885 			BPF_EXIT_INSN(),
8886 		},
8887 		.errstr = "R1 offset is outside of the packet",
8888 		.result = REJECT,
8889 		.prog_type = BPF_PROG_TYPE_XDP,
8890 	},
8891 	{
8892 		"XDP pkt read, pkt_end > pkt_data', good access",
8893 		.insns = {
8894 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8895 				    offsetof(struct xdp_md, data)),
8896 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8897 				    offsetof(struct xdp_md, data_end)),
8898 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8899 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8900 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8901 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8902 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8903 			BPF_MOV64_IMM(BPF_REG_0, 0),
8904 			BPF_EXIT_INSN(),
8905 		},
8906 		.result = ACCEPT,
8907 		.prog_type = BPF_PROG_TYPE_XDP,
8908 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8909 	},
8910 	{
8911 		"XDP pkt read, pkt_end > pkt_data', bad access 1",
8912 		.insns = {
8913 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8914 				    offsetof(struct xdp_md, data)),
8915 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8916 				    offsetof(struct xdp_md, data_end)),
8917 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8918 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8919 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8920 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8921 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8922 			BPF_MOV64_IMM(BPF_REG_0, 0),
8923 			BPF_EXIT_INSN(),
8924 		},
8925 		.errstr = "R1 offset is outside of the packet",
8926 		.result = REJECT,
8927 		.prog_type = BPF_PROG_TYPE_XDP,
8928 	},
8929 	{
8930 		"XDP pkt read, pkt_end > pkt_data', bad access 2",
8931 		.insns = {
8932 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8933 				    offsetof(struct xdp_md, data)),
8934 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8935 				    offsetof(struct xdp_md, data_end)),
8936 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8937 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8938 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8939 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8940 			BPF_MOV64_IMM(BPF_REG_0, 0),
8941 			BPF_EXIT_INSN(),
8942 		},
8943 		.errstr = "R1 offset is outside of the packet",
8944 		.result = REJECT,
8945 		.prog_type = BPF_PROG_TYPE_XDP,
8946 	},
8947 	{
8948 		"XDP pkt read, pkt_data' < pkt_end, good access",
8949 		.insns = {
8950 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8951 				    offsetof(struct xdp_md, data)),
8952 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8953 				    offsetof(struct xdp_md, data_end)),
8954 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8955 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8956 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8957 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8958 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8959 			BPF_MOV64_IMM(BPF_REG_0, 0),
8960 			BPF_EXIT_INSN(),
8961 		},
8962 		.result = ACCEPT,
8963 		.prog_type = BPF_PROG_TYPE_XDP,
8964 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8965 	},
8966 	{
8967 		"XDP pkt read, pkt_data' < pkt_end, bad access 1",
8968 		.insns = {
8969 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8970 				    offsetof(struct xdp_md, data)),
8971 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8972 				    offsetof(struct xdp_md, data_end)),
8973 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8974 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8975 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8976 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8977 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8978 			BPF_MOV64_IMM(BPF_REG_0, 0),
8979 			BPF_EXIT_INSN(),
8980 		},
8981 		.errstr = "R1 offset is outside of the packet",
8982 		.result = REJECT,
8983 		.prog_type = BPF_PROG_TYPE_XDP,
8984 	},
8985 	{
8986 		"XDP pkt read, pkt_data' < pkt_end, bad access 2",
8987 		.insns = {
8988 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8989 				    offsetof(struct xdp_md, data)),
8990 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8991 				    offsetof(struct xdp_md, data_end)),
8992 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8993 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8994 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8995 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8996 			BPF_MOV64_IMM(BPF_REG_0, 0),
8997 			BPF_EXIT_INSN(),
8998 		},
8999 		.errstr = "R1 offset is outside of the packet",
9000 		.result = REJECT,
9001 		.prog_type = BPF_PROG_TYPE_XDP,
9002 	},
9003 	{
9004 		"XDP pkt read, pkt_end < pkt_data', good access",
9005 		.insns = {
9006 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9007 				    offsetof(struct xdp_md, data)),
9008 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9009 				    offsetof(struct xdp_md, data_end)),
9010 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9011 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9012 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9013 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9014 			BPF_MOV64_IMM(BPF_REG_0, 0),
9015 			BPF_EXIT_INSN(),
9016 		},
9017 		.result = ACCEPT,
9018 		.prog_type = BPF_PROG_TYPE_XDP,
9019 	},
9020 	{
9021 		"XDP pkt read, pkt_end < pkt_data', bad access 1",
9022 		.insns = {
9023 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9024 				    offsetof(struct xdp_md, data)),
9025 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9026 				    offsetof(struct xdp_md, data_end)),
9027 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9028 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9029 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9030 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9031 			BPF_MOV64_IMM(BPF_REG_0, 0),
9032 			BPF_EXIT_INSN(),
9033 		},
9034 		.errstr = "R1 offset is outside of the packet",
9035 		.result = REJECT,
9036 		.prog_type = BPF_PROG_TYPE_XDP,
9037 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9038 	},
9039 	{
9040 		"XDP pkt read, pkt_end < pkt_data', bad access 2",
9041 		.insns = {
9042 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9043 				    offsetof(struct xdp_md, data)),
9044 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9045 				    offsetof(struct xdp_md, data_end)),
9046 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9047 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9048 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9049 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9050 			BPF_MOV64_IMM(BPF_REG_0, 0),
9051 			BPF_EXIT_INSN(),
9052 		},
9053 		.errstr = "R1 offset is outside of the packet",
9054 		.result = REJECT,
9055 		.prog_type = BPF_PROG_TYPE_XDP,
9056 	},
9057 	{
9058 		"XDP pkt read, pkt_data' >= pkt_end, good access",
9059 		.insns = {
9060 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9061 				    offsetof(struct xdp_md, data)),
9062 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9063 				    offsetof(struct xdp_md, data_end)),
9064 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9065 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9066 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9067 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9068 			BPF_MOV64_IMM(BPF_REG_0, 0),
9069 			BPF_EXIT_INSN(),
9070 		},
9071 		.result = ACCEPT,
9072 		.prog_type = BPF_PROG_TYPE_XDP,
9073 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9074 	},
9075 	{
9076 		"XDP pkt read, pkt_data' >= pkt_end, bad access 1",
9077 		.insns = {
9078 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9079 				    offsetof(struct xdp_md, data)),
9080 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9081 				    offsetof(struct xdp_md, data_end)),
9082 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9083 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9084 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9085 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9086 			BPF_MOV64_IMM(BPF_REG_0, 0),
9087 			BPF_EXIT_INSN(),
9088 		},
9089 		.errstr = "R1 offset is outside of the packet",
9090 		.result = REJECT,
9091 		.prog_type = BPF_PROG_TYPE_XDP,
9092 	},
9093 	{
9094 		"XDP pkt read, pkt_data' >= pkt_end, bad access 2",
9095 		.insns = {
9096 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9097 				    offsetof(struct xdp_md, data)),
9098 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9099 				    offsetof(struct xdp_md, data_end)),
9100 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9101 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9102 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9103 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9104 			BPF_MOV64_IMM(BPF_REG_0, 0),
9105 			BPF_EXIT_INSN(),
9106 		},
9107 		.errstr = "R1 offset is outside of the packet",
9108 		.result = REJECT,
9109 		.prog_type = BPF_PROG_TYPE_XDP,
9110 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9111 	},
9112 	{
9113 		"XDP pkt read, pkt_end >= pkt_data', good access",
9114 		.insns = {
9115 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9116 				    offsetof(struct xdp_md, data)),
9117 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9118 				    offsetof(struct xdp_md, data_end)),
9119 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9120 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9121 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9122 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9123 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9124 			BPF_MOV64_IMM(BPF_REG_0, 0),
9125 			BPF_EXIT_INSN(),
9126 		},
9127 		.result = ACCEPT,
9128 		.prog_type = BPF_PROG_TYPE_XDP,
9129 	},
9130 	{
9131 		"XDP pkt read, pkt_end >= pkt_data', bad access 1",
9132 		.insns = {
9133 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9134 				    offsetof(struct xdp_md, data)),
9135 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9136 				    offsetof(struct xdp_md, data_end)),
9137 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9138 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9139 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9140 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9141 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9142 			BPF_MOV64_IMM(BPF_REG_0, 0),
9143 			BPF_EXIT_INSN(),
9144 		},
9145 		.errstr = "R1 offset is outside of the packet",
9146 		.result = REJECT,
9147 		.prog_type = BPF_PROG_TYPE_XDP,
9148 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9149 	},
9150 	{
9151 		"XDP pkt read, pkt_end >= pkt_data', bad access 2",
9152 		.insns = {
9153 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9154 				    offsetof(struct xdp_md, data)),
9155 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9156 				    offsetof(struct xdp_md, data_end)),
9157 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9158 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9159 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9160 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9161 			BPF_MOV64_IMM(BPF_REG_0, 0),
9162 			BPF_EXIT_INSN(),
9163 		},
9164 		.errstr = "R1 offset is outside of the packet",
9165 		.result = REJECT,
9166 		.prog_type = BPF_PROG_TYPE_XDP,
9167 	},
9168 	{
9169 		"XDP pkt read, pkt_data' <= pkt_end, good access",
9170 		.insns = {
9171 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9172 				    offsetof(struct xdp_md, data)),
9173 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9174 				    offsetof(struct xdp_md, data_end)),
9175 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9176 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9177 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9178 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9179 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9180 			BPF_MOV64_IMM(BPF_REG_0, 0),
9181 			BPF_EXIT_INSN(),
9182 		},
9183 		.result = ACCEPT,
9184 		.prog_type = BPF_PROG_TYPE_XDP,
9185 	},
9186 	{
9187 		"XDP pkt read, pkt_data' <= pkt_end, bad access 1",
9188 		.insns = {
9189 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9190 				    offsetof(struct xdp_md, data)),
9191 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9192 				    offsetof(struct xdp_md, data_end)),
9193 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9194 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9195 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9196 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9197 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9198 			BPF_MOV64_IMM(BPF_REG_0, 0),
9199 			BPF_EXIT_INSN(),
9200 		},
9201 		.errstr = "R1 offset is outside of the packet",
9202 		.result = REJECT,
9203 		.prog_type = BPF_PROG_TYPE_XDP,
9204 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9205 	},
9206 	{
9207 		"XDP pkt read, pkt_data' <= pkt_end, bad access 2",
9208 		.insns = {
9209 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9210 				    offsetof(struct xdp_md, data)),
9211 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9212 				    offsetof(struct xdp_md, data_end)),
9213 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9214 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9215 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9216 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9217 			BPF_MOV64_IMM(BPF_REG_0, 0),
9218 			BPF_EXIT_INSN(),
9219 		},
9220 		.errstr = "R1 offset is outside of the packet",
9221 		.result = REJECT,
9222 		.prog_type = BPF_PROG_TYPE_XDP,
9223 	},
9224 	{
9225 		"XDP pkt read, pkt_end <= pkt_data', good access",
9226 		.insns = {
9227 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9228 				    offsetof(struct xdp_md, data)),
9229 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9230 				    offsetof(struct xdp_md, data_end)),
9231 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9232 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9233 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9234 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9235 			BPF_MOV64_IMM(BPF_REG_0, 0),
9236 			BPF_EXIT_INSN(),
9237 		},
9238 		.result = ACCEPT,
9239 		.prog_type = BPF_PROG_TYPE_XDP,
9240 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9241 	},
9242 	{
9243 		"XDP pkt read, pkt_end <= pkt_data', bad access 1",
9244 		.insns = {
9245 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9246 				    offsetof(struct xdp_md, data)),
9247 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9248 				    offsetof(struct xdp_md, data_end)),
9249 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9250 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9251 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9252 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9253 			BPF_MOV64_IMM(BPF_REG_0, 0),
9254 			BPF_EXIT_INSN(),
9255 		},
9256 		.errstr = "R1 offset is outside of the packet",
9257 		.result = REJECT,
9258 		.prog_type = BPF_PROG_TYPE_XDP,
9259 	},
9260 	{
9261 		"XDP pkt read, pkt_end <= pkt_data', bad access 2",
9262 		.insns = {
9263 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9264 				    offsetof(struct xdp_md, data)),
9265 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9266 				    offsetof(struct xdp_md, data_end)),
9267 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9268 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9269 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9270 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9271 			BPF_MOV64_IMM(BPF_REG_0, 0),
9272 			BPF_EXIT_INSN(),
9273 		},
9274 		.errstr = "R1 offset is outside of the packet",
9275 		.result = REJECT,
9276 		.prog_type = BPF_PROG_TYPE_XDP,
9277 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9278 	},
9279 	{
9280 		"XDP pkt read, pkt_meta' > pkt_data, good access",
9281 		.insns = {
9282 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9283 				    offsetof(struct xdp_md, data_meta)),
9284 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9285 				    offsetof(struct xdp_md, data)),
9286 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9287 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9288 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9289 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9290 			BPF_MOV64_IMM(BPF_REG_0, 0),
9291 			BPF_EXIT_INSN(),
9292 		},
9293 		.result = ACCEPT,
9294 		.prog_type = BPF_PROG_TYPE_XDP,
9295 	},
9296 	{
9297 		"XDP pkt read, pkt_meta' > pkt_data, bad access 1",
9298 		.insns = {
9299 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9300 				    offsetof(struct xdp_md, data_meta)),
9301 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9302 				    offsetof(struct xdp_md, data)),
9303 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9304 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9305 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9306 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9307 			BPF_MOV64_IMM(BPF_REG_0, 0),
9308 			BPF_EXIT_INSN(),
9309 		},
9310 		.errstr = "R1 offset is outside of the packet",
9311 		.result = REJECT,
9312 		.prog_type = BPF_PROG_TYPE_XDP,
9313 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9314 	},
9315 	{
9316 		"XDP pkt read, pkt_meta' > pkt_data, bad access 2",
9317 		.insns = {
9318 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9319 				    offsetof(struct xdp_md, data_meta)),
9320 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9321 				    offsetof(struct xdp_md, data)),
9322 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9323 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9324 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9325 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9326 			BPF_MOV64_IMM(BPF_REG_0, 0),
9327 			BPF_EXIT_INSN(),
9328 		},
9329 		.errstr = "R1 offset is outside of the packet",
9330 		.result = REJECT,
9331 		.prog_type = BPF_PROG_TYPE_XDP,
9332 	},
9333 	{
9334 		"XDP pkt read, pkt_data > pkt_meta', good access",
9335 		.insns = {
9336 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9337 				    offsetof(struct xdp_md, data_meta)),
9338 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9339 				    offsetof(struct xdp_md, data)),
9340 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9341 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9342 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9343 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9344 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9345 			BPF_MOV64_IMM(BPF_REG_0, 0),
9346 			BPF_EXIT_INSN(),
9347 		},
9348 		.result = ACCEPT,
9349 		.prog_type = BPF_PROG_TYPE_XDP,
9350 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9351 	},
9352 	{
9353 		"XDP pkt read, pkt_data > pkt_meta', bad access 1",
9354 		.insns = {
9355 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9356 				    offsetof(struct xdp_md, data_meta)),
9357 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9358 				    offsetof(struct xdp_md, data)),
9359 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9360 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9361 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9362 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9363 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9364 			BPF_MOV64_IMM(BPF_REG_0, 0),
9365 			BPF_EXIT_INSN(),
9366 		},
9367 		.errstr = "R1 offset is outside of the packet",
9368 		.result = REJECT,
9369 		.prog_type = BPF_PROG_TYPE_XDP,
9370 	},
9371 	{
9372 		"XDP pkt read, pkt_data > pkt_meta', bad access 2",
9373 		.insns = {
9374 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9375 				    offsetof(struct xdp_md, data_meta)),
9376 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9377 				    offsetof(struct xdp_md, data)),
9378 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9379 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9380 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9381 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9382 			BPF_MOV64_IMM(BPF_REG_0, 0),
9383 			BPF_EXIT_INSN(),
9384 		},
9385 		.errstr = "R1 offset is outside of the packet",
9386 		.result = REJECT,
9387 		.prog_type = BPF_PROG_TYPE_XDP,
9388 	},
9389 	{
9390 		"XDP pkt read, pkt_meta' < pkt_data, good access",
9391 		.insns = {
9392 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9393 				    offsetof(struct xdp_md, data_meta)),
9394 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9395 				    offsetof(struct xdp_md, data)),
9396 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9397 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9398 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9399 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9400 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9401 			BPF_MOV64_IMM(BPF_REG_0, 0),
9402 			BPF_EXIT_INSN(),
9403 		},
9404 		.result = ACCEPT,
9405 		.prog_type = BPF_PROG_TYPE_XDP,
9406 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9407 	},
9408 	{
9409 		"XDP pkt read, pkt_meta' < pkt_data, bad access 1",
9410 		.insns = {
9411 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9412 				    offsetof(struct xdp_md, data_meta)),
9413 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9414 				    offsetof(struct xdp_md, data)),
9415 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9416 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9417 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9418 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9419 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9420 			BPF_MOV64_IMM(BPF_REG_0, 0),
9421 			BPF_EXIT_INSN(),
9422 		},
9423 		.errstr = "R1 offset is outside of the packet",
9424 		.result = REJECT,
9425 		.prog_type = BPF_PROG_TYPE_XDP,
9426 	},
9427 	{
9428 		"XDP pkt read, pkt_meta' < pkt_data, bad access 2",
9429 		.insns = {
9430 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9431 				    offsetof(struct xdp_md, data_meta)),
9432 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9433 				    offsetof(struct xdp_md, data)),
9434 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9435 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9436 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9437 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9438 			BPF_MOV64_IMM(BPF_REG_0, 0),
9439 			BPF_EXIT_INSN(),
9440 		},
9441 		.errstr = "R1 offset is outside of the packet",
9442 		.result = REJECT,
9443 		.prog_type = BPF_PROG_TYPE_XDP,
9444 	},
9445 	{
9446 		"XDP pkt read, pkt_data < pkt_meta', good access",
9447 		.insns = {
9448 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9449 				    offsetof(struct xdp_md, data_meta)),
9450 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9451 				    offsetof(struct xdp_md, data)),
9452 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9453 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9454 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9455 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9456 			BPF_MOV64_IMM(BPF_REG_0, 0),
9457 			BPF_EXIT_INSN(),
9458 		},
9459 		.result = ACCEPT,
9460 		.prog_type = BPF_PROG_TYPE_XDP,
9461 	},
9462 	{
9463 		"XDP pkt read, pkt_data < pkt_meta', bad access 1",
9464 		.insns = {
9465 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9466 				    offsetof(struct xdp_md, data_meta)),
9467 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9468 				    offsetof(struct xdp_md, data)),
9469 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9470 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9471 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9472 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9473 			BPF_MOV64_IMM(BPF_REG_0, 0),
9474 			BPF_EXIT_INSN(),
9475 		},
9476 		.errstr = "R1 offset is outside of the packet",
9477 		.result = REJECT,
9478 		.prog_type = BPF_PROG_TYPE_XDP,
9479 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9480 	},
9481 	{
9482 		"XDP pkt read, pkt_data < pkt_meta', bad access 2",
9483 		.insns = {
9484 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9485 				    offsetof(struct xdp_md, data_meta)),
9486 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9487 				    offsetof(struct xdp_md, data)),
9488 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9489 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9490 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9491 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9492 			BPF_MOV64_IMM(BPF_REG_0, 0),
9493 			BPF_EXIT_INSN(),
9494 		},
9495 		.errstr = "R1 offset is outside of the packet",
9496 		.result = REJECT,
9497 		.prog_type = BPF_PROG_TYPE_XDP,
9498 	},
9499 	{
9500 		"XDP pkt read, pkt_meta' >= pkt_data, good access",
9501 		.insns = {
9502 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9503 				    offsetof(struct xdp_md, data_meta)),
9504 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9505 				    offsetof(struct xdp_md, data)),
9506 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9507 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9508 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9509 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9510 			BPF_MOV64_IMM(BPF_REG_0, 0),
9511 			BPF_EXIT_INSN(),
9512 		},
9513 		.result = ACCEPT,
9514 		.prog_type = BPF_PROG_TYPE_XDP,
9515 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9516 	},
9517 	{
9518 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
9519 		.insns = {
9520 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9521 				    offsetof(struct xdp_md, data_meta)),
9522 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9523 				    offsetof(struct xdp_md, data)),
9524 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9525 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9526 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9527 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9528 			BPF_MOV64_IMM(BPF_REG_0, 0),
9529 			BPF_EXIT_INSN(),
9530 		},
9531 		.errstr = "R1 offset is outside of the packet",
9532 		.result = REJECT,
9533 		.prog_type = BPF_PROG_TYPE_XDP,
9534 	},
9535 	{
9536 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
9537 		.insns = {
9538 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9539 				    offsetof(struct xdp_md, data_meta)),
9540 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9541 				    offsetof(struct xdp_md, data)),
9542 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9543 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9544 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9545 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9546 			BPF_MOV64_IMM(BPF_REG_0, 0),
9547 			BPF_EXIT_INSN(),
9548 		},
9549 		.errstr = "R1 offset is outside of the packet",
9550 		.result = REJECT,
9551 		.prog_type = BPF_PROG_TYPE_XDP,
9552 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9553 	},
9554 	{
9555 		"XDP pkt read, pkt_data >= pkt_meta', good access",
9556 		.insns = {
9557 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9558 				    offsetof(struct xdp_md, data_meta)),
9559 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9560 				    offsetof(struct xdp_md, data)),
9561 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9562 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9563 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9564 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9565 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9566 			BPF_MOV64_IMM(BPF_REG_0, 0),
9567 			BPF_EXIT_INSN(),
9568 		},
9569 		.result = ACCEPT,
9570 		.prog_type = BPF_PROG_TYPE_XDP,
9571 	},
9572 	{
9573 		"XDP pkt read, pkt_data >= pkt_meta', bad access 1",
9574 		.insns = {
9575 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9576 				    offsetof(struct xdp_md, data_meta)),
9577 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9578 				    offsetof(struct xdp_md, data)),
9579 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9580 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9581 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9582 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9583 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9584 			BPF_MOV64_IMM(BPF_REG_0, 0),
9585 			BPF_EXIT_INSN(),
9586 		},
9587 		.errstr = "R1 offset is outside of the packet",
9588 		.result = REJECT,
9589 		.prog_type = BPF_PROG_TYPE_XDP,
9590 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9591 	},
9592 	{
9593 		"XDP pkt read, pkt_data >= pkt_meta', bad access 2",
9594 		.insns = {
9595 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9596 				    offsetof(struct xdp_md, data_meta)),
9597 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9598 				    offsetof(struct xdp_md, data)),
9599 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9600 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9601 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9602 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9603 			BPF_MOV64_IMM(BPF_REG_0, 0),
9604 			BPF_EXIT_INSN(),
9605 		},
9606 		.errstr = "R1 offset is outside of the packet",
9607 		.result = REJECT,
9608 		.prog_type = BPF_PROG_TYPE_XDP,
9609 	},
9610 	{
9611 		"XDP pkt read, pkt_meta' <= pkt_data, good access",
9612 		.insns = {
9613 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9614 				    offsetof(struct xdp_md, data_meta)),
9615 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9616 				    offsetof(struct xdp_md, data)),
9617 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9618 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9619 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9620 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9621 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9622 			BPF_MOV64_IMM(BPF_REG_0, 0),
9623 			BPF_EXIT_INSN(),
9624 		},
9625 		.result = ACCEPT,
9626 		.prog_type = BPF_PROG_TYPE_XDP,
9627 	},
9628 	{
9629 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
9630 		.insns = {
9631 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9632 				    offsetof(struct xdp_md, data_meta)),
9633 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9634 				    offsetof(struct xdp_md, data)),
9635 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9636 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9637 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9638 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9639 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9640 			BPF_MOV64_IMM(BPF_REG_0, 0),
9641 			BPF_EXIT_INSN(),
9642 		},
9643 		.errstr = "R1 offset is outside of the packet",
9644 		.result = REJECT,
9645 		.prog_type = BPF_PROG_TYPE_XDP,
9646 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9647 	},
9648 	{
9649 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
9650 		.insns = {
9651 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9652 				    offsetof(struct xdp_md, data_meta)),
9653 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9654 				    offsetof(struct xdp_md, data)),
9655 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9656 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9657 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9658 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9659 			BPF_MOV64_IMM(BPF_REG_0, 0),
9660 			BPF_EXIT_INSN(),
9661 		},
9662 		.errstr = "R1 offset is outside of the packet",
9663 		.result = REJECT,
9664 		.prog_type = BPF_PROG_TYPE_XDP,
9665 	},
9666 	{
9667 		"XDP pkt read, pkt_data <= pkt_meta', good access",
9668 		.insns = {
9669 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9670 				    offsetof(struct xdp_md, data_meta)),
9671 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9672 				    offsetof(struct xdp_md, data)),
9673 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9674 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9675 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9676 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9677 			BPF_MOV64_IMM(BPF_REG_0, 0),
9678 			BPF_EXIT_INSN(),
9679 		},
9680 		.result = ACCEPT,
9681 		.prog_type = BPF_PROG_TYPE_XDP,
9682 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9683 	},
9684 	{
9685 		"XDP pkt read, pkt_data <= pkt_meta', bad access 1",
9686 		.insns = {
9687 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9688 				    offsetof(struct xdp_md, data_meta)),
9689 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9690 				    offsetof(struct xdp_md, data)),
9691 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9692 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9693 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9694 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9695 			BPF_MOV64_IMM(BPF_REG_0, 0),
9696 			BPF_EXIT_INSN(),
9697 		},
9698 		.errstr = "R1 offset is outside of the packet",
9699 		.result = REJECT,
9700 		.prog_type = BPF_PROG_TYPE_XDP,
9701 	},
9702 	{
9703 		"XDP pkt read, pkt_data <= pkt_meta', bad access 2",
9704 		.insns = {
9705 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9706 				    offsetof(struct xdp_md, data_meta)),
9707 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9708 				    offsetof(struct xdp_md, data)),
9709 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9710 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9711 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9712 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9713 			BPF_MOV64_IMM(BPF_REG_0, 0),
9714 			BPF_EXIT_INSN(),
9715 		},
9716 		.errstr = "R1 offset is outside of the packet",
9717 		.result = REJECT,
9718 		.prog_type = BPF_PROG_TYPE_XDP,
9719 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9720 	},
9721 	{
9722 		"check deducing bounds from const, 1",
9723 		.insns = {
9724 			BPF_MOV64_IMM(BPF_REG_0, 1),
9725 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
9726 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9727 			BPF_EXIT_INSN(),
9728 		},
9729 		.result = REJECT,
9730 		.errstr = "R0 tried to subtract pointer from scalar",
9731 	},
9732 	{
9733 		"check deducing bounds from const, 2",
9734 		.insns = {
9735 			BPF_MOV64_IMM(BPF_REG_0, 1),
9736 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
9737 			BPF_EXIT_INSN(),
9738 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
9739 			BPF_EXIT_INSN(),
9740 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9741 			BPF_EXIT_INSN(),
9742 		},
9743 		.result = ACCEPT,
9744 		.retval = 1,
9745 	},
9746 	{
9747 		"check deducing bounds from const, 3",
9748 		.insns = {
9749 			BPF_MOV64_IMM(BPF_REG_0, 0),
9750 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9751 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9752 			BPF_EXIT_INSN(),
9753 		},
9754 		.result = REJECT,
9755 		.errstr = "R0 tried to subtract pointer from scalar",
9756 	},
9757 	{
9758 		"check deducing bounds from const, 4",
9759 		.insns = {
9760 			BPF_MOV64_IMM(BPF_REG_0, 0),
9761 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
9762 			BPF_EXIT_INSN(),
9763 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9764 			BPF_EXIT_INSN(),
9765 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9766 			BPF_EXIT_INSN(),
9767 		},
9768 		.result = ACCEPT,
9769 	},
9770 	{
9771 		"check deducing bounds from const, 5",
9772 		.insns = {
9773 			BPF_MOV64_IMM(BPF_REG_0, 0),
9774 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9775 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9776 			BPF_EXIT_INSN(),
9777 		},
9778 		.result = REJECT,
9779 		.errstr = "R0 tried to subtract pointer from scalar",
9780 	},
9781 	{
9782 		"check deducing bounds from const, 6",
9783 		.insns = {
9784 			BPF_MOV64_IMM(BPF_REG_0, 0),
9785 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9786 			BPF_EXIT_INSN(),
9787 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9788 			BPF_EXIT_INSN(),
9789 		},
9790 		.result = REJECT,
9791 		.errstr = "R0 tried to subtract pointer from scalar",
9792 	},
9793 	{
9794 		"check deducing bounds from const, 7",
9795 		.insns = {
9796 			BPF_MOV64_IMM(BPF_REG_0, ~0),
9797 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9798 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9799 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9800 				    offsetof(struct __sk_buff, mark)),
9801 			BPF_EXIT_INSN(),
9802 		},
9803 		.result = REJECT,
9804 		.errstr = "dereference of modified ctx ptr",
9805 	},
9806 	{
9807 		"check deducing bounds from const, 8",
9808 		.insns = {
9809 			BPF_MOV64_IMM(BPF_REG_0, ~0),
9810 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9811 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
9812 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9813 				    offsetof(struct __sk_buff, mark)),
9814 			BPF_EXIT_INSN(),
9815 		},
9816 		.result = REJECT,
9817 		.errstr = "dereference of modified ctx ptr",
9818 	},
9819 	{
9820 		"check deducing bounds from const, 9",
9821 		.insns = {
9822 			BPF_MOV64_IMM(BPF_REG_0, 0),
9823 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9824 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9825 			BPF_EXIT_INSN(),
9826 		},
9827 		.result = REJECT,
9828 		.errstr = "R0 tried to subtract pointer from scalar",
9829 	},
9830 	{
9831 		"check deducing bounds from const, 10",
9832 		.insns = {
9833 			BPF_MOV64_IMM(BPF_REG_0, 0),
9834 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9835 			/* Marks reg as unknown. */
9836 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
9837 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9838 			BPF_EXIT_INSN(),
9839 		},
9840 		.result = REJECT,
9841 		.errstr = "math between ctx pointer and register with unbounded min value is not allowed",
9842 	},
9843 	{
9844 		"bpf_exit with invalid return code. test1",
9845 		.insns = {
9846 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9847 			BPF_EXIT_INSN(),
9848 		},
9849 		.errstr = "R0 has value (0x0; 0xffffffff)",
9850 		.result = REJECT,
9851 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9852 	},
9853 	{
9854 		"bpf_exit with invalid return code. test2",
9855 		.insns = {
9856 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9857 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
9858 			BPF_EXIT_INSN(),
9859 		},
9860 		.result = ACCEPT,
9861 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9862 	},
9863 	{
9864 		"bpf_exit with invalid return code. test3",
9865 		.insns = {
9866 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9867 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
9868 			BPF_EXIT_INSN(),
9869 		},
9870 		.errstr = "R0 has value (0x0; 0x3)",
9871 		.result = REJECT,
9872 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9873 	},
9874 	{
9875 		"bpf_exit with invalid return code. test4",
9876 		.insns = {
9877 			BPF_MOV64_IMM(BPF_REG_0, 1),
9878 			BPF_EXIT_INSN(),
9879 		},
9880 		.result = ACCEPT,
9881 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9882 	},
9883 	{
9884 		"bpf_exit with invalid return code. test5",
9885 		.insns = {
9886 			BPF_MOV64_IMM(BPF_REG_0, 2),
9887 			BPF_EXIT_INSN(),
9888 		},
9889 		.errstr = "R0 has value (0x2; 0x0)",
9890 		.result = REJECT,
9891 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9892 	},
9893 	{
9894 		"bpf_exit with invalid return code. test6",
9895 		.insns = {
9896 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9897 			BPF_EXIT_INSN(),
9898 		},
9899 		.errstr = "R0 is not a known value (ctx)",
9900 		.result = REJECT,
9901 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9902 	},
9903 	{
9904 		"bpf_exit with invalid return code. test7",
9905 		.insns = {
9906 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9907 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
9908 			BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
9909 			BPF_EXIT_INSN(),
9910 		},
9911 		.errstr = "R0 has unknown scalar value",
9912 		.result = REJECT,
9913 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9914 	},
9915 	{
9916 		"calls: basic sanity",
9917 		.insns = {
9918 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9919 			BPF_MOV64_IMM(BPF_REG_0, 1),
9920 			BPF_EXIT_INSN(),
9921 			BPF_MOV64_IMM(BPF_REG_0, 2),
9922 			BPF_EXIT_INSN(),
9923 		},
9924 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9925 		.result = ACCEPT,
9926 	},
9927 	{
9928 		"calls: not on unpriviledged",
9929 		.insns = {
9930 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9931 			BPF_MOV64_IMM(BPF_REG_0, 1),
9932 			BPF_EXIT_INSN(),
9933 			BPF_MOV64_IMM(BPF_REG_0, 2),
9934 			BPF_EXIT_INSN(),
9935 		},
9936 		.errstr_unpriv = "function calls to other bpf functions are allowed for root only",
9937 		.result_unpriv = REJECT,
9938 		.result = ACCEPT,
9939 		.retval = 1,
9940 	},
9941 	{
9942 		"calls: div by 0 in subprog",
9943 		.insns = {
9944 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9945 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9946 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9947 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9948 				    offsetof(struct __sk_buff, data_end)),
9949 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9950 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9951 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9952 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9953 			BPF_MOV64_IMM(BPF_REG_0, 1),
9954 			BPF_EXIT_INSN(),
9955 			BPF_MOV32_IMM(BPF_REG_2, 0),
9956 			BPF_MOV32_IMM(BPF_REG_3, 1),
9957 			BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
9958 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9959 				    offsetof(struct __sk_buff, data)),
9960 			BPF_EXIT_INSN(),
9961 		},
9962 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9963 		.result = ACCEPT,
9964 		.retval = 1,
9965 	},
9966 	{
9967 		"calls: multiple ret types in subprog 1",
9968 		.insns = {
9969 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9970 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9971 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9972 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9973 				    offsetof(struct __sk_buff, data_end)),
9974 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9975 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9976 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9977 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9978 			BPF_MOV64_IMM(BPF_REG_0, 1),
9979 			BPF_EXIT_INSN(),
9980 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9981 				    offsetof(struct __sk_buff, data)),
9982 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9983 			BPF_MOV32_IMM(BPF_REG_0, 42),
9984 			BPF_EXIT_INSN(),
9985 		},
9986 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9987 		.result = REJECT,
9988 		.errstr = "R0 invalid mem access 'inv'",
9989 	},
9990 	{
9991 		"calls: multiple ret types in subprog 2",
9992 		.insns = {
9993 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9994 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9995 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9996 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9997 				    offsetof(struct __sk_buff, data_end)),
9998 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9999 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
10000 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
10001 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
10002 			BPF_MOV64_IMM(BPF_REG_0, 1),
10003 			BPF_EXIT_INSN(),
10004 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10005 				    offsetof(struct __sk_buff, data)),
10006 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10007 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
10008 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10009 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10010 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10011 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10012 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10013 				     BPF_FUNC_map_lookup_elem),
10014 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
10015 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
10016 				    offsetof(struct __sk_buff, data)),
10017 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
10018 			BPF_EXIT_INSN(),
10019 		},
10020 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10021 		.fixup_map1 = { 16 },
10022 		.result = REJECT,
10023 		.errstr = "R0 min value is outside of the array range",
10024 	},
10025 	{
10026 		"calls: overlapping caller/callee",
10027 		.insns = {
10028 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
10029 			BPF_MOV64_IMM(BPF_REG_0, 1),
10030 			BPF_EXIT_INSN(),
10031 		},
10032 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10033 		.errstr = "last insn is not an exit or jmp",
10034 		.result = REJECT,
10035 	},
10036 	{
10037 		"calls: wrong recursive calls",
10038 		.insns = {
10039 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10040 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10041 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10042 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10043 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
10044 			BPF_MOV64_IMM(BPF_REG_0, 1),
10045 			BPF_EXIT_INSN(),
10046 		},
10047 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10048 		.errstr = "jump out of range",
10049 		.result = REJECT,
10050 	},
10051 	{
10052 		"calls: wrong src reg",
10053 		.insns = {
10054 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
10055 			BPF_MOV64_IMM(BPF_REG_0, 1),
10056 			BPF_EXIT_INSN(),
10057 		},
10058 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10059 		.errstr = "BPF_CALL uses reserved fields",
10060 		.result = REJECT,
10061 	},
10062 	{
10063 		"calls: wrong off value",
10064 		.insns = {
10065 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
10066 			BPF_MOV64_IMM(BPF_REG_0, 1),
10067 			BPF_EXIT_INSN(),
10068 			BPF_MOV64_IMM(BPF_REG_0, 2),
10069 			BPF_EXIT_INSN(),
10070 		},
10071 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10072 		.errstr = "BPF_CALL uses reserved fields",
10073 		.result = REJECT,
10074 	},
10075 	{
10076 		"calls: jump back loop",
10077 		.insns = {
10078 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10079 			BPF_MOV64_IMM(BPF_REG_0, 1),
10080 			BPF_EXIT_INSN(),
10081 		},
10082 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10083 		.errstr = "back-edge from insn 0 to 0",
10084 		.result = REJECT,
10085 	},
10086 	{
10087 		"calls: conditional call",
10088 		.insns = {
10089 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10090 				    offsetof(struct __sk_buff, mark)),
10091 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10092 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10093 			BPF_MOV64_IMM(BPF_REG_0, 1),
10094 			BPF_EXIT_INSN(),
10095 			BPF_MOV64_IMM(BPF_REG_0, 2),
10096 			BPF_EXIT_INSN(),
10097 		},
10098 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10099 		.errstr = "jump out of range",
10100 		.result = REJECT,
10101 	},
10102 	{
10103 		"calls: conditional call 2",
10104 		.insns = {
10105 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10106 				    offsetof(struct __sk_buff, mark)),
10107 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10108 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10109 			BPF_MOV64_IMM(BPF_REG_0, 1),
10110 			BPF_EXIT_INSN(),
10111 			BPF_MOV64_IMM(BPF_REG_0, 2),
10112 			BPF_EXIT_INSN(),
10113 			BPF_MOV64_IMM(BPF_REG_0, 3),
10114 			BPF_EXIT_INSN(),
10115 		},
10116 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10117 		.result = ACCEPT,
10118 	},
10119 	{
10120 		"calls: conditional call 3",
10121 		.insns = {
10122 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10123 				    offsetof(struct __sk_buff, mark)),
10124 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10125 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
10126 			BPF_MOV64_IMM(BPF_REG_0, 1),
10127 			BPF_EXIT_INSN(),
10128 			BPF_MOV64_IMM(BPF_REG_0, 1),
10129 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10130 			BPF_MOV64_IMM(BPF_REG_0, 3),
10131 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10132 		},
10133 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10134 		.errstr = "back-edge from insn",
10135 		.result = REJECT,
10136 	},
10137 	{
10138 		"calls: conditional call 4",
10139 		.insns = {
10140 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10141 				    offsetof(struct __sk_buff, mark)),
10142 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10143 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10144 			BPF_MOV64_IMM(BPF_REG_0, 1),
10145 			BPF_EXIT_INSN(),
10146 			BPF_MOV64_IMM(BPF_REG_0, 1),
10147 			BPF_JMP_IMM(BPF_JA, 0, 0, -5),
10148 			BPF_MOV64_IMM(BPF_REG_0, 3),
10149 			BPF_EXIT_INSN(),
10150 		},
10151 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10152 		.result = ACCEPT,
10153 	},
10154 	{
10155 		"calls: conditional call 5",
10156 		.insns = {
10157 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10158 				    offsetof(struct __sk_buff, mark)),
10159 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
10160 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10161 			BPF_MOV64_IMM(BPF_REG_0, 1),
10162 			BPF_EXIT_INSN(),
10163 			BPF_MOV64_IMM(BPF_REG_0, 1),
10164 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
10165 			BPF_MOV64_IMM(BPF_REG_0, 3),
10166 			BPF_EXIT_INSN(),
10167 		},
10168 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10169 		.errstr = "back-edge from insn",
10170 		.result = REJECT,
10171 	},
10172 	{
10173 		"calls: conditional call 6",
10174 		.insns = {
10175 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10176 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
10177 			BPF_EXIT_INSN(),
10178 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10179 				    offsetof(struct __sk_buff, mark)),
10180 			BPF_EXIT_INSN(),
10181 		},
10182 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10183 		.errstr = "back-edge from insn",
10184 		.result = REJECT,
10185 	},
10186 	{
10187 		"calls: using r0 returned by callee",
10188 		.insns = {
10189 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10190 			BPF_EXIT_INSN(),
10191 			BPF_MOV64_IMM(BPF_REG_0, 2),
10192 			BPF_EXIT_INSN(),
10193 		},
10194 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10195 		.result = ACCEPT,
10196 	},
10197 	{
10198 		"calls: using uninit r0 from callee",
10199 		.insns = {
10200 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10201 			BPF_EXIT_INSN(),
10202 			BPF_EXIT_INSN(),
10203 		},
10204 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10205 		.errstr = "!read_ok",
10206 		.result = REJECT,
10207 	},
10208 	{
10209 		"calls: callee is using r1",
10210 		.insns = {
10211 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10212 			BPF_EXIT_INSN(),
10213 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10214 				    offsetof(struct __sk_buff, len)),
10215 			BPF_EXIT_INSN(),
10216 		},
10217 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
10218 		.result = ACCEPT,
10219 		.retval = TEST_DATA_LEN,
10220 	},
10221 	{
10222 		"calls: callee using args1",
10223 		.insns = {
10224 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10225 			BPF_EXIT_INSN(),
10226 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10227 			BPF_EXIT_INSN(),
10228 		},
10229 		.errstr_unpriv = "allowed for root only",
10230 		.result_unpriv = REJECT,
10231 		.result = ACCEPT,
10232 		.retval = POINTER_VALUE,
10233 	},
10234 	{
10235 		"calls: callee using wrong args2",
10236 		.insns = {
10237 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10238 			BPF_EXIT_INSN(),
10239 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
10240 			BPF_EXIT_INSN(),
10241 		},
10242 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10243 		.errstr = "R2 !read_ok",
10244 		.result = REJECT,
10245 	},
10246 	{
10247 		"calls: callee using two args",
10248 		.insns = {
10249 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10250 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
10251 				    offsetof(struct __sk_buff, len)),
10252 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
10253 				    offsetof(struct __sk_buff, len)),
10254 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10255 			BPF_EXIT_INSN(),
10256 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10257 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
10258 			BPF_EXIT_INSN(),
10259 		},
10260 		.errstr_unpriv = "allowed for root only",
10261 		.result_unpriv = REJECT,
10262 		.result = ACCEPT,
10263 		.retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
10264 	},
10265 	{
10266 		"calls: callee changing pkt pointers",
10267 		.insns = {
10268 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
10269 				    offsetof(struct xdp_md, data)),
10270 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
10271 				    offsetof(struct xdp_md, data_end)),
10272 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
10273 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
10274 			BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
10275 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10276 			/* clear_all_pkt_pointers() has to walk all frames
10277 			 * to make sure that pkt pointers in the caller
10278 			 * are cleared when callee is calling a helper that
10279 			 * adjusts packet size
10280 			 */
10281 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10282 			BPF_MOV32_IMM(BPF_REG_0, 0),
10283 			BPF_EXIT_INSN(),
10284 			BPF_MOV64_IMM(BPF_REG_2, 0),
10285 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10286 				     BPF_FUNC_xdp_adjust_head),
10287 			BPF_EXIT_INSN(),
10288 		},
10289 		.result = REJECT,
10290 		.errstr = "R6 invalid mem access 'inv'",
10291 		.prog_type = BPF_PROG_TYPE_XDP,
10292 	},
10293 	{
10294 		"calls: two calls with args",
10295 		.insns = {
10296 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10297 			BPF_EXIT_INSN(),
10298 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10299 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10300 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10301 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10302 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10303 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10304 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10305 			BPF_EXIT_INSN(),
10306 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10307 				    offsetof(struct __sk_buff, len)),
10308 			BPF_EXIT_INSN(),
10309 		},
10310 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10311 		.result = ACCEPT,
10312 		.retval = TEST_DATA_LEN + TEST_DATA_LEN,
10313 	},
10314 	{
10315 		"calls: calls with stack arith",
10316 		.insns = {
10317 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10318 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10319 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10320 			BPF_EXIT_INSN(),
10321 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10322 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10323 			BPF_EXIT_INSN(),
10324 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10325 			BPF_MOV64_IMM(BPF_REG_0, 42),
10326 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10327 			BPF_EXIT_INSN(),
10328 		},
10329 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10330 		.result = ACCEPT,
10331 		.retval = 42,
10332 	},
10333 	{
10334 		"calls: calls with misaligned stack access",
10335 		.insns = {
10336 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10337 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10338 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10339 			BPF_EXIT_INSN(),
10340 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
10341 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10342 			BPF_EXIT_INSN(),
10343 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10344 			BPF_MOV64_IMM(BPF_REG_0, 42),
10345 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10346 			BPF_EXIT_INSN(),
10347 		},
10348 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10349 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
10350 		.errstr = "misaligned stack access",
10351 		.result = REJECT,
10352 	},
10353 	{
10354 		"calls: calls control flow, jump test",
10355 		.insns = {
10356 			BPF_MOV64_IMM(BPF_REG_0, 42),
10357 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10358 			BPF_MOV64_IMM(BPF_REG_0, 43),
10359 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10360 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10361 			BPF_EXIT_INSN(),
10362 		},
10363 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10364 		.result = ACCEPT,
10365 		.retval = 43,
10366 	},
10367 	{
10368 		"calls: calls control flow, jump test 2",
10369 		.insns = {
10370 			BPF_MOV64_IMM(BPF_REG_0, 42),
10371 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10372 			BPF_MOV64_IMM(BPF_REG_0, 43),
10373 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10374 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10375 			BPF_EXIT_INSN(),
10376 		},
10377 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10378 		.errstr = "jump out of range from insn 1 to 4",
10379 		.result = REJECT,
10380 	},
10381 	{
10382 		"calls: two calls with bad jump",
10383 		.insns = {
10384 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10385 			BPF_EXIT_INSN(),
10386 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10387 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10388 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10389 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10390 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10391 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10392 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10393 			BPF_EXIT_INSN(),
10394 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10395 				    offsetof(struct __sk_buff, len)),
10396 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
10397 			BPF_EXIT_INSN(),
10398 		},
10399 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10400 		.errstr = "jump out of range from insn 11 to 9",
10401 		.result = REJECT,
10402 	},
10403 	{
10404 		"calls: recursive call. test1",
10405 		.insns = {
10406 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10407 			BPF_EXIT_INSN(),
10408 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10409 			BPF_EXIT_INSN(),
10410 		},
10411 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10412 		.errstr = "back-edge",
10413 		.result = REJECT,
10414 	},
10415 	{
10416 		"calls: recursive call. test2",
10417 		.insns = {
10418 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10419 			BPF_EXIT_INSN(),
10420 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10421 			BPF_EXIT_INSN(),
10422 		},
10423 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10424 		.errstr = "back-edge",
10425 		.result = REJECT,
10426 	},
10427 	{
10428 		"calls: unreachable code",
10429 		.insns = {
10430 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10431 			BPF_EXIT_INSN(),
10432 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10433 			BPF_EXIT_INSN(),
10434 			BPF_MOV64_IMM(BPF_REG_0, 0),
10435 			BPF_EXIT_INSN(),
10436 			BPF_MOV64_IMM(BPF_REG_0, 0),
10437 			BPF_EXIT_INSN(),
10438 		},
10439 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10440 		.errstr = "unreachable insn 6",
10441 		.result = REJECT,
10442 	},
10443 	{
10444 		"calls: invalid call",
10445 		.insns = {
10446 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10447 			BPF_EXIT_INSN(),
10448 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
10449 			BPF_EXIT_INSN(),
10450 		},
10451 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10452 		.errstr = "invalid destination",
10453 		.result = REJECT,
10454 	},
10455 	{
10456 		"calls: invalid call 2",
10457 		.insns = {
10458 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10459 			BPF_EXIT_INSN(),
10460 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
10461 			BPF_EXIT_INSN(),
10462 		},
10463 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10464 		.errstr = "invalid destination",
10465 		.result = REJECT,
10466 	},
10467 	{
10468 		"calls: jumping across function bodies. test1",
10469 		.insns = {
10470 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10471 			BPF_MOV64_IMM(BPF_REG_0, 0),
10472 			BPF_EXIT_INSN(),
10473 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
10474 			BPF_EXIT_INSN(),
10475 		},
10476 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10477 		.errstr = "jump out of range",
10478 		.result = REJECT,
10479 	},
10480 	{
10481 		"calls: jumping across function bodies. test2",
10482 		.insns = {
10483 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
10484 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10485 			BPF_MOV64_IMM(BPF_REG_0, 0),
10486 			BPF_EXIT_INSN(),
10487 			BPF_EXIT_INSN(),
10488 		},
10489 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10490 		.errstr = "jump out of range",
10491 		.result = REJECT,
10492 	},
10493 	{
10494 		"calls: call without exit",
10495 		.insns = {
10496 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10497 			BPF_EXIT_INSN(),
10498 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10499 			BPF_EXIT_INSN(),
10500 			BPF_MOV64_IMM(BPF_REG_0, 0),
10501 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
10502 		},
10503 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10504 		.errstr = "not an exit",
10505 		.result = REJECT,
10506 	},
10507 	{
10508 		"calls: call into middle of ld_imm64",
10509 		.insns = {
10510 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10511 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10512 			BPF_MOV64_IMM(BPF_REG_0, 0),
10513 			BPF_EXIT_INSN(),
10514 			BPF_LD_IMM64(BPF_REG_0, 0),
10515 			BPF_EXIT_INSN(),
10516 		},
10517 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10518 		.errstr = "last insn",
10519 		.result = REJECT,
10520 	},
10521 	{
10522 		"calls: call into middle of other call",
10523 		.insns = {
10524 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10525 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10526 			BPF_MOV64_IMM(BPF_REG_0, 0),
10527 			BPF_EXIT_INSN(),
10528 			BPF_MOV64_IMM(BPF_REG_0, 0),
10529 			BPF_MOV64_IMM(BPF_REG_0, 0),
10530 			BPF_EXIT_INSN(),
10531 		},
10532 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10533 		.errstr = "last insn",
10534 		.result = REJECT,
10535 	},
10536 	{
10537 		"calls: ld_abs with changing ctx data in callee",
10538 		.insns = {
10539 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10540 			BPF_LD_ABS(BPF_B, 0),
10541 			BPF_LD_ABS(BPF_H, 0),
10542 			BPF_LD_ABS(BPF_W, 0),
10543 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
10544 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10545 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
10546 			BPF_LD_ABS(BPF_B, 0),
10547 			BPF_LD_ABS(BPF_H, 0),
10548 			BPF_LD_ABS(BPF_W, 0),
10549 			BPF_EXIT_INSN(),
10550 			BPF_MOV64_IMM(BPF_REG_2, 1),
10551 			BPF_MOV64_IMM(BPF_REG_3, 2),
10552 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10553 				     BPF_FUNC_skb_vlan_push),
10554 			BPF_EXIT_INSN(),
10555 		},
10556 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10557 		.errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
10558 		.result = REJECT,
10559 	},
10560 	{
10561 		"calls: two calls with bad fallthrough",
10562 		.insns = {
10563 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10564 			BPF_EXIT_INSN(),
10565 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10566 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10567 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10568 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10569 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10570 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10571 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10572 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
10573 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10574 				    offsetof(struct __sk_buff, len)),
10575 			BPF_EXIT_INSN(),
10576 		},
10577 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10578 		.errstr = "not an exit",
10579 		.result = REJECT,
10580 	},
10581 	{
10582 		"calls: two calls with stack read",
10583 		.insns = {
10584 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10585 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10586 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10587 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10588 			BPF_EXIT_INSN(),
10589 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10590 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10591 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10592 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10593 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10594 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10595 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10596 			BPF_EXIT_INSN(),
10597 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10598 			BPF_EXIT_INSN(),
10599 		},
10600 		.prog_type = BPF_PROG_TYPE_XDP,
10601 		.result = ACCEPT,
10602 	},
10603 	{
10604 		"calls: two calls with stack write",
10605 		.insns = {
10606 			/* main prog */
10607 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10608 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10609 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10610 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10611 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10612 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10613 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10614 			BPF_EXIT_INSN(),
10615 
10616 			/* subprog 1 */
10617 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10618 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10619 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
10620 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
10621 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10622 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10623 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
10624 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
10625 			/* write into stack frame of main prog */
10626 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10627 			BPF_EXIT_INSN(),
10628 
10629 			/* subprog 2 */
10630 			/* read from stack frame of main prog */
10631 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10632 			BPF_EXIT_INSN(),
10633 		},
10634 		.prog_type = BPF_PROG_TYPE_XDP,
10635 		.result = ACCEPT,
10636 	},
10637 	{
10638 		"calls: stack overflow using two frames (pre-call access)",
10639 		.insns = {
10640 			/* prog 1 */
10641 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10642 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
10643 			BPF_EXIT_INSN(),
10644 
10645 			/* prog 2 */
10646 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10647 			BPF_MOV64_IMM(BPF_REG_0, 0),
10648 			BPF_EXIT_INSN(),
10649 		},
10650 		.prog_type = BPF_PROG_TYPE_XDP,
10651 		.errstr = "combined stack size",
10652 		.result = REJECT,
10653 	},
10654 	{
10655 		"calls: stack overflow using two frames (post-call access)",
10656 		.insns = {
10657 			/* prog 1 */
10658 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
10659 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10660 			BPF_EXIT_INSN(),
10661 
10662 			/* prog 2 */
10663 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10664 			BPF_MOV64_IMM(BPF_REG_0, 0),
10665 			BPF_EXIT_INSN(),
10666 		},
10667 		.prog_type = BPF_PROG_TYPE_XDP,
10668 		.errstr = "combined stack size",
10669 		.result = REJECT,
10670 	},
10671 	{
10672 		"calls: stack depth check using three frames. test1",
10673 		.insns = {
10674 			/* main */
10675 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10676 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10677 			BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10678 			BPF_MOV64_IMM(BPF_REG_0, 0),
10679 			BPF_EXIT_INSN(),
10680 			/* A */
10681 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10682 			BPF_EXIT_INSN(),
10683 			/* B */
10684 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10685 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10686 			BPF_EXIT_INSN(),
10687 		},
10688 		.prog_type = BPF_PROG_TYPE_XDP,
10689 		/* stack_main=32, stack_A=256, stack_B=64
10690 		 * and max(main+A, main+A+B) < 512
10691 		 */
10692 		.result = ACCEPT,
10693 	},
10694 	{
10695 		"calls: stack depth check using three frames. test2",
10696 		.insns = {
10697 			/* main */
10698 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10699 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10700 			BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10701 			BPF_MOV64_IMM(BPF_REG_0, 0),
10702 			BPF_EXIT_INSN(),
10703 			/* A */
10704 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10705 			BPF_EXIT_INSN(),
10706 			/* B */
10707 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10708 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10709 			BPF_EXIT_INSN(),
10710 		},
10711 		.prog_type = BPF_PROG_TYPE_XDP,
10712 		/* stack_main=32, stack_A=64, stack_B=256
10713 		 * and max(main+A, main+A+B) < 512
10714 		 */
10715 		.result = ACCEPT,
10716 	},
10717 	{
10718 		"calls: stack depth check using three frames. test3",
10719 		.insns = {
10720 			/* main */
10721 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10722 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10723 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10724 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
10725 			BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
10726 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10727 			BPF_MOV64_IMM(BPF_REG_0, 0),
10728 			BPF_EXIT_INSN(),
10729 			/* A */
10730 			BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
10731 			BPF_EXIT_INSN(),
10732 			BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
10733 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10734 			/* B */
10735 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
10736 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
10737 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10738 			BPF_EXIT_INSN(),
10739 		},
10740 		.prog_type = BPF_PROG_TYPE_XDP,
10741 		/* stack_main=64, stack_A=224, stack_B=256
10742 		 * and max(main+A, main+A+B) > 512
10743 		 */
10744 		.errstr = "combined stack",
10745 		.result = REJECT,
10746 	},
10747 	{
10748 		"calls: stack depth check using three frames. test4",
10749 		/* void main(void) {
10750 		 *   func1(0);
10751 		 *   func1(1);
10752 		 *   func2(1);
10753 		 * }
10754 		 * void func1(int alloc_or_recurse) {
10755 		 *   if (alloc_or_recurse) {
10756 		 *     frame_pointer[-300] = 1;
10757 		 *   } else {
10758 		 *     func2(alloc_or_recurse);
10759 		 *   }
10760 		 * }
10761 		 * void func2(int alloc_or_recurse) {
10762 		 *   if (alloc_or_recurse) {
10763 		 *     frame_pointer[-300] = 1;
10764 		 *   }
10765 		 * }
10766 		 */
10767 		.insns = {
10768 			/* main */
10769 			BPF_MOV64_IMM(BPF_REG_1, 0),
10770 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10771 			BPF_MOV64_IMM(BPF_REG_1, 1),
10772 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10773 			BPF_MOV64_IMM(BPF_REG_1, 1),
10774 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
10775 			BPF_MOV64_IMM(BPF_REG_0, 0),
10776 			BPF_EXIT_INSN(),
10777 			/* A */
10778 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
10779 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10780 			BPF_EXIT_INSN(),
10781 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10782 			BPF_EXIT_INSN(),
10783 			/* B */
10784 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10785 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10786 			BPF_EXIT_INSN(),
10787 		},
10788 		.prog_type = BPF_PROG_TYPE_XDP,
10789 		.result = REJECT,
10790 		.errstr = "combined stack",
10791 	},
10792 	{
10793 		"calls: stack depth check using three frames. test5",
10794 		.insns = {
10795 			/* main */
10796 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
10797 			BPF_EXIT_INSN(),
10798 			/* A */
10799 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10800 			BPF_EXIT_INSN(),
10801 			/* B */
10802 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
10803 			BPF_EXIT_INSN(),
10804 			/* C */
10805 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
10806 			BPF_EXIT_INSN(),
10807 			/* D */
10808 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
10809 			BPF_EXIT_INSN(),
10810 			/* E */
10811 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
10812 			BPF_EXIT_INSN(),
10813 			/* F */
10814 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
10815 			BPF_EXIT_INSN(),
10816 			/* G */
10817 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
10818 			BPF_EXIT_INSN(),
10819 			/* H */
10820 			BPF_MOV64_IMM(BPF_REG_0, 0),
10821 			BPF_EXIT_INSN(),
10822 		},
10823 		.prog_type = BPF_PROG_TYPE_XDP,
10824 		.errstr = "call stack",
10825 		.result = REJECT,
10826 	},
10827 	{
10828 		"calls: spill into caller stack frame",
10829 		.insns = {
10830 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10831 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10832 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10833 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10834 			BPF_EXIT_INSN(),
10835 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
10836 			BPF_MOV64_IMM(BPF_REG_0, 0),
10837 			BPF_EXIT_INSN(),
10838 		},
10839 		.prog_type = BPF_PROG_TYPE_XDP,
10840 		.errstr = "cannot spill",
10841 		.result = REJECT,
10842 	},
10843 	{
10844 		"calls: write into caller stack frame",
10845 		.insns = {
10846 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10847 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10848 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10849 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10850 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10851 			BPF_EXIT_INSN(),
10852 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
10853 			BPF_MOV64_IMM(BPF_REG_0, 0),
10854 			BPF_EXIT_INSN(),
10855 		},
10856 		.prog_type = BPF_PROG_TYPE_XDP,
10857 		.result = ACCEPT,
10858 		.retval = 42,
10859 	},
10860 	{
10861 		"calls: write into callee stack frame",
10862 		.insns = {
10863 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10864 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
10865 			BPF_EXIT_INSN(),
10866 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10867 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
10868 			BPF_EXIT_INSN(),
10869 		},
10870 		.prog_type = BPF_PROG_TYPE_XDP,
10871 		.errstr = "cannot return stack pointer",
10872 		.result = REJECT,
10873 	},
10874 	{
10875 		"calls: two calls with stack write and void return",
10876 		.insns = {
10877 			/* main prog */
10878 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10879 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10880 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10881 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10882 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10883 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10884 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10885 			BPF_EXIT_INSN(),
10886 
10887 			/* subprog 1 */
10888 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10889 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10890 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10891 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10892 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10893 			BPF_EXIT_INSN(),
10894 
10895 			/* subprog 2 */
10896 			/* write into stack frame of main prog */
10897 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
10898 			BPF_EXIT_INSN(), /* void return */
10899 		},
10900 		.prog_type = BPF_PROG_TYPE_XDP,
10901 		.result = ACCEPT,
10902 	},
10903 	{
10904 		"calls: ambiguous return value",
10905 		.insns = {
10906 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10907 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10908 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10909 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10910 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10911 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10912 			BPF_EXIT_INSN(),
10913 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10914 			BPF_MOV64_IMM(BPF_REG_0, 0),
10915 			BPF_EXIT_INSN(),
10916 		},
10917 		.errstr_unpriv = "allowed for root only",
10918 		.result_unpriv = REJECT,
10919 		.errstr = "R0 !read_ok",
10920 		.result = REJECT,
10921 	},
10922 	{
10923 		"calls: two calls that return map_value",
10924 		.insns = {
10925 			/* main prog */
10926 			/* pass fp-16, fp-8 into a function */
10927 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10928 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10929 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10930 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10931 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10932 
10933 			/* fetch map_value_ptr from the stack of this function */
10934 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
10935 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10936 			/* write into map value */
10937 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10938 			/* fetch secound map_value_ptr from the stack */
10939 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10940 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10941 			/* write into map value */
10942 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10943 			BPF_MOV64_IMM(BPF_REG_0, 0),
10944 			BPF_EXIT_INSN(),
10945 
10946 			/* subprog 1 */
10947 			/* call 3rd function twice */
10948 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10949 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10950 			/* first time with fp-8 */
10951 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10952 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10953 			/* second time with fp-16 */
10954 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10955 			BPF_EXIT_INSN(),
10956 
10957 			/* subprog 2 */
10958 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10959 			/* lookup from map */
10960 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10961 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10962 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10963 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10964 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10965 				     BPF_FUNC_map_lookup_elem),
10966 			/* write map_value_ptr into stack frame of main prog */
10967 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10968 			BPF_MOV64_IMM(BPF_REG_0, 0),
10969 			BPF_EXIT_INSN(), /* return 0 */
10970 		},
10971 		.prog_type = BPF_PROG_TYPE_XDP,
10972 		.fixup_map1 = { 23 },
10973 		.result = ACCEPT,
10974 	},
10975 	{
10976 		"calls: two calls that return map_value with bool condition",
10977 		.insns = {
10978 			/* main prog */
10979 			/* pass fp-16, fp-8 into a function */
10980 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10981 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10982 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10983 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10984 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10985 			BPF_MOV64_IMM(BPF_REG_0, 0),
10986 			BPF_EXIT_INSN(),
10987 
10988 			/* subprog 1 */
10989 			/* call 3rd function twice */
10990 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10991 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10992 			/* first time with fp-8 */
10993 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10994 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10995 			/* fetch map_value_ptr from the stack of this function */
10996 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10997 			/* write into map value */
10998 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10999 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11000 			/* second time with fp-16 */
11001 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11002 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11003 			/* fetch secound map_value_ptr from the stack */
11004 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11005 			/* write into map value */
11006 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11007 			BPF_EXIT_INSN(),
11008 
11009 			/* subprog 2 */
11010 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11011 			/* lookup from map */
11012 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11013 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11014 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11015 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11016 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11017 				     BPF_FUNC_map_lookup_elem),
11018 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11019 			BPF_MOV64_IMM(BPF_REG_0, 0),
11020 			BPF_EXIT_INSN(), /* return 0 */
11021 			/* write map_value_ptr into stack frame of main prog */
11022 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11023 			BPF_MOV64_IMM(BPF_REG_0, 1),
11024 			BPF_EXIT_INSN(), /* return 1 */
11025 		},
11026 		.prog_type = BPF_PROG_TYPE_XDP,
11027 		.fixup_map1 = { 23 },
11028 		.result = ACCEPT,
11029 	},
11030 	{
11031 		"calls: two calls that return map_value with incorrect bool check",
11032 		.insns = {
11033 			/* main prog */
11034 			/* pass fp-16, fp-8 into a function */
11035 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11036 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11037 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11038 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11039 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11040 			BPF_MOV64_IMM(BPF_REG_0, 0),
11041 			BPF_EXIT_INSN(),
11042 
11043 			/* subprog 1 */
11044 			/* call 3rd function twice */
11045 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11046 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11047 			/* first time with fp-8 */
11048 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
11049 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
11050 			/* fetch map_value_ptr from the stack of this function */
11051 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
11052 			/* write into map value */
11053 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11054 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11055 			/* second time with fp-16 */
11056 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11057 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11058 			/* fetch secound map_value_ptr from the stack */
11059 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
11060 			/* write into map value */
11061 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11062 			BPF_EXIT_INSN(),
11063 
11064 			/* subprog 2 */
11065 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11066 			/* lookup from map */
11067 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11068 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11069 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11070 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11071 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11072 				     BPF_FUNC_map_lookup_elem),
11073 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11074 			BPF_MOV64_IMM(BPF_REG_0, 0),
11075 			BPF_EXIT_INSN(), /* return 0 */
11076 			/* write map_value_ptr into stack frame of main prog */
11077 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11078 			BPF_MOV64_IMM(BPF_REG_0, 1),
11079 			BPF_EXIT_INSN(), /* return 1 */
11080 		},
11081 		.prog_type = BPF_PROG_TYPE_XDP,
11082 		.fixup_map1 = { 23 },
11083 		.result = REJECT,
11084 		.errstr = "invalid read from stack off -16+0 size 8",
11085 	},
11086 	{
11087 		"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
11088 		.insns = {
11089 			/* main prog */
11090 			/* pass fp-16, fp-8 into a function */
11091 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11092 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11093 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11094 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11095 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11096 			BPF_MOV64_IMM(BPF_REG_0, 0),
11097 			BPF_EXIT_INSN(),
11098 
11099 			/* subprog 1 */
11100 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11101 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11102 			/* 1st lookup from map */
11103 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11104 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11105 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11106 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11107 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11108 				     BPF_FUNC_map_lookup_elem),
11109 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11110 			BPF_MOV64_IMM(BPF_REG_8, 0),
11111 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11112 			/* write map_value_ptr into stack frame of main prog at fp-8 */
11113 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11114 			BPF_MOV64_IMM(BPF_REG_8, 1),
11115 
11116 			/* 2nd lookup from map */
11117 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11118 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11119 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11120 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11121 				     BPF_FUNC_map_lookup_elem),
11122 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11123 			BPF_MOV64_IMM(BPF_REG_9, 0),
11124 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11125 			/* write map_value_ptr into stack frame of main prog at fp-16 */
11126 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11127 			BPF_MOV64_IMM(BPF_REG_9, 1),
11128 
11129 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11130 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11131 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11132 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11133 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11134 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
11135 			BPF_EXIT_INSN(),
11136 
11137 			/* subprog 2 */
11138 			/* if arg2 == 1 do *arg1 = 0 */
11139 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11140 			/* fetch map_value_ptr from the stack of this function */
11141 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11142 			/* write into map value */
11143 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11144 
11145 			/* if arg4 == 1 do *arg3 = 0 */
11146 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11147 			/* fetch map_value_ptr from the stack of this function */
11148 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11149 			/* write into map value */
11150 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11151 			BPF_EXIT_INSN(),
11152 		},
11153 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11154 		.fixup_map1 = { 12, 22 },
11155 		.result = REJECT,
11156 		.errstr = "invalid access to map value, value_size=8 off=2 size=8",
11157 	},
11158 	{
11159 		"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
11160 		.insns = {
11161 			/* main prog */
11162 			/* pass fp-16, fp-8 into a function */
11163 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11164 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11165 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11166 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11167 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11168 			BPF_MOV64_IMM(BPF_REG_0, 0),
11169 			BPF_EXIT_INSN(),
11170 
11171 			/* subprog 1 */
11172 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11173 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11174 			/* 1st lookup from map */
11175 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11176 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11177 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11178 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11179 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11180 				     BPF_FUNC_map_lookup_elem),
11181 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11182 			BPF_MOV64_IMM(BPF_REG_8, 0),
11183 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11184 			/* write map_value_ptr into stack frame of main prog at fp-8 */
11185 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11186 			BPF_MOV64_IMM(BPF_REG_8, 1),
11187 
11188 			/* 2nd lookup from map */
11189 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
11190 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11191 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11192 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
11193 				     BPF_FUNC_map_lookup_elem),
11194 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11195 			BPF_MOV64_IMM(BPF_REG_9, 0),
11196 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11197 			/* write map_value_ptr into stack frame of main prog at fp-16 */
11198 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11199 			BPF_MOV64_IMM(BPF_REG_9, 1),
11200 
11201 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11202 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
11203 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11204 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11205 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11206 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
11207 			BPF_EXIT_INSN(),
11208 
11209 			/* subprog 2 */
11210 			/* if arg2 == 1 do *arg1 = 0 */
11211 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11212 			/* fetch map_value_ptr from the stack of this function */
11213 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11214 			/* write into map value */
11215 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11216 
11217 			/* if arg4 == 1 do *arg3 = 0 */
11218 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11219 			/* fetch map_value_ptr from the stack of this function */
11220 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11221 			/* write into map value */
11222 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11223 			BPF_EXIT_INSN(),
11224 		},
11225 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11226 		.fixup_map1 = { 12, 22 },
11227 		.result = ACCEPT,
11228 	},
11229 	{
11230 		"calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
11231 		.insns = {
11232 			/* main prog */
11233 			/* pass fp-16, fp-8 into a function */
11234 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11235 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11236 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11237 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11238 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11239 			BPF_MOV64_IMM(BPF_REG_0, 0),
11240 			BPF_EXIT_INSN(),
11241 
11242 			/* subprog 1 */
11243 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11244 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11245 			/* 1st lookup from map */
11246 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
11247 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11248 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11249 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11250 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11251 				     BPF_FUNC_map_lookup_elem),
11252 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11253 			BPF_MOV64_IMM(BPF_REG_8, 0),
11254 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11255 			/* write map_value_ptr into stack frame of main prog at fp-8 */
11256 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11257 			BPF_MOV64_IMM(BPF_REG_8, 1),
11258 
11259 			/* 2nd lookup from map */
11260 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11261 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11262 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11263 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11264 				     BPF_FUNC_map_lookup_elem),
11265 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11266 			BPF_MOV64_IMM(BPF_REG_9, 0),  // 26
11267 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11268 			/* write map_value_ptr into stack frame of main prog at fp-16 */
11269 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11270 			BPF_MOV64_IMM(BPF_REG_9, 1),
11271 
11272 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11273 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
11274 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11275 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11276 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11277 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
11278 			BPF_JMP_IMM(BPF_JA, 0, 0, -30),
11279 
11280 			/* subprog 2 */
11281 			/* if arg2 == 1 do *arg1 = 0 */
11282 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11283 			/* fetch map_value_ptr from the stack of this function */
11284 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11285 			/* write into map value */
11286 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11287 
11288 			/* if arg4 == 1 do *arg3 = 0 */
11289 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11290 			/* fetch map_value_ptr from the stack of this function */
11291 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11292 			/* write into map value */
11293 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11294 			BPF_JMP_IMM(BPF_JA, 0, 0, -8),
11295 		},
11296 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11297 		.fixup_map1 = { 12, 22 },
11298 		.result = REJECT,
11299 		.errstr = "invalid access to map value, value_size=8 off=2 size=8",
11300 	},
11301 	{
11302 		"calls: two calls that receive map_value_ptr_or_null via arg. test1",
11303 		.insns = {
11304 			/* main prog */
11305 			/* pass fp-16, fp-8 into a function */
11306 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11307 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11308 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11309 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11310 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11311 			BPF_MOV64_IMM(BPF_REG_0, 0),
11312 			BPF_EXIT_INSN(),
11313 
11314 			/* subprog 1 */
11315 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11316 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11317 			/* 1st lookup from map */
11318 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11319 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11320 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11321 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11322 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11323 				     BPF_FUNC_map_lookup_elem),
11324 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11325 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11326 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11327 			BPF_MOV64_IMM(BPF_REG_8, 0),
11328 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11329 			BPF_MOV64_IMM(BPF_REG_8, 1),
11330 
11331 			/* 2nd lookup from map */
11332 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11333 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11334 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11335 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11336 				     BPF_FUNC_map_lookup_elem),
11337 			/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11338 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11339 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11340 			BPF_MOV64_IMM(BPF_REG_9, 0),
11341 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11342 			BPF_MOV64_IMM(BPF_REG_9, 1),
11343 
11344 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11345 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11346 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11347 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11348 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11349 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11350 			BPF_EXIT_INSN(),
11351 
11352 			/* subprog 2 */
11353 			/* if arg2 == 1 do *arg1 = 0 */
11354 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11355 			/* fetch map_value_ptr from the stack of this function */
11356 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11357 			/* write into map value */
11358 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11359 
11360 			/* if arg4 == 1 do *arg3 = 0 */
11361 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11362 			/* fetch map_value_ptr from the stack of this function */
11363 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11364 			/* write into map value */
11365 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11366 			BPF_EXIT_INSN(),
11367 		},
11368 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11369 		.fixup_map1 = { 12, 22 },
11370 		.result = ACCEPT,
11371 	},
11372 	{
11373 		"calls: two calls that receive map_value_ptr_or_null via arg. test2",
11374 		.insns = {
11375 			/* main prog */
11376 			/* pass fp-16, fp-8 into a function */
11377 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11378 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11379 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11380 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11381 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11382 			BPF_MOV64_IMM(BPF_REG_0, 0),
11383 			BPF_EXIT_INSN(),
11384 
11385 			/* subprog 1 */
11386 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11387 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11388 			/* 1st lookup from map */
11389 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11390 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11391 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11392 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11393 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11394 				     BPF_FUNC_map_lookup_elem),
11395 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11396 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11397 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11398 			BPF_MOV64_IMM(BPF_REG_8, 0),
11399 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11400 			BPF_MOV64_IMM(BPF_REG_8, 1),
11401 
11402 			/* 2nd lookup from map */
11403 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11404 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11405 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11406 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11407 				     BPF_FUNC_map_lookup_elem),
11408 			/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11409 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11410 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11411 			BPF_MOV64_IMM(BPF_REG_9, 0),
11412 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11413 			BPF_MOV64_IMM(BPF_REG_9, 1),
11414 
11415 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11416 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11417 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11418 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11419 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11420 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11421 			BPF_EXIT_INSN(),
11422 
11423 			/* subprog 2 */
11424 			/* if arg2 == 1 do *arg1 = 0 */
11425 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11426 			/* fetch map_value_ptr from the stack of this function */
11427 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11428 			/* write into map value */
11429 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11430 
11431 			/* if arg4 == 0 do *arg3 = 0 */
11432 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
11433 			/* fetch map_value_ptr from the stack of this function */
11434 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11435 			/* write into map value */
11436 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11437 			BPF_EXIT_INSN(),
11438 		},
11439 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11440 		.fixup_map1 = { 12, 22 },
11441 		.result = REJECT,
11442 		.errstr = "R0 invalid mem access 'inv'",
11443 	},
11444 	{
11445 		"calls: pkt_ptr spill into caller stack",
11446 		.insns = {
11447 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11448 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11449 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11450 			BPF_EXIT_INSN(),
11451 
11452 			/* subprog 1 */
11453 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11454 				    offsetof(struct __sk_buff, data)),
11455 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11456 				    offsetof(struct __sk_buff, data_end)),
11457 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11458 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11459 			/* spill unchecked pkt_ptr into stack of caller */
11460 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11461 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11462 			/* now the pkt range is verified, read pkt_ptr from stack */
11463 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11464 			/* write 4 bytes into packet */
11465 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11466 			BPF_EXIT_INSN(),
11467 		},
11468 		.result = ACCEPT,
11469 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11470 		.retval = POINTER_VALUE,
11471 	},
11472 	{
11473 		"calls: pkt_ptr spill into caller stack 2",
11474 		.insns = {
11475 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11476 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11477 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11478 			/* Marking is still kept, but not in all cases safe. */
11479 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11480 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11481 			BPF_EXIT_INSN(),
11482 
11483 			/* subprog 1 */
11484 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11485 				    offsetof(struct __sk_buff, data)),
11486 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11487 				    offsetof(struct __sk_buff, data_end)),
11488 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11489 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11490 			/* spill unchecked pkt_ptr into stack of caller */
11491 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11492 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11493 			/* now the pkt range is verified, read pkt_ptr from stack */
11494 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11495 			/* write 4 bytes into packet */
11496 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11497 			BPF_EXIT_INSN(),
11498 		},
11499 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11500 		.errstr = "invalid access to packet",
11501 		.result = REJECT,
11502 	},
11503 	{
11504 		"calls: pkt_ptr spill into caller stack 3",
11505 		.insns = {
11506 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11507 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11508 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11509 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11510 			/* Marking is still kept and safe here. */
11511 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11512 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11513 			BPF_EXIT_INSN(),
11514 
11515 			/* subprog 1 */
11516 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11517 				    offsetof(struct __sk_buff, data)),
11518 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11519 				    offsetof(struct __sk_buff, data_end)),
11520 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11521 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11522 			/* spill unchecked pkt_ptr into stack of caller */
11523 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11524 			BPF_MOV64_IMM(BPF_REG_5, 0),
11525 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11526 			BPF_MOV64_IMM(BPF_REG_5, 1),
11527 			/* now the pkt range is verified, read pkt_ptr from stack */
11528 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11529 			/* write 4 bytes into packet */
11530 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11531 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11532 			BPF_EXIT_INSN(),
11533 		},
11534 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11535 		.result = ACCEPT,
11536 		.retval = 1,
11537 	},
11538 	{
11539 		"calls: pkt_ptr spill into caller stack 4",
11540 		.insns = {
11541 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11542 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11543 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11544 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11545 			/* Check marking propagated. */
11546 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11547 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11548 			BPF_EXIT_INSN(),
11549 
11550 			/* subprog 1 */
11551 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11552 				    offsetof(struct __sk_buff, data)),
11553 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11554 				    offsetof(struct __sk_buff, data_end)),
11555 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11556 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11557 			/* spill unchecked pkt_ptr into stack of caller */
11558 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11559 			BPF_MOV64_IMM(BPF_REG_5, 0),
11560 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11561 			BPF_MOV64_IMM(BPF_REG_5, 1),
11562 			/* don't read back pkt_ptr from stack here */
11563 			/* write 4 bytes into packet */
11564 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11565 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11566 			BPF_EXIT_INSN(),
11567 		},
11568 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11569 		.result = ACCEPT,
11570 		.retval = 1,
11571 	},
11572 	{
11573 		"calls: pkt_ptr spill into caller stack 5",
11574 		.insns = {
11575 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11576 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11577 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
11578 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11579 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11580 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11581 			BPF_EXIT_INSN(),
11582 
11583 			/* subprog 1 */
11584 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11585 				    offsetof(struct __sk_buff, data)),
11586 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11587 				    offsetof(struct __sk_buff, data_end)),
11588 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11589 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11590 			BPF_MOV64_IMM(BPF_REG_5, 0),
11591 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11592 			/* spill checked pkt_ptr into stack of caller */
11593 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11594 			BPF_MOV64_IMM(BPF_REG_5, 1),
11595 			/* don't read back pkt_ptr from stack here */
11596 			/* write 4 bytes into packet */
11597 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11598 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11599 			BPF_EXIT_INSN(),
11600 		},
11601 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11602 		.errstr = "same insn cannot be used with different",
11603 		.result = REJECT,
11604 	},
11605 	{
11606 		"calls: pkt_ptr spill into caller stack 6",
11607 		.insns = {
11608 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11609 				    offsetof(struct __sk_buff, data_end)),
11610 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11611 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11612 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11613 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11614 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11615 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11616 			BPF_EXIT_INSN(),
11617 
11618 			/* subprog 1 */
11619 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11620 				    offsetof(struct __sk_buff, data)),
11621 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11622 				    offsetof(struct __sk_buff, data_end)),
11623 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11624 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11625 			BPF_MOV64_IMM(BPF_REG_5, 0),
11626 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11627 			/* spill checked pkt_ptr into stack of caller */
11628 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11629 			BPF_MOV64_IMM(BPF_REG_5, 1),
11630 			/* don't read back pkt_ptr from stack here */
11631 			/* write 4 bytes into packet */
11632 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11633 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11634 			BPF_EXIT_INSN(),
11635 		},
11636 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11637 		.errstr = "R4 invalid mem access",
11638 		.result = REJECT,
11639 	},
11640 	{
11641 		"calls: pkt_ptr spill into caller stack 7",
11642 		.insns = {
11643 			BPF_MOV64_IMM(BPF_REG_2, 0),
11644 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11645 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11646 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11647 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11648 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11649 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11650 			BPF_EXIT_INSN(),
11651 
11652 			/* subprog 1 */
11653 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11654 				    offsetof(struct __sk_buff, data)),
11655 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11656 				    offsetof(struct __sk_buff, data_end)),
11657 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11658 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11659 			BPF_MOV64_IMM(BPF_REG_5, 0),
11660 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11661 			/* spill checked pkt_ptr into stack of caller */
11662 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11663 			BPF_MOV64_IMM(BPF_REG_5, 1),
11664 			/* don't read back pkt_ptr from stack here */
11665 			/* write 4 bytes into packet */
11666 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11667 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11668 			BPF_EXIT_INSN(),
11669 		},
11670 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11671 		.errstr = "R4 invalid mem access",
11672 		.result = REJECT,
11673 	},
11674 	{
11675 		"calls: pkt_ptr spill into caller stack 8",
11676 		.insns = {
11677 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11678 				    offsetof(struct __sk_buff, data)),
11679 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11680 				    offsetof(struct __sk_buff, data_end)),
11681 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11682 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11683 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11684 			BPF_EXIT_INSN(),
11685 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11686 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11687 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11688 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11689 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11690 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11691 			BPF_EXIT_INSN(),
11692 
11693 			/* subprog 1 */
11694 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11695 				    offsetof(struct __sk_buff, data)),
11696 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11697 				    offsetof(struct __sk_buff, data_end)),
11698 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11699 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11700 			BPF_MOV64_IMM(BPF_REG_5, 0),
11701 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11702 			/* spill checked pkt_ptr into stack of caller */
11703 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11704 			BPF_MOV64_IMM(BPF_REG_5, 1),
11705 			/* don't read back pkt_ptr from stack here */
11706 			/* write 4 bytes into packet */
11707 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11708 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11709 			BPF_EXIT_INSN(),
11710 		},
11711 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11712 		.result = ACCEPT,
11713 	},
11714 	{
11715 		"calls: pkt_ptr spill into caller stack 9",
11716 		.insns = {
11717 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11718 				    offsetof(struct __sk_buff, data)),
11719 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11720 				    offsetof(struct __sk_buff, data_end)),
11721 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11722 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11723 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11724 			BPF_EXIT_INSN(),
11725 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11726 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11727 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11728 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11729 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11730 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11731 			BPF_EXIT_INSN(),
11732 
11733 			/* subprog 1 */
11734 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11735 				    offsetof(struct __sk_buff, data)),
11736 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11737 				    offsetof(struct __sk_buff, data_end)),
11738 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11739 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11740 			BPF_MOV64_IMM(BPF_REG_5, 0),
11741 			/* spill unchecked pkt_ptr into stack of caller */
11742 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11743 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11744 			BPF_MOV64_IMM(BPF_REG_5, 1),
11745 			/* don't read back pkt_ptr from stack here */
11746 			/* write 4 bytes into packet */
11747 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11748 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11749 			BPF_EXIT_INSN(),
11750 		},
11751 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11752 		.errstr = "invalid access to packet",
11753 		.result = REJECT,
11754 	},
11755 	{
11756 		"calls: caller stack init to zero or map_value_or_null",
11757 		.insns = {
11758 			BPF_MOV64_IMM(BPF_REG_0, 0),
11759 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11760 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11761 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11762 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11763 			/* fetch map_value_or_null or const_zero from stack */
11764 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11765 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11766 			/* store into map_value */
11767 			BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
11768 			BPF_EXIT_INSN(),
11769 
11770 			/* subprog 1 */
11771 			/* if (ctx == 0) return; */
11772 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
11773 			/* else bpf_map_lookup() and *(fp - 8) = r0 */
11774 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
11775 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11776 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11777 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11778 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11779 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11780 				     BPF_FUNC_map_lookup_elem),
11781 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11782 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11783 			BPF_EXIT_INSN(),
11784 		},
11785 		.fixup_map1 = { 13 },
11786 		.result = ACCEPT,
11787 		.prog_type = BPF_PROG_TYPE_XDP,
11788 	},
11789 	{
11790 		"calls: stack init to zero and pruning",
11791 		.insns = {
11792 			/* first make allocated_stack 16 byte */
11793 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
11794 			/* now fork the execution such that the false branch
11795 			 * of JGT insn will be verified second and it skisp zero
11796 			 * init of fp-8 stack slot. If stack liveness marking
11797 			 * is missing live_read marks from call map_lookup
11798 			 * processing then pruning will incorrectly assume
11799 			 * that fp-8 stack slot was unused in the fall-through
11800 			 * branch and will accept the program incorrectly
11801 			 */
11802 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
11803 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11804 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
11805 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11806 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11807 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11808 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11809 				     BPF_FUNC_map_lookup_elem),
11810 			BPF_EXIT_INSN(),
11811 		},
11812 		.fixup_map2 = { 6 },
11813 		.errstr = "invalid indirect read from stack off -8+0 size 8",
11814 		.result = REJECT,
11815 		.prog_type = BPF_PROG_TYPE_XDP,
11816 	},
11817 	{
11818 		"calls: two calls returning different map pointers for lookup (hash, array)",
11819 		.insns = {
11820 			/* main prog */
11821 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11822 			BPF_CALL_REL(11),
11823 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11824 			BPF_CALL_REL(12),
11825 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11826 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11827 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11828 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11829 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11830 				     BPF_FUNC_map_lookup_elem),
11831 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11832 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11833 				   offsetof(struct test_val, foo)),
11834 			BPF_MOV64_IMM(BPF_REG_0, 1),
11835 			BPF_EXIT_INSN(),
11836 			/* subprog 1 */
11837 			BPF_LD_MAP_FD(BPF_REG_0, 0),
11838 			BPF_EXIT_INSN(),
11839 			/* subprog 2 */
11840 			BPF_LD_MAP_FD(BPF_REG_0, 0),
11841 			BPF_EXIT_INSN(),
11842 		},
11843 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11844 		.fixup_map2 = { 13 },
11845 		.fixup_map4 = { 16 },
11846 		.result = ACCEPT,
11847 		.retval = 1,
11848 	},
11849 	{
11850 		"calls: two calls returning different map pointers for lookup (hash, map in map)",
11851 		.insns = {
11852 			/* main prog */
11853 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
11854 			BPF_CALL_REL(11),
11855 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11856 			BPF_CALL_REL(12),
11857 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11858 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11859 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11860 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11861 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11862 				     BPF_FUNC_map_lookup_elem),
11863 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11864 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
11865 				   offsetof(struct test_val, foo)),
11866 			BPF_MOV64_IMM(BPF_REG_0, 1),
11867 			BPF_EXIT_INSN(),
11868 			/* subprog 1 */
11869 			BPF_LD_MAP_FD(BPF_REG_0, 0),
11870 			BPF_EXIT_INSN(),
11871 			/* subprog 2 */
11872 			BPF_LD_MAP_FD(BPF_REG_0, 0),
11873 			BPF_EXIT_INSN(),
11874 		},
11875 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11876 		.fixup_map_in_map = { 16 },
11877 		.fixup_map4 = { 13 },
11878 		.result = REJECT,
11879 		.errstr = "R0 invalid mem access 'map_ptr'",
11880 	},
11881 	{
11882 		"cond: two branches returning different map pointers for lookup (tail, tail)",
11883 		.insns = {
11884 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11885 				    offsetof(struct __sk_buff, mark)),
11886 			BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 3),
11887 			BPF_LD_MAP_FD(BPF_REG_2, 0),
11888 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11889 			BPF_LD_MAP_FD(BPF_REG_2, 0),
11890 			BPF_MOV64_IMM(BPF_REG_3, 7),
11891 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11892 				     BPF_FUNC_tail_call),
11893 			BPF_MOV64_IMM(BPF_REG_0, 1),
11894 			BPF_EXIT_INSN(),
11895 		},
11896 		.fixup_prog1 = { 5 },
11897 		.fixup_prog2 = { 2 },
11898 		.result_unpriv = REJECT,
11899 		.errstr_unpriv = "tail_call abusing map_ptr",
11900 		.result = ACCEPT,
11901 		.retval = 42,
11902 	},
11903 	{
11904 		"cond: two branches returning same map pointers for lookup (tail, tail)",
11905 		.insns = {
11906 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
11907 				    offsetof(struct __sk_buff, mark)),
11908 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_6, 0, 3),
11909 			BPF_LD_MAP_FD(BPF_REG_2, 0),
11910 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11911 			BPF_LD_MAP_FD(BPF_REG_2, 0),
11912 			BPF_MOV64_IMM(BPF_REG_3, 7),
11913 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11914 				     BPF_FUNC_tail_call),
11915 			BPF_MOV64_IMM(BPF_REG_0, 1),
11916 			BPF_EXIT_INSN(),
11917 		},
11918 		.fixup_prog2 = { 2, 5 },
11919 		.result_unpriv = ACCEPT,
11920 		.result = ACCEPT,
11921 		.retval = 42,
11922 	},
11923 	{
11924 		"search pruning: all branches should be verified (nop operation)",
11925 		.insns = {
11926 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11927 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11928 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11929 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11930 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11931 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
11932 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11933 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11934 			BPF_MOV64_IMM(BPF_REG_4, 0),
11935 			BPF_JMP_A(1),
11936 			BPF_MOV64_IMM(BPF_REG_4, 1),
11937 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11938 			BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11939 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11940 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
11941 			BPF_MOV64_IMM(BPF_REG_6, 0),
11942 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
11943 			BPF_EXIT_INSN(),
11944 		},
11945 		.fixup_map1 = { 3 },
11946 		.errstr = "R6 invalid mem access 'inv'",
11947 		.result = REJECT,
11948 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11949 	},
11950 	{
11951 		"search pruning: all branches should be verified (invalid stack access)",
11952 		.insns = {
11953 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11954 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11955 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11956 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11957 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11958 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
11959 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11960 			BPF_MOV64_IMM(BPF_REG_4, 0),
11961 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11962 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11963 			BPF_JMP_A(1),
11964 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
11965 			BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11966 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11967 			BPF_EXIT_INSN(),
11968 		},
11969 		.fixup_map1 = { 3 },
11970 		.errstr = "invalid read from stack off -16+0 size 8",
11971 		.result = REJECT,
11972 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11973 	},
11974 	{
11975 		"jit: lsh, rsh, arsh by 1",
11976 		.insns = {
11977 			BPF_MOV64_IMM(BPF_REG_0, 1),
11978 			BPF_MOV64_IMM(BPF_REG_1, 0xff),
11979 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
11980 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
11981 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
11982 			BPF_EXIT_INSN(),
11983 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
11984 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
11985 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
11986 			BPF_EXIT_INSN(),
11987 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
11988 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
11989 			BPF_EXIT_INSN(),
11990 			BPF_MOV64_IMM(BPF_REG_0, 2),
11991 			BPF_EXIT_INSN(),
11992 		},
11993 		.result = ACCEPT,
11994 		.retval = 2,
11995 	},
11996 	{
11997 		"jit: mov32 for ldimm64, 1",
11998 		.insns = {
11999 			BPF_MOV64_IMM(BPF_REG_0, 2),
12000 			BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
12001 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
12002 			BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
12003 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12004 			BPF_MOV64_IMM(BPF_REG_0, 1),
12005 			BPF_EXIT_INSN(),
12006 		},
12007 		.result = ACCEPT,
12008 		.retval = 2,
12009 	},
12010 	{
12011 		"jit: mov32 for ldimm64, 2",
12012 		.insns = {
12013 			BPF_MOV64_IMM(BPF_REG_0, 1),
12014 			BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
12015 			BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
12016 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
12017 			BPF_MOV64_IMM(BPF_REG_0, 2),
12018 			BPF_EXIT_INSN(),
12019 		},
12020 		.result = ACCEPT,
12021 		.retval = 2,
12022 	},
12023 	{
12024 		"jit: various mul tests",
12025 		.insns = {
12026 			BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12027 			BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12028 			BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
12029 			BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12030 			BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12031 			BPF_MOV64_IMM(BPF_REG_0, 1),
12032 			BPF_EXIT_INSN(),
12033 			BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12034 			BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12035 			BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12036 			BPF_MOV64_IMM(BPF_REG_0, 1),
12037 			BPF_EXIT_INSN(),
12038 			BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
12039 			BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
12040 			BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
12041 			BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
12042 			BPF_MOV64_IMM(BPF_REG_0, 1),
12043 			BPF_EXIT_INSN(),
12044 			BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
12045 			BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
12046 			BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
12047 			BPF_MOV64_IMM(BPF_REG_0, 1),
12048 			BPF_EXIT_INSN(),
12049 			BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
12050 			BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
12051 			BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
12052 			BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
12053 			BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
12054 			BPF_MOV64_IMM(BPF_REG_0, 1),
12055 			BPF_EXIT_INSN(),
12056 			BPF_MOV64_IMM(BPF_REG_0, 2),
12057 			BPF_EXIT_INSN(),
12058 		},
12059 		.result = ACCEPT,
12060 		.retval = 2,
12061 	},
12062 	{
12063 		"xadd/w check unaligned stack",
12064 		.insns = {
12065 			BPF_MOV64_IMM(BPF_REG_0, 1),
12066 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12067 			BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
12068 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12069 			BPF_EXIT_INSN(),
12070 		},
12071 		.result = REJECT,
12072 		.errstr = "misaligned stack access off",
12073 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12074 	},
12075 	{
12076 		"xadd/w check unaligned map",
12077 		.insns = {
12078 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12079 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12080 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12081 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12082 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12083 				     BPF_FUNC_map_lookup_elem),
12084 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
12085 			BPF_EXIT_INSN(),
12086 			BPF_MOV64_IMM(BPF_REG_1, 1),
12087 			BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
12088 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
12089 			BPF_EXIT_INSN(),
12090 		},
12091 		.fixup_map1 = { 3 },
12092 		.result = REJECT,
12093 		.errstr = "misaligned value access off",
12094 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12095 	},
12096 	{
12097 		"xadd/w check unaligned pkt",
12098 		.insns = {
12099 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
12100 				    offsetof(struct xdp_md, data)),
12101 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
12102 				    offsetof(struct xdp_md, data_end)),
12103 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
12104 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
12105 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
12106 			BPF_MOV64_IMM(BPF_REG_0, 99),
12107 			BPF_JMP_IMM(BPF_JA, 0, 0, 6),
12108 			BPF_MOV64_IMM(BPF_REG_0, 1),
12109 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
12110 			BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
12111 			BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
12112 			BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
12113 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
12114 			BPF_EXIT_INSN(),
12115 		},
12116 		.result = REJECT,
12117 		.errstr = "BPF_XADD stores into R2 packet",
12118 		.prog_type = BPF_PROG_TYPE_XDP,
12119 	},
12120 	{
12121 		"xadd/w check whether src/dst got mangled, 1",
12122 		.insns = {
12123 			BPF_MOV64_IMM(BPF_REG_0, 1),
12124 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12125 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12126 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12127 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12128 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
12129 			BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12130 			BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12131 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
12132 			BPF_EXIT_INSN(),
12133 			BPF_MOV64_IMM(BPF_REG_0, 42),
12134 			BPF_EXIT_INSN(),
12135 		},
12136 		.result = ACCEPT,
12137 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12138 		.retval = 3,
12139 	},
12140 	{
12141 		"xadd/w check whether src/dst got mangled, 2",
12142 		.insns = {
12143 			BPF_MOV64_IMM(BPF_REG_0, 1),
12144 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
12145 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
12146 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12147 			BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12148 			BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -8),
12149 			BPF_JMP_REG(BPF_JNE, BPF_REG_6, BPF_REG_0, 3),
12150 			BPF_JMP_REG(BPF_JNE, BPF_REG_7, BPF_REG_10, 2),
12151 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
12152 			BPF_EXIT_INSN(),
12153 			BPF_MOV64_IMM(BPF_REG_0, 42),
12154 			BPF_EXIT_INSN(),
12155 		},
12156 		.result = ACCEPT,
12157 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12158 		.retval = 3,
12159 	},
12160 	{
12161 		"bpf_get_stack return R0 within range",
12162 		.insns = {
12163 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12164 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
12165 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
12166 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
12167 			BPF_LD_MAP_FD(BPF_REG_1, 0),
12168 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12169 				     BPF_FUNC_map_lookup_elem),
12170 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
12171 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
12172 			BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
12173 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12174 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12175 			BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
12176 			BPF_MOV64_IMM(BPF_REG_4, 256),
12177 			BPF_EMIT_CALL(BPF_FUNC_get_stack),
12178 			BPF_MOV64_IMM(BPF_REG_1, 0),
12179 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
12180 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
12181 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
12182 			BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
12183 			BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
12184 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
12185 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
12186 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
12187 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
12188 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
12189 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
12190 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
12191 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12192 			BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
12193 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
12194 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
12195 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
12196 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
12197 			BPF_MOV64_IMM(BPF_REG_4, 0),
12198 			BPF_EMIT_CALL(BPF_FUNC_get_stack),
12199 			BPF_EXIT_INSN(),
12200 		},
12201 		.fixup_map2 = { 4 },
12202 		.result = ACCEPT,
12203 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
12204 	},
12205 	{
12206 		"ld_abs: invalid op 1",
12207 		.insns = {
12208 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12209 			BPF_LD_ABS(BPF_DW, 0),
12210 			BPF_EXIT_INSN(),
12211 		},
12212 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12213 		.result = REJECT,
12214 		.errstr = "unknown opcode",
12215 	},
12216 	{
12217 		"ld_abs: invalid op 2",
12218 		.insns = {
12219 			BPF_MOV32_IMM(BPF_REG_0, 256),
12220 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12221 			BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
12222 			BPF_EXIT_INSN(),
12223 		},
12224 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12225 		.result = REJECT,
12226 		.errstr = "unknown opcode",
12227 	},
12228 	{
12229 		"ld_abs: nmap reduced",
12230 		.insns = {
12231 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12232 			BPF_LD_ABS(BPF_H, 12),
12233 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
12234 			BPF_LD_ABS(BPF_H, 12),
12235 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
12236 			BPF_MOV32_IMM(BPF_REG_0, 18),
12237 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
12238 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
12239 			BPF_LD_IND(BPF_W, BPF_REG_7, 14),
12240 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
12241 			BPF_MOV32_IMM(BPF_REG_0, 280971478),
12242 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12243 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12244 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
12245 			BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12246 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
12247 			BPF_LD_ABS(BPF_H, 12),
12248 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
12249 			BPF_MOV32_IMM(BPF_REG_0, 22),
12250 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
12251 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
12252 			BPF_LD_IND(BPF_H, BPF_REG_7, 14),
12253 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
12254 			BPF_MOV32_IMM(BPF_REG_0, 17366),
12255 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
12256 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
12257 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
12258 			BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
12259 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
12260 			BPF_MOV32_IMM(BPF_REG_0, 256),
12261 			BPF_EXIT_INSN(),
12262 			BPF_MOV32_IMM(BPF_REG_0, 0),
12263 			BPF_EXIT_INSN(),
12264 		},
12265 		.data = {
12266 			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
12267 			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
12268 			0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
12269 		},
12270 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12271 		.result = ACCEPT,
12272 		.retval = 256,
12273 	},
12274 	{
12275 		"ld_abs: div + abs, test 1",
12276 		.insns = {
12277 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12278 			BPF_LD_ABS(BPF_B, 3),
12279 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12280 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12281 			BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12282 			BPF_LD_ABS(BPF_B, 4),
12283 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12284 			BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12285 			BPF_EXIT_INSN(),
12286 		},
12287 		.data = {
12288 			10, 20, 30, 40, 50,
12289 		},
12290 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12291 		.result = ACCEPT,
12292 		.retval = 10,
12293 	},
12294 	{
12295 		"ld_abs: div + abs, test 2",
12296 		.insns = {
12297 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12298 			BPF_LD_ABS(BPF_B, 3),
12299 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
12300 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
12301 			BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
12302 			BPF_LD_ABS(BPF_B, 128),
12303 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
12304 			BPF_LD_IND(BPF_B, BPF_REG_8, -70),
12305 			BPF_EXIT_INSN(),
12306 		},
12307 		.data = {
12308 			10, 20, 30, 40, 50,
12309 		},
12310 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12311 		.result = ACCEPT,
12312 		.retval = 0,
12313 	},
12314 	{
12315 		"ld_abs: div + abs, test 3",
12316 		.insns = {
12317 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12318 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12319 			BPF_LD_ABS(BPF_B, 3),
12320 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12321 			BPF_EXIT_INSN(),
12322 		},
12323 		.data = {
12324 			10, 20, 30, 40, 50,
12325 		},
12326 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12327 		.result = ACCEPT,
12328 		.retval = 0,
12329 	},
12330 	{
12331 		"ld_abs: div + abs, test 4",
12332 		.insns = {
12333 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
12334 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
12335 			BPF_LD_ABS(BPF_B, 256),
12336 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
12337 			BPF_EXIT_INSN(),
12338 		},
12339 		.data = {
12340 			10, 20, 30, 40, 50,
12341 		},
12342 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12343 		.result = ACCEPT,
12344 		.retval = 0,
12345 	},
12346 	{
12347 		"ld_abs: vlan + abs, test 1",
12348 		.insns = { },
12349 		.data = {
12350 			0x34,
12351 		},
12352 		.fill_helper = bpf_fill_ld_abs_vlan_push_pop,
12353 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12354 		.result = ACCEPT,
12355 		.retval = 0xbef,
12356 	},
12357 	{
12358 		"ld_abs: vlan + abs, test 2",
12359 		.insns = {
12360 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
12361 			BPF_LD_ABS(BPF_B, 0),
12362 			BPF_LD_ABS(BPF_H, 0),
12363 			BPF_LD_ABS(BPF_W, 0),
12364 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
12365 			BPF_MOV64_IMM(BPF_REG_6, 0),
12366 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
12367 			BPF_MOV64_IMM(BPF_REG_2, 1),
12368 			BPF_MOV64_IMM(BPF_REG_3, 2),
12369 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12370 				     BPF_FUNC_skb_vlan_push),
12371 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
12372 			BPF_LD_ABS(BPF_B, 0),
12373 			BPF_LD_ABS(BPF_H, 0),
12374 			BPF_LD_ABS(BPF_W, 0),
12375 			BPF_MOV64_IMM(BPF_REG_0, 42),
12376 			BPF_EXIT_INSN(),
12377 		},
12378 		.data = {
12379 			0x34,
12380 		},
12381 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12382 		.result = ACCEPT,
12383 		.retval = 42,
12384 	},
12385 	{
12386 		"ld_abs: jump around ld_abs",
12387 		.insns = { },
12388 		.data = {
12389 			10, 11,
12390 		},
12391 		.fill_helper = bpf_fill_jump_around_ld_abs,
12392 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12393 		.result = ACCEPT,
12394 		.retval = 10,
12395 	},
12396 	{
12397 		"ld_dw: xor semi-random 64 bit imms, test 1",
12398 		.insns = { },
12399 		.data = { },
12400 		.fill_helper = bpf_fill_rand_ld_dw,
12401 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12402 		.result = ACCEPT,
12403 		.retval = 4090,
12404 	},
12405 	{
12406 		"ld_dw: xor semi-random 64 bit imms, test 2",
12407 		.insns = { },
12408 		.data = { },
12409 		.fill_helper = bpf_fill_rand_ld_dw,
12410 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12411 		.result = ACCEPT,
12412 		.retval = 2047,
12413 	},
12414 	{
12415 		"ld_dw: xor semi-random 64 bit imms, test 3",
12416 		.insns = { },
12417 		.data = { },
12418 		.fill_helper = bpf_fill_rand_ld_dw,
12419 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12420 		.result = ACCEPT,
12421 		.retval = 511,
12422 	},
12423 	{
12424 		"ld_dw: xor semi-random 64 bit imms, test 4",
12425 		.insns = { },
12426 		.data = { },
12427 		.fill_helper = bpf_fill_rand_ld_dw,
12428 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12429 		.result = ACCEPT,
12430 		.retval = 5,
12431 	},
12432 	{
12433 		"pass unmodified ctx pointer to helper",
12434 		.insns = {
12435 			BPF_MOV64_IMM(BPF_REG_2, 0),
12436 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12437 				     BPF_FUNC_csum_update),
12438 			BPF_MOV64_IMM(BPF_REG_0, 0),
12439 			BPF_EXIT_INSN(),
12440 		},
12441 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12442 		.result = ACCEPT,
12443 	},
12444 	{
12445 		"pass modified ctx pointer to helper, 1",
12446 		.insns = {
12447 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
12448 			BPF_MOV64_IMM(BPF_REG_2, 0),
12449 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12450 				     BPF_FUNC_csum_update),
12451 			BPF_MOV64_IMM(BPF_REG_0, 0),
12452 			BPF_EXIT_INSN(),
12453 		},
12454 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12455 		.result = REJECT,
12456 		.errstr = "dereference of modified ctx ptr",
12457 	},
12458 	{
12459 		"pass modified ctx pointer to helper, 2",
12460 		.insns = {
12461 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -612),
12462 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12463 				     BPF_FUNC_get_socket_cookie),
12464 			BPF_MOV64_IMM(BPF_REG_0, 0),
12465 			BPF_EXIT_INSN(),
12466 		},
12467 		.result_unpriv = REJECT,
12468 		.result = REJECT,
12469 		.errstr_unpriv = "dereference of modified ctx ptr",
12470 		.errstr = "dereference of modified ctx ptr",
12471 	},
12472 	{
12473 		"pass modified ctx pointer to helper, 3",
12474 		.insns = {
12475 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, 0),
12476 			BPF_ALU64_IMM(BPF_AND, BPF_REG_3, 4),
12477 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
12478 			BPF_MOV64_IMM(BPF_REG_2, 0),
12479 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12480 				     BPF_FUNC_csum_update),
12481 			BPF_MOV64_IMM(BPF_REG_0, 0),
12482 			BPF_EXIT_INSN(),
12483 		},
12484 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12485 		.result = REJECT,
12486 		.errstr = "variable ctx access var_off=(0x0; 0x4)",
12487 	},
12488 	{
12489 		"mov64 src == dst",
12490 		.insns = {
12491 			BPF_MOV64_IMM(BPF_REG_2, 0),
12492 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_2),
12493 			// Check bounds are OK
12494 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
12495 			BPF_MOV64_IMM(BPF_REG_0, 0),
12496 			BPF_EXIT_INSN(),
12497 		},
12498 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12499 		.result = ACCEPT,
12500 	},
12501 	{
12502 		"mov64 src != dst",
12503 		.insns = {
12504 			BPF_MOV64_IMM(BPF_REG_3, 0),
12505 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
12506 			// Check bounds are OK
12507 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
12508 			BPF_MOV64_IMM(BPF_REG_0, 0),
12509 			BPF_EXIT_INSN(),
12510 		},
12511 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12512 		.result = ACCEPT,
12513 	},
12514 };
12515 
12516 static int probe_filter_length(const struct bpf_insn *fp)
12517 {
12518 	int len;
12519 
12520 	for (len = MAX_INSNS - 1; len > 0; --len)
12521 		if (fp[len].code != 0 || fp[len].imm != 0)
12522 			break;
12523 	return len + 1;
12524 }
12525 
12526 static int create_map(uint32_t type, uint32_t size_key,
12527 		      uint32_t size_value, uint32_t max_elem)
12528 {
12529 	int fd;
12530 
12531 	fd = bpf_create_map(type, size_key, size_value, max_elem,
12532 			    type == BPF_MAP_TYPE_HASH ? BPF_F_NO_PREALLOC : 0);
12533 	if (fd < 0)
12534 		printf("Failed to create hash map '%s'!\n", strerror(errno));
12535 
12536 	return fd;
12537 }
12538 
12539 static int create_prog_dummy1(void)
12540 {
12541 	struct bpf_insn prog[] = {
12542 		BPF_MOV64_IMM(BPF_REG_0, 42),
12543 		BPF_EXIT_INSN(),
12544 	};
12545 
12546 	return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12547 				ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12548 }
12549 
12550 static int create_prog_dummy2(int mfd, int idx)
12551 {
12552 	struct bpf_insn prog[] = {
12553 		BPF_MOV64_IMM(BPF_REG_3, idx),
12554 		BPF_LD_MAP_FD(BPF_REG_2, mfd),
12555 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12556 			     BPF_FUNC_tail_call),
12557 		BPF_MOV64_IMM(BPF_REG_0, 41),
12558 		BPF_EXIT_INSN(),
12559 	};
12560 
12561 	return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12562 				ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12563 }
12564 
12565 static int create_prog_array(uint32_t max_elem, int p1key)
12566 {
12567 	int p2key = 1;
12568 	int mfd, p1fd, p2fd;
12569 
12570 	mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
12571 			     sizeof(int), max_elem, 0);
12572 	if (mfd < 0) {
12573 		printf("Failed to create prog array '%s'!\n", strerror(errno));
12574 		return -1;
12575 	}
12576 
12577 	p1fd = create_prog_dummy1();
12578 	p2fd = create_prog_dummy2(mfd, p2key);
12579 	if (p1fd < 0 || p2fd < 0)
12580 		goto out;
12581 	if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
12582 		goto out;
12583 	if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
12584 		goto out;
12585 	close(p2fd);
12586 	close(p1fd);
12587 
12588 	return mfd;
12589 out:
12590 	close(p2fd);
12591 	close(p1fd);
12592 	close(mfd);
12593 	return -1;
12594 }
12595 
12596 static int create_map_in_map(void)
12597 {
12598 	int inner_map_fd, outer_map_fd;
12599 
12600 	inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12601 				      sizeof(int), 1, 0);
12602 	if (inner_map_fd < 0) {
12603 		printf("Failed to create array '%s'!\n", strerror(errno));
12604 		return inner_map_fd;
12605 	}
12606 
12607 	outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
12608 					     sizeof(int), inner_map_fd, 1, 0);
12609 	if (outer_map_fd < 0)
12610 		printf("Failed to create array of maps '%s'!\n",
12611 		       strerror(errno));
12612 
12613 	close(inner_map_fd);
12614 
12615 	return outer_map_fd;
12616 }
12617 
12618 static int create_cgroup_storage(void)
12619 {
12620 	int fd;
12621 
12622 	fd = bpf_create_map(BPF_MAP_TYPE_CGROUP_STORAGE,
12623 			    sizeof(struct bpf_cgroup_storage_key),
12624 			    TEST_DATA_LEN, 0, 0);
12625 	if (fd < 0)
12626 		printf("Failed to create array '%s'!\n", strerror(errno));
12627 
12628 	return fd;
12629 }
12630 
12631 static char bpf_vlog[UINT_MAX >> 8];
12632 
12633 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
12634 			  int *map_fds)
12635 {
12636 	int *fixup_map1 = test->fixup_map1;
12637 	int *fixup_map2 = test->fixup_map2;
12638 	int *fixup_map3 = test->fixup_map3;
12639 	int *fixup_map4 = test->fixup_map4;
12640 	int *fixup_prog1 = test->fixup_prog1;
12641 	int *fixup_prog2 = test->fixup_prog2;
12642 	int *fixup_map_in_map = test->fixup_map_in_map;
12643 	int *fixup_cgroup_storage = test->fixup_cgroup_storage;
12644 
12645 	if (test->fill_helper)
12646 		test->fill_helper(test);
12647 
12648 	/* Allocating HTs with 1 elem is fine here, since we only test
12649 	 * for verifier and not do a runtime lookup, so the only thing
12650 	 * that really matters is value size in this case.
12651 	 */
12652 	if (*fixup_map1) {
12653 		map_fds[0] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12654 					sizeof(long long), 1);
12655 		do {
12656 			prog[*fixup_map1].imm = map_fds[0];
12657 			fixup_map1++;
12658 		} while (*fixup_map1);
12659 	}
12660 
12661 	if (*fixup_map2) {
12662 		map_fds[1] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12663 					sizeof(struct test_val), 1);
12664 		do {
12665 			prog[*fixup_map2].imm = map_fds[1];
12666 			fixup_map2++;
12667 		} while (*fixup_map2);
12668 	}
12669 
12670 	if (*fixup_map3) {
12671 		map_fds[2] = create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12672 					sizeof(struct other_val), 1);
12673 		do {
12674 			prog[*fixup_map3].imm = map_fds[2];
12675 			fixup_map3++;
12676 		} while (*fixup_map3);
12677 	}
12678 
12679 	if (*fixup_map4) {
12680 		map_fds[3] = create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12681 					sizeof(struct test_val), 1);
12682 		do {
12683 			prog[*fixup_map4].imm = map_fds[3];
12684 			fixup_map4++;
12685 		} while (*fixup_map4);
12686 	}
12687 
12688 	if (*fixup_prog1) {
12689 		map_fds[4] = create_prog_array(4, 0);
12690 		do {
12691 			prog[*fixup_prog1].imm = map_fds[4];
12692 			fixup_prog1++;
12693 		} while (*fixup_prog1);
12694 	}
12695 
12696 	if (*fixup_prog2) {
12697 		map_fds[5] = create_prog_array(8, 7);
12698 		do {
12699 			prog[*fixup_prog2].imm = map_fds[5];
12700 			fixup_prog2++;
12701 		} while (*fixup_prog2);
12702 	}
12703 
12704 	if (*fixup_map_in_map) {
12705 		map_fds[6] = create_map_in_map();
12706 		do {
12707 			prog[*fixup_map_in_map].imm = map_fds[6];
12708 			fixup_map_in_map++;
12709 		} while (*fixup_map_in_map);
12710 	}
12711 
12712 	if (*fixup_cgroup_storage) {
12713 		map_fds[7] = create_cgroup_storage();
12714 		do {
12715 			prog[*fixup_cgroup_storage].imm = map_fds[7];
12716 			fixup_cgroup_storage++;
12717 		} while (*fixup_cgroup_storage);
12718 	}
12719 }
12720 
12721 static void do_test_single(struct bpf_test *test, bool unpriv,
12722 			   int *passes, int *errors)
12723 {
12724 	int fd_prog, expected_ret, reject_from_alignment;
12725 	int prog_len, prog_type = test->prog_type;
12726 	struct bpf_insn *prog = test->insns;
12727 	int map_fds[MAX_NR_MAPS];
12728 	const char *expected_err;
12729 	uint32_t retval;
12730 	int i, err;
12731 
12732 	for (i = 0; i < MAX_NR_MAPS; i++)
12733 		map_fds[i] = -1;
12734 
12735 	do_test_fixup(test, prog, map_fds);
12736 	prog_len = probe_filter_length(prog);
12737 
12738 	fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
12739 				     prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
12740 				     "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
12741 
12742 	expected_ret = unpriv && test->result_unpriv != UNDEF ?
12743 		       test->result_unpriv : test->result;
12744 	expected_err = unpriv && test->errstr_unpriv ?
12745 		       test->errstr_unpriv : test->errstr;
12746 
12747 	reject_from_alignment = fd_prog < 0 &&
12748 				(test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
12749 				strstr(bpf_vlog, "Unknown alignment.");
12750 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
12751 	if (reject_from_alignment) {
12752 		printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
12753 		       strerror(errno));
12754 		goto fail_log;
12755 	}
12756 #endif
12757 	if (expected_ret == ACCEPT) {
12758 		if (fd_prog < 0 && !reject_from_alignment) {
12759 			printf("FAIL\nFailed to load prog '%s'!\n",
12760 			       strerror(errno));
12761 			goto fail_log;
12762 		}
12763 	} else {
12764 		if (fd_prog >= 0) {
12765 			printf("FAIL\nUnexpected success to load!\n");
12766 			goto fail_log;
12767 		}
12768 		if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
12769 			printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
12770 			      expected_err, bpf_vlog);
12771 			goto fail_log;
12772 		}
12773 	}
12774 
12775 	if (fd_prog >= 0) {
12776 		__u8 tmp[TEST_DATA_LEN << 2];
12777 		__u32 size_tmp = sizeof(tmp);
12778 
12779 		err = bpf_prog_test_run(fd_prog, 1, test->data,
12780 					sizeof(test->data), tmp, &size_tmp,
12781 					&retval, NULL);
12782 		if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
12783 			printf("Unexpected bpf_prog_test_run error\n");
12784 			goto fail_log;
12785 		}
12786 		if (!err && retval != test->retval &&
12787 		    test->retval != POINTER_VALUE) {
12788 			printf("FAIL retval %d != %d\n", retval, test->retval);
12789 			goto fail_log;
12790 		}
12791 	}
12792 	(*passes)++;
12793 	printf("OK%s\n", reject_from_alignment ?
12794 	       " (NOTE: reject due to unknown alignment)" : "");
12795 close_fds:
12796 	close(fd_prog);
12797 	for (i = 0; i < MAX_NR_MAPS; i++)
12798 		close(map_fds[i]);
12799 	sched_yield();
12800 	return;
12801 fail_log:
12802 	(*errors)++;
12803 	printf("%s", bpf_vlog);
12804 	goto close_fds;
12805 }
12806 
12807 static bool is_admin(void)
12808 {
12809 	cap_t caps;
12810 	cap_flag_value_t sysadmin = CAP_CLEAR;
12811 	const cap_value_t cap_val = CAP_SYS_ADMIN;
12812 
12813 #ifdef CAP_IS_SUPPORTED
12814 	if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
12815 		perror("cap_get_flag");
12816 		return false;
12817 	}
12818 #endif
12819 	caps = cap_get_proc();
12820 	if (!caps) {
12821 		perror("cap_get_proc");
12822 		return false;
12823 	}
12824 	if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
12825 		perror("cap_get_flag");
12826 	if (cap_free(caps))
12827 		perror("cap_free");
12828 	return (sysadmin == CAP_SET);
12829 }
12830 
12831 static int set_admin(bool admin)
12832 {
12833 	cap_t caps;
12834 	const cap_value_t cap_val = CAP_SYS_ADMIN;
12835 	int ret = -1;
12836 
12837 	caps = cap_get_proc();
12838 	if (!caps) {
12839 		perror("cap_get_proc");
12840 		return -1;
12841 	}
12842 	if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
12843 				admin ? CAP_SET : CAP_CLEAR)) {
12844 		perror("cap_set_flag");
12845 		goto out;
12846 	}
12847 	if (cap_set_proc(caps)) {
12848 		perror("cap_set_proc");
12849 		goto out;
12850 	}
12851 	ret = 0;
12852 out:
12853 	if (cap_free(caps))
12854 		perror("cap_free");
12855 	return ret;
12856 }
12857 
12858 static void get_unpriv_disabled()
12859 {
12860 	char buf[2];
12861 	FILE *fd;
12862 
12863 	fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
12864 	if (!fd) {
12865 		perror("fopen /proc/sys/"UNPRIV_SYSCTL);
12866 		unpriv_disabled = true;
12867 		return;
12868 	}
12869 	if (fgets(buf, 2, fd) == buf && atoi(buf))
12870 		unpriv_disabled = true;
12871 	fclose(fd);
12872 }
12873 
12874 static int do_test(bool unpriv, unsigned int from, unsigned int to)
12875 {
12876 	int i, passes = 0, errors = 0, skips = 0;
12877 
12878 	for (i = from; i < to; i++) {
12879 		struct bpf_test *test = &tests[i];
12880 
12881 		/* Program types that are not supported by non-root we
12882 		 * skip right away.
12883 		 */
12884 		if (!test->prog_type && unpriv_disabled) {
12885 			printf("#%d/u %s SKIP\n", i, test->descr);
12886 			skips++;
12887 		} else if (!test->prog_type) {
12888 			if (!unpriv)
12889 				set_admin(false);
12890 			printf("#%d/u %s ", i, test->descr);
12891 			do_test_single(test, true, &passes, &errors);
12892 			if (!unpriv)
12893 				set_admin(true);
12894 		}
12895 
12896 		if (unpriv) {
12897 			printf("#%d/p %s SKIP\n", i, test->descr);
12898 			skips++;
12899 		} else {
12900 			printf("#%d/p %s ", i, test->descr);
12901 			do_test_single(test, false, &passes, &errors);
12902 		}
12903 	}
12904 
12905 	printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
12906 	       skips, errors);
12907 	return errors ? EXIT_FAILURE : EXIT_SUCCESS;
12908 }
12909 
12910 int main(int argc, char **argv)
12911 {
12912 	unsigned int from = 0, to = ARRAY_SIZE(tests);
12913 	bool unpriv = !is_admin();
12914 
12915 	if (argc == 3) {
12916 		unsigned int l = atoi(argv[argc - 2]);
12917 		unsigned int u = atoi(argv[argc - 1]);
12918 
12919 		if (l < to && u < to) {
12920 			from = l;
12921 			to   = u + 1;
12922 		}
12923 	} else if (argc == 2) {
12924 		unsigned int t = atoi(argv[argc - 1]);
12925 
12926 		if (t < to) {
12927 			from = t;
12928 			to   = t + 1;
12929 		}
12930 	}
12931 
12932 	get_unpriv_disabled();
12933 	if (unpriv && unpriv_disabled) {
12934 		printf("Cannot run as unprivileged user with sysctl %s.\n",
12935 		       UNPRIV_SYSCTL);
12936 		return EXIT_FAILURE;
12937 	}
12938 
12939 	bpf_semi_rand_init();
12940 	return do_test(unpriv, from, to);
12941 }
12942