xref: /openbmc/linux/tools/testing/selftests/bpf/test_verifier.c (revision c4c8f39a57bf5057fc51a848d42b7e348ecfa31d) 
1 /*
2  * Testsuite for eBPF verifier
3  *
4  * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5  * Copyright (c) 2017 Facebook
6  *
7  * This program is free software; you can redistribute it and/or
8  * modify it under the terms of version 2 of the GNU General Public
9  * License as published by the Free Software Foundation.
10  */
11 
12 #include <endian.h>
13 #include <asm/types.h>
14 #include <linux/types.h>
15 #include <stdint.h>
16 #include <stdio.h>
17 #include <stdlib.h>
18 #include <unistd.h>
19 #include <errno.h>
20 #include <string.h>
21 #include <stddef.h>
22 #include <stdbool.h>
23 #include <sched.h>
24 #include <limits.h>
25 
26 #include <sys/capability.h>
27 
28 #include <linux/unistd.h>
29 #include <linux/filter.h>
30 #include <linux/bpf_perf_event.h>
31 #include <linux/bpf.h>
32 #include <linux/if_ether.h>
33 
34 #include <bpf/bpf.h>
35 
36 #ifdef HAVE_GENHDR
37 # include "autoconf.h"
38 #else
39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
40 #  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
41 # endif
42 #endif
43 #include "bpf_rlimit.h"
44 #include "bpf_rand.h"
45 #include "../../../include/linux/filter.h"
46 
47 #ifndef ARRAY_SIZE
48 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
49 #endif
50 
51 #define MAX_INSNS	BPF_MAXINSNS
52 #define MAX_FIXUPS	8
53 #define MAX_NR_MAPS	4
54 #define POINTER_VALUE	0xcafe4all
55 #define TEST_DATA_LEN	64
56 
57 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS	(1 << 0)
58 #define F_LOAD_WITH_STRICT_ALIGNMENT		(1 << 1)
59 
60 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
61 static bool unpriv_disabled = false;
62 
63 struct bpf_test {
64 	const char *descr;
65 	struct bpf_insn	insns[MAX_INSNS];
66 	int fixup_map1[MAX_FIXUPS];
67 	int fixup_map2[MAX_FIXUPS];
68 	int fixup_map3[MAX_FIXUPS];
69 	int fixup_prog[MAX_FIXUPS];
70 	int fixup_map_in_map[MAX_FIXUPS];
71 	const char *errstr;
72 	const char *errstr_unpriv;
73 	uint32_t retval;
74 	enum {
75 		UNDEF,
76 		ACCEPT,
77 		REJECT
78 	} result, result_unpriv;
79 	enum bpf_prog_type prog_type;
80 	uint8_t flags;
81 	__u8 data[TEST_DATA_LEN];
82 	void (*fill_helper)(struct bpf_test *self);
83 };
84 
85 /* Note we want this to be 64 bit aligned so that the end of our array is
86  * actually the end of the structure.
87  */
88 #define MAX_ENTRIES 11
89 
90 struct test_val {
91 	unsigned int index;
92 	int foo[MAX_ENTRIES];
93 };
94 
95 struct other_val {
96 	long long foo;
97 	long long bar;
98 };
99 
100 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
101 {
102 	/* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
103 #define PUSH_CNT 51
104 	unsigned int len = BPF_MAXINSNS;
105 	struct bpf_insn *insn = self->insns;
106 	int i = 0, j, k = 0;
107 
108 	insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
109 loop:
110 	for (j = 0; j < PUSH_CNT; j++) {
111 		insn[i++] = BPF_LD_ABS(BPF_B, 0);
112 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
113 		i++;
114 		insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
115 		insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
116 		insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
117 		insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
118 					 BPF_FUNC_skb_vlan_push),
119 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
120 		i++;
121 	}
122 
123 	for (j = 0; j < PUSH_CNT; j++) {
124 		insn[i++] = BPF_LD_ABS(BPF_B, 0);
125 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
126 		i++;
127 		insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
128 		insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
129 					 BPF_FUNC_skb_vlan_pop),
130 		insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
131 		i++;
132 	}
133 	if (++k < 5)
134 		goto loop;
135 
136 	for (; i < len - 1; i++)
137 		insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
138 	insn[len - 1] = BPF_EXIT_INSN();
139 }
140 
141 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
142 {
143 	struct bpf_insn *insn = self->insns;
144 	unsigned int len = BPF_MAXINSNS;
145 	int i = 0;
146 
147 	insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
148 	insn[i++] = BPF_LD_ABS(BPF_B, 0);
149 	insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
150 	i++;
151 	while (i < len - 1)
152 		insn[i++] = BPF_LD_ABS(BPF_B, 1);
153 	insn[i] = BPF_EXIT_INSN();
154 }
155 
156 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
157 {
158 	struct bpf_insn *insn = self->insns;
159 	uint64_t res = 0;
160 	int i = 0;
161 
162 	insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
163 	while (i < self->retval) {
164 		uint64_t val = bpf_semi_rand_get();
165 		struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
166 
167 		res ^= val;
168 		insn[i++] = tmp[0];
169 		insn[i++] = tmp[1];
170 		insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
171 	}
172 	insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
173 	insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
174 	insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
175 	insn[i] = BPF_EXIT_INSN();
176 	res ^= (res >> 32);
177 	self->retval = (uint32_t)res;
178 }
179 
180 static struct bpf_test tests[] = {
181 	{
182 		"add+sub+mul",
183 		.insns = {
184 			BPF_MOV64_IMM(BPF_REG_1, 1),
185 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
186 			BPF_MOV64_IMM(BPF_REG_2, 3),
187 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
188 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
189 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
190 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
191 			BPF_EXIT_INSN(),
192 		},
193 		.result = ACCEPT,
194 		.retval = -3,
195 	},
196 	{
197 		"DIV32 by 0, zero check 1",
198 		.insns = {
199 			BPF_MOV32_IMM(BPF_REG_0, 42),
200 			BPF_MOV32_IMM(BPF_REG_1, 0),
201 			BPF_MOV32_IMM(BPF_REG_2, 1),
202 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
203 			BPF_EXIT_INSN(),
204 		},
205 		.result = ACCEPT,
206 		.retval = 42,
207 	},
208 	{
209 		"DIV32 by 0, zero check 2",
210 		.insns = {
211 			BPF_MOV32_IMM(BPF_REG_0, 42),
212 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
213 			BPF_MOV32_IMM(BPF_REG_2, 1),
214 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
215 			BPF_EXIT_INSN(),
216 		},
217 		.result = ACCEPT,
218 		.retval = 42,
219 	},
220 	{
221 		"DIV64 by 0, zero check",
222 		.insns = {
223 			BPF_MOV32_IMM(BPF_REG_0, 42),
224 			BPF_MOV32_IMM(BPF_REG_1, 0),
225 			BPF_MOV32_IMM(BPF_REG_2, 1),
226 			BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
227 			BPF_EXIT_INSN(),
228 		},
229 		.result = ACCEPT,
230 		.retval = 42,
231 	},
232 	{
233 		"MOD32 by 0, zero check 1",
234 		.insns = {
235 			BPF_MOV32_IMM(BPF_REG_0, 42),
236 			BPF_MOV32_IMM(BPF_REG_1, 0),
237 			BPF_MOV32_IMM(BPF_REG_2, 1),
238 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
239 			BPF_EXIT_INSN(),
240 		},
241 		.result = ACCEPT,
242 		.retval = 42,
243 	},
244 	{
245 		"MOD32 by 0, zero check 2",
246 		.insns = {
247 			BPF_MOV32_IMM(BPF_REG_0, 42),
248 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
249 			BPF_MOV32_IMM(BPF_REG_2, 1),
250 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
251 			BPF_EXIT_INSN(),
252 		},
253 		.result = ACCEPT,
254 		.retval = 42,
255 	},
256 	{
257 		"MOD64 by 0, zero check",
258 		.insns = {
259 			BPF_MOV32_IMM(BPF_REG_0, 42),
260 			BPF_MOV32_IMM(BPF_REG_1, 0),
261 			BPF_MOV32_IMM(BPF_REG_2, 1),
262 			BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
263 			BPF_EXIT_INSN(),
264 		},
265 		.result = ACCEPT,
266 		.retval = 42,
267 	},
268 	{
269 		"DIV32 by 0, zero check ok, cls",
270 		.insns = {
271 			BPF_MOV32_IMM(BPF_REG_0, 42),
272 			BPF_MOV32_IMM(BPF_REG_1, 2),
273 			BPF_MOV32_IMM(BPF_REG_2, 16),
274 			BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
275 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
276 			BPF_EXIT_INSN(),
277 		},
278 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
279 		.result = ACCEPT,
280 		.retval = 8,
281 	},
282 	{
283 		"DIV32 by 0, zero check 1, cls",
284 		.insns = {
285 			BPF_MOV32_IMM(BPF_REG_1, 0),
286 			BPF_MOV32_IMM(BPF_REG_0, 1),
287 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
288 			BPF_EXIT_INSN(),
289 		},
290 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
291 		.result = ACCEPT,
292 		.retval = 0,
293 	},
294 	{
295 		"DIV32 by 0, zero check 2, cls",
296 		.insns = {
297 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
298 			BPF_MOV32_IMM(BPF_REG_0, 1),
299 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
300 			BPF_EXIT_INSN(),
301 		},
302 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
303 		.result = ACCEPT,
304 		.retval = 0,
305 	},
306 	{
307 		"DIV64 by 0, zero check, cls",
308 		.insns = {
309 			BPF_MOV32_IMM(BPF_REG_1, 0),
310 			BPF_MOV32_IMM(BPF_REG_0, 1),
311 			BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
312 			BPF_EXIT_INSN(),
313 		},
314 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
315 		.result = ACCEPT,
316 		.retval = 0,
317 	},
318 	{
319 		"MOD32 by 0, zero check ok, cls",
320 		.insns = {
321 			BPF_MOV32_IMM(BPF_REG_0, 42),
322 			BPF_MOV32_IMM(BPF_REG_1, 3),
323 			BPF_MOV32_IMM(BPF_REG_2, 5),
324 			BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
325 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
326 			BPF_EXIT_INSN(),
327 		},
328 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
329 		.result = ACCEPT,
330 		.retval = 2,
331 	},
332 	{
333 		"MOD32 by 0, zero check 1, cls",
334 		.insns = {
335 			BPF_MOV32_IMM(BPF_REG_1, 0),
336 			BPF_MOV32_IMM(BPF_REG_0, 1),
337 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
338 			BPF_EXIT_INSN(),
339 		},
340 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
341 		.result = ACCEPT,
342 		.retval = 1,
343 	},
344 	{
345 		"MOD32 by 0, zero check 2, cls",
346 		.insns = {
347 			BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
348 			BPF_MOV32_IMM(BPF_REG_0, 1),
349 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
350 			BPF_EXIT_INSN(),
351 		},
352 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
353 		.result = ACCEPT,
354 		.retval = 1,
355 	},
356 	{
357 		"MOD64 by 0, zero check 1, cls",
358 		.insns = {
359 			BPF_MOV32_IMM(BPF_REG_1, 0),
360 			BPF_MOV32_IMM(BPF_REG_0, 2),
361 			BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
362 			BPF_EXIT_INSN(),
363 		},
364 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
365 		.result = ACCEPT,
366 		.retval = 2,
367 	},
368 	{
369 		"MOD64 by 0, zero check 2, cls",
370 		.insns = {
371 			BPF_MOV32_IMM(BPF_REG_1, 0),
372 			BPF_MOV32_IMM(BPF_REG_0, -1),
373 			BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
374 			BPF_EXIT_INSN(),
375 		},
376 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
377 		.result = ACCEPT,
378 		.retval = -1,
379 	},
380 	/* Just make sure that JITs used udiv/umod as otherwise we get
381 	 * an exception from INT_MIN/-1 overflow similarly as with div
382 	 * by zero.
383 	 */
384 	{
385 		"DIV32 overflow, check 1",
386 		.insns = {
387 			BPF_MOV32_IMM(BPF_REG_1, -1),
388 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
389 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
390 			BPF_EXIT_INSN(),
391 		},
392 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
393 		.result = ACCEPT,
394 		.retval = 0,
395 	},
396 	{
397 		"DIV32 overflow, check 2",
398 		.insns = {
399 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
400 			BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
401 			BPF_EXIT_INSN(),
402 		},
403 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
404 		.result = ACCEPT,
405 		.retval = 0,
406 	},
407 	{
408 		"DIV64 overflow, check 1",
409 		.insns = {
410 			BPF_MOV64_IMM(BPF_REG_1, -1),
411 			BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
412 			BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
413 			BPF_EXIT_INSN(),
414 		},
415 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
416 		.result = ACCEPT,
417 		.retval = 0,
418 	},
419 	{
420 		"DIV64 overflow, check 2",
421 		.insns = {
422 			BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
423 			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
424 			BPF_EXIT_INSN(),
425 		},
426 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
427 		.result = ACCEPT,
428 		.retval = 0,
429 	},
430 	{
431 		"MOD32 overflow, check 1",
432 		.insns = {
433 			BPF_MOV32_IMM(BPF_REG_1, -1),
434 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
435 			BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
436 			BPF_EXIT_INSN(),
437 		},
438 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
439 		.result = ACCEPT,
440 		.retval = INT_MIN,
441 	},
442 	{
443 		"MOD32 overflow, check 2",
444 		.insns = {
445 			BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
446 			BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
447 			BPF_EXIT_INSN(),
448 		},
449 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
450 		.result = ACCEPT,
451 		.retval = INT_MIN,
452 	},
453 	{
454 		"MOD64 overflow, check 1",
455 		.insns = {
456 			BPF_MOV64_IMM(BPF_REG_1, -1),
457 			BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
458 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
459 			BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
460 			BPF_MOV32_IMM(BPF_REG_0, 0),
461 			BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
462 			BPF_MOV32_IMM(BPF_REG_0, 1),
463 			BPF_EXIT_INSN(),
464 		},
465 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
466 		.result = ACCEPT,
467 		.retval = 1,
468 	},
469 	{
470 		"MOD64 overflow, check 2",
471 		.insns = {
472 			BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
473 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
474 			BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
475 			BPF_MOV32_IMM(BPF_REG_0, 0),
476 			BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
477 			BPF_MOV32_IMM(BPF_REG_0, 1),
478 			BPF_EXIT_INSN(),
479 		},
480 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
481 		.result = ACCEPT,
482 		.retval = 1,
483 	},
484 	{
485 		"xor32 zero extend check",
486 		.insns = {
487 			BPF_MOV32_IMM(BPF_REG_2, -1),
488 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
489 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
490 			BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
491 			BPF_MOV32_IMM(BPF_REG_0, 2),
492 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
493 			BPF_MOV32_IMM(BPF_REG_0, 1),
494 			BPF_EXIT_INSN(),
495 		},
496 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
497 		.result = ACCEPT,
498 		.retval = 1,
499 	},
500 	{
501 		"empty prog",
502 		.insns = {
503 		},
504 		.errstr = "unknown opcode 00",
505 		.result = REJECT,
506 	},
507 	{
508 		"only exit insn",
509 		.insns = {
510 			BPF_EXIT_INSN(),
511 		},
512 		.errstr = "R0 !read_ok",
513 		.result = REJECT,
514 	},
515 	{
516 		"unreachable",
517 		.insns = {
518 			BPF_EXIT_INSN(),
519 			BPF_EXIT_INSN(),
520 		},
521 		.errstr = "unreachable",
522 		.result = REJECT,
523 	},
524 	{
525 		"unreachable2",
526 		.insns = {
527 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
528 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
529 			BPF_EXIT_INSN(),
530 		},
531 		.errstr = "unreachable",
532 		.result = REJECT,
533 	},
534 	{
535 		"out of range jump",
536 		.insns = {
537 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
538 			BPF_EXIT_INSN(),
539 		},
540 		.errstr = "jump out of range",
541 		.result = REJECT,
542 	},
543 	{
544 		"out of range jump2",
545 		.insns = {
546 			BPF_JMP_IMM(BPF_JA, 0, 0, -2),
547 			BPF_EXIT_INSN(),
548 		},
549 		.errstr = "jump out of range",
550 		.result = REJECT,
551 	},
552 	{
553 		"test1 ld_imm64",
554 		.insns = {
555 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
556 			BPF_LD_IMM64(BPF_REG_0, 0),
557 			BPF_LD_IMM64(BPF_REG_0, 0),
558 			BPF_LD_IMM64(BPF_REG_0, 1),
559 			BPF_LD_IMM64(BPF_REG_0, 1),
560 			BPF_MOV64_IMM(BPF_REG_0, 2),
561 			BPF_EXIT_INSN(),
562 		},
563 		.errstr = "invalid BPF_LD_IMM insn",
564 		.errstr_unpriv = "R1 pointer comparison",
565 		.result = REJECT,
566 	},
567 	{
568 		"test2 ld_imm64",
569 		.insns = {
570 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
571 			BPF_LD_IMM64(BPF_REG_0, 0),
572 			BPF_LD_IMM64(BPF_REG_0, 0),
573 			BPF_LD_IMM64(BPF_REG_0, 1),
574 			BPF_LD_IMM64(BPF_REG_0, 1),
575 			BPF_EXIT_INSN(),
576 		},
577 		.errstr = "invalid BPF_LD_IMM insn",
578 		.errstr_unpriv = "R1 pointer comparison",
579 		.result = REJECT,
580 	},
581 	{
582 		"test3 ld_imm64",
583 		.insns = {
584 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
585 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
586 			BPF_LD_IMM64(BPF_REG_0, 0),
587 			BPF_LD_IMM64(BPF_REG_0, 0),
588 			BPF_LD_IMM64(BPF_REG_0, 1),
589 			BPF_LD_IMM64(BPF_REG_0, 1),
590 			BPF_EXIT_INSN(),
591 		},
592 		.errstr = "invalid bpf_ld_imm64 insn",
593 		.result = REJECT,
594 	},
595 	{
596 		"test4 ld_imm64",
597 		.insns = {
598 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
599 			BPF_EXIT_INSN(),
600 		},
601 		.errstr = "invalid bpf_ld_imm64 insn",
602 		.result = REJECT,
603 	},
604 	{
605 		"test5 ld_imm64",
606 		.insns = {
607 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
608 		},
609 		.errstr = "invalid bpf_ld_imm64 insn",
610 		.result = REJECT,
611 	},
612 	{
613 		"test6 ld_imm64",
614 		.insns = {
615 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
616 			BPF_RAW_INSN(0, 0, 0, 0, 0),
617 			BPF_EXIT_INSN(),
618 		},
619 		.result = ACCEPT,
620 	},
621 	{
622 		"test7 ld_imm64",
623 		.insns = {
624 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
625 			BPF_RAW_INSN(0, 0, 0, 0, 1),
626 			BPF_EXIT_INSN(),
627 		},
628 		.result = ACCEPT,
629 		.retval = 1,
630 	},
631 	{
632 		"test8 ld_imm64",
633 		.insns = {
634 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
635 			BPF_RAW_INSN(0, 0, 0, 0, 1),
636 			BPF_EXIT_INSN(),
637 		},
638 		.errstr = "uses reserved fields",
639 		.result = REJECT,
640 	},
641 	{
642 		"test9 ld_imm64",
643 		.insns = {
644 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
645 			BPF_RAW_INSN(0, 0, 0, 1, 1),
646 			BPF_EXIT_INSN(),
647 		},
648 		.errstr = "invalid bpf_ld_imm64 insn",
649 		.result = REJECT,
650 	},
651 	{
652 		"test10 ld_imm64",
653 		.insns = {
654 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
655 			BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
656 			BPF_EXIT_INSN(),
657 		},
658 		.errstr = "invalid bpf_ld_imm64 insn",
659 		.result = REJECT,
660 	},
661 	{
662 		"test11 ld_imm64",
663 		.insns = {
664 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
665 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
666 			BPF_EXIT_INSN(),
667 		},
668 		.errstr = "invalid bpf_ld_imm64 insn",
669 		.result = REJECT,
670 	},
671 	{
672 		"test12 ld_imm64",
673 		.insns = {
674 			BPF_MOV64_IMM(BPF_REG_1, 0),
675 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
676 			BPF_RAW_INSN(0, 0, 0, 0, 1),
677 			BPF_EXIT_INSN(),
678 		},
679 		.errstr = "not pointing to valid bpf_map",
680 		.result = REJECT,
681 	},
682 	{
683 		"test13 ld_imm64",
684 		.insns = {
685 			BPF_MOV64_IMM(BPF_REG_1, 0),
686 			BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
687 			BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
688 			BPF_EXIT_INSN(),
689 		},
690 		.errstr = "invalid bpf_ld_imm64 insn",
691 		.result = REJECT,
692 	},
693 	{
694 		"arsh32 on imm",
695 		.insns = {
696 			BPF_MOV64_IMM(BPF_REG_0, 1),
697 			BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
698 			BPF_EXIT_INSN(),
699 		},
700 		.result = REJECT,
701 		.errstr = "unknown opcode c4",
702 	},
703 	{
704 		"arsh32 on reg",
705 		.insns = {
706 			BPF_MOV64_IMM(BPF_REG_0, 1),
707 			BPF_MOV64_IMM(BPF_REG_1, 5),
708 			BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
709 			BPF_EXIT_INSN(),
710 		},
711 		.result = REJECT,
712 		.errstr = "unknown opcode cc",
713 	},
714 	{
715 		"arsh64 on imm",
716 		.insns = {
717 			BPF_MOV64_IMM(BPF_REG_0, 1),
718 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
719 			BPF_EXIT_INSN(),
720 		},
721 		.result = ACCEPT,
722 	},
723 	{
724 		"arsh64 on reg",
725 		.insns = {
726 			BPF_MOV64_IMM(BPF_REG_0, 1),
727 			BPF_MOV64_IMM(BPF_REG_1, 5),
728 			BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
729 			BPF_EXIT_INSN(),
730 		},
731 		.result = ACCEPT,
732 	},
733 	{
734 		"no bpf_exit",
735 		.insns = {
736 			BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
737 		},
738 		.errstr = "not an exit",
739 		.result = REJECT,
740 	},
741 	{
742 		"loop (back-edge)",
743 		.insns = {
744 			BPF_JMP_IMM(BPF_JA, 0, 0, -1),
745 			BPF_EXIT_INSN(),
746 		},
747 		.errstr = "back-edge",
748 		.result = REJECT,
749 	},
750 	{
751 		"loop2 (back-edge)",
752 		.insns = {
753 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
754 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
755 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
756 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
757 			BPF_EXIT_INSN(),
758 		},
759 		.errstr = "back-edge",
760 		.result = REJECT,
761 	},
762 	{
763 		"conditional loop",
764 		.insns = {
765 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
766 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
767 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
768 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
769 			BPF_EXIT_INSN(),
770 		},
771 		.errstr = "back-edge",
772 		.result = REJECT,
773 	},
774 	{
775 		"read uninitialized register",
776 		.insns = {
777 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
778 			BPF_EXIT_INSN(),
779 		},
780 		.errstr = "R2 !read_ok",
781 		.result = REJECT,
782 	},
783 	{
784 		"read invalid register",
785 		.insns = {
786 			BPF_MOV64_REG(BPF_REG_0, -1),
787 			BPF_EXIT_INSN(),
788 		},
789 		.errstr = "R15 is invalid",
790 		.result = REJECT,
791 	},
792 	{
793 		"program doesn't init R0 before exit",
794 		.insns = {
795 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
796 			BPF_EXIT_INSN(),
797 		},
798 		.errstr = "R0 !read_ok",
799 		.result = REJECT,
800 	},
801 	{
802 		"program doesn't init R0 before exit in all branches",
803 		.insns = {
804 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
805 			BPF_MOV64_IMM(BPF_REG_0, 1),
806 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
807 			BPF_EXIT_INSN(),
808 		},
809 		.errstr = "R0 !read_ok",
810 		.errstr_unpriv = "R1 pointer comparison",
811 		.result = REJECT,
812 	},
813 	{
814 		"stack out of bounds",
815 		.insns = {
816 			BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
817 			BPF_EXIT_INSN(),
818 		},
819 		.errstr = "invalid stack",
820 		.result = REJECT,
821 	},
822 	{
823 		"invalid call insn1",
824 		.insns = {
825 			BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
826 			BPF_EXIT_INSN(),
827 		},
828 		.errstr = "unknown opcode 8d",
829 		.result = REJECT,
830 	},
831 	{
832 		"invalid call insn2",
833 		.insns = {
834 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
835 			BPF_EXIT_INSN(),
836 		},
837 		.errstr = "BPF_CALL uses reserved",
838 		.result = REJECT,
839 	},
840 	{
841 		"invalid function call",
842 		.insns = {
843 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
844 			BPF_EXIT_INSN(),
845 		},
846 		.errstr = "invalid func unknown#1234567",
847 		.result = REJECT,
848 	},
849 	{
850 		"uninitialized stack1",
851 		.insns = {
852 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
853 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
854 			BPF_LD_MAP_FD(BPF_REG_1, 0),
855 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
856 				     BPF_FUNC_map_lookup_elem),
857 			BPF_EXIT_INSN(),
858 		},
859 		.fixup_map1 = { 2 },
860 		.errstr = "invalid indirect read from stack",
861 		.result = REJECT,
862 	},
863 	{
864 		"uninitialized stack2",
865 		.insns = {
866 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
867 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
868 			BPF_EXIT_INSN(),
869 		},
870 		.errstr = "invalid read from stack",
871 		.result = REJECT,
872 	},
873 	{
874 		"invalid fp arithmetic",
875 		/* If this gets ever changed, make sure JITs can deal with it. */
876 		.insns = {
877 			BPF_MOV64_IMM(BPF_REG_0, 0),
878 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
879 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
880 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
881 			BPF_EXIT_INSN(),
882 		},
883 		.errstr = "R1 subtraction from stack pointer",
884 		.result = REJECT,
885 	},
886 	{
887 		"non-invalid fp arithmetic",
888 		.insns = {
889 			BPF_MOV64_IMM(BPF_REG_0, 0),
890 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
891 			BPF_EXIT_INSN(),
892 		},
893 		.result = ACCEPT,
894 	},
895 	{
896 		"invalid argument register",
897 		.insns = {
898 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
899 				     BPF_FUNC_get_cgroup_classid),
900 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
901 				     BPF_FUNC_get_cgroup_classid),
902 			BPF_EXIT_INSN(),
903 		},
904 		.errstr = "R1 !read_ok",
905 		.result = REJECT,
906 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
907 	},
908 	{
909 		"non-invalid argument register",
910 		.insns = {
911 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
912 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
913 				     BPF_FUNC_get_cgroup_classid),
914 			BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
915 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
916 				     BPF_FUNC_get_cgroup_classid),
917 			BPF_EXIT_INSN(),
918 		},
919 		.result = ACCEPT,
920 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
921 	},
922 	{
923 		"check valid spill/fill",
924 		.insns = {
925 			/* spill R1(ctx) into stack */
926 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
927 			/* fill it back into R2 */
928 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
929 			/* should be able to access R0 = *(R2 + 8) */
930 			/* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
931 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
932 			BPF_EXIT_INSN(),
933 		},
934 		.errstr_unpriv = "R0 leaks addr",
935 		.result = ACCEPT,
936 		.result_unpriv = REJECT,
937 		.retval = POINTER_VALUE,
938 	},
939 	{
940 		"check valid spill/fill, skb mark",
941 		.insns = {
942 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
943 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
944 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
945 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
946 				    offsetof(struct __sk_buff, mark)),
947 			BPF_EXIT_INSN(),
948 		},
949 		.result = ACCEPT,
950 		.result_unpriv = ACCEPT,
951 	},
952 	{
953 		"check corrupted spill/fill",
954 		.insns = {
955 			/* spill R1(ctx) into stack */
956 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
957 			/* mess up with R1 pointer on stack */
958 			BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
959 			/* fill back into R0 should fail */
960 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
961 			BPF_EXIT_INSN(),
962 		},
963 		.errstr_unpriv = "attempt to corrupt spilled",
964 		.errstr = "corrupted spill",
965 		.result = REJECT,
966 	},
967 	{
968 		"invalid src register in STX",
969 		.insns = {
970 			BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
971 			BPF_EXIT_INSN(),
972 		},
973 		.errstr = "R15 is invalid",
974 		.result = REJECT,
975 	},
976 	{
977 		"invalid dst register in STX",
978 		.insns = {
979 			BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
980 			BPF_EXIT_INSN(),
981 		},
982 		.errstr = "R14 is invalid",
983 		.result = REJECT,
984 	},
985 	{
986 		"invalid dst register in ST",
987 		.insns = {
988 			BPF_ST_MEM(BPF_B, 14, -1, -1),
989 			BPF_EXIT_INSN(),
990 		},
991 		.errstr = "R14 is invalid",
992 		.result = REJECT,
993 	},
994 	{
995 		"invalid src register in LDX",
996 		.insns = {
997 			BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
998 			BPF_EXIT_INSN(),
999 		},
1000 		.errstr = "R12 is invalid",
1001 		.result = REJECT,
1002 	},
1003 	{
1004 		"invalid dst register in LDX",
1005 		.insns = {
1006 			BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1007 			BPF_EXIT_INSN(),
1008 		},
1009 		.errstr = "R11 is invalid",
1010 		.result = REJECT,
1011 	},
1012 	{
1013 		"junk insn",
1014 		.insns = {
1015 			BPF_RAW_INSN(0, 0, 0, 0, 0),
1016 			BPF_EXIT_INSN(),
1017 		},
1018 		.errstr = "unknown opcode 00",
1019 		.result = REJECT,
1020 	},
1021 	{
1022 		"junk insn2",
1023 		.insns = {
1024 			BPF_RAW_INSN(1, 0, 0, 0, 0),
1025 			BPF_EXIT_INSN(),
1026 		},
1027 		.errstr = "BPF_LDX uses reserved fields",
1028 		.result = REJECT,
1029 	},
1030 	{
1031 		"junk insn3",
1032 		.insns = {
1033 			BPF_RAW_INSN(-1, 0, 0, 0, 0),
1034 			BPF_EXIT_INSN(),
1035 		},
1036 		.errstr = "unknown opcode ff",
1037 		.result = REJECT,
1038 	},
1039 	{
1040 		"junk insn4",
1041 		.insns = {
1042 			BPF_RAW_INSN(-1, -1, -1, -1, -1),
1043 			BPF_EXIT_INSN(),
1044 		},
1045 		.errstr = "unknown opcode ff",
1046 		.result = REJECT,
1047 	},
1048 	{
1049 		"junk insn5",
1050 		.insns = {
1051 			BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1052 			BPF_EXIT_INSN(),
1053 		},
1054 		.errstr = "BPF_ALU uses reserved fields",
1055 		.result = REJECT,
1056 	},
1057 	{
1058 		"misaligned read from stack",
1059 		.insns = {
1060 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1061 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1062 			BPF_EXIT_INSN(),
1063 		},
1064 		.errstr = "misaligned stack access",
1065 		.result = REJECT,
1066 	},
1067 	{
1068 		"invalid map_fd for function call",
1069 		.insns = {
1070 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1071 			BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1072 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1073 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1074 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1075 				     BPF_FUNC_map_delete_elem),
1076 			BPF_EXIT_INSN(),
1077 		},
1078 		.errstr = "fd 0 is not pointing to valid bpf_map",
1079 		.result = REJECT,
1080 	},
1081 	{
1082 		"don't check return value before access",
1083 		.insns = {
1084 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1085 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1086 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1087 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1088 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1089 				     BPF_FUNC_map_lookup_elem),
1090 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1091 			BPF_EXIT_INSN(),
1092 		},
1093 		.fixup_map1 = { 3 },
1094 		.errstr = "R0 invalid mem access 'map_value_or_null'",
1095 		.result = REJECT,
1096 	},
1097 	{
1098 		"access memory with incorrect alignment",
1099 		.insns = {
1100 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1101 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1102 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1103 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1104 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1105 				     BPF_FUNC_map_lookup_elem),
1106 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1107 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1108 			BPF_EXIT_INSN(),
1109 		},
1110 		.fixup_map1 = { 3 },
1111 		.errstr = "misaligned value access",
1112 		.result = REJECT,
1113 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1114 	},
1115 	{
1116 		"sometimes access memory with incorrect alignment",
1117 		.insns = {
1118 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1119 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1120 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1121 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1122 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1123 				     BPF_FUNC_map_lookup_elem),
1124 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1125 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1126 			BPF_EXIT_INSN(),
1127 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1128 			BPF_EXIT_INSN(),
1129 		},
1130 		.fixup_map1 = { 3 },
1131 		.errstr = "R0 invalid mem access",
1132 		.errstr_unpriv = "R0 leaks addr",
1133 		.result = REJECT,
1134 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1135 	},
1136 	{
1137 		"jump test 1",
1138 		.insns = {
1139 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1140 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1141 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1142 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1143 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1144 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1145 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1146 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1147 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1148 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1149 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1150 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1151 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1152 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1153 			BPF_MOV64_IMM(BPF_REG_0, 0),
1154 			BPF_EXIT_INSN(),
1155 		},
1156 		.errstr_unpriv = "R1 pointer comparison",
1157 		.result_unpriv = REJECT,
1158 		.result = ACCEPT,
1159 	},
1160 	{
1161 		"jump test 2",
1162 		.insns = {
1163 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1164 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1165 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1166 			BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1167 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1168 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1169 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1170 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1171 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1172 			BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1173 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1174 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1175 			BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1176 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1177 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1178 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1179 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1180 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1181 			BPF_MOV64_IMM(BPF_REG_0, 0),
1182 			BPF_EXIT_INSN(),
1183 		},
1184 		.errstr_unpriv = "R1 pointer comparison",
1185 		.result_unpriv = REJECT,
1186 		.result = ACCEPT,
1187 	},
1188 	{
1189 		"jump test 3",
1190 		.insns = {
1191 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1192 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1193 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1194 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1195 			BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1196 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1197 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1198 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1199 			BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1200 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1201 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1202 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1203 			BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1204 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1205 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1206 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1207 			BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1208 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1209 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1210 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1211 			BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1212 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1213 			BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1214 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1215 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1216 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1217 				     BPF_FUNC_map_delete_elem),
1218 			BPF_EXIT_INSN(),
1219 		},
1220 		.fixup_map1 = { 24 },
1221 		.errstr_unpriv = "R1 pointer comparison",
1222 		.result_unpriv = REJECT,
1223 		.result = ACCEPT,
1224 		.retval = -ENOENT,
1225 	},
1226 	{
1227 		"jump test 4",
1228 		.insns = {
1229 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1230 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1231 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1232 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1233 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1234 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1235 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1236 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1237 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1238 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1239 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1240 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1241 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1242 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1243 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1244 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1245 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1246 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1247 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1248 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1249 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1250 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1251 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1252 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1253 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1254 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1255 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1256 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1257 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1258 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1259 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1260 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1261 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1262 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1263 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1264 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1265 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1266 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1267 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1268 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1269 			BPF_MOV64_IMM(BPF_REG_0, 0),
1270 			BPF_EXIT_INSN(),
1271 		},
1272 		.errstr_unpriv = "R1 pointer comparison",
1273 		.result_unpriv = REJECT,
1274 		.result = ACCEPT,
1275 	},
1276 	{
1277 		"jump test 5",
1278 		.insns = {
1279 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1280 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1281 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1282 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1283 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1284 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1285 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1286 			BPF_MOV64_IMM(BPF_REG_0, 0),
1287 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1288 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1289 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1290 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1291 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1292 			BPF_MOV64_IMM(BPF_REG_0, 0),
1293 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1294 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1295 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1296 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1297 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1298 			BPF_MOV64_IMM(BPF_REG_0, 0),
1299 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1300 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1301 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1302 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1303 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1304 			BPF_MOV64_IMM(BPF_REG_0, 0),
1305 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1306 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1307 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1308 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1309 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1310 			BPF_MOV64_IMM(BPF_REG_0, 0),
1311 			BPF_EXIT_INSN(),
1312 		},
1313 		.errstr_unpriv = "R1 pointer comparison",
1314 		.result_unpriv = REJECT,
1315 		.result = ACCEPT,
1316 	},
1317 	{
1318 		"access skb fields ok",
1319 		.insns = {
1320 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1321 				    offsetof(struct __sk_buff, len)),
1322 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1323 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1324 				    offsetof(struct __sk_buff, mark)),
1325 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1326 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1327 				    offsetof(struct __sk_buff, pkt_type)),
1328 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1329 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1330 				    offsetof(struct __sk_buff, queue_mapping)),
1331 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1332 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1333 				    offsetof(struct __sk_buff, protocol)),
1334 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1335 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1336 				    offsetof(struct __sk_buff, vlan_present)),
1337 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1338 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1339 				    offsetof(struct __sk_buff, vlan_tci)),
1340 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1341 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1342 				    offsetof(struct __sk_buff, napi_id)),
1343 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1344 			BPF_EXIT_INSN(),
1345 		},
1346 		.result = ACCEPT,
1347 	},
1348 	{
1349 		"access skb fields bad1",
1350 		.insns = {
1351 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1352 			BPF_EXIT_INSN(),
1353 		},
1354 		.errstr = "invalid bpf_context access",
1355 		.result = REJECT,
1356 	},
1357 	{
1358 		"access skb fields bad2",
1359 		.insns = {
1360 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1361 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1362 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1363 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1364 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1365 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1366 				     BPF_FUNC_map_lookup_elem),
1367 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1368 			BPF_EXIT_INSN(),
1369 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1370 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1371 				    offsetof(struct __sk_buff, pkt_type)),
1372 			BPF_EXIT_INSN(),
1373 		},
1374 		.fixup_map1 = { 4 },
1375 		.errstr = "different pointers",
1376 		.errstr_unpriv = "R1 pointer comparison",
1377 		.result = REJECT,
1378 	},
1379 	{
1380 		"access skb fields bad3",
1381 		.insns = {
1382 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1383 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1384 				    offsetof(struct __sk_buff, pkt_type)),
1385 			BPF_EXIT_INSN(),
1386 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1387 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1388 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1389 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1390 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1391 				     BPF_FUNC_map_lookup_elem),
1392 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1393 			BPF_EXIT_INSN(),
1394 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1395 			BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1396 		},
1397 		.fixup_map1 = { 6 },
1398 		.errstr = "different pointers",
1399 		.errstr_unpriv = "R1 pointer comparison",
1400 		.result = REJECT,
1401 	},
1402 	{
1403 		"access skb fields bad4",
1404 		.insns = {
1405 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1406 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1407 				    offsetof(struct __sk_buff, len)),
1408 			BPF_MOV64_IMM(BPF_REG_0, 0),
1409 			BPF_EXIT_INSN(),
1410 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1411 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1412 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1413 			BPF_LD_MAP_FD(BPF_REG_1, 0),
1414 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1415 				     BPF_FUNC_map_lookup_elem),
1416 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1417 			BPF_EXIT_INSN(),
1418 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1419 			BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1420 		},
1421 		.fixup_map1 = { 7 },
1422 		.errstr = "different pointers",
1423 		.errstr_unpriv = "R1 pointer comparison",
1424 		.result = REJECT,
1425 	},
1426 	{
1427 		"invalid access __sk_buff family",
1428 		.insns = {
1429 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1430 				    offsetof(struct __sk_buff, family)),
1431 			BPF_EXIT_INSN(),
1432 		},
1433 		.errstr = "invalid bpf_context access",
1434 		.result = REJECT,
1435 	},
1436 	{
1437 		"invalid access __sk_buff remote_ip4",
1438 		.insns = {
1439 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1440 				    offsetof(struct __sk_buff, remote_ip4)),
1441 			BPF_EXIT_INSN(),
1442 		},
1443 		.errstr = "invalid bpf_context access",
1444 		.result = REJECT,
1445 	},
1446 	{
1447 		"invalid access __sk_buff local_ip4",
1448 		.insns = {
1449 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1450 				    offsetof(struct __sk_buff, local_ip4)),
1451 			BPF_EXIT_INSN(),
1452 		},
1453 		.errstr = "invalid bpf_context access",
1454 		.result = REJECT,
1455 	},
1456 	{
1457 		"invalid access __sk_buff remote_ip6",
1458 		.insns = {
1459 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1460 				    offsetof(struct __sk_buff, remote_ip6)),
1461 			BPF_EXIT_INSN(),
1462 		},
1463 		.errstr = "invalid bpf_context access",
1464 		.result = REJECT,
1465 	},
1466 	{
1467 		"invalid access __sk_buff local_ip6",
1468 		.insns = {
1469 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1470 				    offsetof(struct __sk_buff, local_ip6)),
1471 			BPF_EXIT_INSN(),
1472 		},
1473 		.errstr = "invalid bpf_context access",
1474 		.result = REJECT,
1475 	},
1476 	{
1477 		"invalid access __sk_buff remote_port",
1478 		.insns = {
1479 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1480 				    offsetof(struct __sk_buff, remote_port)),
1481 			BPF_EXIT_INSN(),
1482 		},
1483 		.errstr = "invalid bpf_context access",
1484 		.result = REJECT,
1485 	},
1486 	{
1487 		"invalid access __sk_buff remote_port",
1488 		.insns = {
1489 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1490 				    offsetof(struct __sk_buff, local_port)),
1491 			BPF_EXIT_INSN(),
1492 		},
1493 		.errstr = "invalid bpf_context access",
1494 		.result = REJECT,
1495 	},
1496 	{
1497 		"valid access __sk_buff family",
1498 		.insns = {
1499 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1500 				    offsetof(struct __sk_buff, family)),
1501 			BPF_EXIT_INSN(),
1502 		},
1503 		.result = ACCEPT,
1504 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1505 	},
1506 	{
1507 		"valid access __sk_buff remote_ip4",
1508 		.insns = {
1509 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1510 				    offsetof(struct __sk_buff, remote_ip4)),
1511 			BPF_EXIT_INSN(),
1512 		},
1513 		.result = ACCEPT,
1514 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1515 	},
1516 	{
1517 		"valid access __sk_buff local_ip4",
1518 		.insns = {
1519 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1520 				    offsetof(struct __sk_buff, local_ip4)),
1521 			BPF_EXIT_INSN(),
1522 		},
1523 		.result = ACCEPT,
1524 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1525 	},
1526 	{
1527 		"valid access __sk_buff remote_ip6",
1528 		.insns = {
1529 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1530 				    offsetof(struct __sk_buff, remote_ip6[0])),
1531 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1532 				    offsetof(struct __sk_buff, remote_ip6[1])),
1533 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1534 				    offsetof(struct __sk_buff, remote_ip6[2])),
1535 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1536 				    offsetof(struct __sk_buff, remote_ip6[3])),
1537 			BPF_EXIT_INSN(),
1538 		},
1539 		.result = ACCEPT,
1540 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1541 	},
1542 	{
1543 		"valid access __sk_buff local_ip6",
1544 		.insns = {
1545 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1546 				    offsetof(struct __sk_buff, local_ip6[0])),
1547 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1548 				    offsetof(struct __sk_buff, local_ip6[1])),
1549 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1550 				    offsetof(struct __sk_buff, local_ip6[2])),
1551 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1552 				    offsetof(struct __sk_buff, local_ip6[3])),
1553 			BPF_EXIT_INSN(),
1554 		},
1555 		.result = ACCEPT,
1556 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1557 	},
1558 	{
1559 		"valid access __sk_buff remote_port",
1560 		.insns = {
1561 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1562 				    offsetof(struct __sk_buff, remote_port)),
1563 			BPF_EXIT_INSN(),
1564 		},
1565 		.result = ACCEPT,
1566 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1567 	},
1568 	{
1569 		"valid access __sk_buff remote_port",
1570 		.insns = {
1571 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572 				    offsetof(struct __sk_buff, local_port)),
1573 			BPF_EXIT_INSN(),
1574 		},
1575 		.result = ACCEPT,
1576 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1577 	},
1578 	{
1579 		"invalid access of tc_classid for SK_SKB",
1580 		.insns = {
1581 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1582 				    offsetof(struct __sk_buff, tc_classid)),
1583 			BPF_EXIT_INSN(),
1584 		},
1585 		.result = REJECT,
1586 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1587 		.errstr = "invalid bpf_context access",
1588 	},
1589 	{
1590 		"invalid access of skb->mark for SK_SKB",
1591 		.insns = {
1592 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1593 				    offsetof(struct __sk_buff, mark)),
1594 			BPF_EXIT_INSN(),
1595 		},
1596 		.result =  REJECT,
1597 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1598 		.errstr = "invalid bpf_context access",
1599 	},
1600 	{
1601 		"check skb->mark is not writeable by SK_SKB",
1602 		.insns = {
1603 			BPF_MOV64_IMM(BPF_REG_0, 0),
1604 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1605 				    offsetof(struct __sk_buff, mark)),
1606 			BPF_EXIT_INSN(),
1607 		},
1608 		.result =  REJECT,
1609 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1610 		.errstr = "invalid bpf_context access",
1611 	},
1612 	{
1613 		"check skb->tc_index is writeable by SK_SKB",
1614 		.insns = {
1615 			BPF_MOV64_IMM(BPF_REG_0, 0),
1616 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1617 				    offsetof(struct __sk_buff, tc_index)),
1618 			BPF_EXIT_INSN(),
1619 		},
1620 		.result = ACCEPT,
1621 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1622 	},
1623 	{
1624 		"check skb->priority is writeable by SK_SKB",
1625 		.insns = {
1626 			BPF_MOV64_IMM(BPF_REG_0, 0),
1627 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1628 				    offsetof(struct __sk_buff, priority)),
1629 			BPF_EXIT_INSN(),
1630 		},
1631 		.result = ACCEPT,
1632 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1633 	},
1634 	{
1635 		"direct packet read for SK_SKB",
1636 		.insns = {
1637 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1638 				    offsetof(struct __sk_buff, data)),
1639 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1640 				    offsetof(struct __sk_buff, data_end)),
1641 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1642 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1643 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1644 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1645 			BPF_MOV64_IMM(BPF_REG_0, 0),
1646 			BPF_EXIT_INSN(),
1647 		},
1648 		.result = ACCEPT,
1649 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1650 	},
1651 	{
1652 		"direct packet write for SK_SKB",
1653 		.insns = {
1654 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1655 				    offsetof(struct __sk_buff, data)),
1656 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1657 				    offsetof(struct __sk_buff, data_end)),
1658 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1659 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1660 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1661 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1662 			BPF_MOV64_IMM(BPF_REG_0, 0),
1663 			BPF_EXIT_INSN(),
1664 		},
1665 		.result = ACCEPT,
1666 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1667 	},
1668 	{
1669 		"overlapping checks for direct packet access SK_SKB",
1670 		.insns = {
1671 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1672 				    offsetof(struct __sk_buff, data)),
1673 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1674 				    offsetof(struct __sk_buff, data_end)),
1675 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1676 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1677 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1678 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1679 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1680 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1681 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1682 			BPF_MOV64_IMM(BPF_REG_0, 0),
1683 			BPF_EXIT_INSN(),
1684 		},
1685 		.result = ACCEPT,
1686 		.prog_type = BPF_PROG_TYPE_SK_SKB,
1687 	},
1688 	{
1689 		"direct packet read for SK_MSG",
1690 		.insns = {
1691 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1692 				    offsetof(struct sk_msg_md, data)),
1693 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1694 				    offsetof(struct sk_msg_md, data_end)),
1695 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1696 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1697 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1698 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1699 			BPF_MOV64_IMM(BPF_REG_0, 0),
1700 			BPF_EXIT_INSN(),
1701 		},
1702 		.result = ACCEPT,
1703 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1704 	},
1705 	{
1706 		"direct packet write for SK_MSG",
1707 		.insns = {
1708 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1709 				    offsetof(struct sk_msg_md, data)),
1710 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1711 				    offsetof(struct sk_msg_md, data_end)),
1712 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1713 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1714 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1715 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1716 			BPF_MOV64_IMM(BPF_REG_0, 0),
1717 			BPF_EXIT_INSN(),
1718 		},
1719 		.result = ACCEPT,
1720 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1721 	},
1722 	{
1723 		"overlapping checks for direct packet access SK_MSG",
1724 		.insns = {
1725 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1726 				    offsetof(struct sk_msg_md, data)),
1727 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1728 				    offsetof(struct sk_msg_md, data_end)),
1729 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1730 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1731 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1732 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1733 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1734 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1735 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1736 			BPF_MOV64_IMM(BPF_REG_0, 0),
1737 			BPF_EXIT_INSN(),
1738 		},
1739 		.result = ACCEPT,
1740 		.prog_type = BPF_PROG_TYPE_SK_MSG,
1741 	},
1742 	{
1743 		"check skb->mark is not writeable by sockets",
1744 		.insns = {
1745 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1746 				    offsetof(struct __sk_buff, mark)),
1747 			BPF_EXIT_INSN(),
1748 		},
1749 		.errstr = "invalid bpf_context access",
1750 		.errstr_unpriv = "R1 leaks addr",
1751 		.result = REJECT,
1752 	},
1753 	{
1754 		"check skb->tc_index is not writeable by sockets",
1755 		.insns = {
1756 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1757 				    offsetof(struct __sk_buff, tc_index)),
1758 			BPF_EXIT_INSN(),
1759 		},
1760 		.errstr = "invalid bpf_context access",
1761 		.errstr_unpriv = "R1 leaks addr",
1762 		.result = REJECT,
1763 	},
1764 	{
1765 		"check cb access: byte",
1766 		.insns = {
1767 			BPF_MOV64_IMM(BPF_REG_0, 0),
1768 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1769 				    offsetof(struct __sk_buff, cb[0])),
1770 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1771 				    offsetof(struct __sk_buff, cb[0]) + 1),
1772 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1773 				    offsetof(struct __sk_buff, cb[0]) + 2),
1774 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1775 				    offsetof(struct __sk_buff, cb[0]) + 3),
1776 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1777 				    offsetof(struct __sk_buff, cb[1])),
1778 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1779 				    offsetof(struct __sk_buff, cb[1]) + 1),
1780 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1781 				    offsetof(struct __sk_buff, cb[1]) + 2),
1782 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1783 				    offsetof(struct __sk_buff, cb[1]) + 3),
1784 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1785 				    offsetof(struct __sk_buff, cb[2])),
1786 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1787 				    offsetof(struct __sk_buff, cb[2]) + 1),
1788 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1789 				    offsetof(struct __sk_buff, cb[2]) + 2),
1790 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1791 				    offsetof(struct __sk_buff, cb[2]) + 3),
1792 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1793 				    offsetof(struct __sk_buff, cb[3])),
1794 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1795 				    offsetof(struct __sk_buff, cb[3]) + 1),
1796 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1797 				    offsetof(struct __sk_buff, cb[3]) + 2),
1798 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1799 				    offsetof(struct __sk_buff, cb[3]) + 3),
1800 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1801 				    offsetof(struct __sk_buff, cb[4])),
1802 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1803 				    offsetof(struct __sk_buff, cb[4]) + 1),
1804 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1805 				    offsetof(struct __sk_buff, cb[4]) + 2),
1806 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1807 				    offsetof(struct __sk_buff, cb[4]) + 3),
1808 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1809 				    offsetof(struct __sk_buff, cb[0])),
1810 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1811 				    offsetof(struct __sk_buff, cb[0]) + 1),
1812 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1813 				    offsetof(struct __sk_buff, cb[0]) + 2),
1814 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1815 				    offsetof(struct __sk_buff, cb[0]) + 3),
1816 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1817 				    offsetof(struct __sk_buff, cb[1])),
1818 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1819 				    offsetof(struct __sk_buff, cb[1]) + 1),
1820 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1821 				    offsetof(struct __sk_buff, cb[1]) + 2),
1822 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1823 				    offsetof(struct __sk_buff, cb[1]) + 3),
1824 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1825 				    offsetof(struct __sk_buff, cb[2])),
1826 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1827 				    offsetof(struct __sk_buff, cb[2]) + 1),
1828 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1829 				    offsetof(struct __sk_buff, cb[2]) + 2),
1830 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1831 				    offsetof(struct __sk_buff, cb[2]) + 3),
1832 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1833 				    offsetof(struct __sk_buff, cb[3])),
1834 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1835 				    offsetof(struct __sk_buff, cb[3]) + 1),
1836 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1837 				    offsetof(struct __sk_buff, cb[3]) + 2),
1838 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1839 				    offsetof(struct __sk_buff, cb[3]) + 3),
1840 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1841 				    offsetof(struct __sk_buff, cb[4])),
1842 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1843 				    offsetof(struct __sk_buff, cb[4]) + 1),
1844 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1845 				    offsetof(struct __sk_buff, cb[4]) + 2),
1846 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1847 				    offsetof(struct __sk_buff, cb[4]) + 3),
1848 			BPF_EXIT_INSN(),
1849 		},
1850 		.result = ACCEPT,
1851 	},
1852 	{
1853 		"__sk_buff->hash, offset 0, byte store not permitted",
1854 		.insns = {
1855 			BPF_MOV64_IMM(BPF_REG_0, 0),
1856 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1857 				    offsetof(struct __sk_buff, hash)),
1858 			BPF_EXIT_INSN(),
1859 		},
1860 		.errstr = "invalid bpf_context access",
1861 		.result = REJECT,
1862 	},
1863 	{
1864 		"__sk_buff->tc_index, offset 3, byte store not permitted",
1865 		.insns = {
1866 			BPF_MOV64_IMM(BPF_REG_0, 0),
1867 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1868 				    offsetof(struct __sk_buff, tc_index) + 3),
1869 			BPF_EXIT_INSN(),
1870 		},
1871 		.errstr = "invalid bpf_context access",
1872 		.result = REJECT,
1873 	},
1874 	{
1875 		"check skb->hash byte load permitted",
1876 		.insns = {
1877 			BPF_MOV64_IMM(BPF_REG_0, 0),
1878 #if __BYTE_ORDER == __LITTLE_ENDIAN
1879 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1880 				    offsetof(struct __sk_buff, hash)),
1881 #else
1882 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1883 				    offsetof(struct __sk_buff, hash) + 3),
1884 #endif
1885 			BPF_EXIT_INSN(),
1886 		},
1887 		.result = ACCEPT,
1888 	},
1889 	{
1890 		"check skb->hash byte load not permitted 1",
1891 		.insns = {
1892 			BPF_MOV64_IMM(BPF_REG_0, 0),
1893 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1894 				    offsetof(struct __sk_buff, hash) + 1),
1895 			BPF_EXIT_INSN(),
1896 		},
1897 		.errstr = "invalid bpf_context access",
1898 		.result = REJECT,
1899 	},
1900 	{
1901 		"check skb->hash byte load not permitted 2",
1902 		.insns = {
1903 			BPF_MOV64_IMM(BPF_REG_0, 0),
1904 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1905 				    offsetof(struct __sk_buff, hash) + 2),
1906 			BPF_EXIT_INSN(),
1907 		},
1908 		.errstr = "invalid bpf_context access",
1909 		.result = REJECT,
1910 	},
1911 	{
1912 		"check skb->hash byte load not permitted 3",
1913 		.insns = {
1914 			BPF_MOV64_IMM(BPF_REG_0, 0),
1915 #if __BYTE_ORDER == __LITTLE_ENDIAN
1916 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1917 				    offsetof(struct __sk_buff, hash) + 3),
1918 #else
1919 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1920 				    offsetof(struct __sk_buff, hash)),
1921 #endif
1922 			BPF_EXIT_INSN(),
1923 		},
1924 		.errstr = "invalid bpf_context access",
1925 		.result = REJECT,
1926 	},
1927 	{
1928 		"check cb access: byte, wrong type",
1929 		.insns = {
1930 			BPF_MOV64_IMM(BPF_REG_0, 0),
1931 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1932 				    offsetof(struct __sk_buff, cb[0])),
1933 			BPF_EXIT_INSN(),
1934 		},
1935 		.errstr = "invalid bpf_context access",
1936 		.result = REJECT,
1937 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1938 	},
1939 	{
1940 		"check cb access: half",
1941 		.insns = {
1942 			BPF_MOV64_IMM(BPF_REG_0, 0),
1943 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1944 				    offsetof(struct __sk_buff, cb[0])),
1945 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1946 				    offsetof(struct __sk_buff, cb[0]) + 2),
1947 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1948 				    offsetof(struct __sk_buff, cb[1])),
1949 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1950 				    offsetof(struct __sk_buff, cb[1]) + 2),
1951 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1952 				    offsetof(struct __sk_buff, cb[2])),
1953 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1954 				    offsetof(struct __sk_buff, cb[2]) + 2),
1955 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1956 				    offsetof(struct __sk_buff, cb[3])),
1957 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1958 				    offsetof(struct __sk_buff, cb[3]) + 2),
1959 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1960 				    offsetof(struct __sk_buff, cb[4])),
1961 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1962 				    offsetof(struct __sk_buff, cb[4]) + 2),
1963 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1964 				    offsetof(struct __sk_buff, cb[0])),
1965 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1966 				    offsetof(struct __sk_buff, cb[0]) + 2),
1967 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1968 				    offsetof(struct __sk_buff, cb[1])),
1969 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1970 				    offsetof(struct __sk_buff, cb[1]) + 2),
1971 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1972 				    offsetof(struct __sk_buff, cb[2])),
1973 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1974 				    offsetof(struct __sk_buff, cb[2]) + 2),
1975 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1976 				    offsetof(struct __sk_buff, cb[3])),
1977 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1978 				    offsetof(struct __sk_buff, cb[3]) + 2),
1979 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1980 				    offsetof(struct __sk_buff, cb[4])),
1981 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1982 				    offsetof(struct __sk_buff, cb[4]) + 2),
1983 			BPF_EXIT_INSN(),
1984 		},
1985 		.result = ACCEPT,
1986 	},
1987 	{
1988 		"check cb access: half, unaligned",
1989 		.insns = {
1990 			BPF_MOV64_IMM(BPF_REG_0, 0),
1991 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1992 				    offsetof(struct __sk_buff, cb[0]) + 1),
1993 			BPF_EXIT_INSN(),
1994 		},
1995 		.errstr = "misaligned context access",
1996 		.result = REJECT,
1997 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1998 	},
1999 	{
2000 		"check __sk_buff->hash, offset 0, half store not permitted",
2001 		.insns = {
2002 			BPF_MOV64_IMM(BPF_REG_0, 0),
2003 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2004 				    offsetof(struct __sk_buff, hash)),
2005 			BPF_EXIT_INSN(),
2006 		},
2007 		.errstr = "invalid bpf_context access",
2008 		.result = REJECT,
2009 	},
2010 	{
2011 		"check __sk_buff->tc_index, offset 2, half store not permitted",
2012 		.insns = {
2013 			BPF_MOV64_IMM(BPF_REG_0, 0),
2014 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2015 				    offsetof(struct __sk_buff, tc_index) + 2),
2016 			BPF_EXIT_INSN(),
2017 		},
2018 		.errstr = "invalid bpf_context access",
2019 		.result = REJECT,
2020 	},
2021 	{
2022 		"check skb->hash half load permitted",
2023 		.insns = {
2024 			BPF_MOV64_IMM(BPF_REG_0, 0),
2025 #if __BYTE_ORDER == __LITTLE_ENDIAN
2026 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2027 				    offsetof(struct __sk_buff, hash)),
2028 #else
2029 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2030 				    offsetof(struct __sk_buff, hash) + 2),
2031 #endif
2032 			BPF_EXIT_INSN(),
2033 		},
2034 		.result = ACCEPT,
2035 	},
2036 	{
2037 		"check skb->hash half load not permitted",
2038 		.insns = {
2039 			BPF_MOV64_IMM(BPF_REG_0, 0),
2040 #if __BYTE_ORDER == __LITTLE_ENDIAN
2041 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2042 				    offsetof(struct __sk_buff, hash) + 2),
2043 #else
2044 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2045 				    offsetof(struct __sk_buff, hash)),
2046 #endif
2047 			BPF_EXIT_INSN(),
2048 		},
2049 		.errstr = "invalid bpf_context access",
2050 		.result = REJECT,
2051 	},
2052 	{
2053 		"check cb access: half, wrong type",
2054 		.insns = {
2055 			BPF_MOV64_IMM(BPF_REG_0, 0),
2056 			BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2057 				    offsetof(struct __sk_buff, cb[0])),
2058 			BPF_EXIT_INSN(),
2059 		},
2060 		.errstr = "invalid bpf_context access",
2061 		.result = REJECT,
2062 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2063 	},
2064 	{
2065 		"check cb access: word",
2066 		.insns = {
2067 			BPF_MOV64_IMM(BPF_REG_0, 0),
2068 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2069 				    offsetof(struct __sk_buff, cb[0])),
2070 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2071 				    offsetof(struct __sk_buff, cb[1])),
2072 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2073 				    offsetof(struct __sk_buff, cb[2])),
2074 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2075 				    offsetof(struct __sk_buff, cb[3])),
2076 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2077 				    offsetof(struct __sk_buff, cb[4])),
2078 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2079 				    offsetof(struct __sk_buff, cb[0])),
2080 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2081 				    offsetof(struct __sk_buff, cb[1])),
2082 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2083 				    offsetof(struct __sk_buff, cb[2])),
2084 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2085 				    offsetof(struct __sk_buff, cb[3])),
2086 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2087 				    offsetof(struct __sk_buff, cb[4])),
2088 			BPF_EXIT_INSN(),
2089 		},
2090 		.result = ACCEPT,
2091 	},
2092 	{
2093 		"check cb access: word, unaligned 1",
2094 		.insns = {
2095 			BPF_MOV64_IMM(BPF_REG_0, 0),
2096 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2097 				    offsetof(struct __sk_buff, cb[0]) + 2),
2098 			BPF_EXIT_INSN(),
2099 		},
2100 		.errstr = "misaligned context access",
2101 		.result = REJECT,
2102 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2103 	},
2104 	{
2105 		"check cb access: word, unaligned 2",
2106 		.insns = {
2107 			BPF_MOV64_IMM(BPF_REG_0, 0),
2108 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2109 				    offsetof(struct __sk_buff, cb[4]) + 1),
2110 			BPF_EXIT_INSN(),
2111 		},
2112 		.errstr = "misaligned context access",
2113 		.result = REJECT,
2114 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2115 	},
2116 	{
2117 		"check cb access: word, unaligned 3",
2118 		.insns = {
2119 			BPF_MOV64_IMM(BPF_REG_0, 0),
2120 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2121 				    offsetof(struct __sk_buff, cb[4]) + 2),
2122 			BPF_EXIT_INSN(),
2123 		},
2124 		.errstr = "misaligned context access",
2125 		.result = REJECT,
2126 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2127 	},
2128 	{
2129 		"check cb access: word, unaligned 4",
2130 		.insns = {
2131 			BPF_MOV64_IMM(BPF_REG_0, 0),
2132 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2133 				    offsetof(struct __sk_buff, cb[4]) + 3),
2134 			BPF_EXIT_INSN(),
2135 		},
2136 		.errstr = "misaligned context access",
2137 		.result = REJECT,
2138 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2139 	},
2140 	{
2141 		"check cb access: double",
2142 		.insns = {
2143 			BPF_MOV64_IMM(BPF_REG_0, 0),
2144 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2145 				    offsetof(struct __sk_buff, cb[0])),
2146 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2147 				    offsetof(struct __sk_buff, cb[2])),
2148 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2149 				    offsetof(struct __sk_buff, cb[0])),
2150 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2151 				    offsetof(struct __sk_buff, cb[2])),
2152 			BPF_EXIT_INSN(),
2153 		},
2154 		.result = ACCEPT,
2155 	},
2156 	{
2157 		"check cb access: double, unaligned 1",
2158 		.insns = {
2159 			BPF_MOV64_IMM(BPF_REG_0, 0),
2160 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2161 				    offsetof(struct __sk_buff, cb[1])),
2162 			BPF_EXIT_INSN(),
2163 		},
2164 		.errstr = "misaligned context access",
2165 		.result = REJECT,
2166 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2167 	},
2168 	{
2169 		"check cb access: double, unaligned 2",
2170 		.insns = {
2171 			BPF_MOV64_IMM(BPF_REG_0, 0),
2172 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2173 				    offsetof(struct __sk_buff, cb[3])),
2174 			BPF_EXIT_INSN(),
2175 		},
2176 		.errstr = "misaligned context access",
2177 		.result = REJECT,
2178 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2179 	},
2180 	{
2181 		"check cb access: double, oob 1",
2182 		.insns = {
2183 			BPF_MOV64_IMM(BPF_REG_0, 0),
2184 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2185 				    offsetof(struct __sk_buff, cb[4])),
2186 			BPF_EXIT_INSN(),
2187 		},
2188 		.errstr = "invalid bpf_context access",
2189 		.result = REJECT,
2190 	},
2191 	{
2192 		"check cb access: double, oob 2",
2193 		.insns = {
2194 			BPF_MOV64_IMM(BPF_REG_0, 0),
2195 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2196 				    offsetof(struct __sk_buff, cb[4])),
2197 			BPF_EXIT_INSN(),
2198 		},
2199 		.errstr = "invalid bpf_context access",
2200 		.result = REJECT,
2201 	},
2202 	{
2203 		"check __sk_buff->ifindex dw store not permitted",
2204 		.insns = {
2205 			BPF_MOV64_IMM(BPF_REG_0, 0),
2206 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2207 				    offsetof(struct __sk_buff, ifindex)),
2208 			BPF_EXIT_INSN(),
2209 		},
2210 		.errstr = "invalid bpf_context access",
2211 		.result = REJECT,
2212 	},
2213 	{
2214 		"check __sk_buff->ifindex dw load not permitted",
2215 		.insns = {
2216 			BPF_MOV64_IMM(BPF_REG_0, 0),
2217 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2218 				    offsetof(struct __sk_buff, ifindex)),
2219 			BPF_EXIT_INSN(),
2220 		},
2221 		.errstr = "invalid bpf_context access",
2222 		.result = REJECT,
2223 	},
2224 	{
2225 		"check cb access: double, wrong type",
2226 		.insns = {
2227 			BPF_MOV64_IMM(BPF_REG_0, 0),
2228 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2229 				    offsetof(struct __sk_buff, cb[0])),
2230 			BPF_EXIT_INSN(),
2231 		},
2232 		.errstr = "invalid bpf_context access",
2233 		.result = REJECT,
2234 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2235 	},
2236 	{
2237 		"check out of range skb->cb access",
2238 		.insns = {
2239 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2240 				    offsetof(struct __sk_buff, cb[0]) + 256),
2241 			BPF_EXIT_INSN(),
2242 		},
2243 		.errstr = "invalid bpf_context access",
2244 		.errstr_unpriv = "",
2245 		.result = REJECT,
2246 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
2247 	},
2248 	{
2249 		"write skb fields from socket prog",
2250 		.insns = {
2251 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2252 				    offsetof(struct __sk_buff, cb[4])),
2253 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2254 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2255 				    offsetof(struct __sk_buff, mark)),
2256 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2257 				    offsetof(struct __sk_buff, tc_index)),
2258 			BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2259 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2260 				    offsetof(struct __sk_buff, cb[0])),
2261 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2262 				    offsetof(struct __sk_buff, cb[2])),
2263 			BPF_EXIT_INSN(),
2264 		},
2265 		.result = ACCEPT,
2266 		.errstr_unpriv = "R1 leaks addr",
2267 		.result_unpriv = REJECT,
2268 	},
2269 	{
2270 		"write skb fields from tc_cls_act prog",
2271 		.insns = {
2272 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2273 				    offsetof(struct __sk_buff, cb[0])),
2274 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2275 				    offsetof(struct __sk_buff, mark)),
2276 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2277 				    offsetof(struct __sk_buff, tc_index)),
2278 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2279 				    offsetof(struct __sk_buff, tc_index)),
2280 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2281 				    offsetof(struct __sk_buff, cb[3])),
2282 			BPF_EXIT_INSN(),
2283 		},
2284 		.errstr_unpriv = "",
2285 		.result_unpriv = REJECT,
2286 		.result = ACCEPT,
2287 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2288 	},
2289 	{
2290 		"PTR_TO_STACK store/load",
2291 		.insns = {
2292 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2293 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2294 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2295 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2296 			BPF_EXIT_INSN(),
2297 		},
2298 		.result = ACCEPT,
2299 		.retval = 0xfaceb00c,
2300 	},
2301 	{
2302 		"PTR_TO_STACK store/load - bad alignment on off",
2303 		.insns = {
2304 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2305 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2306 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2307 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2308 			BPF_EXIT_INSN(),
2309 		},
2310 		.result = REJECT,
2311 		.errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2312 	},
2313 	{
2314 		"PTR_TO_STACK store/load - bad alignment on reg",
2315 		.insns = {
2316 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2317 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2318 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2319 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2320 			BPF_EXIT_INSN(),
2321 		},
2322 		.result = REJECT,
2323 		.errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2324 	},
2325 	{
2326 		"PTR_TO_STACK store/load - out of bounds low",
2327 		.insns = {
2328 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2329 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2330 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2331 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2332 			BPF_EXIT_INSN(),
2333 		},
2334 		.result = REJECT,
2335 		.errstr = "invalid stack off=-79992 size=8",
2336 	},
2337 	{
2338 		"PTR_TO_STACK store/load - out of bounds high",
2339 		.insns = {
2340 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2341 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2342 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2343 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2344 			BPF_EXIT_INSN(),
2345 		},
2346 		.result = REJECT,
2347 		.errstr = "invalid stack off=0 size=8",
2348 	},
2349 	{
2350 		"unpriv: return pointer",
2351 		.insns = {
2352 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2353 			BPF_EXIT_INSN(),
2354 		},
2355 		.result = ACCEPT,
2356 		.result_unpriv = REJECT,
2357 		.errstr_unpriv = "R0 leaks addr",
2358 		.retval = POINTER_VALUE,
2359 	},
2360 	{
2361 		"unpriv: add const to pointer",
2362 		.insns = {
2363 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2364 			BPF_MOV64_IMM(BPF_REG_0, 0),
2365 			BPF_EXIT_INSN(),
2366 		},
2367 		.result = ACCEPT,
2368 	},
2369 	{
2370 		"unpriv: add pointer to pointer",
2371 		.insns = {
2372 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2373 			BPF_MOV64_IMM(BPF_REG_0, 0),
2374 			BPF_EXIT_INSN(),
2375 		},
2376 		.result = REJECT,
2377 		.errstr = "R1 pointer += pointer",
2378 	},
2379 	{
2380 		"unpriv: neg pointer",
2381 		.insns = {
2382 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2383 			BPF_MOV64_IMM(BPF_REG_0, 0),
2384 			BPF_EXIT_INSN(),
2385 		},
2386 		.result = ACCEPT,
2387 		.result_unpriv = REJECT,
2388 		.errstr_unpriv = "R1 pointer arithmetic",
2389 	},
2390 	{
2391 		"unpriv: cmp pointer with const",
2392 		.insns = {
2393 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2394 			BPF_MOV64_IMM(BPF_REG_0, 0),
2395 			BPF_EXIT_INSN(),
2396 		},
2397 		.result = ACCEPT,
2398 		.result_unpriv = REJECT,
2399 		.errstr_unpriv = "R1 pointer comparison",
2400 	},
2401 	{
2402 		"unpriv: cmp pointer with pointer",
2403 		.insns = {
2404 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2405 			BPF_MOV64_IMM(BPF_REG_0, 0),
2406 			BPF_EXIT_INSN(),
2407 		},
2408 		.result = ACCEPT,
2409 		.result_unpriv = REJECT,
2410 		.errstr_unpriv = "R10 pointer comparison",
2411 	},
2412 	{
2413 		"unpriv: check that printk is disallowed",
2414 		.insns = {
2415 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2416 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2417 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2418 			BPF_MOV64_IMM(BPF_REG_2, 8),
2419 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2420 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2421 				     BPF_FUNC_trace_printk),
2422 			BPF_MOV64_IMM(BPF_REG_0, 0),
2423 			BPF_EXIT_INSN(),
2424 		},
2425 		.errstr_unpriv = "unknown func bpf_trace_printk#6",
2426 		.result_unpriv = REJECT,
2427 		.result = ACCEPT,
2428 	},
2429 	{
2430 		"unpriv: pass pointer to helper function",
2431 		.insns = {
2432 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2433 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2434 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2435 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2436 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2437 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2438 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2439 				     BPF_FUNC_map_update_elem),
2440 			BPF_MOV64_IMM(BPF_REG_0, 0),
2441 			BPF_EXIT_INSN(),
2442 		},
2443 		.fixup_map1 = { 3 },
2444 		.errstr_unpriv = "R4 leaks addr",
2445 		.result_unpriv = REJECT,
2446 		.result = ACCEPT,
2447 	},
2448 	{
2449 		"unpriv: indirectly pass pointer on stack to helper function",
2450 		.insns = {
2451 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2452 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2453 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2454 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2455 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2456 				     BPF_FUNC_map_lookup_elem),
2457 			BPF_MOV64_IMM(BPF_REG_0, 0),
2458 			BPF_EXIT_INSN(),
2459 		},
2460 		.fixup_map1 = { 3 },
2461 		.errstr = "invalid indirect read from stack off -8+0 size 8",
2462 		.result = REJECT,
2463 	},
2464 	{
2465 		"unpriv: mangle pointer on stack 1",
2466 		.insns = {
2467 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2468 			BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2469 			BPF_MOV64_IMM(BPF_REG_0, 0),
2470 			BPF_EXIT_INSN(),
2471 		},
2472 		.errstr_unpriv = "attempt to corrupt spilled",
2473 		.result_unpriv = REJECT,
2474 		.result = ACCEPT,
2475 	},
2476 	{
2477 		"unpriv: mangle pointer on stack 2",
2478 		.insns = {
2479 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2480 			BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2481 			BPF_MOV64_IMM(BPF_REG_0, 0),
2482 			BPF_EXIT_INSN(),
2483 		},
2484 		.errstr_unpriv = "attempt to corrupt spilled",
2485 		.result_unpriv = REJECT,
2486 		.result = ACCEPT,
2487 	},
2488 	{
2489 		"unpriv: read pointer from stack in small chunks",
2490 		.insns = {
2491 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2492 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2493 			BPF_MOV64_IMM(BPF_REG_0, 0),
2494 			BPF_EXIT_INSN(),
2495 		},
2496 		.errstr = "invalid size",
2497 		.result = REJECT,
2498 	},
2499 	{
2500 		"unpriv: write pointer into ctx",
2501 		.insns = {
2502 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2503 			BPF_MOV64_IMM(BPF_REG_0, 0),
2504 			BPF_EXIT_INSN(),
2505 		},
2506 		.errstr_unpriv = "R1 leaks addr",
2507 		.result_unpriv = REJECT,
2508 		.errstr = "invalid bpf_context access",
2509 		.result = REJECT,
2510 	},
2511 	{
2512 		"unpriv: spill/fill of ctx",
2513 		.insns = {
2514 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2515 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2516 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2517 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2518 			BPF_MOV64_IMM(BPF_REG_0, 0),
2519 			BPF_EXIT_INSN(),
2520 		},
2521 		.result = ACCEPT,
2522 	},
2523 	{
2524 		"unpriv: spill/fill of ctx 2",
2525 		.insns = {
2526 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2527 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2528 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2529 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2530 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2531 				     BPF_FUNC_get_hash_recalc),
2532 			BPF_MOV64_IMM(BPF_REG_0, 0),
2533 			BPF_EXIT_INSN(),
2534 		},
2535 		.result = ACCEPT,
2536 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2537 	},
2538 	{
2539 		"unpriv: spill/fill of ctx 3",
2540 		.insns = {
2541 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2542 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2543 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2544 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2545 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2546 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2547 				     BPF_FUNC_get_hash_recalc),
2548 			BPF_EXIT_INSN(),
2549 		},
2550 		.result = REJECT,
2551 		.errstr = "R1 type=fp expected=ctx",
2552 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2553 	},
2554 	{
2555 		"unpriv: spill/fill of ctx 4",
2556 		.insns = {
2557 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2558 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2559 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2560 			BPF_MOV64_IMM(BPF_REG_0, 1),
2561 			BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2562 				     BPF_REG_0, -8, 0),
2563 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2564 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2565 				     BPF_FUNC_get_hash_recalc),
2566 			BPF_EXIT_INSN(),
2567 		},
2568 		.result = REJECT,
2569 		.errstr = "R1 type=inv expected=ctx",
2570 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2571 	},
2572 	{
2573 		"unpriv: spill/fill of different pointers stx",
2574 		.insns = {
2575 			BPF_MOV64_IMM(BPF_REG_3, 42),
2576 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2577 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2578 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2579 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2580 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2581 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2582 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2583 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2584 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2585 			BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2586 				    offsetof(struct __sk_buff, mark)),
2587 			BPF_MOV64_IMM(BPF_REG_0, 0),
2588 			BPF_EXIT_INSN(),
2589 		},
2590 		.result = REJECT,
2591 		.errstr = "same insn cannot be used with different pointers",
2592 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2593 	},
2594 	{
2595 		"unpriv: spill/fill of different pointers ldx",
2596 		.insns = {
2597 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2598 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2599 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2600 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2601 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2602 				      -(__s32)offsetof(struct bpf_perf_event_data,
2603 						       sample_period) - 8),
2604 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2605 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2606 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2607 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2608 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2609 				    offsetof(struct bpf_perf_event_data,
2610 					     sample_period)),
2611 			BPF_MOV64_IMM(BPF_REG_0, 0),
2612 			BPF_EXIT_INSN(),
2613 		},
2614 		.result = REJECT,
2615 		.errstr = "same insn cannot be used with different pointers",
2616 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
2617 	},
2618 	{
2619 		"unpriv: write pointer into map elem value",
2620 		.insns = {
2621 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2622 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2623 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2624 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2625 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2626 				     BPF_FUNC_map_lookup_elem),
2627 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2628 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2629 			BPF_EXIT_INSN(),
2630 		},
2631 		.fixup_map1 = { 3 },
2632 		.errstr_unpriv = "R0 leaks addr",
2633 		.result_unpriv = REJECT,
2634 		.result = ACCEPT,
2635 	},
2636 	{
2637 		"unpriv: partial copy of pointer",
2638 		.insns = {
2639 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2640 			BPF_MOV64_IMM(BPF_REG_0, 0),
2641 			BPF_EXIT_INSN(),
2642 		},
2643 		.errstr_unpriv = "R10 partial copy",
2644 		.result_unpriv = REJECT,
2645 		.result = ACCEPT,
2646 	},
2647 	{
2648 		"unpriv: pass pointer to tail_call",
2649 		.insns = {
2650 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2651 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2652 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2653 				     BPF_FUNC_tail_call),
2654 			BPF_MOV64_IMM(BPF_REG_0, 0),
2655 			BPF_EXIT_INSN(),
2656 		},
2657 		.fixup_prog = { 1 },
2658 		.errstr_unpriv = "R3 leaks addr into helper",
2659 		.result_unpriv = REJECT,
2660 		.result = ACCEPT,
2661 	},
2662 	{
2663 		"unpriv: cmp map pointer with zero",
2664 		.insns = {
2665 			BPF_MOV64_IMM(BPF_REG_1, 0),
2666 			BPF_LD_MAP_FD(BPF_REG_1, 0),
2667 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2668 			BPF_MOV64_IMM(BPF_REG_0, 0),
2669 			BPF_EXIT_INSN(),
2670 		},
2671 		.fixup_map1 = { 1 },
2672 		.errstr_unpriv = "R1 pointer comparison",
2673 		.result_unpriv = REJECT,
2674 		.result = ACCEPT,
2675 	},
2676 	{
2677 		"unpriv: write into frame pointer",
2678 		.insns = {
2679 			BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2680 			BPF_MOV64_IMM(BPF_REG_0, 0),
2681 			BPF_EXIT_INSN(),
2682 		},
2683 		.errstr = "frame pointer is read only",
2684 		.result = REJECT,
2685 	},
2686 	{
2687 		"unpriv: spill/fill frame pointer",
2688 		.insns = {
2689 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2690 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2691 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2692 			BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2693 			BPF_MOV64_IMM(BPF_REG_0, 0),
2694 			BPF_EXIT_INSN(),
2695 		},
2696 		.errstr = "frame pointer is read only",
2697 		.result = REJECT,
2698 	},
2699 	{
2700 		"unpriv: cmp of frame pointer",
2701 		.insns = {
2702 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2703 			BPF_MOV64_IMM(BPF_REG_0, 0),
2704 			BPF_EXIT_INSN(),
2705 		},
2706 		.errstr_unpriv = "R10 pointer comparison",
2707 		.result_unpriv = REJECT,
2708 		.result = ACCEPT,
2709 	},
2710 	{
2711 		"unpriv: adding of fp",
2712 		.insns = {
2713 			BPF_MOV64_IMM(BPF_REG_0, 0),
2714 			BPF_MOV64_IMM(BPF_REG_1, 0),
2715 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2716 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2717 			BPF_EXIT_INSN(),
2718 		},
2719 		.result = ACCEPT,
2720 	},
2721 	{
2722 		"unpriv: cmp of stack pointer",
2723 		.insns = {
2724 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2725 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2726 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2727 			BPF_MOV64_IMM(BPF_REG_0, 0),
2728 			BPF_EXIT_INSN(),
2729 		},
2730 		.errstr_unpriv = "R2 pointer comparison",
2731 		.result_unpriv = REJECT,
2732 		.result = ACCEPT,
2733 	},
2734 	{
2735 		"runtime/jit: tail_call within bounds, prog once",
2736 		.insns = {
2737 			BPF_MOV64_IMM(BPF_REG_3, 0),
2738 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2739 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2740 				     BPF_FUNC_tail_call),
2741 			BPF_MOV64_IMM(BPF_REG_0, 1),
2742 			BPF_EXIT_INSN(),
2743 		},
2744 		.fixup_prog = { 1 },
2745 		.result = ACCEPT,
2746 		.retval = 42,
2747 	},
2748 	{
2749 		"runtime/jit: tail_call within bounds, prog loop",
2750 		.insns = {
2751 			BPF_MOV64_IMM(BPF_REG_3, 1),
2752 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2753 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2754 				     BPF_FUNC_tail_call),
2755 			BPF_MOV64_IMM(BPF_REG_0, 1),
2756 			BPF_EXIT_INSN(),
2757 		},
2758 		.fixup_prog = { 1 },
2759 		.result = ACCEPT,
2760 		.retval = 41,
2761 	},
2762 	{
2763 		"runtime/jit: tail_call within bounds, no prog",
2764 		.insns = {
2765 			BPF_MOV64_IMM(BPF_REG_3, 2),
2766 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2767 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2768 				     BPF_FUNC_tail_call),
2769 			BPF_MOV64_IMM(BPF_REG_0, 1),
2770 			BPF_EXIT_INSN(),
2771 		},
2772 		.fixup_prog = { 1 },
2773 		.result = ACCEPT,
2774 		.retval = 1,
2775 	},
2776 	{
2777 		"runtime/jit: tail_call out of bounds",
2778 		.insns = {
2779 			BPF_MOV64_IMM(BPF_REG_3, 256),
2780 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2781 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2782 				     BPF_FUNC_tail_call),
2783 			BPF_MOV64_IMM(BPF_REG_0, 2),
2784 			BPF_EXIT_INSN(),
2785 		},
2786 		.fixup_prog = { 1 },
2787 		.result = ACCEPT,
2788 		.retval = 2,
2789 	},
2790 	{
2791 		"runtime/jit: pass negative index to tail_call",
2792 		.insns = {
2793 			BPF_MOV64_IMM(BPF_REG_3, -1),
2794 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2795 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2796 				     BPF_FUNC_tail_call),
2797 			BPF_MOV64_IMM(BPF_REG_0, 2),
2798 			BPF_EXIT_INSN(),
2799 		},
2800 		.fixup_prog = { 1 },
2801 		.result = ACCEPT,
2802 		.retval = 2,
2803 	},
2804 	{
2805 		"runtime/jit: pass > 32bit index to tail_call",
2806 		.insns = {
2807 			BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2808 			BPF_LD_MAP_FD(BPF_REG_2, 0),
2809 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2810 				     BPF_FUNC_tail_call),
2811 			BPF_MOV64_IMM(BPF_REG_0, 2),
2812 			BPF_EXIT_INSN(),
2813 		},
2814 		.fixup_prog = { 2 },
2815 		.result = ACCEPT,
2816 		.retval = 42,
2817 	},
2818 	{
2819 		"stack pointer arithmetic",
2820 		.insns = {
2821 			BPF_MOV64_IMM(BPF_REG_1, 4),
2822 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2823 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2824 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2825 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2826 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2827 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2828 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2829 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2830 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2831 			BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2832 			BPF_MOV64_IMM(BPF_REG_0, 0),
2833 			BPF_EXIT_INSN(),
2834 		},
2835 		.result = ACCEPT,
2836 	},
2837 	{
2838 		"raw_stack: no skb_load_bytes",
2839 		.insns = {
2840 			BPF_MOV64_IMM(BPF_REG_2, 4),
2841 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2842 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2843 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2844 			BPF_MOV64_IMM(BPF_REG_4, 8),
2845 			/* Call to skb_load_bytes() omitted. */
2846 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2847 			BPF_EXIT_INSN(),
2848 		},
2849 		.result = REJECT,
2850 		.errstr = "invalid read from stack off -8+0 size 8",
2851 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2852 	},
2853 	{
2854 		"raw_stack: skb_load_bytes, negative len",
2855 		.insns = {
2856 			BPF_MOV64_IMM(BPF_REG_2, 4),
2857 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2858 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2859 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2860 			BPF_MOV64_IMM(BPF_REG_4, -8),
2861 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2862 				     BPF_FUNC_skb_load_bytes),
2863 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2864 			BPF_EXIT_INSN(),
2865 		},
2866 		.result = REJECT,
2867 		.errstr = "R4 min value is negative",
2868 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2869 	},
2870 	{
2871 		"raw_stack: skb_load_bytes, negative len 2",
2872 		.insns = {
2873 			BPF_MOV64_IMM(BPF_REG_2, 4),
2874 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2875 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2876 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2877 			BPF_MOV64_IMM(BPF_REG_4, ~0),
2878 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2879 				     BPF_FUNC_skb_load_bytes),
2880 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2881 			BPF_EXIT_INSN(),
2882 		},
2883 		.result = REJECT,
2884 		.errstr = "R4 min value is negative",
2885 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2886 	},
2887 	{
2888 		"raw_stack: skb_load_bytes, zero len",
2889 		.insns = {
2890 			BPF_MOV64_IMM(BPF_REG_2, 4),
2891 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2892 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2893 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2894 			BPF_MOV64_IMM(BPF_REG_4, 0),
2895 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2896 				     BPF_FUNC_skb_load_bytes),
2897 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2898 			BPF_EXIT_INSN(),
2899 		},
2900 		.result = REJECT,
2901 		.errstr = "invalid stack type R3",
2902 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2903 	},
2904 	{
2905 		"raw_stack: skb_load_bytes, no init",
2906 		.insns = {
2907 			BPF_MOV64_IMM(BPF_REG_2, 4),
2908 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2909 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2910 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2911 			BPF_MOV64_IMM(BPF_REG_4, 8),
2912 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2913 				     BPF_FUNC_skb_load_bytes),
2914 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2915 			BPF_EXIT_INSN(),
2916 		},
2917 		.result = ACCEPT,
2918 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2919 	},
2920 	{
2921 		"raw_stack: skb_load_bytes, init",
2922 		.insns = {
2923 			BPF_MOV64_IMM(BPF_REG_2, 4),
2924 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2925 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2926 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2927 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2928 			BPF_MOV64_IMM(BPF_REG_4, 8),
2929 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2930 				     BPF_FUNC_skb_load_bytes),
2931 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2932 			BPF_EXIT_INSN(),
2933 		},
2934 		.result = ACCEPT,
2935 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2936 	},
2937 	{
2938 		"raw_stack: skb_load_bytes, spilled regs around bounds",
2939 		.insns = {
2940 			BPF_MOV64_IMM(BPF_REG_2, 4),
2941 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2942 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2943 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2944 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2945 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2946 			BPF_MOV64_IMM(BPF_REG_4, 8),
2947 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2948 				     BPF_FUNC_skb_load_bytes),
2949 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2950 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2951 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2952 				    offsetof(struct __sk_buff, mark)),
2953 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2954 				    offsetof(struct __sk_buff, priority)),
2955 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2956 			BPF_EXIT_INSN(),
2957 		},
2958 		.result = ACCEPT,
2959 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2960 	},
2961 	{
2962 		"raw_stack: skb_load_bytes, spilled regs corruption",
2963 		.insns = {
2964 			BPF_MOV64_IMM(BPF_REG_2, 4),
2965 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2966 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2967 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2968 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2969 			BPF_MOV64_IMM(BPF_REG_4, 8),
2970 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2971 				     BPF_FUNC_skb_load_bytes),
2972 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2973 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2974 				    offsetof(struct __sk_buff, mark)),
2975 			BPF_EXIT_INSN(),
2976 		},
2977 		.result = REJECT,
2978 		.errstr = "R0 invalid mem access 'inv'",
2979 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
2980 	},
2981 	{
2982 		"raw_stack: skb_load_bytes, spilled regs corruption 2",
2983 		.insns = {
2984 			BPF_MOV64_IMM(BPF_REG_2, 4),
2985 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2986 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2987 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2988 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
2989 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2990 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2991 			BPF_MOV64_IMM(BPF_REG_4, 8),
2992 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2993 				     BPF_FUNC_skb_load_bytes),
2994 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2995 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2996 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
2997 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2998 				    offsetof(struct __sk_buff, mark)),
2999 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3000 				    offsetof(struct __sk_buff, priority)),
3001 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3002 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3003 				    offsetof(struct __sk_buff, pkt_type)),
3004 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3005 			BPF_EXIT_INSN(),
3006 		},
3007 		.result = REJECT,
3008 		.errstr = "R3 invalid mem access 'inv'",
3009 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3010 	},
3011 	{
3012 		"raw_stack: skb_load_bytes, spilled regs + data",
3013 		.insns = {
3014 			BPF_MOV64_IMM(BPF_REG_2, 4),
3015 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3016 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3017 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3018 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
3019 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3020 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3021 			BPF_MOV64_IMM(BPF_REG_4, 8),
3022 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3023 				     BPF_FUNC_skb_load_bytes),
3024 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3025 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3026 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
3027 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3028 				    offsetof(struct __sk_buff, mark)),
3029 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3030 				    offsetof(struct __sk_buff, priority)),
3031 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3032 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3033 			BPF_EXIT_INSN(),
3034 		},
3035 		.result = ACCEPT,
3036 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3037 	},
3038 	{
3039 		"raw_stack: skb_load_bytes, invalid access 1",
3040 		.insns = {
3041 			BPF_MOV64_IMM(BPF_REG_2, 4),
3042 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3043 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3044 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3045 			BPF_MOV64_IMM(BPF_REG_4, 8),
3046 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3047 				     BPF_FUNC_skb_load_bytes),
3048 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3049 			BPF_EXIT_INSN(),
3050 		},
3051 		.result = REJECT,
3052 		.errstr = "invalid stack type R3 off=-513 access_size=8",
3053 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3054 	},
3055 	{
3056 		"raw_stack: skb_load_bytes, invalid access 2",
3057 		.insns = {
3058 			BPF_MOV64_IMM(BPF_REG_2, 4),
3059 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3060 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3061 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3062 			BPF_MOV64_IMM(BPF_REG_4, 8),
3063 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3064 				     BPF_FUNC_skb_load_bytes),
3065 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3066 			BPF_EXIT_INSN(),
3067 		},
3068 		.result = REJECT,
3069 		.errstr = "invalid stack type R3 off=-1 access_size=8",
3070 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3071 	},
3072 	{
3073 		"raw_stack: skb_load_bytes, invalid access 3",
3074 		.insns = {
3075 			BPF_MOV64_IMM(BPF_REG_2, 4),
3076 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3077 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3078 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3079 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3080 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3081 				     BPF_FUNC_skb_load_bytes),
3082 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3083 			BPF_EXIT_INSN(),
3084 		},
3085 		.result = REJECT,
3086 		.errstr = "R4 min value is negative",
3087 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3088 	},
3089 	{
3090 		"raw_stack: skb_load_bytes, invalid access 4",
3091 		.insns = {
3092 			BPF_MOV64_IMM(BPF_REG_2, 4),
3093 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3094 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3095 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3096 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3097 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3098 				     BPF_FUNC_skb_load_bytes),
3099 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3100 			BPF_EXIT_INSN(),
3101 		},
3102 		.result = REJECT,
3103 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3104 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3105 	},
3106 	{
3107 		"raw_stack: skb_load_bytes, invalid access 5",
3108 		.insns = {
3109 			BPF_MOV64_IMM(BPF_REG_2, 4),
3110 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3111 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3112 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3113 			BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3114 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3115 				     BPF_FUNC_skb_load_bytes),
3116 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3117 			BPF_EXIT_INSN(),
3118 		},
3119 		.result = REJECT,
3120 		.errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3121 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3122 	},
3123 	{
3124 		"raw_stack: skb_load_bytes, invalid access 6",
3125 		.insns = {
3126 			BPF_MOV64_IMM(BPF_REG_2, 4),
3127 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3128 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3129 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3130 			BPF_MOV64_IMM(BPF_REG_4, 0),
3131 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3132 				     BPF_FUNC_skb_load_bytes),
3133 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3134 			BPF_EXIT_INSN(),
3135 		},
3136 		.result = REJECT,
3137 		.errstr = "invalid stack type R3 off=-512 access_size=0",
3138 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3139 	},
3140 	{
3141 		"raw_stack: skb_load_bytes, large access",
3142 		.insns = {
3143 			BPF_MOV64_IMM(BPF_REG_2, 4),
3144 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3145 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3146 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3147 			BPF_MOV64_IMM(BPF_REG_4, 512),
3148 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3149 				     BPF_FUNC_skb_load_bytes),
3150 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3151 			BPF_EXIT_INSN(),
3152 		},
3153 		.result = ACCEPT,
3154 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3155 	},
3156 	{
3157 		"context stores via ST",
3158 		.insns = {
3159 			BPF_MOV64_IMM(BPF_REG_0, 0),
3160 			BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3161 			BPF_EXIT_INSN(),
3162 		},
3163 		.errstr = "BPF_ST stores into R1 context is not allowed",
3164 		.result = REJECT,
3165 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3166 	},
3167 	{
3168 		"context stores via XADD",
3169 		.insns = {
3170 			BPF_MOV64_IMM(BPF_REG_0, 0),
3171 			BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3172 				     BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3173 			BPF_EXIT_INSN(),
3174 		},
3175 		.errstr = "BPF_XADD stores into R1 context is not allowed",
3176 		.result = REJECT,
3177 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3178 	},
3179 	{
3180 		"direct packet access: test1",
3181 		.insns = {
3182 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3183 				    offsetof(struct __sk_buff, data)),
3184 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3185 				    offsetof(struct __sk_buff, data_end)),
3186 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3187 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3188 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3189 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3190 			BPF_MOV64_IMM(BPF_REG_0, 0),
3191 			BPF_EXIT_INSN(),
3192 		},
3193 		.result = ACCEPT,
3194 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3195 	},
3196 	{
3197 		"direct packet access: test2",
3198 		.insns = {
3199 			BPF_MOV64_IMM(BPF_REG_0, 1),
3200 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3201 				    offsetof(struct __sk_buff, data_end)),
3202 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3203 				    offsetof(struct __sk_buff, data)),
3204 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3205 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3206 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3207 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3208 			BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3209 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3210 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3211 				    offsetof(struct __sk_buff, data)),
3212 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3213 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3214 				    offsetof(struct __sk_buff, len)),
3215 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3216 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3217 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3218 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3219 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3220 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3221 				    offsetof(struct __sk_buff, data_end)),
3222 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3223 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3224 			BPF_MOV64_IMM(BPF_REG_0, 0),
3225 			BPF_EXIT_INSN(),
3226 		},
3227 		.result = ACCEPT,
3228 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3229 	},
3230 	{
3231 		"direct packet access: test3",
3232 		.insns = {
3233 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3234 				    offsetof(struct __sk_buff, data)),
3235 			BPF_MOV64_IMM(BPF_REG_0, 0),
3236 			BPF_EXIT_INSN(),
3237 		},
3238 		.errstr = "invalid bpf_context access off=76",
3239 		.result = REJECT,
3240 		.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3241 	},
3242 	{
3243 		"direct packet access: test4 (write)",
3244 		.insns = {
3245 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3246 				    offsetof(struct __sk_buff, data)),
3247 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3248 				    offsetof(struct __sk_buff, data_end)),
3249 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3250 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3251 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3252 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3253 			BPF_MOV64_IMM(BPF_REG_0, 0),
3254 			BPF_EXIT_INSN(),
3255 		},
3256 		.result = ACCEPT,
3257 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3258 	},
3259 	{
3260 		"direct packet access: test5 (pkt_end >= reg, good access)",
3261 		.insns = {
3262 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3263 				    offsetof(struct __sk_buff, data)),
3264 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3265 				    offsetof(struct __sk_buff, data_end)),
3266 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3267 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3268 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3269 			BPF_MOV64_IMM(BPF_REG_0, 1),
3270 			BPF_EXIT_INSN(),
3271 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3272 			BPF_MOV64_IMM(BPF_REG_0, 0),
3273 			BPF_EXIT_INSN(),
3274 		},
3275 		.result = ACCEPT,
3276 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3277 	},
3278 	{
3279 		"direct packet access: test6 (pkt_end >= reg, bad access)",
3280 		.insns = {
3281 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3282 				    offsetof(struct __sk_buff, data)),
3283 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3284 				    offsetof(struct __sk_buff, data_end)),
3285 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3286 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3287 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3288 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3289 			BPF_MOV64_IMM(BPF_REG_0, 1),
3290 			BPF_EXIT_INSN(),
3291 			BPF_MOV64_IMM(BPF_REG_0, 0),
3292 			BPF_EXIT_INSN(),
3293 		},
3294 		.errstr = "invalid access to packet",
3295 		.result = REJECT,
3296 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3297 	},
3298 	{
3299 		"direct packet access: test7 (pkt_end >= reg, both accesses)",
3300 		.insns = {
3301 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3302 				    offsetof(struct __sk_buff, data)),
3303 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3304 				    offsetof(struct __sk_buff, data_end)),
3305 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3306 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3307 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3308 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3309 			BPF_MOV64_IMM(BPF_REG_0, 1),
3310 			BPF_EXIT_INSN(),
3311 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3312 			BPF_MOV64_IMM(BPF_REG_0, 0),
3313 			BPF_EXIT_INSN(),
3314 		},
3315 		.errstr = "invalid access to packet",
3316 		.result = REJECT,
3317 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3318 	},
3319 	{
3320 		"direct packet access: test8 (double test, variant 1)",
3321 		.insns = {
3322 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3323 				    offsetof(struct __sk_buff, data)),
3324 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3325 				    offsetof(struct __sk_buff, data_end)),
3326 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3327 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3328 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3329 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3330 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3331 			BPF_MOV64_IMM(BPF_REG_0, 1),
3332 			BPF_EXIT_INSN(),
3333 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3334 			BPF_MOV64_IMM(BPF_REG_0, 0),
3335 			BPF_EXIT_INSN(),
3336 		},
3337 		.result = ACCEPT,
3338 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3339 	},
3340 	{
3341 		"direct packet access: test9 (double test, variant 2)",
3342 		.insns = {
3343 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3344 				    offsetof(struct __sk_buff, data)),
3345 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3346 				    offsetof(struct __sk_buff, data_end)),
3347 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3348 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3349 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3350 			BPF_MOV64_IMM(BPF_REG_0, 1),
3351 			BPF_EXIT_INSN(),
3352 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3353 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3354 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3355 			BPF_MOV64_IMM(BPF_REG_0, 0),
3356 			BPF_EXIT_INSN(),
3357 		},
3358 		.result = ACCEPT,
3359 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3360 	},
3361 	{
3362 		"direct packet access: test10 (write invalid)",
3363 		.insns = {
3364 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3365 				    offsetof(struct __sk_buff, data)),
3366 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3367 				    offsetof(struct __sk_buff, data_end)),
3368 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3369 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3370 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3371 			BPF_MOV64_IMM(BPF_REG_0, 0),
3372 			BPF_EXIT_INSN(),
3373 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3374 			BPF_MOV64_IMM(BPF_REG_0, 0),
3375 			BPF_EXIT_INSN(),
3376 		},
3377 		.errstr = "invalid access to packet",
3378 		.result = REJECT,
3379 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3380 	},
3381 	{
3382 		"direct packet access: test11 (shift, good access)",
3383 		.insns = {
3384 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3385 				    offsetof(struct __sk_buff, data)),
3386 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3387 				    offsetof(struct __sk_buff, data_end)),
3388 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3389 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3390 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3391 			BPF_MOV64_IMM(BPF_REG_3, 144),
3392 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3393 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3394 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3395 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3396 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3397 			BPF_MOV64_IMM(BPF_REG_0, 1),
3398 			BPF_EXIT_INSN(),
3399 			BPF_MOV64_IMM(BPF_REG_0, 0),
3400 			BPF_EXIT_INSN(),
3401 		},
3402 		.result = ACCEPT,
3403 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3404 		.retval = 1,
3405 	},
3406 	{
3407 		"direct packet access: test12 (and, good access)",
3408 		.insns = {
3409 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3410 				    offsetof(struct __sk_buff, data)),
3411 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3412 				    offsetof(struct __sk_buff, data_end)),
3413 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3414 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3415 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3416 			BPF_MOV64_IMM(BPF_REG_3, 144),
3417 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3418 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3419 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3420 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3421 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3422 			BPF_MOV64_IMM(BPF_REG_0, 1),
3423 			BPF_EXIT_INSN(),
3424 			BPF_MOV64_IMM(BPF_REG_0, 0),
3425 			BPF_EXIT_INSN(),
3426 		},
3427 		.result = ACCEPT,
3428 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3429 		.retval = 1,
3430 	},
3431 	{
3432 		"direct packet access: test13 (branches, good access)",
3433 		.insns = {
3434 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3435 				    offsetof(struct __sk_buff, data)),
3436 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3437 				    offsetof(struct __sk_buff, data_end)),
3438 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3439 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3440 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3441 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3442 				    offsetof(struct __sk_buff, mark)),
3443 			BPF_MOV64_IMM(BPF_REG_4, 1),
3444 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3445 			BPF_MOV64_IMM(BPF_REG_3, 14),
3446 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3447 			BPF_MOV64_IMM(BPF_REG_3, 24),
3448 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3449 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3450 			BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3451 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3452 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3453 			BPF_MOV64_IMM(BPF_REG_0, 1),
3454 			BPF_EXIT_INSN(),
3455 			BPF_MOV64_IMM(BPF_REG_0, 0),
3456 			BPF_EXIT_INSN(),
3457 		},
3458 		.result = ACCEPT,
3459 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3460 		.retval = 1,
3461 	},
3462 	{
3463 		"direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3464 		.insns = {
3465 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3466 				    offsetof(struct __sk_buff, data)),
3467 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3468 				    offsetof(struct __sk_buff, data_end)),
3469 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3470 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3471 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3472 			BPF_MOV64_IMM(BPF_REG_5, 12),
3473 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3474 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3475 			BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3476 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3477 			BPF_MOV64_IMM(BPF_REG_0, 1),
3478 			BPF_EXIT_INSN(),
3479 			BPF_MOV64_IMM(BPF_REG_0, 0),
3480 			BPF_EXIT_INSN(),
3481 		},
3482 		.result = ACCEPT,
3483 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3484 		.retval = 1,
3485 	},
3486 	{
3487 		"direct packet access: test15 (spill with xadd)",
3488 		.insns = {
3489 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3490 				    offsetof(struct __sk_buff, data)),
3491 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3492 				    offsetof(struct __sk_buff, data_end)),
3493 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3494 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3495 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3496 			BPF_MOV64_IMM(BPF_REG_5, 4096),
3497 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3498 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3499 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3500 			BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3501 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3502 			BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3503 			BPF_MOV64_IMM(BPF_REG_0, 0),
3504 			BPF_EXIT_INSN(),
3505 		},
3506 		.errstr = "R2 invalid mem access 'inv'",
3507 		.result = REJECT,
3508 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3509 	},
3510 	{
3511 		"direct packet access: test16 (arith on data_end)",
3512 		.insns = {
3513 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3514 				    offsetof(struct __sk_buff, data)),
3515 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3516 				    offsetof(struct __sk_buff, data_end)),
3517 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3518 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3519 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3520 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3521 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3522 			BPF_MOV64_IMM(BPF_REG_0, 0),
3523 			BPF_EXIT_INSN(),
3524 		},
3525 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3526 		.result = REJECT,
3527 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3528 	},
3529 	{
3530 		"direct packet access: test17 (pruning, alignment)",
3531 		.insns = {
3532 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3533 				    offsetof(struct __sk_buff, data)),
3534 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3535 				    offsetof(struct __sk_buff, data_end)),
3536 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3537 				    offsetof(struct __sk_buff, mark)),
3538 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3539 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3540 			BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3541 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3542 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3543 			BPF_MOV64_IMM(BPF_REG_0, 0),
3544 			BPF_EXIT_INSN(),
3545 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3546 			BPF_JMP_A(-6),
3547 		},
3548 		.errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3549 		.result = REJECT,
3550 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3551 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3552 	},
3553 	{
3554 		"direct packet access: test18 (imm += pkt_ptr, 1)",
3555 		.insns = {
3556 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3557 				    offsetof(struct __sk_buff, data)),
3558 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3559 				    offsetof(struct __sk_buff, data_end)),
3560 			BPF_MOV64_IMM(BPF_REG_0, 8),
3561 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3562 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3563 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3564 			BPF_MOV64_IMM(BPF_REG_0, 0),
3565 			BPF_EXIT_INSN(),
3566 		},
3567 		.result = ACCEPT,
3568 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3569 	},
3570 	{
3571 		"direct packet access: test19 (imm += pkt_ptr, 2)",
3572 		.insns = {
3573 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3574 				    offsetof(struct __sk_buff, data)),
3575 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3576 				    offsetof(struct __sk_buff, data_end)),
3577 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3578 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3579 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3580 			BPF_MOV64_IMM(BPF_REG_4, 4),
3581 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3582 			BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3583 			BPF_MOV64_IMM(BPF_REG_0, 0),
3584 			BPF_EXIT_INSN(),
3585 		},
3586 		.result = ACCEPT,
3587 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3588 	},
3589 	{
3590 		"direct packet access: test20 (x += pkt_ptr, 1)",
3591 		.insns = {
3592 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3593 				    offsetof(struct __sk_buff, data)),
3594 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3595 				    offsetof(struct __sk_buff, data_end)),
3596 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3597 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3598 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3599 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3600 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3601 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3602 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3603 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3604 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3605 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3606 			BPF_MOV64_IMM(BPF_REG_0, 0),
3607 			BPF_EXIT_INSN(),
3608 		},
3609 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3610 		.result = ACCEPT,
3611 	},
3612 	{
3613 		"direct packet access: test21 (x += pkt_ptr, 2)",
3614 		.insns = {
3615 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3616 				    offsetof(struct __sk_buff, data)),
3617 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3618 				    offsetof(struct __sk_buff, data_end)),
3619 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3620 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3621 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3622 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3623 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3624 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3625 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3626 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3627 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3628 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3629 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3630 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3631 			BPF_MOV64_IMM(BPF_REG_0, 0),
3632 			BPF_EXIT_INSN(),
3633 		},
3634 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3635 		.result = ACCEPT,
3636 	},
3637 	{
3638 		"direct packet access: test22 (x += pkt_ptr, 3)",
3639 		.insns = {
3640 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3641 				    offsetof(struct __sk_buff, data)),
3642 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3643 				    offsetof(struct __sk_buff, data_end)),
3644 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3645 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3646 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3647 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3648 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3649 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3650 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3651 			BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3652 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3653 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3654 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3655 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3656 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3657 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3658 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3659 			BPF_MOV64_IMM(BPF_REG_2, 1),
3660 			BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3661 			BPF_MOV64_IMM(BPF_REG_0, 0),
3662 			BPF_EXIT_INSN(),
3663 		},
3664 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3665 		.result = ACCEPT,
3666 	},
3667 	{
3668 		"direct packet access: test23 (x += pkt_ptr, 4)",
3669 		.insns = {
3670 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3671 				    offsetof(struct __sk_buff, data)),
3672 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3673 				    offsetof(struct __sk_buff, data_end)),
3674 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3675 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3676 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3677 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3678 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3679 			BPF_MOV64_IMM(BPF_REG_0, 31),
3680 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3681 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3682 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3683 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3684 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3685 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3686 			BPF_MOV64_IMM(BPF_REG_0, 0),
3687 			BPF_EXIT_INSN(),
3688 		},
3689 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3690 		.result = REJECT,
3691 		.errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3692 	},
3693 	{
3694 		"direct packet access: test24 (x += pkt_ptr, 5)",
3695 		.insns = {
3696 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3697 				    offsetof(struct __sk_buff, data)),
3698 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3699 				    offsetof(struct __sk_buff, data_end)),
3700 			BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3701 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3702 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3703 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3704 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3705 			BPF_MOV64_IMM(BPF_REG_0, 64),
3706 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3707 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3708 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3709 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3710 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3711 			BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3712 			BPF_MOV64_IMM(BPF_REG_0, 0),
3713 			BPF_EXIT_INSN(),
3714 		},
3715 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3716 		.result = ACCEPT,
3717 	},
3718 	{
3719 		"direct packet access: test25 (marking on <, good access)",
3720 		.insns = {
3721 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3722 				    offsetof(struct __sk_buff, data)),
3723 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3724 				    offsetof(struct __sk_buff, data_end)),
3725 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3726 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3727 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3728 			BPF_MOV64_IMM(BPF_REG_0, 0),
3729 			BPF_EXIT_INSN(),
3730 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3731 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3732 		},
3733 		.result = ACCEPT,
3734 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3735 	},
3736 	{
3737 		"direct packet access: test26 (marking on <, bad access)",
3738 		.insns = {
3739 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3740 				    offsetof(struct __sk_buff, data)),
3741 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3742 				    offsetof(struct __sk_buff, data_end)),
3743 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3744 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3745 			BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3746 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3747 			BPF_MOV64_IMM(BPF_REG_0, 0),
3748 			BPF_EXIT_INSN(),
3749 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3750 		},
3751 		.result = REJECT,
3752 		.errstr = "invalid access to packet",
3753 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3754 	},
3755 	{
3756 		"direct packet access: test27 (marking on <=, good access)",
3757 		.insns = {
3758 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3759 				    offsetof(struct __sk_buff, data)),
3760 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3761 				    offsetof(struct __sk_buff, data_end)),
3762 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3763 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3764 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3765 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3766 			BPF_MOV64_IMM(BPF_REG_0, 1),
3767 			BPF_EXIT_INSN(),
3768 		},
3769 		.result = ACCEPT,
3770 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3771 		.retval = 1,
3772 	},
3773 	{
3774 		"direct packet access: test28 (marking on <=, bad access)",
3775 		.insns = {
3776 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3777 				    offsetof(struct __sk_buff, data)),
3778 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3779 				    offsetof(struct __sk_buff, data_end)),
3780 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3781 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3782 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3783 			BPF_MOV64_IMM(BPF_REG_0, 1),
3784 			BPF_EXIT_INSN(),
3785 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3786 			BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3787 		},
3788 		.result = REJECT,
3789 		.errstr = "invalid access to packet",
3790 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3791 	},
3792 	{
3793 		"helper access to packet: test1, valid packet_ptr range",
3794 		.insns = {
3795 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3796 				    offsetof(struct xdp_md, data)),
3797 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3798 				    offsetof(struct xdp_md, data_end)),
3799 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3800 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3801 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3802 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3803 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3804 			BPF_MOV64_IMM(BPF_REG_4, 0),
3805 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3806 				     BPF_FUNC_map_update_elem),
3807 			BPF_MOV64_IMM(BPF_REG_0, 0),
3808 			BPF_EXIT_INSN(),
3809 		},
3810 		.fixup_map1 = { 5 },
3811 		.result_unpriv = ACCEPT,
3812 		.result = ACCEPT,
3813 		.prog_type = BPF_PROG_TYPE_XDP,
3814 	},
3815 	{
3816 		"helper access to packet: test2, unchecked packet_ptr",
3817 		.insns = {
3818 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3819 				    offsetof(struct xdp_md, data)),
3820 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3821 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3822 				     BPF_FUNC_map_lookup_elem),
3823 			BPF_MOV64_IMM(BPF_REG_0, 0),
3824 			BPF_EXIT_INSN(),
3825 		},
3826 		.fixup_map1 = { 1 },
3827 		.result = REJECT,
3828 		.errstr = "invalid access to packet",
3829 		.prog_type = BPF_PROG_TYPE_XDP,
3830 	},
3831 	{
3832 		"helper access to packet: test3, variable add",
3833 		.insns = {
3834 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3835 					offsetof(struct xdp_md, data)),
3836 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3837 					offsetof(struct xdp_md, data_end)),
3838 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3839 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3840 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3841 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3842 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3843 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3844 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3845 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3846 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3847 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3848 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3849 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3850 				     BPF_FUNC_map_lookup_elem),
3851 			BPF_MOV64_IMM(BPF_REG_0, 0),
3852 			BPF_EXIT_INSN(),
3853 		},
3854 		.fixup_map1 = { 11 },
3855 		.result = ACCEPT,
3856 		.prog_type = BPF_PROG_TYPE_XDP,
3857 	},
3858 	{
3859 		"helper access to packet: test4, packet_ptr with bad range",
3860 		.insns = {
3861 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3862 				    offsetof(struct xdp_md, data)),
3863 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3864 				    offsetof(struct xdp_md, data_end)),
3865 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3866 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3867 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3868 			BPF_MOV64_IMM(BPF_REG_0, 0),
3869 			BPF_EXIT_INSN(),
3870 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3871 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3872 				     BPF_FUNC_map_lookup_elem),
3873 			BPF_MOV64_IMM(BPF_REG_0, 0),
3874 			BPF_EXIT_INSN(),
3875 		},
3876 		.fixup_map1 = { 7 },
3877 		.result = REJECT,
3878 		.errstr = "invalid access to packet",
3879 		.prog_type = BPF_PROG_TYPE_XDP,
3880 	},
3881 	{
3882 		"helper access to packet: test5, packet_ptr with too short range",
3883 		.insns = {
3884 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3885 				    offsetof(struct xdp_md, data)),
3886 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3887 				    offsetof(struct xdp_md, data_end)),
3888 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3889 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3890 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3891 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3892 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3893 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3894 				     BPF_FUNC_map_lookup_elem),
3895 			BPF_MOV64_IMM(BPF_REG_0, 0),
3896 			BPF_EXIT_INSN(),
3897 		},
3898 		.fixup_map1 = { 6 },
3899 		.result = REJECT,
3900 		.errstr = "invalid access to packet",
3901 		.prog_type = BPF_PROG_TYPE_XDP,
3902 	},
3903 	{
3904 		"helper access to packet: test6, cls valid packet_ptr range",
3905 		.insns = {
3906 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3907 				    offsetof(struct __sk_buff, data)),
3908 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3909 				    offsetof(struct __sk_buff, data_end)),
3910 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3911 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3912 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3913 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3914 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3915 			BPF_MOV64_IMM(BPF_REG_4, 0),
3916 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3917 				     BPF_FUNC_map_update_elem),
3918 			BPF_MOV64_IMM(BPF_REG_0, 0),
3919 			BPF_EXIT_INSN(),
3920 		},
3921 		.fixup_map1 = { 5 },
3922 		.result = ACCEPT,
3923 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3924 	},
3925 	{
3926 		"helper access to packet: test7, cls unchecked packet_ptr",
3927 		.insns = {
3928 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3929 				    offsetof(struct __sk_buff, data)),
3930 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3931 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3932 				     BPF_FUNC_map_lookup_elem),
3933 			BPF_MOV64_IMM(BPF_REG_0, 0),
3934 			BPF_EXIT_INSN(),
3935 		},
3936 		.fixup_map1 = { 1 },
3937 		.result = REJECT,
3938 		.errstr = "invalid access to packet",
3939 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3940 	},
3941 	{
3942 		"helper access to packet: test8, cls variable add",
3943 		.insns = {
3944 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3945 					offsetof(struct __sk_buff, data)),
3946 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3947 					offsetof(struct __sk_buff, data_end)),
3948 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3949 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3950 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3951 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3952 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3953 			BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3954 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3955 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3956 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3957 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3958 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3959 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3960 				     BPF_FUNC_map_lookup_elem),
3961 			BPF_MOV64_IMM(BPF_REG_0, 0),
3962 			BPF_EXIT_INSN(),
3963 		},
3964 		.fixup_map1 = { 11 },
3965 		.result = ACCEPT,
3966 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3967 	},
3968 	{
3969 		"helper access to packet: test9, cls packet_ptr with bad range",
3970 		.insns = {
3971 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3972 				    offsetof(struct __sk_buff, data)),
3973 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3974 				    offsetof(struct __sk_buff, data_end)),
3975 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3976 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3977 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3978 			BPF_MOV64_IMM(BPF_REG_0, 0),
3979 			BPF_EXIT_INSN(),
3980 			BPF_LD_MAP_FD(BPF_REG_1, 0),
3981 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3982 				     BPF_FUNC_map_lookup_elem),
3983 			BPF_MOV64_IMM(BPF_REG_0, 0),
3984 			BPF_EXIT_INSN(),
3985 		},
3986 		.fixup_map1 = { 7 },
3987 		.result = REJECT,
3988 		.errstr = "invalid access to packet",
3989 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
3990 	},
3991 	{
3992 		"helper access to packet: test10, cls packet_ptr with too short range",
3993 		.insns = {
3994 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3995 				    offsetof(struct __sk_buff, data)),
3996 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3997 				    offsetof(struct __sk_buff, data_end)),
3998 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3999 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4000 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4001 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4002 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4003 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4004 				     BPF_FUNC_map_lookup_elem),
4005 			BPF_MOV64_IMM(BPF_REG_0, 0),
4006 			BPF_EXIT_INSN(),
4007 		},
4008 		.fixup_map1 = { 6 },
4009 		.result = REJECT,
4010 		.errstr = "invalid access to packet",
4011 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4012 	},
4013 	{
4014 		"helper access to packet: test11, cls unsuitable helper 1",
4015 		.insns = {
4016 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4017 				    offsetof(struct __sk_buff, data)),
4018 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4019 				    offsetof(struct __sk_buff, data_end)),
4020 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4021 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4022 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4023 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4024 			BPF_MOV64_IMM(BPF_REG_2, 0),
4025 			BPF_MOV64_IMM(BPF_REG_4, 42),
4026 			BPF_MOV64_IMM(BPF_REG_5, 0),
4027 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4028 				     BPF_FUNC_skb_store_bytes),
4029 			BPF_MOV64_IMM(BPF_REG_0, 0),
4030 			BPF_EXIT_INSN(),
4031 		},
4032 		.result = REJECT,
4033 		.errstr = "helper access to the packet",
4034 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4035 	},
4036 	{
4037 		"helper access to packet: test12, cls unsuitable helper 2",
4038 		.insns = {
4039 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4040 				    offsetof(struct __sk_buff, data)),
4041 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4042 				    offsetof(struct __sk_buff, data_end)),
4043 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4044 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4045 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4046 			BPF_MOV64_IMM(BPF_REG_2, 0),
4047 			BPF_MOV64_IMM(BPF_REG_4, 4),
4048 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4049 				     BPF_FUNC_skb_load_bytes),
4050 			BPF_MOV64_IMM(BPF_REG_0, 0),
4051 			BPF_EXIT_INSN(),
4052 		},
4053 		.result = REJECT,
4054 		.errstr = "helper access to the packet",
4055 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4056 	},
4057 	{
4058 		"helper access to packet: test13, cls helper ok",
4059 		.insns = {
4060 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4061 				    offsetof(struct __sk_buff, data)),
4062 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4063 				    offsetof(struct __sk_buff, data_end)),
4064 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4065 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4066 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4067 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4068 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4069 			BPF_MOV64_IMM(BPF_REG_2, 4),
4070 			BPF_MOV64_IMM(BPF_REG_3, 0),
4071 			BPF_MOV64_IMM(BPF_REG_4, 0),
4072 			BPF_MOV64_IMM(BPF_REG_5, 0),
4073 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4074 				     BPF_FUNC_csum_diff),
4075 			BPF_MOV64_IMM(BPF_REG_0, 0),
4076 			BPF_EXIT_INSN(),
4077 		},
4078 		.result = ACCEPT,
4079 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4080 	},
4081 	{
4082 		"helper access to packet: test14, cls helper ok sub",
4083 		.insns = {
4084 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4085 				    offsetof(struct __sk_buff, data)),
4086 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4087 				    offsetof(struct __sk_buff, data_end)),
4088 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4089 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4090 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4091 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4092 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4093 			BPF_MOV64_IMM(BPF_REG_2, 4),
4094 			BPF_MOV64_IMM(BPF_REG_3, 0),
4095 			BPF_MOV64_IMM(BPF_REG_4, 0),
4096 			BPF_MOV64_IMM(BPF_REG_5, 0),
4097 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4098 				     BPF_FUNC_csum_diff),
4099 			BPF_MOV64_IMM(BPF_REG_0, 0),
4100 			BPF_EXIT_INSN(),
4101 		},
4102 		.result = ACCEPT,
4103 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4104 	},
4105 	{
4106 		"helper access to packet: test15, cls helper fail sub",
4107 		.insns = {
4108 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4109 				    offsetof(struct __sk_buff, data)),
4110 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4111 				    offsetof(struct __sk_buff, data_end)),
4112 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4113 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4114 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4115 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4116 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4117 			BPF_MOV64_IMM(BPF_REG_2, 4),
4118 			BPF_MOV64_IMM(BPF_REG_3, 0),
4119 			BPF_MOV64_IMM(BPF_REG_4, 0),
4120 			BPF_MOV64_IMM(BPF_REG_5, 0),
4121 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4122 				     BPF_FUNC_csum_diff),
4123 			BPF_MOV64_IMM(BPF_REG_0, 0),
4124 			BPF_EXIT_INSN(),
4125 		},
4126 		.result = REJECT,
4127 		.errstr = "invalid access to packet",
4128 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4129 	},
4130 	{
4131 		"helper access to packet: test16, cls helper fail range 1",
4132 		.insns = {
4133 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4134 				    offsetof(struct __sk_buff, data)),
4135 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4136 				    offsetof(struct __sk_buff, data_end)),
4137 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4138 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4139 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4140 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4141 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4142 			BPF_MOV64_IMM(BPF_REG_2, 8),
4143 			BPF_MOV64_IMM(BPF_REG_3, 0),
4144 			BPF_MOV64_IMM(BPF_REG_4, 0),
4145 			BPF_MOV64_IMM(BPF_REG_5, 0),
4146 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4147 				     BPF_FUNC_csum_diff),
4148 			BPF_MOV64_IMM(BPF_REG_0, 0),
4149 			BPF_EXIT_INSN(),
4150 		},
4151 		.result = REJECT,
4152 		.errstr = "invalid access to packet",
4153 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4154 	},
4155 	{
4156 		"helper access to packet: test17, cls helper fail range 2",
4157 		.insns = {
4158 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4159 				    offsetof(struct __sk_buff, data)),
4160 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4161 				    offsetof(struct __sk_buff, data_end)),
4162 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4163 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4164 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4165 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4166 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4167 			BPF_MOV64_IMM(BPF_REG_2, -9),
4168 			BPF_MOV64_IMM(BPF_REG_3, 0),
4169 			BPF_MOV64_IMM(BPF_REG_4, 0),
4170 			BPF_MOV64_IMM(BPF_REG_5, 0),
4171 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4172 				     BPF_FUNC_csum_diff),
4173 			BPF_MOV64_IMM(BPF_REG_0, 0),
4174 			BPF_EXIT_INSN(),
4175 		},
4176 		.result = REJECT,
4177 		.errstr = "R2 min value is negative",
4178 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4179 	},
4180 	{
4181 		"helper access to packet: test18, cls helper fail range 3",
4182 		.insns = {
4183 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4184 				    offsetof(struct __sk_buff, data)),
4185 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4186 				    offsetof(struct __sk_buff, data_end)),
4187 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4188 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4189 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4190 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4191 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4192 			BPF_MOV64_IMM(BPF_REG_2, ~0),
4193 			BPF_MOV64_IMM(BPF_REG_3, 0),
4194 			BPF_MOV64_IMM(BPF_REG_4, 0),
4195 			BPF_MOV64_IMM(BPF_REG_5, 0),
4196 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4197 				     BPF_FUNC_csum_diff),
4198 			BPF_MOV64_IMM(BPF_REG_0, 0),
4199 			BPF_EXIT_INSN(),
4200 		},
4201 		.result = REJECT,
4202 		.errstr = "R2 min value is negative",
4203 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4204 	},
4205 	{
4206 		"helper access to packet: test19, cls helper range zero",
4207 		.insns = {
4208 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4209 				    offsetof(struct __sk_buff, data)),
4210 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4211 				    offsetof(struct __sk_buff, data_end)),
4212 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4213 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4214 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4215 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4216 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4217 			BPF_MOV64_IMM(BPF_REG_2, 0),
4218 			BPF_MOV64_IMM(BPF_REG_3, 0),
4219 			BPF_MOV64_IMM(BPF_REG_4, 0),
4220 			BPF_MOV64_IMM(BPF_REG_5, 0),
4221 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4222 				     BPF_FUNC_csum_diff),
4223 			BPF_MOV64_IMM(BPF_REG_0, 0),
4224 			BPF_EXIT_INSN(),
4225 		},
4226 		.result = ACCEPT,
4227 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4228 	},
4229 	{
4230 		"helper access to packet: test20, pkt end as input",
4231 		.insns = {
4232 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4233 				    offsetof(struct __sk_buff, data)),
4234 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4235 				    offsetof(struct __sk_buff, data_end)),
4236 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4237 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4238 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4239 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4240 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4241 			BPF_MOV64_IMM(BPF_REG_2, 4),
4242 			BPF_MOV64_IMM(BPF_REG_3, 0),
4243 			BPF_MOV64_IMM(BPF_REG_4, 0),
4244 			BPF_MOV64_IMM(BPF_REG_5, 0),
4245 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4246 				     BPF_FUNC_csum_diff),
4247 			BPF_MOV64_IMM(BPF_REG_0, 0),
4248 			BPF_EXIT_INSN(),
4249 		},
4250 		.result = REJECT,
4251 		.errstr = "R1 type=pkt_end expected=fp",
4252 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4253 	},
4254 	{
4255 		"helper access to packet: test21, wrong reg",
4256 		.insns = {
4257 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4258 				    offsetof(struct __sk_buff, data)),
4259 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4260 				    offsetof(struct __sk_buff, data_end)),
4261 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4262 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4263 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4264 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4265 			BPF_MOV64_IMM(BPF_REG_2, 4),
4266 			BPF_MOV64_IMM(BPF_REG_3, 0),
4267 			BPF_MOV64_IMM(BPF_REG_4, 0),
4268 			BPF_MOV64_IMM(BPF_REG_5, 0),
4269 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4270 				     BPF_FUNC_csum_diff),
4271 			BPF_MOV64_IMM(BPF_REG_0, 0),
4272 			BPF_EXIT_INSN(),
4273 		},
4274 		.result = REJECT,
4275 		.errstr = "invalid access to packet",
4276 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
4277 	},
4278 	{
4279 		"valid map access into an array with a constant",
4280 		.insns = {
4281 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4282 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4283 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4284 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4285 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4286 				     BPF_FUNC_map_lookup_elem),
4287 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4288 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4289 				   offsetof(struct test_val, foo)),
4290 			BPF_EXIT_INSN(),
4291 		},
4292 		.fixup_map2 = { 3 },
4293 		.errstr_unpriv = "R0 leaks addr",
4294 		.result_unpriv = REJECT,
4295 		.result = ACCEPT,
4296 	},
4297 	{
4298 		"valid map access into an array with a register",
4299 		.insns = {
4300 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4301 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4302 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4303 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4304 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4305 				     BPF_FUNC_map_lookup_elem),
4306 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4307 			BPF_MOV64_IMM(BPF_REG_1, 4),
4308 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4309 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4310 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4311 				   offsetof(struct test_val, foo)),
4312 			BPF_EXIT_INSN(),
4313 		},
4314 		.fixup_map2 = { 3 },
4315 		.errstr_unpriv = "R0 leaks addr",
4316 		.result_unpriv = REJECT,
4317 		.result = ACCEPT,
4318 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4319 	},
4320 	{
4321 		"valid map access into an array with a variable",
4322 		.insns = {
4323 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4324 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4325 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4326 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4327 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4328 				     BPF_FUNC_map_lookup_elem),
4329 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4330 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4331 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4332 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4333 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4334 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4335 				   offsetof(struct test_val, foo)),
4336 			BPF_EXIT_INSN(),
4337 		},
4338 		.fixup_map2 = { 3 },
4339 		.errstr_unpriv = "R0 leaks addr",
4340 		.result_unpriv = REJECT,
4341 		.result = ACCEPT,
4342 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4343 	},
4344 	{
4345 		"valid map access into an array with a signed variable",
4346 		.insns = {
4347 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4348 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4349 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4350 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4351 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4352 				     BPF_FUNC_map_lookup_elem),
4353 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4354 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4355 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4356 			BPF_MOV32_IMM(BPF_REG_1, 0),
4357 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4358 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4359 			BPF_MOV32_IMM(BPF_REG_1, 0),
4360 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4361 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4362 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4363 				   offsetof(struct test_val, foo)),
4364 			BPF_EXIT_INSN(),
4365 		},
4366 		.fixup_map2 = { 3 },
4367 		.errstr_unpriv = "R0 leaks addr",
4368 		.result_unpriv = REJECT,
4369 		.result = ACCEPT,
4370 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4371 	},
4372 	{
4373 		"invalid map access into an array with a constant",
4374 		.insns = {
4375 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4376 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4377 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4378 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4379 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4380 				     BPF_FUNC_map_lookup_elem),
4381 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4382 			BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4383 				   offsetof(struct test_val, foo)),
4384 			BPF_EXIT_INSN(),
4385 		},
4386 		.fixup_map2 = { 3 },
4387 		.errstr = "invalid access to map value, value_size=48 off=48 size=8",
4388 		.result = REJECT,
4389 	},
4390 	{
4391 		"invalid map access into an array with a register",
4392 		.insns = {
4393 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4394 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4395 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4396 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4397 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4398 				     BPF_FUNC_map_lookup_elem),
4399 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4400 			BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4401 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4402 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4403 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4404 				   offsetof(struct test_val, foo)),
4405 			BPF_EXIT_INSN(),
4406 		},
4407 		.fixup_map2 = { 3 },
4408 		.errstr = "R0 min value is outside of the array range",
4409 		.result = REJECT,
4410 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4411 	},
4412 	{
4413 		"invalid map access into an array with a variable",
4414 		.insns = {
4415 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4416 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4417 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4418 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4419 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4420 				     BPF_FUNC_map_lookup_elem),
4421 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4422 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4423 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4424 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4425 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4426 				   offsetof(struct test_val, foo)),
4427 			BPF_EXIT_INSN(),
4428 		},
4429 		.fixup_map2 = { 3 },
4430 		.errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4431 		.result = REJECT,
4432 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4433 	},
4434 	{
4435 		"invalid map access into an array with no floor check",
4436 		.insns = {
4437 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4438 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4439 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4440 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4441 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4442 				     BPF_FUNC_map_lookup_elem),
4443 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4444 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4445 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4446 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4447 			BPF_MOV32_IMM(BPF_REG_1, 0),
4448 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4449 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4450 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4451 				   offsetof(struct test_val, foo)),
4452 			BPF_EXIT_INSN(),
4453 		},
4454 		.fixup_map2 = { 3 },
4455 		.errstr_unpriv = "R0 leaks addr",
4456 		.errstr = "R0 unbounded memory access",
4457 		.result_unpriv = REJECT,
4458 		.result = REJECT,
4459 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4460 	},
4461 	{
4462 		"invalid map access into an array with a invalid max check",
4463 		.insns = {
4464 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4465 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4466 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4467 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4468 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4469 				     BPF_FUNC_map_lookup_elem),
4470 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4471 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4472 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4473 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4474 			BPF_MOV32_IMM(BPF_REG_1, 0),
4475 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4476 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4477 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4478 				   offsetof(struct test_val, foo)),
4479 			BPF_EXIT_INSN(),
4480 		},
4481 		.fixup_map2 = { 3 },
4482 		.errstr_unpriv = "R0 leaks addr",
4483 		.errstr = "invalid access to map value, value_size=48 off=44 size=8",
4484 		.result_unpriv = REJECT,
4485 		.result = REJECT,
4486 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4487 	},
4488 	{
4489 		"invalid map access into an array with a invalid max check",
4490 		.insns = {
4491 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4492 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4493 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4494 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4495 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4496 				     BPF_FUNC_map_lookup_elem),
4497 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4498 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4499 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4500 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4501 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4502 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4503 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4504 				     BPF_FUNC_map_lookup_elem),
4505 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4506 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4507 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4508 				    offsetof(struct test_val, foo)),
4509 			BPF_EXIT_INSN(),
4510 		},
4511 		.fixup_map2 = { 3, 11 },
4512 		.errstr = "R0 pointer += pointer",
4513 		.result = REJECT,
4514 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4515 	},
4516 	{
4517 		"multiple registers share map_lookup_elem result",
4518 		.insns = {
4519 			BPF_MOV64_IMM(BPF_REG_1, 10),
4520 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4521 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4522 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4523 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4524 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4525 				     BPF_FUNC_map_lookup_elem),
4526 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4527 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4528 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4529 			BPF_EXIT_INSN(),
4530 		},
4531 		.fixup_map1 = { 4 },
4532 		.result = ACCEPT,
4533 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4534 	},
4535 	{
4536 		"alu ops on ptr_to_map_value_or_null, 1",
4537 		.insns = {
4538 			BPF_MOV64_IMM(BPF_REG_1, 10),
4539 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4540 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4541 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4542 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4543 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4544 				     BPF_FUNC_map_lookup_elem),
4545 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4546 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4547 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4548 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4549 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4550 			BPF_EXIT_INSN(),
4551 		},
4552 		.fixup_map1 = { 4 },
4553 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4554 		.result = REJECT,
4555 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4556 	},
4557 	{
4558 		"alu ops on ptr_to_map_value_or_null, 2",
4559 		.insns = {
4560 			BPF_MOV64_IMM(BPF_REG_1, 10),
4561 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4562 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4563 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4564 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4565 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4566 				     BPF_FUNC_map_lookup_elem),
4567 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4568 			BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4569 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4570 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4571 			BPF_EXIT_INSN(),
4572 		},
4573 		.fixup_map1 = { 4 },
4574 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4575 		.result = REJECT,
4576 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4577 	},
4578 	{
4579 		"alu ops on ptr_to_map_value_or_null, 3",
4580 		.insns = {
4581 			BPF_MOV64_IMM(BPF_REG_1, 10),
4582 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4583 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4584 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4585 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4586 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4587 				     BPF_FUNC_map_lookup_elem),
4588 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4589 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4590 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4591 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4592 			BPF_EXIT_INSN(),
4593 		},
4594 		.fixup_map1 = { 4 },
4595 		.errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4596 		.result = REJECT,
4597 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4598 	},
4599 	{
4600 		"invalid memory access with multiple map_lookup_elem calls",
4601 		.insns = {
4602 			BPF_MOV64_IMM(BPF_REG_1, 10),
4603 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4604 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4605 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4606 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4607 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4608 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4609 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4610 				     BPF_FUNC_map_lookup_elem),
4611 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4612 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4613 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4614 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4615 				     BPF_FUNC_map_lookup_elem),
4616 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4617 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4618 			BPF_EXIT_INSN(),
4619 		},
4620 		.fixup_map1 = { 4 },
4621 		.result = REJECT,
4622 		.errstr = "R4 !read_ok",
4623 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4624 	},
4625 	{
4626 		"valid indirect map_lookup_elem access with 2nd lookup in branch",
4627 		.insns = {
4628 			BPF_MOV64_IMM(BPF_REG_1, 10),
4629 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4630 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4631 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4632 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4633 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4634 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4635 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4636 				     BPF_FUNC_map_lookup_elem),
4637 			BPF_MOV64_IMM(BPF_REG_2, 10),
4638 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4639 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4640 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4641 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4642 				     BPF_FUNC_map_lookup_elem),
4643 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4644 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4645 			BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4646 			BPF_EXIT_INSN(),
4647 		},
4648 		.fixup_map1 = { 4 },
4649 		.result = ACCEPT,
4650 		.prog_type = BPF_PROG_TYPE_SCHED_CLS
4651 	},
4652 	{
4653 		"invalid map access from else condition",
4654 		.insns = {
4655 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4656 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4657 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4658 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4659 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4660 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4661 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4662 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4663 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4664 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4665 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4666 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4667 			BPF_EXIT_INSN(),
4668 		},
4669 		.fixup_map2 = { 3 },
4670 		.errstr = "R0 unbounded memory access",
4671 		.result = REJECT,
4672 		.errstr_unpriv = "R0 leaks addr",
4673 		.result_unpriv = REJECT,
4674 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4675 	},
4676 	{
4677 		"constant register |= constant should keep constant type",
4678 		.insns = {
4679 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4680 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4681 			BPF_MOV64_IMM(BPF_REG_2, 34),
4682 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4683 			BPF_MOV64_IMM(BPF_REG_3, 0),
4684 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4685 			BPF_EXIT_INSN(),
4686 		},
4687 		.result = ACCEPT,
4688 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4689 	},
4690 	{
4691 		"constant register |= constant should not bypass stack boundary checks",
4692 		.insns = {
4693 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4694 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4695 			BPF_MOV64_IMM(BPF_REG_2, 34),
4696 			BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4697 			BPF_MOV64_IMM(BPF_REG_3, 0),
4698 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4699 			BPF_EXIT_INSN(),
4700 		},
4701 		.errstr = "invalid stack type R1 off=-48 access_size=58",
4702 		.result = REJECT,
4703 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4704 	},
4705 	{
4706 		"constant register |= constant register should keep constant type",
4707 		.insns = {
4708 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4709 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4710 			BPF_MOV64_IMM(BPF_REG_2, 34),
4711 			BPF_MOV64_IMM(BPF_REG_4, 13),
4712 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4713 			BPF_MOV64_IMM(BPF_REG_3, 0),
4714 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4715 			BPF_EXIT_INSN(),
4716 		},
4717 		.result = ACCEPT,
4718 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4719 	},
4720 	{
4721 		"constant register |= constant register should not bypass stack boundary checks",
4722 		.insns = {
4723 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4724 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4725 			BPF_MOV64_IMM(BPF_REG_2, 34),
4726 			BPF_MOV64_IMM(BPF_REG_4, 24),
4727 			BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4728 			BPF_MOV64_IMM(BPF_REG_3, 0),
4729 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4730 			BPF_EXIT_INSN(),
4731 		},
4732 		.errstr = "invalid stack type R1 off=-48 access_size=58",
4733 		.result = REJECT,
4734 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4735 	},
4736 	{
4737 		"invalid direct packet write for LWT_IN",
4738 		.insns = {
4739 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4740 				    offsetof(struct __sk_buff, data)),
4741 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4742 				    offsetof(struct __sk_buff, data_end)),
4743 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4744 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4745 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4746 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4747 			BPF_MOV64_IMM(BPF_REG_0, 0),
4748 			BPF_EXIT_INSN(),
4749 		},
4750 		.errstr = "cannot write into packet",
4751 		.result = REJECT,
4752 		.prog_type = BPF_PROG_TYPE_LWT_IN,
4753 	},
4754 	{
4755 		"invalid direct packet write for LWT_OUT",
4756 		.insns = {
4757 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4758 				    offsetof(struct __sk_buff, data)),
4759 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4760 				    offsetof(struct __sk_buff, data_end)),
4761 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4762 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4763 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4764 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4765 			BPF_MOV64_IMM(BPF_REG_0, 0),
4766 			BPF_EXIT_INSN(),
4767 		},
4768 		.errstr = "cannot write into packet",
4769 		.result = REJECT,
4770 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
4771 	},
4772 	{
4773 		"direct packet write for LWT_XMIT",
4774 		.insns = {
4775 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4776 				    offsetof(struct __sk_buff, data)),
4777 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4778 				    offsetof(struct __sk_buff, data_end)),
4779 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4780 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4781 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4782 			BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4783 			BPF_MOV64_IMM(BPF_REG_0, 0),
4784 			BPF_EXIT_INSN(),
4785 		},
4786 		.result = ACCEPT,
4787 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4788 	},
4789 	{
4790 		"direct packet read for LWT_IN",
4791 		.insns = {
4792 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4793 				    offsetof(struct __sk_buff, data)),
4794 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4795 				    offsetof(struct __sk_buff, data_end)),
4796 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4797 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4798 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4799 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4800 			BPF_MOV64_IMM(BPF_REG_0, 0),
4801 			BPF_EXIT_INSN(),
4802 		},
4803 		.result = ACCEPT,
4804 		.prog_type = BPF_PROG_TYPE_LWT_IN,
4805 	},
4806 	{
4807 		"direct packet read for LWT_OUT",
4808 		.insns = {
4809 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4810 				    offsetof(struct __sk_buff, data)),
4811 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4812 				    offsetof(struct __sk_buff, data_end)),
4813 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4814 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4815 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4816 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4817 			BPF_MOV64_IMM(BPF_REG_0, 0),
4818 			BPF_EXIT_INSN(),
4819 		},
4820 		.result = ACCEPT,
4821 		.prog_type = BPF_PROG_TYPE_LWT_OUT,
4822 	},
4823 	{
4824 		"direct packet read for LWT_XMIT",
4825 		.insns = {
4826 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4827 				    offsetof(struct __sk_buff, data)),
4828 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4829 				    offsetof(struct __sk_buff, data_end)),
4830 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4831 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4832 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4833 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4834 			BPF_MOV64_IMM(BPF_REG_0, 0),
4835 			BPF_EXIT_INSN(),
4836 		},
4837 		.result = ACCEPT,
4838 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4839 	},
4840 	{
4841 		"overlapping checks for direct packet access",
4842 		.insns = {
4843 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4844 				    offsetof(struct __sk_buff, data)),
4845 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4846 				    offsetof(struct __sk_buff, data_end)),
4847 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4848 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4849 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4850 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4851 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4852 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4853 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4854 			BPF_MOV64_IMM(BPF_REG_0, 0),
4855 			BPF_EXIT_INSN(),
4856 		},
4857 		.result = ACCEPT,
4858 		.prog_type = BPF_PROG_TYPE_LWT_XMIT,
4859 	},
4860 	{
4861 		"invalid access of tc_classid for LWT_IN",
4862 		.insns = {
4863 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4864 				    offsetof(struct __sk_buff, tc_classid)),
4865 			BPF_EXIT_INSN(),
4866 		},
4867 		.result = REJECT,
4868 		.errstr = "invalid bpf_context access",
4869 	},
4870 	{
4871 		"invalid access of tc_classid for LWT_OUT",
4872 		.insns = {
4873 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4874 				    offsetof(struct __sk_buff, tc_classid)),
4875 			BPF_EXIT_INSN(),
4876 		},
4877 		.result = REJECT,
4878 		.errstr = "invalid bpf_context access",
4879 	},
4880 	{
4881 		"invalid access of tc_classid for LWT_XMIT",
4882 		.insns = {
4883 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4884 				    offsetof(struct __sk_buff, tc_classid)),
4885 			BPF_EXIT_INSN(),
4886 		},
4887 		.result = REJECT,
4888 		.errstr = "invalid bpf_context access",
4889 	},
4890 	{
4891 		"leak pointer into ctx 1",
4892 		.insns = {
4893 			BPF_MOV64_IMM(BPF_REG_0, 0),
4894 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4895 				    offsetof(struct __sk_buff, cb[0])),
4896 			BPF_LD_MAP_FD(BPF_REG_2, 0),
4897 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
4898 				      offsetof(struct __sk_buff, cb[0])),
4899 			BPF_EXIT_INSN(),
4900 		},
4901 		.fixup_map1 = { 2 },
4902 		.errstr_unpriv = "R2 leaks addr into mem",
4903 		.result_unpriv = REJECT,
4904 		.result = REJECT,
4905 		.errstr = "BPF_XADD stores into R1 context is not allowed",
4906 	},
4907 	{
4908 		"leak pointer into ctx 2",
4909 		.insns = {
4910 			BPF_MOV64_IMM(BPF_REG_0, 0),
4911 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4912 				    offsetof(struct __sk_buff, cb[0])),
4913 			BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
4914 				      offsetof(struct __sk_buff, cb[0])),
4915 			BPF_EXIT_INSN(),
4916 		},
4917 		.errstr_unpriv = "R10 leaks addr into mem",
4918 		.result_unpriv = REJECT,
4919 		.result = REJECT,
4920 		.errstr = "BPF_XADD stores into R1 context is not allowed",
4921 	},
4922 	{
4923 		"leak pointer into ctx 3",
4924 		.insns = {
4925 			BPF_MOV64_IMM(BPF_REG_0, 0),
4926 			BPF_LD_MAP_FD(BPF_REG_2, 0),
4927 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
4928 				      offsetof(struct __sk_buff, cb[0])),
4929 			BPF_EXIT_INSN(),
4930 		},
4931 		.fixup_map1 = { 1 },
4932 		.errstr_unpriv = "R2 leaks addr into ctx",
4933 		.result_unpriv = REJECT,
4934 		.result = ACCEPT,
4935 	},
4936 	{
4937 		"leak pointer into map val",
4938 		.insns = {
4939 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
4940 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4941 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4942 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4943 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4944 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4945 				     BPF_FUNC_map_lookup_elem),
4946 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4947 			BPF_MOV64_IMM(BPF_REG_3, 0),
4948 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
4949 			BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
4950 			BPF_MOV64_IMM(BPF_REG_0, 0),
4951 			BPF_EXIT_INSN(),
4952 		},
4953 		.fixup_map1 = { 4 },
4954 		.errstr_unpriv = "R6 leaks addr into mem",
4955 		.result_unpriv = REJECT,
4956 		.result = ACCEPT,
4957 	},
4958 	{
4959 		"helper access to map: full range",
4960 		.insns = {
4961 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4962 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4963 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4964 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4965 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4966 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4967 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4968 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4969 			BPF_MOV64_IMM(BPF_REG_3, 0),
4970 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4971 			BPF_EXIT_INSN(),
4972 		},
4973 		.fixup_map2 = { 3 },
4974 		.result = ACCEPT,
4975 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4976 	},
4977 	{
4978 		"helper access to map: partial range",
4979 		.insns = {
4980 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4981 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4982 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4983 			BPF_LD_MAP_FD(BPF_REG_1, 0),
4984 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4985 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4986 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4987 			BPF_MOV64_IMM(BPF_REG_2, 8),
4988 			BPF_MOV64_IMM(BPF_REG_3, 0),
4989 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
4990 			BPF_EXIT_INSN(),
4991 		},
4992 		.fixup_map2 = { 3 },
4993 		.result = ACCEPT,
4994 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
4995 	},
4996 	{
4997 		"helper access to map: empty range",
4998 		.insns = {
4999 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5000 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5001 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5002 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5003 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5004 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5005 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5006 			BPF_MOV64_IMM(BPF_REG_2, 0),
5007 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5008 			BPF_EXIT_INSN(),
5009 		},
5010 		.fixup_map2 = { 3 },
5011 		.errstr = "invalid access to map value, value_size=48 off=0 size=0",
5012 		.result = REJECT,
5013 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5014 	},
5015 	{
5016 		"helper access to map: out-of-bound range",
5017 		.insns = {
5018 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5019 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5020 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5021 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5022 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5023 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5024 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5025 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5026 			BPF_MOV64_IMM(BPF_REG_3, 0),
5027 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5028 			BPF_EXIT_INSN(),
5029 		},
5030 		.fixup_map2 = { 3 },
5031 		.errstr = "invalid access to map value, value_size=48 off=0 size=56",
5032 		.result = REJECT,
5033 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5034 	},
5035 	{
5036 		"helper access to map: negative range",
5037 		.insns = {
5038 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5039 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5040 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5041 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5042 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5043 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5044 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5045 			BPF_MOV64_IMM(BPF_REG_2, -8),
5046 			BPF_MOV64_IMM(BPF_REG_3, 0),
5047 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5048 			BPF_EXIT_INSN(),
5049 		},
5050 		.fixup_map2 = { 3 },
5051 		.errstr = "R2 min value is negative",
5052 		.result = REJECT,
5053 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5054 	},
5055 	{
5056 		"helper access to adjusted map (via const imm): full range",
5057 		.insns = {
5058 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5059 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5060 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5061 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5062 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5063 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5064 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5065 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5066 				offsetof(struct test_val, foo)),
5067 			BPF_MOV64_IMM(BPF_REG_2,
5068 				sizeof(struct test_val) -
5069 				offsetof(struct test_val, foo)),
5070 			BPF_MOV64_IMM(BPF_REG_3, 0),
5071 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5072 			BPF_EXIT_INSN(),
5073 		},
5074 		.fixup_map2 = { 3 },
5075 		.result = ACCEPT,
5076 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5077 	},
5078 	{
5079 		"helper access to adjusted map (via const imm): partial range",
5080 		.insns = {
5081 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5082 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5083 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5084 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5085 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5086 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5087 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5088 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5089 				offsetof(struct test_val, foo)),
5090 			BPF_MOV64_IMM(BPF_REG_2, 8),
5091 			BPF_MOV64_IMM(BPF_REG_3, 0),
5092 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5093 			BPF_EXIT_INSN(),
5094 		},
5095 		.fixup_map2 = { 3 },
5096 		.result = ACCEPT,
5097 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5098 	},
5099 	{
5100 		"helper access to adjusted map (via const imm): empty range",
5101 		.insns = {
5102 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5103 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5104 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5105 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5106 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5107 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5108 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5109 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5110 				offsetof(struct test_val, foo)),
5111 			BPF_MOV64_IMM(BPF_REG_2, 0),
5112 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5113 			BPF_EXIT_INSN(),
5114 		},
5115 		.fixup_map2 = { 3 },
5116 		.errstr = "invalid access to map value, value_size=48 off=4 size=0",
5117 		.result = REJECT,
5118 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5119 	},
5120 	{
5121 		"helper access to adjusted map (via const imm): out-of-bound range",
5122 		.insns = {
5123 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5124 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5125 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5126 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5127 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5128 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5129 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5130 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5131 				offsetof(struct test_val, foo)),
5132 			BPF_MOV64_IMM(BPF_REG_2,
5133 				sizeof(struct test_val) -
5134 				offsetof(struct test_val, foo) + 8),
5135 			BPF_MOV64_IMM(BPF_REG_3, 0),
5136 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5137 			BPF_EXIT_INSN(),
5138 		},
5139 		.fixup_map2 = { 3 },
5140 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
5141 		.result = REJECT,
5142 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5143 	},
5144 	{
5145 		"helper access to adjusted map (via const imm): negative range (> adjustment)",
5146 		.insns = {
5147 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5148 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5149 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5150 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5151 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5152 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5153 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5154 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5155 				offsetof(struct test_val, foo)),
5156 			BPF_MOV64_IMM(BPF_REG_2, -8),
5157 			BPF_MOV64_IMM(BPF_REG_3, 0),
5158 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5159 			BPF_EXIT_INSN(),
5160 		},
5161 		.fixup_map2 = { 3 },
5162 		.errstr = "R2 min value is negative",
5163 		.result = REJECT,
5164 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5165 	},
5166 	{
5167 		"helper access to adjusted map (via const imm): negative range (< adjustment)",
5168 		.insns = {
5169 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5170 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5171 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5172 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5173 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5174 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5175 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5176 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5177 				offsetof(struct test_val, foo)),
5178 			BPF_MOV64_IMM(BPF_REG_2, -1),
5179 			BPF_MOV64_IMM(BPF_REG_3, 0),
5180 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5181 			BPF_EXIT_INSN(),
5182 		},
5183 		.fixup_map2 = { 3 },
5184 		.errstr = "R2 min value is negative",
5185 		.result = REJECT,
5186 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5187 	},
5188 	{
5189 		"helper access to adjusted map (via const reg): full range",
5190 		.insns = {
5191 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5192 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5193 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5194 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5195 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5196 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5197 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5198 			BPF_MOV64_IMM(BPF_REG_3,
5199 				offsetof(struct test_val, foo)),
5200 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5201 			BPF_MOV64_IMM(BPF_REG_2,
5202 				sizeof(struct test_val) -
5203 				offsetof(struct test_val, foo)),
5204 			BPF_MOV64_IMM(BPF_REG_3, 0),
5205 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5206 			BPF_EXIT_INSN(),
5207 		},
5208 		.fixup_map2 = { 3 },
5209 		.result = ACCEPT,
5210 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5211 	},
5212 	{
5213 		"helper access to adjusted map (via const reg): partial range",
5214 		.insns = {
5215 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5216 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5217 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5218 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5219 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5220 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5221 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5222 			BPF_MOV64_IMM(BPF_REG_3,
5223 				offsetof(struct test_val, foo)),
5224 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5225 			BPF_MOV64_IMM(BPF_REG_2, 8),
5226 			BPF_MOV64_IMM(BPF_REG_3, 0),
5227 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5228 			BPF_EXIT_INSN(),
5229 		},
5230 		.fixup_map2 = { 3 },
5231 		.result = ACCEPT,
5232 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5233 	},
5234 	{
5235 		"helper access to adjusted map (via const reg): empty range",
5236 		.insns = {
5237 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5238 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5239 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5240 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5241 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5242 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5243 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5244 			BPF_MOV64_IMM(BPF_REG_3, 0),
5245 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5246 			BPF_MOV64_IMM(BPF_REG_2, 0),
5247 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5248 			BPF_EXIT_INSN(),
5249 		},
5250 		.fixup_map2 = { 3 },
5251 		.errstr = "R1 min value is outside of the array range",
5252 		.result = REJECT,
5253 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5254 	},
5255 	{
5256 		"helper access to adjusted map (via const reg): out-of-bound range",
5257 		.insns = {
5258 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5259 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5260 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5261 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5262 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5263 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5264 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5265 			BPF_MOV64_IMM(BPF_REG_3,
5266 				offsetof(struct test_val, foo)),
5267 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5268 			BPF_MOV64_IMM(BPF_REG_2,
5269 				sizeof(struct test_val) -
5270 				offsetof(struct test_val, foo) + 8),
5271 			BPF_MOV64_IMM(BPF_REG_3, 0),
5272 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5273 			BPF_EXIT_INSN(),
5274 		},
5275 		.fixup_map2 = { 3 },
5276 		.errstr = "invalid access to map value, value_size=48 off=4 size=52",
5277 		.result = REJECT,
5278 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5279 	},
5280 	{
5281 		"helper access to adjusted map (via const reg): negative range (> adjustment)",
5282 		.insns = {
5283 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5284 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5285 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5286 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5287 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5288 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5289 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5290 			BPF_MOV64_IMM(BPF_REG_3,
5291 				offsetof(struct test_val, foo)),
5292 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5293 			BPF_MOV64_IMM(BPF_REG_2, -8),
5294 			BPF_MOV64_IMM(BPF_REG_3, 0),
5295 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5296 			BPF_EXIT_INSN(),
5297 		},
5298 		.fixup_map2 = { 3 },
5299 		.errstr = "R2 min value is negative",
5300 		.result = REJECT,
5301 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5302 	},
5303 	{
5304 		"helper access to adjusted map (via const reg): negative range (< adjustment)",
5305 		.insns = {
5306 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5307 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5308 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5309 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5310 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5311 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5312 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5313 			BPF_MOV64_IMM(BPF_REG_3,
5314 				offsetof(struct test_val, foo)),
5315 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5316 			BPF_MOV64_IMM(BPF_REG_2, -1),
5317 			BPF_MOV64_IMM(BPF_REG_3, 0),
5318 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5319 			BPF_EXIT_INSN(),
5320 		},
5321 		.fixup_map2 = { 3 },
5322 		.errstr = "R2 min value is negative",
5323 		.result = REJECT,
5324 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5325 	},
5326 	{
5327 		"helper access to adjusted map (via variable): full range",
5328 		.insns = {
5329 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5330 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5331 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5332 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5333 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5334 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5335 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5336 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5337 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5338 				offsetof(struct test_val, foo), 4),
5339 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5340 			BPF_MOV64_IMM(BPF_REG_2,
5341 				sizeof(struct test_val) -
5342 				offsetof(struct test_val, foo)),
5343 			BPF_MOV64_IMM(BPF_REG_3, 0),
5344 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5345 			BPF_EXIT_INSN(),
5346 		},
5347 		.fixup_map2 = { 3 },
5348 		.result = ACCEPT,
5349 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5350 	},
5351 	{
5352 		"helper access to adjusted map (via variable): partial range",
5353 		.insns = {
5354 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5355 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5356 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5357 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5358 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5359 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5360 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5361 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5362 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5363 				offsetof(struct test_val, foo), 4),
5364 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5365 			BPF_MOV64_IMM(BPF_REG_2, 8),
5366 			BPF_MOV64_IMM(BPF_REG_3, 0),
5367 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5368 			BPF_EXIT_INSN(),
5369 		},
5370 		.fixup_map2 = { 3 },
5371 		.result = ACCEPT,
5372 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5373 	},
5374 	{
5375 		"helper access to adjusted map (via variable): empty range",
5376 		.insns = {
5377 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5378 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5379 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5380 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5381 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5382 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5383 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5384 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5385 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5386 				offsetof(struct test_val, foo), 3),
5387 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5388 			BPF_MOV64_IMM(BPF_REG_2, 0),
5389 			BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5390 			BPF_EXIT_INSN(),
5391 		},
5392 		.fixup_map2 = { 3 },
5393 		.errstr = "R1 min value is outside of the array range",
5394 		.result = REJECT,
5395 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5396 	},
5397 	{
5398 		"helper access to adjusted map (via variable): no max check",
5399 		.insns = {
5400 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5401 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5402 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5403 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5404 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5405 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5406 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5407 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5408 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5409 			BPF_MOV64_IMM(BPF_REG_2, 1),
5410 			BPF_MOV64_IMM(BPF_REG_3, 0),
5411 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5412 			BPF_EXIT_INSN(),
5413 		},
5414 		.fixup_map2 = { 3 },
5415 		.errstr = "R1 unbounded memory access",
5416 		.result = REJECT,
5417 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5418 	},
5419 	{
5420 		"helper access to adjusted map (via variable): wrong max check",
5421 		.insns = {
5422 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5423 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5424 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5425 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5426 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5427 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5428 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5429 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5430 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5431 				offsetof(struct test_val, foo), 4),
5432 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5433 			BPF_MOV64_IMM(BPF_REG_2,
5434 				sizeof(struct test_val) -
5435 				offsetof(struct test_val, foo) + 1),
5436 			BPF_MOV64_IMM(BPF_REG_3, 0),
5437 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
5438 			BPF_EXIT_INSN(),
5439 		},
5440 		.fixup_map2 = { 3 },
5441 		.errstr = "invalid access to map value, value_size=48 off=4 size=45",
5442 		.result = REJECT,
5443 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5444 	},
5445 	{
5446 		"helper access to map: bounds check using <, good access",
5447 		.insns = {
5448 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5449 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5450 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5451 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5452 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5453 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5454 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5455 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5456 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5457 			BPF_MOV64_IMM(BPF_REG_0, 0),
5458 			BPF_EXIT_INSN(),
5459 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5460 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5461 			BPF_MOV64_IMM(BPF_REG_0, 0),
5462 			BPF_EXIT_INSN(),
5463 		},
5464 		.fixup_map2 = { 3 },
5465 		.result = ACCEPT,
5466 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5467 	},
5468 	{
5469 		"helper access to map: bounds check using <, bad access",
5470 		.insns = {
5471 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5472 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5473 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5474 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5475 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5476 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5477 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5478 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5479 			BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5480 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5481 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5482 			BPF_MOV64_IMM(BPF_REG_0, 0),
5483 			BPF_EXIT_INSN(),
5484 			BPF_MOV64_IMM(BPF_REG_0, 0),
5485 			BPF_EXIT_INSN(),
5486 		},
5487 		.fixup_map2 = { 3 },
5488 		.result = REJECT,
5489 		.errstr = "R1 unbounded memory access",
5490 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5491 	},
5492 	{
5493 		"helper access to map: bounds check using <=, good access",
5494 		.insns = {
5495 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5496 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5497 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5498 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5499 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5500 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5501 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5502 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5503 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5504 			BPF_MOV64_IMM(BPF_REG_0, 0),
5505 			BPF_EXIT_INSN(),
5506 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5507 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5508 			BPF_MOV64_IMM(BPF_REG_0, 0),
5509 			BPF_EXIT_INSN(),
5510 		},
5511 		.fixup_map2 = { 3 },
5512 		.result = ACCEPT,
5513 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5514 	},
5515 	{
5516 		"helper access to map: bounds check using <=, bad access",
5517 		.insns = {
5518 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5519 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5520 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5521 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5522 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5523 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5524 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5525 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5526 			BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5527 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5528 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5529 			BPF_MOV64_IMM(BPF_REG_0, 0),
5530 			BPF_EXIT_INSN(),
5531 			BPF_MOV64_IMM(BPF_REG_0, 0),
5532 			BPF_EXIT_INSN(),
5533 		},
5534 		.fixup_map2 = { 3 },
5535 		.result = REJECT,
5536 		.errstr = "R1 unbounded memory access",
5537 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5538 	},
5539 	{
5540 		"helper access to map: bounds check using s<, good access",
5541 		.insns = {
5542 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5543 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5544 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5545 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5546 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5547 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5548 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5549 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5550 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5551 			BPF_MOV64_IMM(BPF_REG_0, 0),
5552 			BPF_EXIT_INSN(),
5553 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5554 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5555 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5556 			BPF_MOV64_IMM(BPF_REG_0, 0),
5557 			BPF_EXIT_INSN(),
5558 		},
5559 		.fixup_map2 = { 3 },
5560 		.result = ACCEPT,
5561 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5562 	},
5563 	{
5564 		"helper access to map: bounds check using s<, good access 2",
5565 		.insns = {
5566 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5567 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5568 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5569 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5570 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5571 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5572 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5573 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5574 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5575 			BPF_MOV64_IMM(BPF_REG_0, 0),
5576 			BPF_EXIT_INSN(),
5577 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5578 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5579 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5580 			BPF_MOV64_IMM(BPF_REG_0, 0),
5581 			BPF_EXIT_INSN(),
5582 		},
5583 		.fixup_map2 = { 3 },
5584 		.result = ACCEPT,
5585 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5586 	},
5587 	{
5588 		"helper access to map: bounds check using s<, bad access",
5589 		.insns = {
5590 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5591 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5592 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5593 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5594 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5595 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5596 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5597 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5598 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5599 			BPF_MOV64_IMM(BPF_REG_0, 0),
5600 			BPF_EXIT_INSN(),
5601 			BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5602 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5603 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5604 			BPF_MOV64_IMM(BPF_REG_0, 0),
5605 			BPF_EXIT_INSN(),
5606 		},
5607 		.fixup_map2 = { 3 },
5608 		.result = REJECT,
5609 		.errstr = "R1 min value is negative",
5610 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5611 	},
5612 	{
5613 		"helper access to map: bounds check using s<=, good access",
5614 		.insns = {
5615 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5616 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5617 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5618 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5619 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5620 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5621 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5622 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5623 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5624 			BPF_MOV64_IMM(BPF_REG_0, 0),
5625 			BPF_EXIT_INSN(),
5626 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5627 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5628 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5629 			BPF_MOV64_IMM(BPF_REG_0, 0),
5630 			BPF_EXIT_INSN(),
5631 		},
5632 		.fixup_map2 = { 3 },
5633 		.result = ACCEPT,
5634 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5635 	},
5636 	{
5637 		"helper access to map: bounds check using s<=, good access 2",
5638 		.insns = {
5639 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5640 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5641 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5642 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5643 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5644 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5645 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5646 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5647 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5648 			BPF_MOV64_IMM(BPF_REG_0, 0),
5649 			BPF_EXIT_INSN(),
5650 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5651 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5652 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5653 			BPF_MOV64_IMM(BPF_REG_0, 0),
5654 			BPF_EXIT_INSN(),
5655 		},
5656 		.fixup_map2 = { 3 },
5657 		.result = ACCEPT,
5658 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5659 	},
5660 	{
5661 		"helper access to map: bounds check using s<=, bad access",
5662 		.insns = {
5663 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5664 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5665 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5666 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5667 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5668 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5669 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5670 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5671 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5672 			BPF_MOV64_IMM(BPF_REG_0, 0),
5673 			BPF_EXIT_INSN(),
5674 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5675 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5676 			BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5677 			BPF_MOV64_IMM(BPF_REG_0, 0),
5678 			BPF_EXIT_INSN(),
5679 		},
5680 		.fixup_map2 = { 3 },
5681 		.result = REJECT,
5682 		.errstr = "R1 min value is negative",
5683 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5684 	},
5685 	{
5686 		"map lookup helper access to map",
5687 		.insns = {
5688 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5689 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5690 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5691 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5692 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5693 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5694 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5695 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5696 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5697 			BPF_EXIT_INSN(),
5698 		},
5699 		.fixup_map3 = { 3, 8 },
5700 		.result = ACCEPT,
5701 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5702 	},
5703 	{
5704 		"map update helper access to map",
5705 		.insns = {
5706 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5707 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5708 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5709 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5710 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5711 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5712 			BPF_MOV64_IMM(BPF_REG_4, 0),
5713 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5714 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5715 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5716 			BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5717 			BPF_EXIT_INSN(),
5718 		},
5719 		.fixup_map3 = { 3, 10 },
5720 		.result = ACCEPT,
5721 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5722 	},
5723 	{
5724 		"map update helper access to map: wrong size",
5725 		.insns = {
5726 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5727 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5728 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5729 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5730 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5731 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5732 			BPF_MOV64_IMM(BPF_REG_4, 0),
5733 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5734 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5735 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5736 			BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5737 			BPF_EXIT_INSN(),
5738 		},
5739 		.fixup_map1 = { 3 },
5740 		.fixup_map3 = { 10 },
5741 		.result = REJECT,
5742 		.errstr = "invalid access to map value, value_size=8 off=0 size=16",
5743 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5744 	},
5745 	{
5746 		"map helper access to adjusted map (via const imm)",
5747 		.insns = {
5748 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5749 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5750 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5751 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5752 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5753 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5754 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5755 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
5756 				      offsetof(struct other_val, bar)),
5757 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5758 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5759 			BPF_EXIT_INSN(),
5760 		},
5761 		.fixup_map3 = { 3, 9 },
5762 		.result = ACCEPT,
5763 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5764 	},
5765 	{
5766 		"map helper access to adjusted map (via const imm): out-of-bound 1",
5767 		.insns = {
5768 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5769 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5770 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5771 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5772 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5773 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5774 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5775 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
5776 				      sizeof(struct other_val) - 4),
5777 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5778 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5779 			BPF_EXIT_INSN(),
5780 		},
5781 		.fixup_map3 = { 3, 9 },
5782 		.result = REJECT,
5783 		.errstr = "invalid access to map value, value_size=16 off=12 size=8",
5784 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5785 	},
5786 	{
5787 		"map helper access to adjusted map (via const imm): out-of-bound 2",
5788 		.insns = {
5789 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5790 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5791 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5792 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5793 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5794 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5795 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5796 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5797 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5798 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5799 			BPF_EXIT_INSN(),
5800 		},
5801 		.fixup_map3 = { 3, 9 },
5802 		.result = REJECT,
5803 		.errstr = "invalid access to map value, value_size=16 off=-4 size=8",
5804 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5805 	},
5806 	{
5807 		"map helper access to adjusted map (via const reg)",
5808 		.insns = {
5809 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5810 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5811 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5812 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5813 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5814 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5815 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5816 			BPF_MOV64_IMM(BPF_REG_3,
5817 				      offsetof(struct other_val, bar)),
5818 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5819 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5820 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5821 			BPF_EXIT_INSN(),
5822 		},
5823 		.fixup_map3 = { 3, 10 },
5824 		.result = ACCEPT,
5825 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5826 	},
5827 	{
5828 		"map helper access to adjusted map (via const reg): out-of-bound 1",
5829 		.insns = {
5830 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5831 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5832 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5833 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5834 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5835 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5836 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5837 			BPF_MOV64_IMM(BPF_REG_3,
5838 				      sizeof(struct other_val) - 4),
5839 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5840 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5841 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5842 			BPF_EXIT_INSN(),
5843 		},
5844 		.fixup_map3 = { 3, 10 },
5845 		.result = REJECT,
5846 		.errstr = "invalid access to map value, value_size=16 off=12 size=8",
5847 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5848 	},
5849 	{
5850 		"map helper access to adjusted map (via const reg): out-of-bound 2",
5851 		.insns = {
5852 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5853 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5854 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5855 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5856 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5857 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5858 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5859 			BPF_MOV64_IMM(BPF_REG_3, -4),
5860 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5861 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5862 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5863 			BPF_EXIT_INSN(),
5864 		},
5865 		.fixup_map3 = { 3, 10 },
5866 		.result = REJECT,
5867 		.errstr = "invalid access to map value, value_size=16 off=-4 size=8",
5868 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5869 	},
5870 	{
5871 		"map helper access to adjusted map (via variable)",
5872 		.insns = {
5873 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5874 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5875 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5876 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5877 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5878 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5879 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5880 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5881 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5882 				    offsetof(struct other_val, bar), 4),
5883 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5884 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5885 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5886 			BPF_EXIT_INSN(),
5887 		},
5888 		.fixup_map3 = { 3, 11 },
5889 		.result = ACCEPT,
5890 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5891 	},
5892 	{
5893 		"map helper access to adjusted map (via variable): no max check",
5894 		.insns = {
5895 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5896 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5897 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5898 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5899 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5900 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5901 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5902 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5903 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5904 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5905 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5906 			BPF_EXIT_INSN(),
5907 		},
5908 		.fixup_map3 = { 3, 10 },
5909 		.result = REJECT,
5910 		.errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
5911 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5912 	},
5913 	{
5914 		"map helper access to adjusted map (via variable): wrong max check",
5915 		.insns = {
5916 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5917 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5918 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5919 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5920 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5921 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5922 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5923 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5924 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5925 				    offsetof(struct other_val, bar) + 1, 4),
5926 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5927 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5928 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5929 			BPF_EXIT_INSN(),
5930 		},
5931 		.fixup_map3 = { 3, 11 },
5932 		.result = REJECT,
5933 		.errstr = "invalid access to map value, value_size=16 off=9 size=8",
5934 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
5935 	},
5936 	{
5937 		"map element value is preserved across register spilling",
5938 		.insns = {
5939 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5940 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5941 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5942 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5943 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5944 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5945 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
5946 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5947 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
5948 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5949 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5950 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5951 			BPF_EXIT_INSN(),
5952 		},
5953 		.fixup_map2 = { 3 },
5954 		.errstr_unpriv = "R0 leaks addr",
5955 		.result = ACCEPT,
5956 		.result_unpriv = REJECT,
5957 	},
5958 	{
5959 		"map element value or null is marked on register spilling",
5960 		.insns = {
5961 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5962 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5963 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5964 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5965 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5966 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5967 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
5968 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5969 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5970 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
5971 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
5972 			BPF_EXIT_INSN(),
5973 		},
5974 		.fixup_map2 = { 3 },
5975 		.errstr_unpriv = "R0 leaks addr",
5976 		.result = ACCEPT,
5977 		.result_unpriv = REJECT,
5978 	},
5979 	{
5980 		"map element value store of cleared call register",
5981 		.insns = {
5982 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5983 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5984 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5985 			BPF_LD_MAP_FD(BPF_REG_1, 0),
5986 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5987 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5988 			BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
5989 			BPF_EXIT_INSN(),
5990 		},
5991 		.fixup_map2 = { 3 },
5992 		.errstr_unpriv = "R1 !read_ok",
5993 		.errstr = "R1 !read_ok",
5994 		.result = REJECT,
5995 		.result_unpriv = REJECT,
5996 	},
5997 	{
5998 		"map element value with unaligned store",
5999 		.insns = {
6000 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6001 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6002 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6003 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6004 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6005 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
6006 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6007 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6008 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
6009 			BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
6010 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6011 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
6012 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
6013 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
6014 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
6015 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
6016 			BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
6017 			BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
6018 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
6019 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
6020 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
6021 			BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
6022 			BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
6023 			BPF_EXIT_INSN(),
6024 		},
6025 		.fixup_map2 = { 3 },
6026 		.errstr_unpriv = "R0 leaks addr",
6027 		.result = ACCEPT,
6028 		.result_unpriv = REJECT,
6029 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6030 	},
6031 	{
6032 		"map element value with unaligned load",
6033 		.insns = {
6034 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6035 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6036 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6037 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6038 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6039 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6040 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6041 			BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
6042 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6043 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6044 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
6045 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6046 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
6047 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
6048 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
6049 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6050 			BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
6051 			BPF_EXIT_INSN(),
6052 		},
6053 		.fixup_map2 = { 3 },
6054 		.errstr_unpriv = "R0 leaks addr",
6055 		.result = ACCEPT,
6056 		.result_unpriv = REJECT,
6057 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6058 	},
6059 	{
6060 		"map element value illegal alu op, 1",
6061 		.insns = {
6062 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6063 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6064 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6065 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6066 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6067 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6068 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
6069 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6070 			BPF_EXIT_INSN(),
6071 		},
6072 		.fixup_map2 = { 3 },
6073 		.errstr = "R0 bitwise operator &= on pointer",
6074 		.result = REJECT,
6075 	},
6076 	{
6077 		"map element value illegal alu op, 2",
6078 		.insns = {
6079 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6080 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6081 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6082 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6083 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6084 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6085 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
6086 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6087 			BPF_EXIT_INSN(),
6088 		},
6089 		.fixup_map2 = { 3 },
6090 		.errstr = "R0 32-bit pointer arithmetic prohibited",
6091 		.result = REJECT,
6092 	},
6093 	{
6094 		"map element value illegal alu op, 3",
6095 		.insns = {
6096 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6097 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6098 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6099 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6100 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6101 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6102 			BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
6103 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6104 			BPF_EXIT_INSN(),
6105 		},
6106 		.fixup_map2 = { 3 },
6107 		.errstr = "R0 pointer arithmetic with /= operator",
6108 		.result = REJECT,
6109 	},
6110 	{
6111 		"map element value illegal alu op, 4",
6112 		.insns = {
6113 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6114 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6115 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6116 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6117 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6118 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6119 			BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
6120 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6121 			BPF_EXIT_INSN(),
6122 		},
6123 		.fixup_map2 = { 3 },
6124 		.errstr_unpriv = "R0 pointer arithmetic prohibited",
6125 		.errstr = "invalid mem access 'inv'",
6126 		.result = REJECT,
6127 		.result_unpriv = REJECT,
6128 	},
6129 	{
6130 		"map element value illegal alu op, 5",
6131 		.insns = {
6132 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6133 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6134 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6135 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6136 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6137 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6138 			BPF_MOV64_IMM(BPF_REG_3, 4096),
6139 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6140 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6141 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6142 			BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
6143 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
6144 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6145 			BPF_EXIT_INSN(),
6146 		},
6147 		.fixup_map2 = { 3 },
6148 		.errstr = "R0 invalid mem access 'inv'",
6149 		.result = REJECT,
6150 	},
6151 	{
6152 		"map element value is preserved across register spilling",
6153 		.insns = {
6154 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6155 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6156 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6157 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6158 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6159 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6160 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
6161 				offsetof(struct test_val, foo)),
6162 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6163 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6164 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6165 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6166 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6167 			BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6168 			BPF_EXIT_INSN(),
6169 		},
6170 		.fixup_map2 = { 3 },
6171 		.errstr_unpriv = "R0 leaks addr",
6172 		.result = ACCEPT,
6173 		.result_unpriv = REJECT,
6174 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6175 	},
6176 	{
6177 		"helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
6178 		.insns = {
6179 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6180 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6181 			BPF_MOV64_IMM(BPF_REG_0, 0),
6182 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6183 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6184 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6185 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6186 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6187 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6188 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6189 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6190 			BPF_MOV64_IMM(BPF_REG_2, 16),
6191 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6192 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6193 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6194 			BPF_MOV64_IMM(BPF_REG_4, 0),
6195 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6196 			BPF_MOV64_IMM(BPF_REG_3, 0),
6197 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6198 			BPF_MOV64_IMM(BPF_REG_0, 0),
6199 			BPF_EXIT_INSN(),
6200 		},
6201 		.result = ACCEPT,
6202 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6203 	},
6204 	{
6205 		"helper access to variable memory: stack, bitwise AND, zero included",
6206 		.insns = {
6207 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6208 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6209 			BPF_MOV64_IMM(BPF_REG_2, 16),
6210 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6211 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6212 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6213 			BPF_MOV64_IMM(BPF_REG_3, 0),
6214 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6215 			BPF_EXIT_INSN(),
6216 		},
6217 		.errstr = "invalid indirect read from stack off -64+0 size 64",
6218 		.result = REJECT,
6219 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6220 	},
6221 	{
6222 		"helper access to variable memory: stack, bitwise AND + JMP, wrong max",
6223 		.insns = {
6224 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6225 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6226 			BPF_MOV64_IMM(BPF_REG_2, 16),
6227 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6228 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6229 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
6230 			BPF_MOV64_IMM(BPF_REG_4, 0),
6231 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6232 			BPF_MOV64_IMM(BPF_REG_3, 0),
6233 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6234 			BPF_MOV64_IMM(BPF_REG_0, 0),
6235 			BPF_EXIT_INSN(),
6236 		},
6237 		.errstr = "invalid stack type R1 off=-64 access_size=65",
6238 		.result = REJECT,
6239 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6240 	},
6241 	{
6242 		"helper access to variable memory: stack, JMP, correct bounds",
6243 		.insns = {
6244 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6245 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6246 			BPF_MOV64_IMM(BPF_REG_0, 0),
6247 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6248 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6249 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6250 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6251 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6252 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6253 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6254 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6255 			BPF_MOV64_IMM(BPF_REG_2, 16),
6256 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6257 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6258 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
6259 			BPF_MOV64_IMM(BPF_REG_4, 0),
6260 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6261 			BPF_MOV64_IMM(BPF_REG_3, 0),
6262 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6263 			BPF_MOV64_IMM(BPF_REG_0, 0),
6264 			BPF_EXIT_INSN(),
6265 		},
6266 		.result = ACCEPT,
6267 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6268 	},
6269 	{
6270 		"helper access to variable memory: stack, JMP (signed), correct bounds",
6271 		.insns = {
6272 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6273 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6274 			BPF_MOV64_IMM(BPF_REG_0, 0),
6275 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6276 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6277 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6278 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6279 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6280 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6281 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6282 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6283 			BPF_MOV64_IMM(BPF_REG_2, 16),
6284 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6285 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6286 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
6287 			BPF_MOV64_IMM(BPF_REG_4, 0),
6288 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6289 			BPF_MOV64_IMM(BPF_REG_3, 0),
6290 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6291 			BPF_MOV64_IMM(BPF_REG_0, 0),
6292 			BPF_EXIT_INSN(),
6293 		},
6294 		.result = ACCEPT,
6295 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6296 	},
6297 	{
6298 		"helper access to variable memory: stack, JMP, bounds + offset",
6299 		.insns = {
6300 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6301 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6302 			BPF_MOV64_IMM(BPF_REG_2, 16),
6303 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6304 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6305 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
6306 			BPF_MOV64_IMM(BPF_REG_4, 0),
6307 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
6308 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6309 			BPF_MOV64_IMM(BPF_REG_3, 0),
6310 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6311 			BPF_MOV64_IMM(BPF_REG_0, 0),
6312 			BPF_EXIT_INSN(),
6313 		},
6314 		.errstr = "invalid stack type R1 off=-64 access_size=65",
6315 		.result = REJECT,
6316 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6317 	},
6318 	{
6319 		"helper access to variable memory: stack, JMP, wrong max",
6320 		.insns = {
6321 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6322 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6323 			BPF_MOV64_IMM(BPF_REG_2, 16),
6324 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6325 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6326 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
6327 			BPF_MOV64_IMM(BPF_REG_4, 0),
6328 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6329 			BPF_MOV64_IMM(BPF_REG_3, 0),
6330 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6331 			BPF_MOV64_IMM(BPF_REG_0, 0),
6332 			BPF_EXIT_INSN(),
6333 		},
6334 		.errstr = "invalid stack type R1 off=-64 access_size=65",
6335 		.result = REJECT,
6336 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6337 	},
6338 	{
6339 		"helper access to variable memory: stack, JMP, no max check",
6340 		.insns = {
6341 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6342 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6343 			BPF_MOV64_IMM(BPF_REG_2, 16),
6344 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6345 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6346 			BPF_MOV64_IMM(BPF_REG_4, 0),
6347 			BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
6348 			BPF_MOV64_IMM(BPF_REG_3, 0),
6349 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6350 			BPF_MOV64_IMM(BPF_REG_0, 0),
6351 			BPF_EXIT_INSN(),
6352 		},
6353 		/* because max wasn't checked, signed min is negative */
6354 		.errstr = "R2 min value is negative, either use unsigned or 'var &= const'",
6355 		.result = REJECT,
6356 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6357 	},
6358 	{
6359 		"helper access to variable memory: stack, JMP, no min check",
6360 		.insns = {
6361 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6362 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6363 			BPF_MOV64_IMM(BPF_REG_2, 16),
6364 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6365 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6366 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
6367 			BPF_MOV64_IMM(BPF_REG_3, 0),
6368 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6369 			BPF_MOV64_IMM(BPF_REG_0, 0),
6370 			BPF_EXIT_INSN(),
6371 		},
6372 		.errstr = "invalid indirect read from stack off -64+0 size 64",
6373 		.result = REJECT,
6374 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6375 	},
6376 	{
6377 		"helper access to variable memory: stack, JMP (signed), no min check",
6378 		.insns = {
6379 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6380 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6381 			BPF_MOV64_IMM(BPF_REG_2, 16),
6382 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
6383 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
6384 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
6385 			BPF_MOV64_IMM(BPF_REG_3, 0),
6386 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6387 			BPF_MOV64_IMM(BPF_REG_0, 0),
6388 			BPF_EXIT_INSN(),
6389 		},
6390 		.errstr = "R2 min value is negative",
6391 		.result = REJECT,
6392 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6393 	},
6394 	{
6395 		"helper access to variable memory: map, JMP, correct bounds",
6396 		.insns = {
6397 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6398 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6399 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6400 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6401 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6402 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6403 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6404 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6405 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6406 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6407 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6408 				sizeof(struct test_val), 4),
6409 			BPF_MOV64_IMM(BPF_REG_4, 0),
6410 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6411 			BPF_MOV64_IMM(BPF_REG_3, 0),
6412 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6413 			BPF_MOV64_IMM(BPF_REG_0, 0),
6414 			BPF_EXIT_INSN(),
6415 		},
6416 		.fixup_map2 = { 3 },
6417 		.result = ACCEPT,
6418 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6419 	},
6420 	{
6421 		"helper access to variable memory: map, JMP, wrong max",
6422 		.insns = {
6423 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6424 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6425 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6426 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6427 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6428 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
6429 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6430 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6431 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6432 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6433 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6434 				sizeof(struct test_val) + 1, 4),
6435 			BPF_MOV64_IMM(BPF_REG_4, 0),
6436 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6437 			BPF_MOV64_IMM(BPF_REG_3, 0),
6438 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6439 			BPF_MOV64_IMM(BPF_REG_0, 0),
6440 			BPF_EXIT_INSN(),
6441 		},
6442 		.fixup_map2 = { 3 },
6443 		.errstr = "invalid access to map value, value_size=48 off=0 size=49",
6444 		.result = REJECT,
6445 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6446 	},
6447 	{
6448 		"helper access to variable memory: map adjusted, JMP, correct bounds",
6449 		.insns = {
6450 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6451 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6452 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6453 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6454 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6455 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6456 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6457 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6458 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6459 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6460 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6461 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6462 				sizeof(struct test_val) - 20, 4),
6463 			BPF_MOV64_IMM(BPF_REG_4, 0),
6464 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6465 			BPF_MOV64_IMM(BPF_REG_3, 0),
6466 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6467 			BPF_MOV64_IMM(BPF_REG_0, 0),
6468 			BPF_EXIT_INSN(),
6469 		},
6470 		.fixup_map2 = { 3 },
6471 		.result = ACCEPT,
6472 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6473 	},
6474 	{
6475 		"helper access to variable memory: map adjusted, JMP, wrong max",
6476 		.insns = {
6477 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6478 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6479 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6480 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6481 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6482 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6483 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6484 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
6485 			BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6486 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6487 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6488 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
6489 				sizeof(struct test_val) - 19, 4),
6490 			BPF_MOV64_IMM(BPF_REG_4, 0),
6491 			BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
6492 			BPF_MOV64_IMM(BPF_REG_3, 0),
6493 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6494 			BPF_MOV64_IMM(BPF_REG_0, 0),
6495 			BPF_EXIT_INSN(),
6496 		},
6497 		.fixup_map2 = { 3 },
6498 		.errstr = "R1 min value is outside of the array range",
6499 		.result = REJECT,
6500 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6501 	},
6502 	{
6503 		"helper access to variable memory: size = 0 allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6504 		.insns = {
6505 			BPF_MOV64_IMM(BPF_REG_1, 0),
6506 			BPF_MOV64_IMM(BPF_REG_2, 0),
6507 			BPF_MOV64_IMM(BPF_REG_3, 0),
6508 			BPF_MOV64_IMM(BPF_REG_4, 0),
6509 			BPF_MOV64_IMM(BPF_REG_5, 0),
6510 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6511 			BPF_EXIT_INSN(),
6512 		},
6513 		.result = ACCEPT,
6514 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6515 	},
6516 	{
6517 		"helper access to variable memory: size > 0 not allowed on NULL (ARG_PTR_TO_MEM_OR_NULL)",
6518 		.insns = {
6519 			BPF_MOV64_IMM(BPF_REG_1, 0),
6520 			BPF_MOV64_IMM(BPF_REG_2, 1),
6521 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6522 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6523 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
6524 			BPF_MOV64_IMM(BPF_REG_3, 0),
6525 			BPF_MOV64_IMM(BPF_REG_4, 0),
6526 			BPF_MOV64_IMM(BPF_REG_5, 0),
6527 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6528 			BPF_EXIT_INSN(),
6529 		},
6530 		.errstr = "R1 type=inv expected=fp",
6531 		.result = REJECT,
6532 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6533 	},
6534 	{
6535 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6536 		.insns = {
6537 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6538 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6539 			BPF_MOV64_IMM(BPF_REG_2, 0),
6540 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6541 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
6542 			BPF_MOV64_IMM(BPF_REG_3, 0),
6543 			BPF_MOV64_IMM(BPF_REG_4, 0),
6544 			BPF_MOV64_IMM(BPF_REG_5, 0),
6545 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6546 			BPF_EXIT_INSN(),
6547 		},
6548 		.result = ACCEPT,
6549 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6550 	},
6551 	{
6552 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6553 		.insns = {
6554 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6555 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6556 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6557 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6558 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6559 				     BPF_FUNC_map_lookup_elem),
6560 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6561 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6562 			BPF_MOV64_IMM(BPF_REG_2, 0),
6563 			BPF_MOV64_IMM(BPF_REG_3, 0),
6564 			BPF_MOV64_IMM(BPF_REG_4, 0),
6565 			BPF_MOV64_IMM(BPF_REG_5, 0),
6566 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6567 			BPF_EXIT_INSN(),
6568 		},
6569 		.fixup_map1 = { 3 },
6570 		.result = ACCEPT,
6571 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6572 	},
6573 	{
6574 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (ARG_PTR_TO_MEM_OR_NULL)",
6575 		.insns = {
6576 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6577 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6578 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6579 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6580 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6581 				     BPF_FUNC_map_lookup_elem),
6582 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
6583 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6584 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 7),
6585 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6586 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6587 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
6588 			BPF_MOV64_IMM(BPF_REG_3, 0),
6589 			BPF_MOV64_IMM(BPF_REG_4, 0),
6590 			BPF_MOV64_IMM(BPF_REG_5, 0),
6591 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6592 			BPF_EXIT_INSN(),
6593 		},
6594 		.fixup_map1 = { 3 },
6595 		.result = ACCEPT,
6596 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6597 	},
6598 	{
6599 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (ARG_PTR_TO_MEM_OR_NULL)",
6600 		.insns = {
6601 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6602 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6603 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6604 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6605 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6606 				     BPF_FUNC_map_lookup_elem),
6607 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6608 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6609 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6610 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6611 			BPF_MOV64_IMM(BPF_REG_3, 0),
6612 			BPF_MOV64_IMM(BPF_REG_4, 0),
6613 			BPF_MOV64_IMM(BPF_REG_5, 0),
6614 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6615 			BPF_EXIT_INSN(),
6616 		},
6617 		.fixup_map1 = { 3 },
6618 		.result = ACCEPT,
6619 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6620 	},
6621 	{
6622 		"helper access to variable memory: size possible = 0 allowed on != NULL packet pointer (ARG_PTR_TO_MEM_OR_NULL)",
6623 		.insns = {
6624 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
6625 				    offsetof(struct __sk_buff, data)),
6626 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
6627 				    offsetof(struct __sk_buff, data_end)),
6628 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),
6629 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
6630 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
6631 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6632 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6, 0),
6633 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6634 			BPF_MOV64_IMM(BPF_REG_3, 0),
6635 			BPF_MOV64_IMM(BPF_REG_4, 0),
6636 			BPF_MOV64_IMM(BPF_REG_5, 0),
6637 			BPF_EMIT_CALL(BPF_FUNC_csum_diff),
6638 			BPF_EXIT_INSN(),
6639 		},
6640 		.result = ACCEPT,
6641 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6642 		.retval = 0 /* csum_diff of 64-byte packet */,
6643 	},
6644 	{
6645 		"helper access to variable memory: size = 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6646 		.insns = {
6647 			BPF_MOV64_IMM(BPF_REG_1, 0),
6648 			BPF_MOV64_IMM(BPF_REG_2, 0),
6649 			BPF_MOV64_IMM(BPF_REG_3, 0),
6650 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6651 			BPF_EXIT_INSN(),
6652 		},
6653 		.errstr = "R1 type=inv expected=fp",
6654 		.result = REJECT,
6655 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6656 	},
6657 	{
6658 		"helper access to variable memory: size > 0 not allowed on NULL (!ARG_PTR_TO_MEM_OR_NULL)",
6659 		.insns = {
6660 			BPF_MOV64_IMM(BPF_REG_1, 0),
6661 			BPF_MOV64_IMM(BPF_REG_2, 1),
6662 			BPF_MOV64_IMM(BPF_REG_3, 0),
6663 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6664 			BPF_EXIT_INSN(),
6665 		},
6666 		.errstr = "R1 type=inv expected=fp",
6667 		.result = REJECT,
6668 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6669 	},
6670 	{
6671 		"helper access to variable memory: size = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6672 		.insns = {
6673 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6674 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6675 			BPF_MOV64_IMM(BPF_REG_2, 0),
6676 			BPF_MOV64_IMM(BPF_REG_3, 0),
6677 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6678 			BPF_EXIT_INSN(),
6679 		},
6680 		.result = ACCEPT,
6681 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6682 	},
6683 	{
6684 		"helper access to variable memory: size = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6685 		.insns = {
6686 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6687 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6688 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6689 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6690 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6691 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6692 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6693 			BPF_MOV64_IMM(BPF_REG_2, 0),
6694 			BPF_MOV64_IMM(BPF_REG_3, 0),
6695 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6696 			BPF_EXIT_INSN(),
6697 		},
6698 		.fixup_map1 = { 3 },
6699 		.result = ACCEPT,
6700 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6701 	},
6702 	{
6703 		"helper access to variable memory: size possible = 0 allowed on != NULL stack pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6704 		.insns = {
6705 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6706 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6707 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6708 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6709 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6710 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6711 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6712 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 4),
6713 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6714 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
6715 			BPF_MOV64_IMM(BPF_REG_3, 0),
6716 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6717 			BPF_EXIT_INSN(),
6718 		},
6719 		.fixup_map1 = { 3 },
6720 		.result = ACCEPT,
6721 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6722 	},
6723 	{
6724 		"helper access to variable memory: size possible = 0 allowed on != NULL map pointer (!ARG_PTR_TO_MEM_OR_NULL)",
6725 		.insns = {
6726 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6727 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6728 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6729 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6730 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6731 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6732 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6733 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
6734 			BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 8, 2),
6735 			BPF_MOV64_IMM(BPF_REG_3, 0),
6736 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6737 			BPF_EXIT_INSN(),
6738 		},
6739 		.fixup_map1 = { 3 },
6740 		.result = ACCEPT,
6741 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6742 	},
6743 	{
6744 		"helper access to variable memory: 8 bytes leak",
6745 		.insns = {
6746 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6747 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6748 			BPF_MOV64_IMM(BPF_REG_0, 0),
6749 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6750 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6751 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6752 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6753 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6754 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6755 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6756 			BPF_MOV64_IMM(BPF_REG_2, 1),
6757 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
6758 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
6759 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
6760 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
6761 			BPF_MOV64_IMM(BPF_REG_3, 0),
6762 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6763 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6764 			BPF_EXIT_INSN(),
6765 		},
6766 		.errstr = "invalid indirect read from stack off -64+32 size 64",
6767 		.result = REJECT,
6768 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6769 	},
6770 	{
6771 		"helper access to variable memory: 8 bytes no leak (init memory)",
6772 		.insns = {
6773 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6774 			BPF_MOV64_IMM(BPF_REG_0, 0),
6775 			BPF_MOV64_IMM(BPF_REG_0, 0),
6776 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
6777 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
6778 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
6779 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
6780 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
6781 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
6782 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
6783 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
6784 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
6785 			BPF_MOV64_IMM(BPF_REG_2, 0),
6786 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
6787 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
6788 			BPF_MOV64_IMM(BPF_REG_3, 0),
6789 			BPF_EMIT_CALL(BPF_FUNC_probe_read),
6790 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
6791 			BPF_EXIT_INSN(),
6792 		},
6793 		.result = ACCEPT,
6794 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
6795 	},
6796 	{
6797 		"invalid and of negative number",
6798 		.insns = {
6799 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6800 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6801 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6802 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6803 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6804 				     BPF_FUNC_map_lookup_elem),
6805 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6806 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
6807 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
6808 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
6809 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
6810 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
6811 				   offsetof(struct test_val, foo)),
6812 			BPF_EXIT_INSN(),
6813 		},
6814 		.fixup_map2 = { 3 },
6815 		.errstr = "R0 max value is outside of the array range",
6816 		.result = REJECT,
6817 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6818 	},
6819 	{
6820 		"invalid range check",
6821 		.insns = {
6822 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6823 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6824 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6825 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6826 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6827 				     BPF_FUNC_map_lookup_elem),
6828 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
6829 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6830 			BPF_MOV64_IMM(BPF_REG_9, 1),
6831 			BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
6832 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
6833 			BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
6834 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
6835 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
6836 			BPF_MOV32_IMM(BPF_REG_3, 1),
6837 			BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
6838 			BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
6839 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
6840 			BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
6841 			BPF_MOV64_REG(BPF_REG_0, 0),
6842 			BPF_EXIT_INSN(),
6843 		},
6844 		.fixup_map2 = { 3 },
6845 		.errstr = "R0 max value is outside of the array range",
6846 		.result = REJECT,
6847 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6848 	},
6849 	{
6850 		"map in map access",
6851 		.insns = {
6852 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6853 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6854 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6855 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6856 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6857 				     BPF_FUNC_map_lookup_elem),
6858 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6859 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6860 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6861 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6862 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6863 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6864 				     BPF_FUNC_map_lookup_elem),
6865 			BPF_MOV64_REG(BPF_REG_0, 0),
6866 			BPF_EXIT_INSN(),
6867 		},
6868 		.fixup_map_in_map = { 3 },
6869 		.result = ACCEPT,
6870 	},
6871 	{
6872 		"invalid inner map pointer",
6873 		.insns = {
6874 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6875 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6876 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6877 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6878 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6879 				     BPF_FUNC_map_lookup_elem),
6880 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6881 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6882 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6883 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6884 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6885 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
6886 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6887 				     BPF_FUNC_map_lookup_elem),
6888 			BPF_MOV64_REG(BPF_REG_0, 0),
6889 			BPF_EXIT_INSN(),
6890 		},
6891 		.fixup_map_in_map = { 3 },
6892 		.errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited",
6893 		.result = REJECT,
6894 	},
6895 	{
6896 		"forgot null checking on the inner map pointer",
6897 		.insns = {
6898 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6899 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6900 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6901 			BPF_LD_MAP_FD(BPF_REG_1, 0),
6902 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6903 				     BPF_FUNC_map_lookup_elem),
6904 			BPF_ST_MEM(0, BPF_REG_10, -4, 0),
6905 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6906 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6907 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6908 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6909 				     BPF_FUNC_map_lookup_elem),
6910 			BPF_MOV64_REG(BPF_REG_0, 0),
6911 			BPF_EXIT_INSN(),
6912 		},
6913 		.fixup_map_in_map = { 3 },
6914 		.errstr = "R1 type=map_value_or_null expected=map_ptr",
6915 		.result = REJECT,
6916 	},
6917 	{
6918 		"ld_abs: check calling conv, r1",
6919 		.insns = {
6920 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6921 			BPF_MOV64_IMM(BPF_REG_1, 0),
6922 			BPF_LD_ABS(BPF_W, -0x200000),
6923 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
6924 			BPF_EXIT_INSN(),
6925 		},
6926 		.errstr = "R1 !read_ok",
6927 		.result = REJECT,
6928 	},
6929 	{
6930 		"ld_abs: check calling conv, r2",
6931 		.insns = {
6932 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6933 			BPF_MOV64_IMM(BPF_REG_2, 0),
6934 			BPF_LD_ABS(BPF_W, -0x200000),
6935 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
6936 			BPF_EXIT_INSN(),
6937 		},
6938 		.errstr = "R2 !read_ok",
6939 		.result = REJECT,
6940 	},
6941 	{
6942 		"ld_abs: check calling conv, r3",
6943 		.insns = {
6944 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6945 			BPF_MOV64_IMM(BPF_REG_3, 0),
6946 			BPF_LD_ABS(BPF_W, -0x200000),
6947 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
6948 			BPF_EXIT_INSN(),
6949 		},
6950 		.errstr = "R3 !read_ok",
6951 		.result = REJECT,
6952 	},
6953 	{
6954 		"ld_abs: check calling conv, r4",
6955 		.insns = {
6956 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6957 			BPF_MOV64_IMM(BPF_REG_4, 0),
6958 			BPF_LD_ABS(BPF_W, -0x200000),
6959 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
6960 			BPF_EXIT_INSN(),
6961 		},
6962 		.errstr = "R4 !read_ok",
6963 		.result = REJECT,
6964 	},
6965 	{
6966 		"ld_abs: check calling conv, r5",
6967 		.insns = {
6968 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6969 			BPF_MOV64_IMM(BPF_REG_5, 0),
6970 			BPF_LD_ABS(BPF_W, -0x200000),
6971 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
6972 			BPF_EXIT_INSN(),
6973 		},
6974 		.errstr = "R5 !read_ok",
6975 		.result = REJECT,
6976 	},
6977 	{
6978 		"ld_abs: check calling conv, r7",
6979 		.insns = {
6980 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6981 			BPF_MOV64_IMM(BPF_REG_7, 0),
6982 			BPF_LD_ABS(BPF_W, -0x200000),
6983 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
6984 			BPF_EXIT_INSN(),
6985 		},
6986 		.result = ACCEPT,
6987 	},
6988 	{
6989 		"ld_abs: tests on r6 and skb data reload helper",
6990 		.insns = {
6991 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6992 			BPF_LD_ABS(BPF_B, 0),
6993 			BPF_LD_ABS(BPF_H, 0),
6994 			BPF_LD_ABS(BPF_W, 0),
6995 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
6996 			BPF_MOV64_IMM(BPF_REG_6, 0),
6997 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
6998 			BPF_MOV64_IMM(BPF_REG_2, 1),
6999 			BPF_MOV64_IMM(BPF_REG_3, 2),
7000 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7001 				     BPF_FUNC_skb_vlan_push),
7002 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
7003 			BPF_LD_ABS(BPF_B, 0),
7004 			BPF_LD_ABS(BPF_H, 0),
7005 			BPF_LD_ABS(BPF_W, 0),
7006 			BPF_MOV64_IMM(BPF_REG_0, 42),
7007 			BPF_EXIT_INSN(),
7008 		},
7009 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7010 		.result = ACCEPT,
7011 		.retval = 42 /* ultimate return value */,
7012 	},
7013 	{
7014 		"ld_ind: check calling conv, r1",
7015 		.insns = {
7016 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7017 			BPF_MOV64_IMM(BPF_REG_1, 1),
7018 			BPF_LD_IND(BPF_W, BPF_REG_1, -0x200000),
7019 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
7020 			BPF_EXIT_INSN(),
7021 		},
7022 		.errstr = "R1 !read_ok",
7023 		.result = REJECT,
7024 	},
7025 	{
7026 		"ld_ind: check calling conv, r2",
7027 		.insns = {
7028 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7029 			BPF_MOV64_IMM(BPF_REG_2, 1),
7030 			BPF_LD_IND(BPF_W, BPF_REG_2, -0x200000),
7031 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
7032 			BPF_EXIT_INSN(),
7033 		},
7034 		.errstr = "R2 !read_ok",
7035 		.result = REJECT,
7036 	},
7037 	{
7038 		"ld_ind: check calling conv, r3",
7039 		.insns = {
7040 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7041 			BPF_MOV64_IMM(BPF_REG_3, 1),
7042 			BPF_LD_IND(BPF_W, BPF_REG_3, -0x200000),
7043 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
7044 			BPF_EXIT_INSN(),
7045 		},
7046 		.errstr = "R3 !read_ok",
7047 		.result = REJECT,
7048 	},
7049 	{
7050 		"ld_ind: check calling conv, r4",
7051 		.insns = {
7052 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7053 			BPF_MOV64_IMM(BPF_REG_4, 1),
7054 			BPF_LD_IND(BPF_W, BPF_REG_4, -0x200000),
7055 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
7056 			BPF_EXIT_INSN(),
7057 		},
7058 		.errstr = "R4 !read_ok",
7059 		.result = REJECT,
7060 	},
7061 	{
7062 		"ld_ind: check calling conv, r5",
7063 		.insns = {
7064 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7065 			BPF_MOV64_IMM(BPF_REG_5, 1),
7066 			BPF_LD_IND(BPF_W, BPF_REG_5, -0x200000),
7067 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
7068 			BPF_EXIT_INSN(),
7069 		},
7070 		.errstr = "R5 !read_ok",
7071 		.result = REJECT,
7072 	},
7073 	{
7074 		"ld_ind: check calling conv, r7",
7075 		.insns = {
7076 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
7077 			BPF_MOV64_IMM(BPF_REG_7, 1),
7078 			BPF_LD_IND(BPF_W, BPF_REG_7, -0x200000),
7079 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
7080 			BPF_EXIT_INSN(),
7081 		},
7082 		.result = ACCEPT,
7083 		.retval = 1,
7084 	},
7085 	{
7086 		"check bpf_perf_event_data->sample_period byte load permitted",
7087 		.insns = {
7088 			BPF_MOV64_IMM(BPF_REG_0, 0),
7089 #if __BYTE_ORDER == __LITTLE_ENDIAN
7090 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7091 				    offsetof(struct bpf_perf_event_data, sample_period)),
7092 #else
7093 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
7094 				    offsetof(struct bpf_perf_event_data, sample_period) + 7),
7095 #endif
7096 			BPF_EXIT_INSN(),
7097 		},
7098 		.result = ACCEPT,
7099 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7100 	},
7101 	{
7102 		"check bpf_perf_event_data->sample_period half load permitted",
7103 		.insns = {
7104 			BPF_MOV64_IMM(BPF_REG_0, 0),
7105 #if __BYTE_ORDER == __LITTLE_ENDIAN
7106 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7107 				    offsetof(struct bpf_perf_event_data, sample_period)),
7108 #else
7109 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7110 				    offsetof(struct bpf_perf_event_data, sample_period) + 6),
7111 #endif
7112 			BPF_EXIT_INSN(),
7113 		},
7114 		.result = ACCEPT,
7115 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7116 	},
7117 	{
7118 		"check bpf_perf_event_data->sample_period word load permitted",
7119 		.insns = {
7120 			BPF_MOV64_IMM(BPF_REG_0, 0),
7121 #if __BYTE_ORDER == __LITTLE_ENDIAN
7122 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7123 				    offsetof(struct bpf_perf_event_data, sample_period)),
7124 #else
7125 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
7126 				    offsetof(struct bpf_perf_event_data, sample_period) + 4),
7127 #endif
7128 			BPF_EXIT_INSN(),
7129 		},
7130 		.result = ACCEPT,
7131 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7132 	},
7133 	{
7134 		"check bpf_perf_event_data->sample_period dword load permitted",
7135 		.insns = {
7136 			BPF_MOV64_IMM(BPF_REG_0, 0),
7137 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
7138 				    offsetof(struct bpf_perf_event_data, sample_period)),
7139 			BPF_EXIT_INSN(),
7140 		},
7141 		.result = ACCEPT,
7142 		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
7143 	},
7144 	{
7145 		"check skb->data half load not permitted",
7146 		.insns = {
7147 			BPF_MOV64_IMM(BPF_REG_0, 0),
7148 #if __BYTE_ORDER == __LITTLE_ENDIAN
7149 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7150 				    offsetof(struct __sk_buff, data)),
7151 #else
7152 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7153 				    offsetof(struct __sk_buff, data) + 2),
7154 #endif
7155 			BPF_EXIT_INSN(),
7156 		},
7157 		.result = REJECT,
7158 		.errstr = "invalid bpf_context access",
7159 	},
7160 	{
7161 		"check skb->tc_classid half load not permitted for lwt prog",
7162 		.insns = {
7163 			BPF_MOV64_IMM(BPF_REG_0, 0),
7164 #if __BYTE_ORDER == __LITTLE_ENDIAN
7165 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7166 				    offsetof(struct __sk_buff, tc_classid)),
7167 #else
7168 			BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
7169 				    offsetof(struct __sk_buff, tc_classid) + 2),
7170 #endif
7171 			BPF_EXIT_INSN(),
7172 		},
7173 		.result = REJECT,
7174 		.errstr = "invalid bpf_context access",
7175 		.prog_type = BPF_PROG_TYPE_LWT_IN,
7176 	},
7177 	{
7178 		"bounds checks mixing signed and unsigned, positive bounds",
7179 		.insns = {
7180 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7181 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7182 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7183 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7184 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7185 				     BPF_FUNC_map_lookup_elem),
7186 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7187 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7188 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7189 			BPF_MOV64_IMM(BPF_REG_2, 2),
7190 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 3),
7191 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 4, 2),
7192 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7193 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7194 			BPF_MOV64_IMM(BPF_REG_0, 0),
7195 			BPF_EXIT_INSN(),
7196 		},
7197 		.fixup_map1 = { 3 },
7198 		.errstr = "unbounded min value",
7199 		.result = REJECT,
7200 	},
7201 	{
7202 		"bounds checks mixing signed and unsigned",
7203 		.insns = {
7204 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7205 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7206 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7207 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7208 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7209 				     BPF_FUNC_map_lookup_elem),
7210 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7211 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7212 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7213 			BPF_MOV64_IMM(BPF_REG_2, -1),
7214 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7215 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7216 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7217 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7218 			BPF_MOV64_IMM(BPF_REG_0, 0),
7219 			BPF_EXIT_INSN(),
7220 		},
7221 		.fixup_map1 = { 3 },
7222 		.errstr = "unbounded min value",
7223 		.result = REJECT,
7224 	},
7225 	{
7226 		"bounds checks mixing signed and unsigned, variant 2",
7227 		.insns = {
7228 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7229 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7230 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7231 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7232 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7233 				     BPF_FUNC_map_lookup_elem),
7234 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7235 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7236 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7237 			BPF_MOV64_IMM(BPF_REG_2, -1),
7238 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7239 			BPF_MOV64_IMM(BPF_REG_8, 0),
7240 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_1),
7241 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7242 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7243 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7244 			BPF_MOV64_IMM(BPF_REG_0, 0),
7245 			BPF_EXIT_INSN(),
7246 		},
7247 		.fixup_map1 = { 3 },
7248 		.errstr = "unbounded min value",
7249 		.result = REJECT,
7250 	},
7251 	{
7252 		"bounds checks mixing signed and unsigned, variant 3",
7253 		.insns = {
7254 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7255 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7256 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7257 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7258 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7259 				     BPF_FUNC_map_lookup_elem),
7260 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7261 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7262 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7263 			BPF_MOV64_IMM(BPF_REG_2, -1),
7264 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 4),
7265 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
7266 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 1, 2),
7267 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
7268 			BPF_ST_MEM(BPF_B, BPF_REG_8, 0, 0),
7269 			BPF_MOV64_IMM(BPF_REG_0, 0),
7270 			BPF_EXIT_INSN(),
7271 		},
7272 		.fixup_map1 = { 3 },
7273 		.errstr = "unbounded min value",
7274 		.result = REJECT,
7275 	},
7276 	{
7277 		"bounds checks mixing signed and unsigned, variant 4",
7278 		.insns = {
7279 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7280 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7281 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7282 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7283 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7284 				     BPF_FUNC_map_lookup_elem),
7285 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7286 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7287 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7288 			BPF_MOV64_IMM(BPF_REG_2, 1),
7289 			BPF_ALU64_REG(BPF_AND, BPF_REG_1, BPF_REG_2),
7290 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7291 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7292 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7293 			BPF_MOV64_IMM(BPF_REG_0, 0),
7294 			BPF_EXIT_INSN(),
7295 		},
7296 		.fixup_map1 = { 3 },
7297 		.result = ACCEPT,
7298 	},
7299 	{
7300 		"bounds checks mixing signed and unsigned, variant 5",
7301 		.insns = {
7302 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7303 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7304 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7305 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7306 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7307 				     BPF_FUNC_map_lookup_elem),
7308 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7309 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7310 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7311 			BPF_MOV64_IMM(BPF_REG_2, -1),
7312 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 5),
7313 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 4),
7314 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 4),
7315 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
7316 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7317 			BPF_MOV64_IMM(BPF_REG_0, 0),
7318 			BPF_EXIT_INSN(),
7319 		},
7320 		.fixup_map1 = { 3 },
7321 		.errstr = "unbounded min value",
7322 		.result = REJECT,
7323 	},
7324 	{
7325 		"bounds checks mixing signed and unsigned, variant 6",
7326 		.insns = {
7327 			BPF_MOV64_IMM(BPF_REG_2, 0),
7328 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_10),
7329 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, -512),
7330 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7331 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -16),
7332 			BPF_MOV64_IMM(BPF_REG_6, -1),
7333 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_6, 5),
7334 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_4, 1, 4),
7335 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
7336 			BPF_MOV64_IMM(BPF_REG_5, 0),
7337 			BPF_ST_MEM(BPF_H, BPF_REG_10, -512, 0),
7338 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7339 				     BPF_FUNC_skb_load_bytes),
7340 			BPF_MOV64_IMM(BPF_REG_0, 0),
7341 			BPF_EXIT_INSN(),
7342 		},
7343 		.errstr = "R4 min value is negative, either use unsigned",
7344 		.result = REJECT,
7345 	},
7346 	{
7347 		"bounds checks mixing signed and unsigned, variant 7",
7348 		.insns = {
7349 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7350 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7351 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7352 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7353 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7354 				     BPF_FUNC_map_lookup_elem),
7355 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
7356 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7357 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7358 			BPF_MOV64_IMM(BPF_REG_2, 1024 * 1024 * 1024),
7359 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 3),
7360 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7361 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7362 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7363 			BPF_MOV64_IMM(BPF_REG_0, 0),
7364 			BPF_EXIT_INSN(),
7365 		},
7366 		.fixup_map1 = { 3 },
7367 		.result = ACCEPT,
7368 	},
7369 	{
7370 		"bounds checks mixing signed and unsigned, variant 8",
7371 		.insns = {
7372 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7373 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7374 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7375 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7376 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7377 				     BPF_FUNC_map_lookup_elem),
7378 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7379 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7380 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7381 			BPF_MOV64_IMM(BPF_REG_2, -1),
7382 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7383 			BPF_MOV64_IMM(BPF_REG_0, 0),
7384 			BPF_EXIT_INSN(),
7385 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7386 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7387 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7388 			BPF_MOV64_IMM(BPF_REG_0, 0),
7389 			BPF_EXIT_INSN(),
7390 		},
7391 		.fixup_map1 = { 3 },
7392 		.errstr = "unbounded min value",
7393 		.result = REJECT,
7394 	},
7395 	{
7396 		"bounds checks mixing signed and unsigned, variant 9",
7397 		.insns = {
7398 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7399 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7400 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7401 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7402 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7403 				     BPF_FUNC_map_lookup_elem),
7404 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
7405 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7406 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7407 			BPF_LD_IMM64(BPF_REG_2, -9223372036854775808ULL),
7408 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7409 			BPF_MOV64_IMM(BPF_REG_0, 0),
7410 			BPF_EXIT_INSN(),
7411 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7412 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7413 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7414 			BPF_MOV64_IMM(BPF_REG_0, 0),
7415 			BPF_EXIT_INSN(),
7416 		},
7417 		.fixup_map1 = { 3 },
7418 		.result = ACCEPT,
7419 	},
7420 	{
7421 		"bounds checks mixing signed and unsigned, variant 10",
7422 		.insns = {
7423 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7424 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7425 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7426 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7427 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7428 				     BPF_FUNC_map_lookup_elem),
7429 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7430 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7431 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7432 			BPF_MOV64_IMM(BPF_REG_2, 0),
7433 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 2),
7434 			BPF_MOV64_IMM(BPF_REG_0, 0),
7435 			BPF_EXIT_INSN(),
7436 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7437 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7438 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7439 			BPF_MOV64_IMM(BPF_REG_0, 0),
7440 			BPF_EXIT_INSN(),
7441 		},
7442 		.fixup_map1 = { 3 },
7443 		.errstr = "unbounded min value",
7444 		.result = REJECT,
7445 	},
7446 	{
7447 		"bounds checks mixing signed and unsigned, variant 11",
7448 		.insns = {
7449 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7450 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7451 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7452 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7453 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7454 				     BPF_FUNC_map_lookup_elem),
7455 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7456 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7457 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7458 			BPF_MOV64_IMM(BPF_REG_2, -1),
7459 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7460 			/* Dead branch. */
7461 			BPF_MOV64_IMM(BPF_REG_0, 0),
7462 			BPF_EXIT_INSN(),
7463 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7464 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7465 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7466 			BPF_MOV64_IMM(BPF_REG_0, 0),
7467 			BPF_EXIT_INSN(),
7468 		},
7469 		.fixup_map1 = { 3 },
7470 		.errstr = "unbounded min value",
7471 		.result = REJECT,
7472 	},
7473 	{
7474 		"bounds checks mixing signed and unsigned, variant 12",
7475 		.insns = {
7476 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7477 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7478 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7479 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7480 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7481 				     BPF_FUNC_map_lookup_elem),
7482 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7483 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7484 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7485 			BPF_MOV64_IMM(BPF_REG_2, -6),
7486 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7487 			BPF_MOV64_IMM(BPF_REG_0, 0),
7488 			BPF_EXIT_INSN(),
7489 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7490 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7491 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7492 			BPF_MOV64_IMM(BPF_REG_0, 0),
7493 			BPF_EXIT_INSN(),
7494 		},
7495 		.fixup_map1 = { 3 },
7496 		.errstr = "unbounded min value",
7497 		.result = REJECT,
7498 	},
7499 	{
7500 		"bounds checks mixing signed and unsigned, variant 13",
7501 		.insns = {
7502 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7503 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7504 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7505 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7506 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7507 				     BPF_FUNC_map_lookup_elem),
7508 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7509 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7510 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7511 			BPF_MOV64_IMM(BPF_REG_2, 2),
7512 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7513 			BPF_MOV64_IMM(BPF_REG_7, 1),
7514 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 0, 2),
7515 			BPF_MOV64_IMM(BPF_REG_0, 0),
7516 			BPF_EXIT_INSN(),
7517 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_1),
7518 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_7, 4, 2),
7519 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_7),
7520 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7521 			BPF_MOV64_IMM(BPF_REG_0, 0),
7522 			BPF_EXIT_INSN(),
7523 		},
7524 		.fixup_map1 = { 3 },
7525 		.errstr = "unbounded min value",
7526 		.result = REJECT,
7527 	},
7528 	{
7529 		"bounds checks mixing signed and unsigned, variant 14",
7530 		.insns = {
7531 			BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
7532 				    offsetof(struct __sk_buff, mark)),
7533 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7534 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7535 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7536 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7537 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7538 				     BPF_FUNC_map_lookup_elem),
7539 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7540 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7541 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7542 			BPF_MOV64_IMM(BPF_REG_2, -1),
7543 			BPF_MOV64_IMM(BPF_REG_8, 2),
7544 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_9, 42, 6),
7545 			BPF_JMP_REG(BPF_JSGT, BPF_REG_8, BPF_REG_1, 3),
7546 			BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 1, 2),
7547 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7548 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7549 			BPF_MOV64_IMM(BPF_REG_0, 0),
7550 			BPF_EXIT_INSN(),
7551 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, -3),
7552 			BPF_JMP_IMM(BPF_JA, 0, 0, -7),
7553 		},
7554 		.fixup_map1 = { 4 },
7555 		.errstr = "R0 invalid mem access 'inv'",
7556 		.result = REJECT,
7557 	},
7558 	{
7559 		"bounds checks mixing signed and unsigned, variant 15",
7560 		.insns = {
7561 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7562 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7563 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7564 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7565 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7566 				     BPF_FUNC_map_lookup_elem),
7567 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7568 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, -8),
7569 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
7570 			BPF_MOV64_IMM(BPF_REG_2, -6),
7571 			BPF_JMP_REG(BPF_JGE, BPF_REG_2, BPF_REG_1, 2),
7572 			BPF_MOV64_IMM(BPF_REG_0, 0),
7573 			BPF_EXIT_INSN(),
7574 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7575 			BPF_JMP_IMM(BPF_JGT, BPF_REG_0, 1, 2),
7576 			BPF_MOV64_IMM(BPF_REG_0, 0),
7577 			BPF_EXIT_INSN(),
7578 			BPF_ST_MEM(BPF_B, BPF_REG_0, 0, 0),
7579 			BPF_MOV64_IMM(BPF_REG_0, 0),
7580 			BPF_EXIT_INSN(),
7581 		},
7582 		.fixup_map1 = { 3 },
7583 		.errstr = "unbounded min value",
7584 		.result = REJECT,
7585 		.result_unpriv = REJECT,
7586 	},
7587 	{
7588 		"subtraction bounds (map value) variant 1",
7589 		.insns = {
7590 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7591 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7592 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7593 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7594 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7595 				     BPF_FUNC_map_lookup_elem),
7596 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7597 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7598 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 7),
7599 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7600 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 5),
7601 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7602 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 56),
7603 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7604 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7605 			BPF_EXIT_INSN(),
7606 			BPF_MOV64_IMM(BPF_REG_0, 0),
7607 			BPF_EXIT_INSN(),
7608 		},
7609 		.fixup_map1 = { 3 },
7610 		.errstr = "R0 max value is outside of the array range",
7611 		.result = REJECT,
7612 	},
7613 	{
7614 		"subtraction bounds (map value) variant 2",
7615 		.insns = {
7616 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7617 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7618 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7619 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7620 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7621 				     BPF_FUNC_map_lookup_elem),
7622 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
7623 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7624 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 0xff, 6),
7625 			BPF_LDX_MEM(BPF_B, BPF_REG_3, BPF_REG_0, 1),
7626 			BPF_JMP_IMM(BPF_JGT, BPF_REG_3, 0xff, 4),
7627 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_3),
7628 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7629 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7630 			BPF_EXIT_INSN(),
7631 			BPF_MOV64_IMM(BPF_REG_0, 0),
7632 			BPF_EXIT_INSN(),
7633 		},
7634 		.fixup_map1 = { 3 },
7635 		.errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
7636 		.result = REJECT,
7637 	},
7638 	{
7639 		"bounds check based on zero-extended MOV",
7640 		.insns = {
7641 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7642 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7643 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7644 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7645 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7646 				     BPF_FUNC_map_lookup_elem),
7647 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7648 			/* r2 = 0x0000'0000'ffff'ffff */
7649 			BPF_MOV32_IMM(BPF_REG_2, 0xffffffff),
7650 			/* r2 = 0 */
7651 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7652 			/* no-op */
7653 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7654 			/* access at offset 0 */
7655 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7656 			/* exit */
7657 			BPF_MOV64_IMM(BPF_REG_0, 0),
7658 			BPF_EXIT_INSN(),
7659 		},
7660 		.fixup_map1 = { 3 },
7661 		.result = ACCEPT
7662 	},
7663 	{
7664 		"bounds check based on sign-extended MOV. test1",
7665 		.insns = {
7666 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7667 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7668 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7669 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7670 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7671 				     BPF_FUNC_map_lookup_elem),
7672 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7673 			/* r2 = 0xffff'ffff'ffff'ffff */
7674 			BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7675 			/* r2 = 0xffff'ffff */
7676 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 32),
7677 			/* r0 = <oob pointer> */
7678 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7679 			/* access to OOB pointer */
7680 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7681 			/* exit */
7682 			BPF_MOV64_IMM(BPF_REG_0, 0),
7683 			BPF_EXIT_INSN(),
7684 		},
7685 		.fixup_map1 = { 3 },
7686 		.errstr = "map_value pointer and 4294967295",
7687 		.result = REJECT
7688 	},
7689 	{
7690 		"bounds check based on sign-extended MOV. test2",
7691 		.insns = {
7692 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7693 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7694 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7695 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7696 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7697 				     BPF_FUNC_map_lookup_elem),
7698 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7699 			/* r2 = 0xffff'ffff'ffff'ffff */
7700 			BPF_MOV64_IMM(BPF_REG_2, 0xffffffff),
7701 			/* r2 = 0xfff'ffff */
7702 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 36),
7703 			/* r0 = <oob pointer> */
7704 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
7705 			/* access to OOB pointer */
7706 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7707 			/* exit */
7708 			BPF_MOV64_IMM(BPF_REG_0, 0),
7709 			BPF_EXIT_INSN(),
7710 		},
7711 		.fixup_map1 = { 3 },
7712 		.errstr = "R0 min value is outside of the array range",
7713 		.result = REJECT
7714 	},
7715 	{
7716 		"bounds check based on reg_off + var_off + insn_off. test1",
7717 		.insns = {
7718 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7719 				    offsetof(struct __sk_buff, mark)),
7720 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7721 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7722 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7723 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7724 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7725 				     BPF_FUNC_map_lookup_elem),
7726 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7727 			BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7728 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 29) - 1),
7729 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7730 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7731 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7732 			BPF_MOV64_IMM(BPF_REG_0, 0),
7733 			BPF_EXIT_INSN(),
7734 		},
7735 		.fixup_map1 = { 4 },
7736 		.errstr = "value_size=8 off=1073741825",
7737 		.result = REJECT,
7738 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7739 	},
7740 	{
7741 		"bounds check based on reg_off + var_off + insn_off. test2",
7742 		.insns = {
7743 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
7744 				    offsetof(struct __sk_buff, mark)),
7745 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7746 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7747 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7748 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7749 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7750 				     BPF_FUNC_map_lookup_elem),
7751 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
7752 			BPF_ALU64_IMM(BPF_AND, BPF_REG_6, 1),
7753 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, (1 << 30) - 1),
7754 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_6),
7755 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, (1 << 29) - 1),
7756 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 3),
7757 			BPF_MOV64_IMM(BPF_REG_0, 0),
7758 			BPF_EXIT_INSN(),
7759 		},
7760 		.fixup_map1 = { 4 },
7761 		.errstr = "value 1073741823",
7762 		.result = REJECT,
7763 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
7764 	},
7765 	{
7766 		"bounds check after truncation of non-boundary-crossing range",
7767 		.insns = {
7768 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7769 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7770 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7771 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7772 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7773 				     BPF_FUNC_map_lookup_elem),
7774 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7775 			/* r1 = [0x00, 0xff] */
7776 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7777 			BPF_MOV64_IMM(BPF_REG_2, 1),
7778 			/* r2 = 0x10'0000'0000 */
7779 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 36),
7780 			/* r1 = [0x10'0000'0000, 0x10'0000'00ff] */
7781 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
7782 			/* r1 = [0x10'7fff'ffff, 0x10'8000'00fe] */
7783 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7784 			/* r1 = [0x00, 0xff] */
7785 			BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 0x7fffffff),
7786 			/* r1 = 0 */
7787 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7788 			/* no-op */
7789 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7790 			/* access at offset 0 */
7791 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7792 			/* exit */
7793 			BPF_MOV64_IMM(BPF_REG_0, 0),
7794 			BPF_EXIT_INSN(),
7795 		},
7796 		.fixup_map1 = { 3 },
7797 		.result = ACCEPT
7798 	},
7799 	{
7800 		"bounds check after truncation of boundary-crossing range (1)",
7801 		.insns = {
7802 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7803 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7804 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7805 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7806 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7807 				     BPF_FUNC_map_lookup_elem),
7808 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7809 			/* r1 = [0x00, 0xff] */
7810 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7811 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7812 			/* r1 = [0xffff'ff80, 0x1'0000'007f] */
7813 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7814 			/* r1 = [0xffff'ff80, 0xffff'ffff] or
7815 			 *      [0x0000'0000, 0x0000'007f]
7816 			 */
7817 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 0),
7818 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7819 			/* r1 = [0x00, 0xff] or
7820 			 *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7821 			 */
7822 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7823 			/* r1 = 0 or
7824 			 *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7825 			 */
7826 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7827 			/* no-op or OOB pointer computation */
7828 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7829 			/* potentially OOB access */
7830 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7831 			/* exit */
7832 			BPF_MOV64_IMM(BPF_REG_0, 0),
7833 			BPF_EXIT_INSN(),
7834 		},
7835 		.fixup_map1 = { 3 },
7836 		/* not actually fully unbounded, but the bound is very high */
7837 		.errstr = "R0 unbounded memory access",
7838 		.result = REJECT
7839 	},
7840 	{
7841 		"bounds check after truncation of boundary-crossing range (2)",
7842 		.insns = {
7843 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7844 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7845 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7846 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7847 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7848 				     BPF_FUNC_map_lookup_elem),
7849 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
7850 			/* r1 = [0x00, 0xff] */
7851 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7852 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7853 			/* r1 = [0xffff'ff80, 0x1'0000'007f] */
7854 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0xffffff80 >> 1),
7855 			/* r1 = [0xffff'ff80, 0xffff'ffff] or
7856 			 *      [0x0000'0000, 0x0000'007f]
7857 			 * difference to previous test: truncation via MOV32
7858 			 * instead of ALU32.
7859 			 */
7860 			BPF_MOV32_REG(BPF_REG_1, BPF_REG_1),
7861 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7862 			/* r1 = [0x00, 0xff] or
7863 			 *      [0xffff'ffff'0000'0080, 0xffff'ffff'ffff'ffff]
7864 			 */
7865 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 0xffffff80 >> 1),
7866 			/* r1 = 0 or
7867 			 *      [0x00ff'ffff'ff00'0000, 0x00ff'ffff'ffff'ffff]
7868 			 */
7869 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7870 			/* no-op or OOB pointer computation */
7871 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7872 			/* potentially OOB access */
7873 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7874 			/* exit */
7875 			BPF_MOV64_IMM(BPF_REG_0, 0),
7876 			BPF_EXIT_INSN(),
7877 		},
7878 		.fixup_map1 = { 3 },
7879 		/* not actually fully unbounded, but the bound is very high */
7880 		.errstr = "R0 unbounded memory access",
7881 		.result = REJECT
7882 	},
7883 	{
7884 		"bounds check after wrapping 32-bit addition",
7885 		.insns = {
7886 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7887 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7888 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7889 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7890 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7891 				     BPF_FUNC_map_lookup_elem),
7892 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
7893 			/* r1 = 0x7fff'ffff */
7894 			BPF_MOV64_IMM(BPF_REG_1, 0x7fffffff),
7895 			/* r1 = 0xffff'fffe */
7896 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
7897 			/* r1 = 0 */
7898 			BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 2),
7899 			/* no-op */
7900 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7901 			/* access at offset 0 */
7902 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7903 			/* exit */
7904 			BPF_MOV64_IMM(BPF_REG_0, 0),
7905 			BPF_EXIT_INSN(),
7906 		},
7907 		.fixup_map1 = { 3 },
7908 		.result = ACCEPT
7909 	},
7910 	{
7911 		"bounds check after shift with oversized count operand",
7912 		.insns = {
7913 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7914 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7915 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7916 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7917 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7918 				     BPF_FUNC_map_lookup_elem),
7919 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7920 			BPF_MOV64_IMM(BPF_REG_2, 32),
7921 			BPF_MOV64_IMM(BPF_REG_1, 1),
7922 			/* r1 = (u32)1 << (u32)32 = ? */
7923 			BPF_ALU32_REG(BPF_LSH, BPF_REG_1, BPF_REG_2),
7924 			/* r1 = [0x0000, 0xffff] */
7925 			BPF_ALU64_IMM(BPF_AND, BPF_REG_1, 0xffff),
7926 			/* computes unknown pointer, potentially OOB */
7927 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7928 			/* potentially OOB access */
7929 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7930 			/* exit */
7931 			BPF_MOV64_IMM(BPF_REG_0, 0),
7932 			BPF_EXIT_INSN(),
7933 		},
7934 		.fixup_map1 = { 3 },
7935 		.errstr = "R0 max value is outside of the array range",
7936 		.result = REJECT
7937 	},
7938 	{
7939 		"bounds check after right shift of maybe-negative number",
7940 		.insns = {
7941 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7942 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7943 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7944 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7945 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7946 				     BPF_FUNC_map_lookup_elem),
7947 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
7948 			/* r1 = [0x00, 0xff] */
7949 			BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
7950 			/* r1 = [-0x01, 0xfe] */
7951 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 1),
7952 			/* r1 = 0 or 0xff'ffff'ffff'ffff */
7953 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7954 			/* r1 = 0 or 0xffff'ffff'ffff */
7955 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 8),
7956 			/* computes unknown pointer, potentially OOB */
7957 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
7958 			/* potentially OOB access */
7959 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
7960 			/* exit */
7961 			BPF_MOV64_IMM(BPF_REG_0, 0),
7962 			BPF_EXIT_INSN(),
7963 		},
7964 		.fixup_map1 = { 3 },
7965 		.errstr = "R0 unbounded memory access",
7966 		.result = REJECT
7967 	},
7968 	{
7969 		"bounds check map access with off+size signed 32bit overflow. test1",
7970 		.insns = {
7971 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7972 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7973 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7974 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7975 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7976 				     BPF_FUNC_map_lookup_elem),
7977 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7978 			BPF_EXIT_INSN(),
7979 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7ffffffe),
7980 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
7981 			BPF_JMP_A(0),
7982 			BPF_EXIT_INSN(),
7983 		},
7984 		.fixup_map1 = { 3 },
7985 		.errstr = "map_value pointer and 2147483646",
7986 		.result = REJECT
7987 	},
7988 	{
7989 		"bounds check map access with off+size signed 32bit overflow. test2",
7990 		.insns = {
7991 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
7992 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
7993 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
7994 			BPF_LD_MAP_FD(BPF_REG_1, 0),
7995 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
7996 				     BPF_FUNC_map_lookup_elem),
7997 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
7998 			BPF_EXIT_INSN(),
7999 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8000 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8001 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x1fffffff),
8002 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8003 			BPF_JMP_A(0),
8004 			BPF_EXIT_INSN(),
8005 		},
8006 		.fixup_map1 = { 3 },
8007 		.errstr = "pointer offset 1073741822",
8008 		.result = REJECT
8009 	},
8010 	{
8011 		"bounds check map access with off+size signed 32bit overflow. test3",
8012 		.insns = {
8013 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8014 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8015 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8016 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8017 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8018 				     BPF_FUNC_map_lookup_elem),
8019 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8020 			BPF_EXIT_INSN(),
8021 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8022 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 0x1fffffff),
8023 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8024 			BPF_JMP_A(0),
8025 			BPF_EXIT_INSN(),
8026 		},
8027 		.fixup_map1 = { 3 },
8028 		.errstr = "pointer offset -1073741822",
8029 		.result = REJECT
8030 	},
8031 	{
8032 		"bounds check map access with off+size signed 32bit overflow. test4",
8033 		.insns = {
8034 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8035 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8036 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8037 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8038 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8039 				     BPF_FUNC_map_lookup_elem),
8040 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
8041 			BPF_EXIT_INSN(),
8042 			BPF_MOV64_IMM(BPF_REG_1, 1000000),
8043 			BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 1000000),
8044 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8045 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 2),
8046 			BPF_JMP_A(0),
8047 			BPF_EXIT_INSN(),
8048 		},
8049 		.fixup_map1 = { 3 },
8050 		.errstr = "map_value pointer and 1000000000000",
8051 		.result = REJECT
8052 	},
8053 	{
8054 		"pointer/scalar confusion in state equality check (way 1)",
8055 		.insns = {
8056 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8057 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8058 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8059 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8060 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8061 				     BPF_FUNC_map_lookup_elem),
8062 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
8063 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8064 			BPF_JMP_A(1),
8065 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8066 			BPF_JMP_A(0),
8067 			BPF_EXIT_INSN(),
8068 		},
8069 		.fixup_map1 = { 3 },
8070 		.result = ACCEPT,
8071 		.retval = POINTER_VALUE,
8072 		.result_unpriv = REJECT,
8073 		.errstr_unpriv = "R0 leaks addr as return value"
8074 	},
8075 	{
8076 		"pointer/scalar confusion in state equality check (way 2)",
8077 		.insns = {
8078 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8079 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8080 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8081 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8082 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8083 				     BPF_FUNC_map_lookup_elem),
8084 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
8085 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
8086 			BPF_JMP_A(1),
8087 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
8088 			BPF_EXIT_INSN(),
8089 		},
8090 		.fixup_map1 = { 3 },
8091 		.result = ACCEPT,
8092 		.retval = POINTER_VALUE,
8093 		.result_unpriv = REJECT,
8094 		.errstr_unpriv = "R0 leaks addr as return value"
8095 	},
8096 	{
8097 		"variable-offset ctx access",
8098 		.insns = {
8099 			/* Get an unknown value */
8100 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8101 			/* Make it small and 4-byte aligned */
8102 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8103 			/* add it to skb.  We now have either &skb->len or
8104 			 * &skb->pkt_type, but we don't know which
8105 			 */
8106 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
8107 			/* dereference it */
8108 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
8109 			BPF_EXIT_INSN(),
8110 		},
8111 		.errstr = "variable ctx access var_off=(0x0; 0x4)",
8112 		.result = REJECT,
8113 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8114 	},
8115 	{
8116 		"variable-offset stack access",
8117 		.insns = {
8118 			/* Fill the top 8 bytes of the stack */
8119 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8120 			/* Get an unknown value */
8121 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8122 			/* Make it small and 4-byte aligned */
8123 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8124 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8125 			/* add it to fp.  We now have either fp-4 or fp-8, but
8126 			 * we don't know which
8127 			 */
8128 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8129 			/* dereference it */
8130 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 0),
8131 			BPF_EXIT_INSN(),
8132 		},
8133 		.errstr = "variable stack access var_off=(0xfffffffffffffff8; 0x4)",
8134 		.result = REJECT,
8135 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8136 	},
8137 	{
8138 		"indirect variable-offset stack access",
8139 		.insns = {
8140 			/* Fill the top 8 bytes of the stack */
8141 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8142 			/* Get an unknown value */
8143 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8144 			/* Make it small and 4-byte aligned */
8145 			BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 4),
8146 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_2, 8),
8147 			/* add it to fp.  We now have either fp-4 or fp-8, but
8148 			 * we don't know which
8149 			 */
8150 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_10),
8151 			/* dereference it indirectly */
8152 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8153 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8154 				     BPF_FUNC_map_lookup_elem),
8155 			BPF_MOV64_IMM(BPF_REG_0, 0),
8156 			BPF_EXIT_INSN(),
8157 		},
8158 		.fixup_map1 = { 5 },
8159 		.errstr = "variable stack read R2",
8160 		.result = REJECT,
8161 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8162 	},
8163 	{
8164 		"direct stack access with 32-bit wraparound. test1",
8165 		.insns = {
8166 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8167 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8168 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x7fffffff),
8169 			BPF_MOV32_IMM(BPF_REG_0, 0),
8170 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8171 			BPF_EXIT_INSN()
8172 		},
8173 		.errstr = "fp pointer and 2147483647",
8174 		.result = REJECT
8175 	},
8176 	{
8177 		"direct stack access with 32-bit wraparound. test2",
8178 		.insns = {
8179 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8180 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8181 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x3fffffff),
8182 			BPF_MOV32_IMM(BPF_REG_0, 0),
8183 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8184 			BPF_EXIT_INSN()
8185 		},
8186 		.errstr = "fp pointer and 1073741823",
8187 		.result = REJECT
8188 	},
8189 	{
8190 		"direct stack access with 32-bit wraparound. test3",
8191 		.insns = {
8192 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
8193 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8194 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0x1fffffff),
8195 			BPF_MOV32_IMM(BPF_REG_0, 0),
8196 			BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0, 0),
8197 			BPF_EXIT_INSN()
8198 		},
8199 		.errstr = "fp pointer offset 1073741822",
8200 		.result = REJECT
8201 	},
8202 	{
8203 		"liveness pruning and write screening",
8204 		.insns = {
8205 			/* Get an unknown value */
8206 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 0),
8207 			/* branch conditions teach us nothing about R2 */
8208 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8209 			BPF_MOV64_IMM(BPF_REG_0, 0),
8210 			BPF_JMP_IMM(BPF_JGE, BPF_REG_2, 0, 1),
8211 			BPF_MOV64_IMM(BPF_REG_0, 0),
8212 			BPF_EXIT_INSN(),
8213 		},
8214 		.errstr = "R0 !read_ok",
8215 		.result = REJECT,
8216 		.prog_type = BPF_PROG_TYPE_LWT_IN,
8217 	},
8218 	{
8219 		"varlen_map_value_access pruning",
8220 		.insns = {
8221 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
8222 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
8223 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
8224 			BPF_LD_MAP_FD(BPF_REG_1, 0),
8225 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8226 				     BPF_FUNC_map_lookup_elem),
8227 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
8228 			BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
8229 			BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
8230 			BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
8231 			BPF_MOV32_IMM(BPF_REG_1, 0),
8232 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
8233 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
8234 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
8235 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
8236 				   offsetof(struct test_val, foo)),
8237 			BPF_EXIT_INSN(),
8238 		},
8239 		.fixup_map2 = { 3 },
8240 		.errstr_unpriv = "R0 leaks addr",
8241 		.errstr = "R0 unbounded memory access",
8242 		.result_unpriv = REJECT,
8243 		.result = REJECT,
8244 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8245 	},
8246 	{
8247 		"invalid 64-bit BPF_END",
8248 		.insns = {
8249 			BPF_MOV32_IMM(BPF_REG_0, 0),
8250 			{
8251 				.code  = BPF_ALU64 | BPF_END | BPF_TO_LE,
8252 				.dst_reg = BPF_REG_0,
8253 				.src_reg = 0,
8254 				.off   = 0,
8255 				.imm   = 32,
8256 			},
8257 			BPF_EXIT_INSN(),
8258 		},
8259 		.errstr = "unknown opcode d7",
8260 		.result = REJECT,
8261 	},
8262 	{
8263 		"XDP, using ifindex from netdev",
8264 		.insns = {
8265 			BPF_MOV64_IMM(BPF_REG_0, 0),
8266 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8267 				    offsetof(struct xdp_md, ingress_ifindex)),
8268 			BPF_JMP_IMM(BPF_JLT, BPF_REG_2, 1, 1),
8269 			BPF_MOV64_IMM(BPF_REG_0, 1),
8270 			BPF_EXIT_INSN(),
8271 		},
8272 		.result = ACCEPT,
8273 		.prog_type = BPF_PROG_TYPE_XDP,
8274 		.retval = 1,
8275 	},
8276 	{
8277 		"meta access, test1",
8278 		.insns = {
8279 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8280 				    offsetof(struct xdp_md, data_meta)),
8281 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8282 				    offsetof(struct xdp_md, data)),
8283 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8284 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8285 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8286 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8287 			BPF_MOV64_IMM(BPF_REG_0, 0),
8288 			BPF_EXIT_INSN(),
8289 		},
8290 		.result = ACCEPT,
8291 		.prog_type = BPF_PROG_TYPE_XDP,
8292 	},
8293 	{
8294 		"meta access, test2",
8295 		.insns = {
8296 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8297 				    offsetof(struct xdp_md, data_meta)),
8298 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8299 				    offsetof(struct xdp_md, data)),
8300 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8301 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_0, 8),
8302 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8303 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8304 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8305 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
8306 			BPF_MOV64_IMM(BPF_REG_0, 0),
8307 			BPF_EXIT_INSN(),
8308 		},
8309 		.result = REJECT,
8310 		.errstr = "invalid access to packet, off=-8",
8311 		.prog_type = BPF_PROG_TYPE_XDP,
8312 	},
8313 	{
8314 		"meta access, test3",
8315 		.insns = {
8316 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8317 				    offsetof(struct xdp_md, data_meta)),
8318 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8319 				    offsetof(struct xdp_md, data_end)),
8320 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
8321 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8322 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8323 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8324 			BPF_MOV64_IMM(BPF_REG_0, 0),
8325 			BPF_EXIT_INSN(),
8326 		},
8327 		.result = REJECT,
8328 		.errstr = "invalid access to packet",
8329 		.prog_type = BPF_PROG_TYPE_XDP,
8330 	},
8331 	{
8332 		"meta access, test4",
8333 		.insns = {
8334 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8335 				    offsetof(struct xdp_md, data_meta)),
8336 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8337 				    offsetof(struct xdp_md, data_end)),
8338 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8339 				    offsetof(struct xdp_md, data)),
8340 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
8341 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8342 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
8343 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8344 			BPF_MOV64_IMM(BPF_REG_0, 0),
8345 			BPF_EXIT_INSN(),
8346 		},
8347 		.result = REJECT,
8348 		.errstr = "invalid access to packet",
8349 		.prog_type = BPF_PROG_TYPE_XDP,
8350 	},
8351 	{
8352 		"meta access, test5",
8353 		.insns = {
8354 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8355 				    offsetof(struct xdp_md, data_meta)),
8356 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8357 				    offsetof(struct xdp_md, data)),
8358 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8359 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8360 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_4, 3),
8361 			BPF_MOV64_IMM(BPF_REG_2, -8),
8362 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
8363 				     BPF_FUNC_xdp_adjust_meta),
8364 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8365 			BPF_MOV64_IMM(BPF_REG_0, 0),
8366 			BPF_EXIT_INSN(),
8367 		},
8368 		.result = REJECT,
8369 		.errstr = "R3 !read_ok",
8370 		.prog_type = BPF_PROG_TYPE_XDP,
8371 	},
8372 	{
8373 		"meta access, test6",
8374 		.insns = {
8375 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8376 				    offsetof(struct xdp_md, data_meta)),
8377 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8378 				    offsetof(struct xdp_md, data)),
8379 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8380 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8381 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8382 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8383 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_0, 1),
8384 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8385 			BPF_MOV64_IMM(BPF_REG_0, 0),
8386 			BPF_EXIT_INSN(),
8387 		},
8388 		.result = REJECT,
8389 		.errstr = "invalid access to packet",
8390 		.prog_type = BPF_PROG_TYPE_XDP,
8391 	},
8392 	{
8393 		"meta access, test7",
8394 		.insns = {
8395 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8396 				    offsetof(struct xdp_md, data_meta)),
8397 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8398 				    offsetof(struct xdp_md, data)),
8399 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_3),
8400 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
8401 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8402 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
8403 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8404 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8405 			BPF_MOV64_IMM(BPF_REG_0, 0),
8406 			BPF_EXIT_INSN(),
8407 		},
8408 		.result = ACCEPT,
8409 		.prog_type = BPF_PROG_TYPE_XDP,
8410 	},
8411 	{
8412 		"meta access, test8",
8413 		.insns = {
8414 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8415 				    offsetof(struct xdp_md, data_meta)),
8416 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8417 				    offsetof(struct xdp_md, data)),
8418 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8419 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8420 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8421 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8422 			BPF_MOV64_IMM(BPF_REG_0, 0),
8423 			BPF_EXIT_INSN(),
8424 		},
8425 		.result = ACCEPT,
8426 		.prog_type = BPF_PROG_TYPE_XDP,
8427 	},
8428 	{
8429 		"meta access, test9",
8430 		.insns = {
8431 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8432 				    offsetof(struct xdp_md, data_meta)),
8433 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8434 				    offsetof(struct xdp_md, data)),
8435 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
8436 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0xFFFF),
8437 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 1),
8438 			BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
8439 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8440 			BPF_MOV64_IMM(BPF_REG_0, 0),
8441 			BPF_EXIT_INSN(),
8442 		},
8443 		.result = REJECT,
8444 		.errstr = "invalid access to packet",
8445 		.prog_type = BPF_PROG_TYPE_XDP,
8446 	},
8447 	{
8448 		"meta access, test10",
8449 		.insns = {
8450 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8451 				    offsetof(struct xdp_md, data_meta)),
8452 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8453 				    offsetof(struct xdp_md, data)),
8454 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8455 				    offsetof(struct xdp_md, data_end)),
8456 			BPF_MOV64_IMM(BPF_REG_5, 42),
8457 			BPF_MOV64_IMM(BPF_REG_6, 24),
8458 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8459 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8460 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8461 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8462 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_5),
8463 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8464 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8465 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8466 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_5, 1),
8467 			BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
8468 			BPF_MOV64_IMM(BPF_REG_0, 0),
8469 			BPF_EXIT_INSN(),
8470 		},
8471 		.result = REJECT,
8472 		.errstr = "invalid access to packet",
8473 		.prog_type = BPF_PROG_TYPE_XDP,
8474 	},
8475 	{
8476 		"meta access, test11",
8477 		.insns = {
8478 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8479 				    offsetof(struct xdp_md, data_meta)),
8480 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8481 				    offsetof(struct xdp_md, data)),
8482 			BPF_MOV64_IMM(BPF_REG_5, 42),
8483 			BPF_MOV64_IMM(BPF_REG_6, 24),
8484 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_5, -8),
8485 			BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
8486 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -8),
8487 			BPF_JMP_IMM(BPF_JGT, BPF_REG_5, 100, 6),
8488 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_5),
8489 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8490 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
8491 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
8492 			BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_3, 1),
8493 			BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_5, 0),
8494 			BPF_MOV64_IMM(BPF_REG_0, 0),
8495 			BPF_EXIT_INSN(),
8496 		},
8497 		.result = ACCEPT,
8498 		.prog_type = BPF_PROG_TYPE_XDP,
8499 	},
8500 	{
8501 		"meta access, test12",
8502 		.insns = {
8503 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8504 				    offsetof(struct xdp_md, data_meta)),
8505 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8506 				    offsetof(struct xdp_md, data)),
8507 			BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
8508 				    offsetof(struct xdp_md, data_end)),
8509 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
8510 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8511 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 5),
8512 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 0),
8513 			BPF_MOV64_REG(BPF_REG_5, BPF_REG_2),
8514 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 16),
8515 			BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 1),
8516 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
8517 			BPF_MOV64_IMM(BPF_REG_0, 0),
8518 			BPF_EXIT_INSN(),
8519 		},
8520 		.result = ACCEPT,
8521 		.prog_type = BPF_PROG_TYPE_XDP,
8522 	},
8523 	{
8524 		"arithmetic ops make PTR_TO_CTX unusable",
8525 		.insns = {
8526 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
8527 				      offsetof(struct __sk_buff, data) -
8528 				      offsetof(struct __sk_buff, mark)),
8529 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8530 				    offsetof(struct __sk_buff, mark)),
8531 			BPF_EXIT_INSN(),
8532 		},
8533 		.errstr = "dereference of modified ctx ptr R1 off=68+8, ctx+const is allowed, ctx+const+const is not",
8534 		.result = REJECT,
8535 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8536 	},
8537 	{
8538 		"pkt_end - pkt_start is allowed",
8539 		.insns = {
8540 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
8541 				    offsetof(struct __sk_buff, data_end)),
8542 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8543 				    offsetof(struct __sk_buff, data)),
8544 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
8545 			BPF_EXIT_INSN(),
8546 		},
8547 		.result = ACCEPT,
8548 		.retval = TEST_DATA_LEN,
8549 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
8550 	},
8551 	{
8552 		"XDP pkt read, pkt_end mangling, bad access 1",
8553 		.insns = {
8554 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8555 				    offsetof(struct xdp_md, data)),
8556 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8557 				    offsetof(struct xdp_md, data_end)),
8558 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8559 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8560 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
8561 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8562 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8563 			BPF_MOV64_IMM(BPF_REG_0, 0),
8564 			BPF_EXIT_INSN(),
8565 		},
8566 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8567 		.result = REJECT,
8568 		.prog_type = BPF_PROG_TYPE_XDP,
8569 	},
8570 	{
8571 		"XDP pkt read, pkt_end mangling, bad access 2",
8572 		.insns = {
8573 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8574 				    offsetof(struct xdp_md, data)),
8575 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8576 				    offsetof(struct xdp_md, data_end)),
8577 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8578 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8579 			BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
8580 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8581 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8582 			BPF_MOV64_IMM(BPF_REG_0, 0),
8583 			BPF_EXIT_INSN(),
8584 		},
8585 		.errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
8586 		.result = REJECT,
8587 		.prog_type = BPF_PROG_TYPE_XDP,
8588 	},
8589 	{
8590 		"XDP pkt read, pkt_data' > pkt_end, good access",
8591 		.insns = {
8592 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8593 				    offsetof(struct xdp_md, data)),
8594 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8595 				    offsetof(struct xdp_md, data_end)),
8596 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8597 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8598 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8599 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8600 			BPF_MOV64_IMM(BPF_REG_0, 0),
8601 			BPF_EXIT_INSN(),
8602 		},
8603 		.result = ACCEPT,
8604 		.prog_type = BPF_PROG_TYPE_XDP,
8605 	},
8606 	{
8607 		"XDP pkt read, pkt_data' > pkt_end, bad access 1",
8608 		.insns = {
8609 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8610 				    offsetof(struct xdp_md, data)),
8611 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8612 				    offsetof(struct xdp_md, data_end)),
8613 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8614 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8615 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
8616 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8617 			BPF_MOV64_IMM(BPF_REG_0, 0),
8618 			BPF_EXIT_INSN(),
8619 		},
8620 		.errstr = "R1 offset is outside of the packet",
8621 		.result = REJECT,
8622 		.prog_type = BPF_PROG_TYPE_XDP,
8623 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8624 	},
8625 	{
8626 		"XDP pkt read, pkt_data' > pkt_end, bad access 2",
8627 		.insns = {
8628 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8629 				    offsetof(struct xdp_md, data)),
8630 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8631 				    offsetof(struct xdp_md, data_end)),
8632 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8633 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8634 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
8635 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8636 			BPF_MOV64_IMM(BPF_REG_0, 0),
8637 			BPF_EXIT_INSN(),
8638 		},
8639 		.errstr = "R1 offset is outside of the packet",
8640 		.result = REJECT,
8641 		.prog_type = BPF_PROG_TYPE_XDP,
8642 	},
8643 	{
8644 		"XDP pkt read, pkt_end > pkt_data', good access",
8645 		.insns = {
8646 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8647 				    offsetof(struct xdp_md, data)),
8648 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8649 				    offsetof(struct xdp_md, data_end)),
8650 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8651 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8652 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8653 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8654 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8655 			BPF_MOV64_IMM(BPF_REG_0, 0),
8656 			BPF_EXIT_INSN(),
8657 		},
8658 		.result = ACCEPT,
8659 		.prog_type = BPF_PROG_TYPE_XDP,
8660 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8661 	},
8662 	{
8663 		"XDP pkt read, pkt_end > pkt_data', bad access 1",
8664 		.insns = {
8665 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8666 				    offsetof(struct xdp_md, data)),
8667 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8668 				    offsetof(struct xdp_md, data_end)),
8669 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8670 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8671 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8672 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8673 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8674 			BPF_MOV64_IMM(BPF_REG_0, 0),
8675 			BPF_EXIT_INSN(),
8676 		},
8677 		.errstr = "R1 offset is outside of the packet",
8678 		.result = REJECT,
8679 		.prog_type = BPF_PROG_TYPE_XDP,
8680 	},
8681 	{
8682 		"XDP pkt read, pkt_end > pkt_data', bad access 2",
8683 		.insns = {
8684 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8685 				    offsetof(struct xdp_md, data)),
8686 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8687 				    offsetof(struct xdp_md, data_end)),
8688 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8689 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8690 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
8691 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8692 			BPF_MOV64_IMM(BPF_REG_0, 0),
8693 			BPF_EXIT_INSN(),
8694 		},
8695 		.errstr = "R1 offset is outside of the packet",
8696 		.result = REJECT,
8697 		.prog_type = BPF_PROG_TYPE_XDP,
8698 	},
8699 	{
8700 		"XDP pkt read, pkt_data' < pkt_end, good access",
8701 		.insns = {
8702 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8703 				    offsetof(struct xdp_md, data)),
8704 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8705 				    offsetof(struct xdp_md, data_end)),
8706 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8707 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8708 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8709 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8710 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8711 			BPF_MOV64_IMM(BPF_REG_0, 0),
8712 			BPF_EXIT_INSN(),
8713 		},
8714 		.result = ACCEPT,
8715 		.prog_type = BPF_PROG_TYPE_XDP,
8716 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8717 	},
8718 	{
8719 		"XDP pkt read, pkt_data' < pkt_end, bad access 1",
8720 		.insns = {
8721 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8722 				    offsetof(struct xdp_md, data)),
8723 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8724 				    offsetof(struct xdp_md, data_end)),
8725 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8726 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8727 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8728 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8729 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8730 			BPF_MOV64_IMM(BPF_REG_0, 0),
8731 			BPF_EXIT_INSN(),
8732 		},
8733 		.errstr = "R1 offset is outside of the packet",
8734 		.result = REJECT,
8735 		.prog_type = BPF_PROG_TYPE_XDP,
8736 	},
8737 	{
8738 		"XDP pkt read, pkt_data' < pkt_end, bad access 2",
8739 		.insns = {
8740 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8741 				    offsetof(struct xdp_md, data)),
8742 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8743 				    offsetof(struct xdp_md, data_end)),
8744 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8745 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8746 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
8747 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8748 			BPF_MOV64_IMM(BPF_REG_0, 0),
8749 			BPF_EXIT_INSN(),
8750 		},
8751 		.errstr = "R1 offset is outside of the packet",
8752 		.result = REJECT,
8753 		.prog_type = BPF_PROG_TYPE_XDP,
8754 	},
8755 	{
8756 		"XDP pkt read, pkt_end < pkt_data', good access",
8757 		.insns = {
8758 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8759 				    offsetof(struct xdp_md, data)),
8760 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8761 				    offsetof(struct xdp_md, data_end)),
8762 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8763 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8764 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8765 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8766 			BPF_MOV64_IMM(BPF_REG_0, 0),
8767 			BPF_EXIT_INSN(),
8768 		},
8769 		.result = ACCEPT,
8770 		.prog_type = BPF_PROG_TYPE_XDP,
8771 	},
8772 	{
8773 		"XDP pkt read, pkt_end < pkt_data', bad access 1",
8774 		.insns = {
8775 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8776 				    offsetof(struct xdp_md, data)),
8777 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8778 				    offsetof(struct xdp_md, data_end)),
8779 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8780 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8781 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
8782 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8783 			BPF_MOV64_IMM(BPF_REG_0, 0),
8784 			BPF_EXIT_INSN(),
8785 		},
8786 		.errstr = "R1 offset is outside of the packet",
8787 		.result = REJECT,
8788 		.prog_type = BPF_PROG_TYPE_XDP,
8789 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8790 	},
8791 	{
8792 		"XDP pkt read, pkt_end < pkt_data', bad access 2",
8793 		.insns = {
8794 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8795 				    offsetof(struct xdp_md, data)),
8796 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8797 				    offsetof(struct xdp_md, data_end)),
8798 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8799 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8800 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
8801 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8802 			BPF_MOV64_IMM(BPF_REG_0, 0),
8803 			BPF_EXIT_INSN(),
8804 		},
8805 		.errstr = "R1 offset is outside of the packet",
8806 		.result = REJECT,
8807 		.prog_type = BPF_PROG_TYPE_XDP,
8808 	},
8809 	{
8810 		"XDP pkt read, pkt_data' >= pkt_end, good access",
8811 		.insns = {
8812 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8813 				    offsetof(struct xdp_md, data)),
8814 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8815 				    offsetof(struct xdp_md, data_end)),
8816 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8817 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8818 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8819 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8820 			BPF_MOV64_IMM(BPF_REG_0, 0),
8821 			BPF_EXIT_INSN(),
8822 		},
8823 		.result = ACCEPT,
8824 		.prog_type = BPF_PROG_TYPE_XDP,
8825 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8826 	},
8827 	{
8828 		"XDP pkt read, pkt_data' >= pkt_end, bad access 1",
8829 		.insns = {
8830 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8831 				    offsetof(struct xdp_md, data)),
8832 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8833 				    offsetof(struct xdp_md, data_end)),
8834 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8835 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8836 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
8837 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8838 			BPF_MOV64_IMM(BPF_REG_0, 0),
8839 			BPF_EXIT_INSN(),
8840 		},
8841 		.errstr = "R1 offset is outside of the packet",
8842 		.result = REJECT,
8843 		.prog_type = BPF_PROG_TYPE_XDP,
8844 	},
8845 	{
8846 		"XDP pkt read, pkt_data' >= pkt_end, bad access 2",
8847 		.insns = {
8848 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8849 				    offsetof(struct xdp_md, data)),
8850 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8851 				    offsetof(struct xdp_md, data_end)),
8852 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8853 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8854 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
8855 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8856 			BPF_MOV64_IMM(BPF_REG_0, 0),
8857 			BPF_EXIT_INSN(),
8858 		},
8859 		.errstr = "R1 offset is outside of the packet",
8860 		.result = REJECT,
8861 		.prog_type = BPF_PROG_TYPE_XDP,
8862 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8863 	},
8864 	{
8865 		"XDP pkt read, pkt_end >= pkt_data', good access",
8866 		.insns = {
8867 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8868 				    offsetof(struct xdp_md, data)),
8869 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8870 				    offsetof(struct xdp_md, data_end)),
8871 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8872 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8873 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8874 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8875 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8876 			BPF_MOV64_IMM(BPF_REG_0, 0),
8877 			BPF_EXIT_INSN(),
8878 		},
8879 		.result = ACCEPT,
8880 		.prog_type = BPF_PROG_TYPE_XDP,
8881 	},
8882 	{
8883 		"XDP pkt read, pkt_end >= pkt_data', bad access 1",
8884 		.insns = {
8885 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8886 				    offsetof(struct xdp_md, data)),
8887 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8888 				    offsetof(struct xdp_md, data_end)),
8889 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8890 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8891 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8892 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8893 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8894 			BPF_MOV64_IMM(BPF_REG_0, 0),
8895 			BPF_EXIT_INSN(),
8896 		},
8897 		.errstr = "R1 offset is outside of the packet",
8898 		.result = REJECT,
8899 		.prog_type = BPF_PROG_TYPE_XDP,
8900 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8901 	},
8902 	{
8903 		"XDP pkt read, pkt_end >= pkt_data', bad access 2",
8904 		.insns = {
8905 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8906 				    offsetof(struct xdp_md, data)),
8907 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8908 				    offsetof(struct xdp_md, data_end)),
8909 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8910 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8911 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
8912 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8913 			BPF_MOV64_IMM(BPF_REG_0, 0),
8914 			BPF_EXIT_INSN(),
8915 		},
8916 		.errstr = "R1 offset is outside of the packet",
8917 		.result = REJECT,
8918 		.prog_type = BPF_PROG_TYPE_XDP,
8919 	},
8920 	{
8921 		"XDP pkt read, pkt_data' <= pkt_end, good access",
8922 		.insns = {
8923 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8924 				    offsetof(struct xdp_md, data)),
8925 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8926 				    offsetof(struct xdp_md, data_end)),
8927 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8928 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8929 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8930 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8931 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8932 			BPF_MOV64_IMM(BPF_REG_0, 0),
8933 			BPF_EXIT_INSN(),
8934 		},
8935 		.result = ACCEPT,
8936 		.prog_type = BPF_PROG_TYPE_XDP,
8937 	},
8938 	{
8939 		"XDP pkt read, pkt_data' <= pkt_end, bad access 1",
8940 		.insns = {
8941 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8942 				    offsetof(struct xdp_md, data)),
8943 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8944 				    offsetof(struct xdp_md, data_end)),
8945 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8946 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8947 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8948 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
8949 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
8950 			BPF_MOV64_IMM(BPF_REG_0, 0),
8951 			BPF_EXIT_INSN(),
8952 		},
8953 		.errstr = "R1 offset is outside of the packet",
8954 		.result = REJECT,
8955 		.prog_type = BPF_PROG_TYPE_XDP,
8956 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8957 	},
8958 	{
8959 		"XDP pkt read, pkt_data' <= pkt_end, bad access 2",
8960 		.insns = {
8961 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8962 				    offsetof(struct xdp_md, data)),
8963 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8964 				    offsetof(struct xdp_md, data_end)),
8965 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8966 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8967 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
8968 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
8969 			BPF_MOV64_IMM(BPF_REG_0, 0),
8970 			BPF_EXIT_INSN(),
8971 		},
8972 		.errstr = "R1 offset is outside of the packet",
8973 		.result = REJECT,
8974 		.prog_type = BPF_PROG_TYPE_XDP,
8975 	},
8976 	{
8977 		"XDP pkt read, pkt_end <= pkt_data', good access",
8978 		.insns = {
8979 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8980 				    offsetof(struct xdp_md, data)),
8981 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
8982 				    offsetof(struct xdp_md, data_end)),
8983 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
8984 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
8985 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
8986 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
8987 			BPF_MOV64_IMM(BPF_REG_0, 0),
8988 			BPF_EXIT_INSN(),
8989 		},
8990 		.result = ACCEPT,
8991 		.prog_type = BPF_PROG_TYPE_XDP,
8992 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
8993 	},
8994 	{
8995 		"XDP pkt read, pkt_end <= pkt_data', bad access 1",
8996 		.insns = {
8997 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
8998 				    offsetof(struct xdp_md, data)),
8999 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9000 				    offsetof(struct xdp_md, data_end)),
9001 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9002 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9003 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9004 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9005 			BPF_MOV64_IMM(BPF_REG_0, 0),
9006 			BPF_EXIT_INSN(),
9007 		},
9008 		.errstr = "R1 offset is outside of the packet",
9009 		.result = REJECT,
9010 		.prog_type = BPF_PROG_TYPE_XDP,
9011 	},
9012 	{
9013 		"XDP pkt read, pkt_end <= pkt_data', bad access 2",
9014 		.insns = {
9015 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9016 				    offsetof(struct xdp_md, data)),
9017 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9018 				    offsetof(struct xdp_md, data_end)),
9019 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9020 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9021 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9022 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9023 			BPF_MOV64_IMM(BPF_REG_0, 0),
9024 			BPF_EXIT_INSN(),
9025 		},
9026 		.errstr = "R1 offset is outside of the packet",
9027 		.result = REJECT,
9028 		.prog_type = BPF_PROG_TYPE_XDP,
9029 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9030 	},
9031 	{
9032 		"XDP pkt read, pkt_meta' > pkt_data, good access",
9033 		.insns = {
9034 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9035 				    offsetof(struct xdp_md, data_meta)),
9036 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9037 				    offsetof(struct xdp_md, data)),
9038 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9039 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9040 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9041 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9042 			BPF_MOV64_IMM(BPF_REG_0, 0),
9043 			BPF_EXIT_INSN(),
9044 		},
9045 		.result = ACCEPT,
9046 		.prog_type = BPF_PROG_TYPE_XDP,
9047 	},
9048 	{
9049 		"XDP pkt read, pkt_meta' > pkt_data, bad access 1",
9050 		.insns = {
9051 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9052 				    offsetof(struct xdp_md, data_meta)),
9053 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9054 				    offsetof(struct xdp_md, data)),
9055 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9056 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9057 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
9058 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9059 			BPF_MOV64_IMM(BPF_REG_0, 0),
9060 			BPF_EXIT_INSN(),
9061 		},
9062 		.errstr = "R1 offset is outside of the packet",
9063 		.result = REJECT,
9064 		.prog_type = BPF_PROG_TYPE_XDP,
9065 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9066 	},
9067 	{
9068 		"XDP pkt read, pkt_meta' > pkt_data, bad access 2",
9069 		.insns = {
9070 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9071 				    offsetof(struct xdp_md, data_meta)),
9072 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9073 				    offsetof(struct xdp_md, data)),
9074 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9075 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9076 			BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
9077 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9078 			BPF_MOV64_IMM(BPF_REG_0, 0),
9079 			BPF_EXIT_INSN(),
9080 		},
9081 		.errstr = "R1 offset is outside of the packet",
9082 		.result = REJECT,
9083 		.prog_type = BPF_PROG_TYPE_XDP,
9084 	},
9085 	{
9086 		"XDP pkt read, pkt_data > pkt_meta', good access",
9087 		.insns = {
9088 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9089 				    offsetof(struct xdp_md, data_meta)),
9090 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9091 				    offsetof(struct xdp_md, data)),
9092 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9093 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9094 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9095 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9096 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9097 			BPF_MOV64_IMM(BPF_REG_0, 0),
9098 			BPF_EXIT_INSN(),
9099 		},
9100 		.result = ACCEPT,
9101 		.prog_type = BPF_PROG_TYPE_XDP,
9102 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9103 	},
9104 	{
9105 		"XDP pkt read, pkt_data > pkt_meta', bad access 1",
9106 		.insns = {
9107 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9108 				    offsetof(struct xdp_md, data_meta)),
9109 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9110 				    offsetof(struct xdp_md, data)),
9111 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9112 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9113 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9114 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9115 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9116 			BPF_MOV64_IMM(BPF_REG_0, 0),
9117 			BPF_EXIT_INSN(),
9118 		},
9119 		.errstr = "R1 offset is outside of the packet",
9120 		.result = REJECT,
9121 		.prog_type = BPF_PROG_TYPE_XDP,
9122 	},
9123 	{
9124 		"XDP pkt read, pkt_data > pkt_meta', bad access 2",
9125 		.insns = {
9126 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9127 				    offsetof(struct xdp_md, data_meta)),
9128 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9129 				    offsetof(struct xdp_md, data)),
9130 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9131 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9132 			BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
9133 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9134 			BPF_MOV64_IMM(BPF_REG_0, 0),
9135 			BPF_EXIT_INSN(),
9136 		},
9137 		.errstr = "R1 offset is outside of the packet",
9138 		.result = REJECT,
9139 		.prog_type = BPF_PROG_TYPE_XDP,
9140 	},
9141 	{
9142 		"XDP pkt read, pkt_meta' < pkt_data, good access",
9143 		.insns = {
9144 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9145 				    offsetof(struct xdp_md, data_meta)),
9146 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9147 				    offsetof(struct xdp_md, data)),
9148 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9149 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9150 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9151 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9152 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9153 			BPF_MOV64_IMM(BPF_REG_0, 0),
9154 			BPF_EXIT_INSN(),
9155 		},
9156 		.result = ACCEPT,
9157 		.prog_type = BPF_PROG_TYPE_XDP,
9158 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9159 	},
9160 	{
9161 		"XDP pkt read, pkt_meta' < pkt_data, bad access 1",
9162 		.insns = {
9163 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9164 				    offsetof(struct xdp_md, data_meta)),
9165 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9166 				    offsetof(struct xdp_md, data)),
9167 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9168 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9169 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9170 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9171 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9172 			BPF_MOV64_IMM(BPF_REG_0, 0),
9173 			BPF_EXIT_INSN(),
9174 		},
9175 		.errstr = "R1 offset is outside of the packet",
9176 		.result = REJECT,
9177 		.prog_type = BPF_PROG_TYPE_XDP,
9178 	},
9179 	{
9180 		"XDP pkt read, pkt_meta' < pkt_data, bad access 2",
9181 		.insns = {
9182 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9183 				    offsetof(struct xdp_md, data_meta)),
9184 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9185 				    offsetof(struct xdp_md, data)),
9186 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9187 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9188 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
9189 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9190 			BPF_MOV64_IMM(BPF_REG_0, 0),
9191 			BPF_EXIT_INSN(),
9192 		},
9193 		.errstr = "R1 offset is outside of the packet",
9194 		.result = REJECT,
9195 		.prog_type = BPF_PROG_TYPE_XDP,
9196 	},
9197 	{
9198 		"XDP pkt read, pkt_data < pkt_meta', good access",
9199 		.insns = {
9200 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9201 				    offsetof(struct xdp_md, data_meta)),
9202 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9203 				    offsetof(struct xdp_md, data)),
9204 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9205 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9206 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9207 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9208 			BPF_MOV64_IMM(BPF_REG_0, 0),
9209 			BPF_EXIT_INSN(),
9210 		},
9211 		.result = ACCEPT,
9212 		.prog_type = BPF_PROG_TYPE_XDP,
9213 	},
9214 	{
9215 		"XDP pkt read, pkt_data < pkt_meta', bad access 1",
9216 		.insns = {
9217 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9218 				    offsetof(struct xdp_md, data_meta)),
9219 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9220 				    offsetof(struct xdp_md, data)),
9221 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9222 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9223 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
9224 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9225 			BPF_MOV64_IMM(BPF_REG_0, 0),
9226 			BPF_EXIT_INSN(),
9227 		},
9228 		.errstr = "R1 offset is outside of the packet",
9229 		.result = REJECT,
9230 		.prog_type = BPF_PROG_TYPE_XDP,
9231 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9232 	},
9233 	{
9234 		"XDP pkt read, pkt_data < pkt_meta', bad access 2",
9235 		.insns = {
9236 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9237 				    offsetof(struct xdp_md, data_meta)),
9238 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9239 				    offsetof(struct xdp_md, data)),
9240 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9241 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9242 			BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
9243 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9244 			BPF_MOV64_IMM(BPF_REG_0, 0),
9245 			BPF_EXIT_INSN(),
9246 		},
9247 		.errstr = "R1 offset is outside of the packet",
9248 		.result = REJECT,
9249 		.prog_type = BPF_PROG_TYPE_XDP,
9250 	},
9251 	{
9252 		"XDP pkt read, pkt_meta' >= pkt_data, good access",
9253 		.insns = {
9254 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9255 				    offsetof(struct xdp_md, data_meta)),
9256 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9257 				    offsetof(struct xdp_md, data)),
9258 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9259 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9260 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9261 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9262 			BPF_MOV64_IMM(BPF_REG_0, 0),
9263 			BPF_EXIT_INSN(),
9264 		},
9265 		.result = ACCEPT,
9266 		.prog_type = BPF_PROG_TYPE_XDP,
9267 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9268 	},
9269 	{
9270 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 1",
9271 		.insns = {
9272 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9273 				    offsetof(struct xdp_md, data_meta)),
9274 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9275 				    offsetof(struct xdp_md, data)),
9276 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9277 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9278 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
9279 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9280 			BPF_MOV64_IMM(BPF_REG_0, 0),
9281 			BPF_EXIT_INSN(),
9282 		},
9283 		.errstr = "R1 offset is outside of the packet",
9284 		.result = REJECT,
9285 		.prog_type = BPF_PROG_TYPE_XDP,
9286 	},
9287 	{
9288 		"XDP pkt read, pkt_meta' >= pkt_data, bad access 2",
9289 		.insns = {
9290 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9291 				    offsetof(struct xdp_md, data_meta)),
9292 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9293 				    offsetof(struct xdp_md, data)),
9294 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9295 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9296 			BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
9297 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9298 			BPF_MOV64_IMM(BPF_REG_0, 0),
9299 			BPF_EXIT_INSN(),
9300 		},
9301 		.errstr = "R1 offset is outside of the packet",
9302 		.result = REJECT,
9303 		.prog_type = BPF_PROG_TYPE_XDP,
9304 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9305 	},
9306 	{
9307 		"XDP pkt read, pkt_data >= pkt_meta', good access",
9308 		.insns = {
9309 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9310 				    offsetof(struct xdp_md, data_meta)),
9311 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9312 				    offsetof(struct xdp_md, data)),
9313 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9314 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9315 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9316 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9317 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9318 			BPF_MOV64_IMM(BPF_REG_0, 0),
9319 			BPF_EXIT_INSN(),
9320 		},
9321 		.result = ACCEPT,
9322 		.prog_type = BPF_PROG_TYPE_XDP,
9323 	},
9324 	{
9325 		"XDP pkt read, pkt_data >= pkt_meta', bad access 1",
9326 		.insns = {
9327 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9328 				    offsetof(struct xdp_md, data_meta)),
9329 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9330 				    offsetof(struct xdp_md, data)),
9331 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9332 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9333 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9334 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9335 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9336 			BPF_MOV64_IMM(BPF_REG_0, 0),
9337 			BPF_EXIT_INSN(),
9338 		},
9339 		.errstr = "R1 offset is outside of the packet",
9340 		.result = REJECT,
9341 		.prog_type = BPF_PROG_TYPE_XDP,
9342 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9343 	},
9344 	{
9345 		"XDP pkt read, pkt_data >= pkt_meta', bad access 2",
9346 		.insns = {
9347 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9348 				    offsetof(struct xdp_md, data_meta)),
9349 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9350 				    offsetof(struct xdp_md, data)),
9351 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9352 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9353 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
9354 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9355 			BPF_MOV64_IMM(BPF_REG_0, 0),
9356 			BPF_EXIT_INSN(),
9357 		},
9358 		.errstr = "R1 offset is outside of the packet",
9359 		.result = REJECT,
9360 		.prog_type = BPF_PROG_TYPE_XDP,
9361 	},
9362 	{
9363 		"XDP pkt read, pkt_meta' <= pkt_data, good access",
9364 		.insns = {
9365 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9366 				    offsetof(struct xdp_md, data_meta)),
9367 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9368 				    offsetof(struct xdp_md, data)),
9369 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9370 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9371 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9372 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9373 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9374 			BPF_MOV64_IMM(BPF_REG_0, 0),
9375 			BPF_EXIT_INSN(),
9376 		},
9377 		.result = ACCEPT,
9378 		.prog_type = BPF_PROG_TYPE_XDP,
9379 	},
9380 	{
9381 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 1",
9382 		.insns = {
9383 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9384 				    offsetof(struct xdp_md, data_meta)),
9385 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9386 				    offsetof(struct xdp_md, data)),
9387 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9388 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9389 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9390 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
9391 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
9392 			BPF_MOV64_IMM(BPF_REG_0, 0),
9393 			BPF_EXIT_INSN(),
9394 		},
9395 		.errstr = "R1 offset is outside of the packet",
9396 		.result = REJECT,
9397 		.prog_type = BPF_PROG_TYPE_XDP,
9398 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9399 	},
9400 	{
9401 		"XDP pkt read, pkt_meta' <= pkt_data, bad access 2",
9402 		.insns = {
9403 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9404 				    offsetof(struct xdp_md, data_meta)),
9405 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9406 				    offsetof(struct xdp_md, data)),
9407 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9408 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9409 			BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
9410 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9411 			BPF_MOV64_IMM(BPF_REG_0, 0),
9412 			BPF_EXIT_INSN(),
9413 		},
9414 		.errstr = "R1 offset is outside of the packet",
9415 		.result = REJECT,
9416 		.prog_type = BPF_PROG_TYPE_XDP,
9417 	},
9418 	{
9419 		"XDP pkt read, pkt_data <= pkt_meta', good access",
9420 		.insns = {
9421 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9422 				    offsetof(struct xdp_md, data_meta)),
9423 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9424 				    offsetof(struct xdp_md, data)),
9425 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9426 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9427 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9428 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9429 			BPF_MOV64_IMM(BPF_REG_0, 0),
9430 			BPF_EXIT_INSN(),
9431 		},
9432 		.result = ACCEPT,
9433 		.prog_type = BPF_PROG_TYPE_XDP,
9434 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9435 	},
9436 	{
9437 		"XDP pkt read, pkt_data <= pkt_meta', bad access 1",
9438 		.insns = {
9439 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9440 				    offsetof(struct xdp_md, data_meta)),
9441 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9442 				    offsetof(struct xdp_md, data)),
9443 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9444 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9445 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
9446 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
9447 			BPF_MOV64_IMM(BPF_REG_0, 0),
9448 			BPF_EXIT_INSN(),
9449 		},
9450 		.errstr = "R1 offset is outside of the packet",
9451 		.result = REJECT,
9452 		.prog_type = BPF_PROG_TYPE_XDP,
9453 	},
9454 	{
9455 		"XDP pkt read, pkt_data <= pkt_meta', bad access 2",
9456 		.insns = {
9457 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
9458 				    offsetof(struct xdp_md, data_meta)),
9459 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
9460 				    offsetof(struct xdp_md, data)),
9461 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
9462 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
9463 			BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
9464 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
9465 			BPF_MOV64_IMM(BPF_REG_0, 0),
9466 			BPF_EXIT_INSN(),
9467 		},
9468 		.errstr = "R1 offset is outside of the packet",
9469 		.result = REJECT,
9470 		.prog_type = BPF_PROG_TYPE_XDP,
9471 		.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
9472 	},
9473 	{
9474 		"check deducing bounds from const, 1",
9475 		.insns = {
9476 			BPF_MOV64_IMM(BPF_REG_0, 1),
9477 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 0),
9478 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9479 			BPF_EXIT_INSN(),
9480 		},
9481 		.result = REJECT,
9482 		.errstr = "R0 tried to subtract pointer from scalar",
9483 	},
9484 	{
9485 		"check deducing bounds from const, 2",
9486 		.insns = {
9487 			BPF_MOV64_IMM(BPF_REG_0, 1),
9488 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1),
9489 			BPF_EXIT_INSN(),
9490 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 1, 1),
9491 			BPF_EXIT_INSN(),
9492 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9493 			BPF_EXIT_INSN(),
9494 		},
9495 		.result = ACCEPT,
9496 		.retval = 1,
9497 	},
9498 	{
9499 		"check deducing bounds from const, 3",
9500 		.insns = {
9501 			BPF_MOV64_IMM(BPF_REG_0, 0),
9502 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9503 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9504 			BPF_EXIT_INSN(),
9505 		},
9506 		.result = REJECT,
9507 		.errstr = "R0 tried to subtract pointer from scalar",
9508 	},
9509 	{
9510 		"check deducing bounds from const, 4",
9511 		.insns = {
9512 			BPF_MOV64_IMM(BPF_REG_0, 0),
9513 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1),
9514 			BPF_EXIT_INSN(),
9515 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9516 			BPF_EXIT_INSN(),
9517 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9518 			BPF_EXIT_INSN(),
9519 		},
9520 		.result = ACCEPT,
9521 	},
9522 	{
9523 		"check deducing bounds from const, 5",
9524 		.insns = {
9525 			BPF_MOV64_IMM(BPF_REG_0, 0),
9526 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9527 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9528 			BPF_EXIT_INSN(),
9529 		},
9530 		.result = REJECT,
9531 		.errstr = "R0 tried to subtract pointer from scalar",
9532 	},
9533 	{
9534 		"check deducing bounds from const, 6",
9535 		.insns = {
9536 			BPF_MOV64_IMM(BPF_REG_0, 0),
9537 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9538 			BPF_EXIT_INSN(),
9539 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9540 			BPF_EXIT_INSN(),
9541 		},
9542 		.result = REJECT,
9543 		.errstr = "R0 tried to subtract pointer from scalar",
9544 	},
9545 	{
9546 		"check deducing bounds from const, 7",
9547 		.insns = {
9548 			BPF_MOV64_IMM(BPF_REG_0, ~0),
9549 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9550 			BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
9551 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9552 				    offsetof(struct __sk_buff, mark)),
9553 			BPF_EXIT_INSN(),
9554 		},
9555 		.result = REJECT,
9556 		.errstr = "dereference of modified ctx ptr",
9557 	},
9558 	{
9559 		"check deducing bounds from const, 8",
9560 		.insns = {
9561 			BPF_MOV64_IMM(BPF_REG_0, ~0),
9562 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1),
9563 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_0),
9564 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9565 				    offsetof(struct __sk_buff, mark)),
9566 			BPF_EXIT_INSN(),
9567 		},
9568 		.result = REJECT,
9569 		.errstr = "dereference of modified ctx ptr",
9570 	},
9571 	{
9572 		"check deducing bounds from const, 9",
9573 		.insns = {
9574 			BPF_MOV64_IMM(BPF_REG_0, 0),
9575 			BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 0),
9576 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9577 			BPF_EXIT_INSN(),
9578 		},
9579 		.result = REJECT,
9580 		.errstr = "R0 tried to subtract pointer from scalar",
9581 	},
9582 	{
9583 		"check deducing bounds from const, 10",
9584 		.insns = {
9585 			BPF_MOV64_IMM(BPF_REG_0, 0),
9586 			BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 0),
9587 			/* Marks reg as unknown. */
9588 			BPF_ALU64_IMM(BPF_NEG, BPF_REG_0, 0),
9589 			BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
9590 			BPF_EXIT_INSN(),
9591 		},
9592 		.result = REJECT,
9593 		.errstr = "math between ctx pointer and register with unbounded min value is not allowed",
9594 	},
9595 	{
9596 		"bpf_exit with invalid return code. test1",
9597 		.insns = {
9598 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9599 			BPF_EXIT_INSN(),
9600 		},
9601 		.errstr = "R0 has value (0x0; 0xffffffff)",
9602 		.result = REJECT,
9603 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9604 	},
9605 	{
9606 		"bpf_exit with invalid return code. test2",
9607 		.insns = {
9608 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9609 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
9610 			BPF_EXIT_INSN(),
9611 		},
9612 		.result = ACCEPT,
9613 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9614 	},
9615 	{
9616 		"bpf_exit with invalid return code. test3",
9617 		.insns = {
9618 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9619 			BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 3),
9620 			BPF_EXIT_INSN(),
9621 		},
9622 		.errstr = "R0 has value (0x0; 0x3)",
9623 		.result = REJECT,
9624 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9625 	},
9626 	{
9627 		"bpf_exit with invalid return code. test4",
9628 		.insns = {
9629 			BPF_MOV64_IMM(BPF_REG_0, 1),
9630 			BPF_EXIT_INSN(),
9631 		},
9632 		.result = ACCEPT,
9633 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9634 	},
9635 	{
9636 		"bpf_exit with invalid return code. test5",
9637 		.insns = {
9638 			BPF_MOV64_IMM(BPF_REG_0, 2),
9639 			BPF_EXIT_INSN(),
9640 		},
9641 		.errstr = "R0 has value (0x2; 0x0)",
9642 		.result = REJECT,
9643 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9644 	},
9645 	{
9646 		"bpf_exit with invalid return code. test6",
9647 		.insns = {
9648 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9649 			BPF_EXIT_INSN(),
9650 		},
9651 		.errstr = "R0 is not a known value (ctx)",
9652 		.result = REJECT,
9653 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9654 	},
9655 	{
9656 		"bpf_exit with invalid return code. test7",
9657 		.insns = {
9658 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
9659 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, 4),
9660 			BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_2),
9661 			BPF_EXIT_INSN(),
9662 		},
9663 		.errstr = "R0 has unknown scalar value",
9664 		.result = REJECT,
9665 		.prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
9666 	},
9667 	{
9668 		"calls: basic sanity",
9669 		.insns = {
9670 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9671 			BPF_MOV64_IMM(BPF_REG_0, 1),
9672 			BPF_EXIT_INSN(),
9673 			BPF_MOV64_IMM(BPF_REG_0, 2),
9674 			BPF_EXIT_INSN(),
9675 		},
9676 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9677 		.result = ACCEPT,
9678 	},
9679 	{
9680 		"calls: not on unpriviledged",
9681 		.insns = {
9682 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9683 			BPF_MOV64_IMM(BPF_REG_0, 1),
9684 			BPF_EXIT_INSN(),
9685 			BPF_MOV64_IMM(BPF_REG_0, 2),
9686 			BPF_EXIT_INSN(),
9687 		},
9688 		.errstr_unpriv = "function calls to other bpf functions are allowed for root only",
9689 		.result_unpriv = REJECT,
9690 		.result = ACCEPT,
9691 		.retval = 1,
9692 	},
9693 	{
9694 		"calls: div by 0 in subprog",
9695 		.insns = {
9696 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9697 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9698 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9699 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9700 				    offsetof(struct __sk_buff, data_end)),
9701 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9702 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9703 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9704 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9705 			BPF_MOV64_IMM(BPF_REG_0, 1),
9706 			BPF_EXIT_INSN(),
9707 			BPF_MOV32_IMM(BPF_REG_2, 0),
9708 			BPF_MOV32_IMM(BPF_REG_3, 1),
9709 			BPF_ALU32_REG(BPF_DIV, BPF_REG_3, BPF_REG_2),
9710 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9711 				    offsetof(struct __sk_buff, data)),
9712 			BPF_EXIT_INSN(),
9713 		},
9714 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9715 		.result = ACCEPT,
9716 		.retval = 1,
9717 	},
9718 	{
9719 		"calls: multiple ret types in subprog 1",
9720 		.insns = {
9721 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9722 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9723 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9724 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9725 				    offsetof(struct __sk_buff, data_end)),
9726 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9727 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9728 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9729 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9730 			BPF_MOV64_IMM(BPF_REG_0, 1),
9731 			BPF_EXIT_INSN(),
9732 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9733 				    offsetof(struct __sk_buff, data)),
9734 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9735 			BPF_MOV32_IMM(BPF_REG_0, 42),
9736 			BPF_EXIT_INSN(),
9737 		},
9738 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9739 		.result = REJECT,
9740 		.errstr = "R0 invalid mem access 'inv'",
9741 	},
9742 	{
9743 		"calls: multiple ret types in subprog 2",
9744 		.insns = {
9745 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9746 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
9747 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
9748 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
9749 				    offsetof(struct __sk_buff, data_end)),
9750 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
9751 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
9752 			BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
9753 			BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
9754 			BPF_MOV64_IMM(BPF_REG_0, 1),
9755 			BPF_EXIT_INSN(),
9756 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9757 				    offsetof(struct __sk_buff, data)),
9758 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
9759 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 9),
9760 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
9761 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
9762 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
9763 			BPF_LD_MAP_FD(BPF_REG_1, 0),
9764 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
9765 				     BPF_FUNC_map_lookup_elem),
9766 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
9767 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_6,
9768 				    offsetof(struct __sk_buff, data)),
9769 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 64),
9770 			BPF_EXIT_INSN(),
9771 		},
9772 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
9773 		.fixup_map1 = { 16 },
9774 		.result = REJECT,
9775 		.errstr = "R0 min value is outside of the array range",
9776 	},
9777 	{
9778 		"calls: overlapping caller/callee",
9779 		.insns = {
9780 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),
9781 			BPF_MOV64_IMM(BPF_REG_0, 1),
9782 			BPF_EXIT_INSN(),
9783 		},
9784 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9785 		.errstr = "last insn is not an exit or jmp",
9786 		.result = REJECT,
9787 	},
9788 	{
9789 		"calls: wrong recursive calls",
9790 		.insns = {
9791 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9792 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9793 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9794 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9795 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -2),
9796 			BPF_MOV64_IMM(BPF_REG_0, 1),
9797 			BPF_EXIT_INSN(),
9798 		},
9799 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9800 		.errstr = "jump out of range",
9801 		.result = REJECT,
9802 	},
9803 	{
9804 		"calls: wrong src reg",
9805 		.insns = {
9806 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 2, 0, 0),
9807 			BPF_MOV64_IMM(BPF_REG_0, 1),
9808 			BPF_EXIT_INSN(),
9809 		},
9810 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9811 		.errstr = "BPF_CALL uses reserved fields",
9812 		.result = REJECT,
9813 	},
9814 	{
9815 		"calls: wrong off value",
9816 		.insns = {
9817 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, -1, 2),
9818 			BPF_MOV64_IMM(BPF_REG_0, 1),
9819 			BPF_EXIT_INSN(),
9820 			BPF_MOV64_IMM(BPF_REG_0, 2),
9821 			BPF_EXIT_INSN(),
9822 		},
9823 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9824 		.errstr = "BPF_CALL uses reserved fields",
9825 		.result = REJECT,
9826 	},
9827 	{
9828 		"calls: jump back loop",
9829 		.insns = {
9830 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
9831 			BPF_MOV64_IMM(BPF_REG_0, 1),
9832 			BPF_EXIT_INSN(),
9833 		},
9834 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9835 		.errstr = "back-edge from insn 0 to 0",
9836 		.result = REJECT,
9837 	},
9838 	{
9839 		"calls: conditional call",
9840 		.insns = {
9841 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9842 				    offsetof(struct __sk_buff, mark)),
9843 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9844 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9845 			BPF_MOV64_IMM(BPF_REG_0, 1),
9846 			BPF_EXIT_INSN(),
9847 			BPF_MOV64_IMM(BPF_REG_0, 2),
9848 			BPF_EXIT_INSN(),
9849 		},
9850 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9851 		.errstr = "jump out of range",
9852 		.result = REJECT,
9853 	},
9854 	{
9855 		"calls: conditional call 2",
9856 		.insns = {
9857 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9858 				    offsetof(struct __sk_buff, mark)),
9859 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9860 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9861 			BPF_MOV64_IMM(BPF_REG_0, 1),
9862 			BPF_EXIT_INSN(),
9863 			BPF_MOV64_IMM(BPF_REG_0, 2),
9864 			BPF_EXIT_INSN(),
9865 			BPF_MOV64_IMM(BPF_REG_0, 3),
9866 			BPF_EXIT_INSN(),
9867 		},
9868 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9869 		.result = ACCEPT,
9870 	},
9871 	{
9872 		"calls: conditional call 3",
9873 		.insns = {
9874 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9875 				    offsetof(struct __sk_buff, mark)),
9876 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9877 			BPF_JMP_IMM(BPF_JA, 0, 0, 4),
9878 			BPF_MOV64_IMM(BPF_REG_0, 1),
9879 			BPF_EXIT_INSN(),
9880 			BPF_MOV64_IMM(BPF_REG_0, 1),
9881 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9882 			BPF_MOV64_IMM(BPF_REG_0, 3),
9883 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9884 		},
9885 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9886 		.errstr = "back-edge from insn",
9887 		.result = REJECT,
9888 	},
9889 	{
9890 		"calls: conditional call 4",
9891 		.insns = {
9892 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9893 				    offsetof(struct __sk_buff, mark)),
9894 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9895 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9896 			BPF_MOV64_IMM(BPF_REG_0, 1),
9897 			BPF_EXIT_INSN(),
9898 			BPF_MOV64_IMM(BPF_REG_0, 1),
9899 			BPF_JMP_IMM(BPF_JA, 0, 0, -5),
9900 			BPF_MOV64_IMM(BPF_REG_0, 3),
9901 			BPF_EXIT_INSN(),
9902 		},
9903 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9904 		.result = ACCEPT,
9905 	},
9906 	{
9907 		"calls: conditional call 5",
9908 		.insns = {
9909 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9910 				    offsetof(struct __sk_buff, mark)),
9911 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
9912 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
9913 			BPF_MOV64_IMM(BPF_REG_0, 1),
9914 			BPF_EXIT_INSN(),
9915 			BPF_MOV64_IMM(BPF_REG_0, 1),
9916 			BPF_JMP_IMM(BPF_JA, 0, 0, -6),
9917 			BPF_MOV64_IMM(BPF_REG_0, 3),
9918 			BPF_EXIT_INSN(),
9919 		},
9920 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9921 		.errstr = "back-edge from insn",
9922 		.result = REJECT,
9923 	},
9924 	{
9925 		"calls: conditional call 6",
9926 		.insns = {
9927 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
9928 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -2),
9929 			BPF_EXIT_INSN(),
9930 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9931 				    offsetof(struct __sk_buff, mark)),
9932 			BPF_EXIT_INSN(),
9933 		},
9934 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9935 		.errstr = "back-edge from insn",
9936 		.result = REJECT,
9937 	},
9938 	{
9939 		"calls: using r0 returned by callee",
9940 		.insns = {
9941 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9942 			BPF_EXIT_INSN(),
9943 			BPF_MOV64_IMM(BPF_REG_0, 2),
9944 			BPF_EXIT_INSN(),
9945 		},
9946 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9947 		.result = ACCEPT,
9948 	},
9949 	{
9950 		"calls: using uninit r0 from callee",
9951 		.insns = {
9952 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9953 			BPF_EXIT_INSN(),
9954 			BPF_EXIT_INSN(),
9955 		},
9956 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9957 		.errstr = "!read_ok",
9958 		.result = REJECT,
9959 	},
9960 	{
9961 		"calls: callee is using r1",
9962 		.insns = {
9963 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9964 			BPF_EXIT_INSN(),
9965 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
9966 				    offsetof(struct __sk_buff, len)),
9967 			BPF_EXIT_INSN(),
9968 		},
9969 		.prog_type = BPF_PROG_TYPE_SCHED_ACT,
9970 		.result = ACCEPT,
9971 		.retval = TEST_DATA_LEN,
9972 	},
9973 	{
9974 		"calls: callee using args1",
9975 		.insns = {
9976 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9977 			BPF_EXIT_INSN(),
9978 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
9979 			BPF_EXIT_INSN(),
9980 		},
9981 		.errstr_unpriv = "allowed for root only",
9982 		.result_unpriv = REJECT,
9983 		.result = ACCEPT,
9984 		.retval = POINTER_VALUE,
9985 	},
9986 	{
9987 		"calls: callee using wrong args2",
9988 		.insns = {
9989 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
9990 			BPF_EXIT_INSN(),
9991 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
9992 			BPF_EXIT_INSN(),
9993 		},
9994 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
9995 		.errstr = "R2 !read_ok",
9996 		.result = REJECT,
9997 	},
9998 	{
9999 		"calls: callee using two args",
10000 		.insns = {
10001 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10002 			BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
10003 				    offsetof(struct __sk_buff, len)),
10004 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_6,
10005 				    offsetof(struct __sk_buff, len)),
10006 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10007 			BPF_EXIT_INSN(),
10008 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
10009 			BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
10010 			BPF_EXIT_INSN(),
10011 		},
10012 		.errstr_unpriv = "allowed for root only",
10013 		.result_unpriv = REJECT,
10014 		.result = ACCEPT,
10015 		.retval = TEST_DATA_LEN + TEST_DATA_LEN - ETH_HLEN - ETH_HLEN,
10016 	},
10017 	{
10018 		"calls: callee changing pkt pointers",
10019 		.insns = {
10020 			BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
10021 				    offsetof(struct xdp_md, data)),
10022 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
10023 				    offsetof(struct xdp_md, data_end)),
10024 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_6),
10025 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 8),
10026 			BPF_JMP_REG(BPF_JGT, BPF_REG_8, BPF_REG_7, 2),
10027 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10028 			/* clear_all_pkt_pointers() has to walk all frames
10029 			 * to make sure that pkt pointers in the caller
10030 			 * are cleared when callee is calling a helper that
10031 			 * adjusts packet size
10032 			 */
10033 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10034 			BPF_MOV32_IMM(BPF_REG_0, 0),
10035 			BPF_EXIT_INSN(),
10036 			BPF_MOV64_IMM(BPF_REG_2, 0),
10037 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10038 				     BPF_FUNC_xdp_adjust_head),
10039 			BPF_EXIT_INSN(),
10040 		},
10041 		.result = REJECT,
10042 		.errstr = "R6 invalid mem access 'inv'",
10043 		.prog_type = BPF_PROG_TYPE_XDP,
10044 	},
10045 	{
10046 		"calls: two calls with args",
10047 		.insns = {
10048 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10049 			BPF_EXIT_INSN(),
10050 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10051 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10052 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10053 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10054 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10055 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10056 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10057 			BPF_EXIT_INSN(),
10058 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10059 				    offsetof(struct __sk_buff, len)),
10060 			BPF_EXIT_INSN(),
10061 		},
10062 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10063 		.result = ACCEPT,
10064 		.retval = TEST_DATA_LEN + TEST_DATA_LEN,
10065 	},
10066 	{
10067 		"calls: calls with stack arith",
10068 		.insns = {
10069 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10070 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10071 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10072 			BPF_EXIT_INSN(),
10073 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10074 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10075 			BPF_EXIT_INSN(),
10076 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -64),
10077 			BPF_MOV64_IMM(BPF_REG_0, 42),
10078 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10079 			BPF_EXIT_INSN(),
10080 		},
10081 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10082 		.result = ACCEPT,
10083 		.retval = 42,
10084 	},
10085 	{
10086 		"calls: calls with misaligned stack access",
10087 		.insns = {
10088 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10089 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10090 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10091 			BPF_EXIT_INSN(),
10092 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -61),
10093 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10094 			BPF_EXIT_INSN(),
10095 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -63),
10096 			BPF_MOV64_IMM(BPF_REG_0, 42),
10097 			BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
10098 			BPF_EXIT_INSN(),
10099 		},
10100 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10101 		.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
10102 		.errstr = "misaligned stack access",
10103 		.result = REJECT,
10104 	},
10105 	{
10106 		"calls: calls control flow, jump test",
10107 		.insns = {
10108 			BPF_MOV64_IMM(BPF_REG_0, 42),
10109 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10110 			BPF_MOV64_IMM(BPF_REG_0, 43),
10111 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10112 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10113 			BPF_EXIT_INSN(),
10114 		},
10115 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10116 		.result = ACCEPT,
10117 		.retval = 43,
10118 	},
10119 	{
10120 		"calls: calls control flow, jump test 2",
10121 		.insns = {
10122 			BPF_MOV64_IMM(BPF_REG_0, 42),
10123 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10124 			BPF_MOV64_IMM(BPF_REG_0, 43),
10125 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
10126 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10127 			BPF_EXIT_INSN(),
10128 		},
10129 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10130 		.errstr = "jump out of range from insn 1 to 4",
10131 		.result = REJECT,
10132 	},
10133 	{
10134 		"calls: two calls with bad jump",
10135 		.insns = {
10136 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10137 			BPF_EXIT_INSN(),
10138 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10139 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10140 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10141 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10142 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10143 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10144 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10145 			BPF_EXIT_INSN(),
10146 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10147 				    offsetof(struct __sk_buff, len)),
10148 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, -3),
10149 			BPF_EXIT_INSN(),
10150 		},
10151 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10152 		.errstr = "jump out of range from insn 11 to 9",
10153 		.result = REJECT,
10154 	},
10155 	{
10156 		"calls: recursive call. test1",
10157 		.insns = {
10158 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10159 			BPF_EXIT_INSN(),
10160 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -1),
10161 			BPF_EXIT_INSN(),
10162 		},
10163 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10164 		.errstr = "back-edge",
10165 		.result = REJECT,
10166 	},
10167 	{
10168 		"calls: recursive call. test2",
10169 		.insns = {
10170 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10171 			BPF_EXIT_INSN(),
10172 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -3),
10173 			BPF_EXIT_INSN(),
10174 		},
10175 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10176 		.errstr = "back-edge",
10177 		.result = REJECT,
10178 	},
10179 	{
10180 		"calls: unreachable code",
10181 		.insns = {
10182 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10183 			BPF_EXIT_INSN(),
10184 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10185 			BPF_EXIT_INSN(),
10186 			BPF_MOV64_IMM(BPF_REG_0, 0),
10187 			BPF_EXIT_INSN(),
10188 			BPF_MOV64_IMM(BPF_REG_0, 0),
10189 			BPF_EXIT_INSN(),
10190 		},
10191 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10192 		.errstr = "unreachable insn 6",
10193 		.result = REJECT,
10194 	},
10195 	{
10196 		"calls: invalid call",
10197 		.insns = {
10198 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10199 			BPF_EXIT_INSN(),
10200 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, -4),
10201 			BPF_EXIT_INSN(),
10202 		},
10203 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10204 		.errstr = "invalid destination",
10205 		.result = REJECT,
10206 	},
10207 	{
10208 		"calls: invalid call 2",
10209 		.insns = {
10210 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10211 			BPF_EXIT_INSN(),
10212 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0x7fffffff),
10213 			BPF_EXIT_INSN(),
10214 		},
10215 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10216 		.errstr = "invalid destination",
10217 		.result = REJECT,
10218 	},
10219 	{
10220 		"calls: jumping across function bodies. test1",
10221 		.insns = {
10222 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10223 			BPF_MOV64_IMM(BPF_REG_0, 0),
10224 			BPF_EXIT_INSN(),
10225 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
10226 			BPF_EXIT_INSN(),
10227 		},
10228 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10229 		.errstr = "jump out of range",
10230 		.result = REJECT,
10231 	},
10232 	{
10233 		"calls: jumping across function bodies. test2",
10234 		.insns = {
10235 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
10236 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10237 			BPF_MOV64_IMM(BPF_REG_0, 0),
10238 			BPF_EXIT_INSN(),
10239 			BPF_EXIT_INSN(),
10240 		},
10241 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10242 		.errstr = "jump out of range",
10243 		.result = REJECT,
10244 	},
10245 	{
10246 		"calls: call without exit",
10247 		.insns = {
10248 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10249 			BPF_EXIT_INSN(),
10250 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10251 			BPF_EXIT_INSN(),
10252 			BPF_MOV64_IMM(BPF_REG_0, 0),
10253 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -2),
10254 		},
10255 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10256 		.errstr = "not an exit",
10257 		.result = REJECT,
10258 	},
10259 	{
10260 		"calls: call into middle of ld_imm64",
10261 		.insns = {
10262 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10263 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10264 			BPF_MOV64_IMM(BPF_REG_0, 0),
10265 			BPF_EXIT_INSN(),
10266 			BPF_LD_IMM64(BPF_REG_0, 0),
10267 			BPF_EXIT_INSN(),
10268 		},
10269 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10270 		.errstr = "last insn",
10271 		.result = REJECT,
10272 	},
10273 	{
10274 		"calls: call into middle of other call",
10275 		.insns = {
10276 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10277 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10278 			BPF_MOV64_IMM(BPF_REG_0, 0),
10279 			BPF_EXIT_INSN(),
10280 			BPF_MOV64_IMM(BPF_REG_0, 0),
10281 			BPF_MOV64_IMM(BPF_REG_0, 0),
10282 			BPF_EXIT_INSN(),
10283 		},
10284 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10285 		.errstr = "last insn",
10286 		.result = REJECT,
10287 	},
10288 	{
10289 		"calls: ld_abs with changing ctx data in callee",
10290 		.insns = {
10291 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10292 			BPF_LD_ABS(BPF_B, 0),
10293 			BPF_LD_ABS(BPF_H, 0),
10294 			BPF_LD_ABS(BPF_W, 0),
10295 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
10296 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10297 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
10298 			BPF_LD_ABS(BPF_B, 0),
10299 			BPF_LD_ABS(BPF_H, 0),
10300 			BPF_LD_ABS(BPF_W, 0),
10301 			BPF_EXIT_INSN(),
10302 			BPF_MOV64_IMM(BPF_REG_2, 1),
10303 			BPF_MOV64_IMM(BPF_REG_3, 2),
10304 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10305 				     BPF_FUNC_skb_vlan_push),
10306 			BPF_EXIT_INSN(),
10307 		},
10308 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10309 		.errstr = "BPF_LD_[ABS|IND] instructions cannot be mixed",
10310 		.result = REJECT,
10311 	},
10312 	{
10313 		"calls: two calls with bad fallthrough",
10314 		.insns = {
10315 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10316 			BPF_EXIT_INSN(),
10317 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10318 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10319 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10320 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10321 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10322 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10323 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10324 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_0),
10325 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
10326 				    offsetof(struct __sk_buff, len)),
10327 			BPF_EXIT_INSN(),
10328 		},
10329 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
10330 		.errstr = "not an exit",
10331 		.result = REJECT,
10332 	},
10333 	{
10334 		"calls: two calls with stack read",
10335 		.insns = {
10336 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10337 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10338 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10339 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10340 			BPF_EXIT_INSN(),
10341 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10342 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 6),
10343 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
10344 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10345 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10346 			BPF_ALU64_REG(BPF_ADD, BPF_REG_7, BPF_REG_0),
10347 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_7),
10348 			BPF_EXIT_INSN(),
10349 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10350 			BPF_EXIT_INSN(),
10351 		},
10352 		.prog_type = BPF_PROG_TYPE_XDP,
10353 		.result = ACCEPT,
10354 	},
10355 	{
10356 		"calls: two calls with stack write",
10357 		.insns = {
10358 			/* main prog */
10359 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10360 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10361 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10362 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10363 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10364 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10365 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10366 			BPF_EXIT_INSN(),
10367 
10368 			/* subprog 1 */
10369 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10370 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10371 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 7),
10372 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
10373 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10374 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10375 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
10376 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_8),
10377 			/* write into stack frame of main prog */
10378 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10379 			BPF_EXIT_INSN(),
10380 
10381 			/* subprog 2 */
10382 			/* read from stack frame of main prog */
10383 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
10384 			BPF_EXIT_INSN(),
10385 		},
10386 		.prog_type = BPF_PROG_TYPE_XDP,
10387 		.result = ACCEPT,
10388 	},
10389 	{
10390 		"calls: stack overflow using two frames (pre-call access)",
10391 		.insns = {
10392 			/* prog 1 */
10393 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10394 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1),
10395 			BPF_EXIT_INSN(),
10396 
10397 			/* prog 2 */
10398 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10399 			BPF_MOV64_IMM(BPF_REG_0, 0),
10400 			BPF_EXIT_INSN(),
10401 		},
10402 		.prog_type = BPF_PROG_TYPE_XDP,
10403 		.errstr = "combined stack size",
10404 		.result = REJECT,
10405 	},
10406 	{
10407 		"calls: stack overflow using two frames (post-call access)",
10408 		.insns = {
10409 			/* prog 1 */
10410 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 2),
10411 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10412 			BPF_EXIT_INSN(),
10413 
10414 			/* prog 2 */
10415 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10416 			BPF_MOV64_IMM(BPF_REG_0, 0),
10417 			BPF_EXIT_INSN(),
10418 		},
10419 		.prog_type = BPF_PROG_TYPE_XDP,
10420 		.errstr = "combined stack size",
10421 		.result = REJECT,
10422 	},
10423 	{
10424 		"calls: stack depth check using three frames. test1",
10425 		.insns = {
10426 			/* main */
10427 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10428 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10429 			BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10430 			BPF_MOV64_IMM(BPF_REG_0, 0),
10431 			BPF_EXIT_INSN(),
10432 			/* A */
10433 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10434 			BPF_EXIT_INSN(),
10435 			/* B */
10436 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10437 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10438 			BPF_EXIT_INSN(),
10439 		},
10440 		.prog_type = BPF_PROG_TYPE_XDP,
10441 		/* stack_main=32, stack_A=256, stack_B=64
10442 		 * and max(main+A, main+A+B) < 512
10443 		 */
10444 		.result = ACCEPT,
10445 	},
10446 	{
10447 		"calls: stack depth check using three frames. test2",
10448 		.insns = {
10449 			/* main */
10450 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10451 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 5), /* call B */
10452 			BPF_ST_MEM(BPF_B, BPF_REG_10, -32, 0),
10453 			BPF_MOV64_IMM(BPF_REG_0, 0),
10454 			BPF_EXIT_INSN(),
10455 			/* A */
10456 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10457 			BPF_EXIT_INSN(),
10458 			/* B */
10459 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -3), /* call A */
10460 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10461 			BPF_EXIT_INSN(),
10462 		},
10463 		.prog_type = BPF_PROG_TYPE_XDP,
10464 		/* stack_main=32, stack_A=64, stack_B=256
10465 		 * and max(main+A, main+A+B) < 512
10466 		 */
10467 		.result = ACCEPT,
10468 	},
10469 	{
10470 		"calls: stack depth check using three frames. test3",
10471 		.insns = {
10472 			/* main */
10473 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10474 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10475 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10476 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 8), /* call B */
10477 			BPF_JMP_IMM(BPF_JGE, BPF_REG_6, 0, 1),
10478 			BPF_ST_MEM(BPF_B, BPF_REG_10, -64, 0),
10479 			BPF_MOV64_IMM(BPF_REG_0, 0),
10480 			BPF_EXIT_INSN(),
10481 			/* A */
10482 			BPF_JMP_IMM(BPF_JLT, BPF_REG_1, 10, 1),
10483 			BPF_EXIT_INSN(),
10484 			BPF_ST_MEM(BPF_B, BPF_REG_10, -224, 0),
10485 			BPF_JMP_IMM(BPF_JA, 0, 0, -3),
10486 			/* B */
10487 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 1),
10488 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, -6), /* call A */
10489 			BPF_ST_MEM(BPF_B, BPF_REG_10, -256, 0),
10490 			BPF_EXIT_INSN(),
10491 		},
10492 		.prog_type = BPF_PROG_TYPE_XDP,
10493 		/* stack_main=64, stack_A=224, stack_B=256
10494 		 * and max(main+A, main+A+B) > 512
10495 		 */
10496 		.errstr = "combined stack",
10497 		.result = REJECT,
10498 	},
10499 	{
10500 		"calls: stack depth check using three frames. test4",
10501 		/* void main(void) {
10502 		 *   func1(0);
10503 		 *   func1(1);
10504 		 *   func2(1);
10505 		 * }
10506 		 * void func1(int alloc_or_recurse) {
10507 		 *   if (alloc_or_recurse) {
10508 		 *     frame_pointer[-300] = 1;
10509 		 *   } else {
10510 		 *     func2(alloc_or_recurse);
10511 		 *   }
10512 		 * }
10513 		 * void func2(int alloc_or_recurse) {
10514 		 *   if (alloc_or_recurse) {
10515 		 *     frame_pointer[-300] = 1;
10516 		 *   }
10517 		 * }
10518 		 */
10519 		.insns = {
10520 			/* main */
10521 			BPF_MOV64_IMM(BPF_REG_1, 0),
10522 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 6), /* call A */
10523 			BPF_MOV64_IMM(BPF_REG_1, 1),
10524 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 4), /* call A */
10525 			BPF_MOV64_IMM(BPF_REG_1, 1),
10526 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 7), /* call B */
10527 			BPF_MOV64_IMM(BPF_REG_0, 0),
10528 			BPF_EXIT_INSN(),
10529 			/* A */
10530 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
10531 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10532 			BPF_EXIT_INSN(),
10533 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10534 			BPF_EXIT_INSN(),
10535 			/* B */
10536 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10537 			BPF_ST_MEM(BPF_B, BPF_REG_10, -300, 0),
10538 			BPF_EXIT_INSN(),
10539 		},
10540 		.prog_type = BPF_PROG_TYPE_XDP,
10541 		.result = REJECT,
10542 		.errstr = "combined stack",
10543 	},
10544 	{
10545 		"calls: stack depth check using three frames. test5",
10546 		.insns = {
10547 			/* main */
10548 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call A */
10549 			BPF_EXIT_INSN(),
10550 			/* A */
10551 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call B */
10552 			BPF_EXIT_INSN(),
10553 			/* B */
10554 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call C */
10555 			BPF_EXIT_INSN(),
10556 			/* C */
10557 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call D */
10558 			BPF_EXIT_INSN(),
10559 			/* D */
10560 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call E */
10561 			BPF_EXIT_INSN(),
10562 			/* E */
10563 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call F */
10564 			BPF_EXIT_INSN(),
10565 			/* F */
10566 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call G */
10567 			BPF_EXIT_INSN(),
10568 			/* G */
10569 			BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 1, 0, 1), /* call H */
10570 			BPF_EXIT_INSN(),
10571 			/* H */
10572 			BPF_MOV64_IMM(BPF_REG_0, 0),
10573 			BPF_EXIT_INSN(),
10574 		},
10575 		.prog_type = BPF_PROG_TYPE_XDP,
10576 		.errstr = "call stack",
10577 		.result = REJECT,
10578 	},
10579 	{
10580 		"calls: spill into caller stack frame",
10581 		.insns = {
10582 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10583 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10584 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10585 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10586 			BPF_EXIT_INSN(),
10587 			BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
10588 			BPF_MOV64_IMM(BPF_REG_0, 0),
10589 			BPF_EXIT_INSN(),
10590 		},
10591 		.prog_type = BPF_PROG_TYPE_XDP,
10592 		.errstr = "cannot spill",
10593 		.result = REJECT,
10594 	},
10595 	{
10596 		"calls: write into caller stack frame",
10597 		.insns = {
10598 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10599 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10600 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10601 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10602 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10603 			BPF_EXIT_INSN(),
10604 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 42),
10605 			BPF_MOV64_IMM(BPF_REG_0, 0),
10606 			BPF_EXIT_INSN(),
10607 		},
10608 		.prog_type = BPF_PROG_TYPE_XDP,
10609 		.result = ACCEPT,
10610 		.retval = 42,
10611 	},
10612 	{
10613 		"calls: write into callee stack frame",
10614 		.insns = {
10615 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10616 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
10617 			BPF_EXIT_INSN(),
10618 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
10619 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, -8),
10620 			BPF_EXIT_INSN(),
10621 		},
10622 		.prog_type = BPF_PROG_TYPE_XDP,
10623 		.errstr = "cannot return stack pointer",
10624 		.result = REJECT,
10625 	},
10626 	{
10627 		"calls: two calls with stack write and void return",
10628 		.insns = {
10629 			/* main prog */
10630 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10631 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10632 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10633 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10634 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10635 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10636 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10637 			BPF_EXIT_INSN(),
10638 
10639 			/* subprog 1 */
10640 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10641 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10642 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10643 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10644 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10645 			BPF_EXIT_INSN(),
10646 
10647 			/* subprog 2 */
10648 			/* write into stack frame of main prog */
10649 			BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
10650 			BPF_EXIT_INSN(), /* void return */
10651 		},
10652 		.prog_type = BPF_PROG_TYPE_XDP,
10653 		.result = ACCEPT,
10654 	},
10655 	{
10656 		"calls: ambiguous return value",
10657 		.insns = {
10658 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10659 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
10660 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10661 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
10662 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10663 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
10664 			BPF_EXIT_INSN(),
10665 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
10666 			BPF_MOV64_IMM(BPF_REG_0, 0),
10667 			BPF_EXIT_INSN(),
10668 		},
10669 		.errstr_unpriv = "allowed for root only",
10670 		.result_unpriv = REJECT,
10671 		.errstr = "R0 !read_ok",
10672 		.result = REJECT,
10673 	},
10674 	{
10675 		"calls: two calls that return map_value",
10676 		.insns = {
10677 			/* main prog */
10678 			/* pass fp-16, fp-8 into a function */
10679 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10680 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10681 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10682 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10683 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 8),
10684 
10685 			/* fetch map_value_ptr from the stack of this function */
10686 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
10687 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10688 			/* write into map value */
10689 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10690 			/* fetch secound map_value_ptr from the stack */
10691 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -16),
10692 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
10693 			/* write into map value */
10694 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10695 			BPF_MOV64_IMM(BPF_REG_0, 0),
10696 			BPF_EXIT_INSN(),
10697 
10698 			/* subprog 1 */
10699 			/* call 3rd function twice */
10700 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10701 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10702 			/* first time with fp-8 */
10703 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
10704 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10705 			/* second time with fp-16 */
10706 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
10707 			BPF_EXIT_INSN(),
10708 
10709 			/* subprog 2 */
10710 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10711 			/* lookup from map */
10712 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10713 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10714 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10715 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10716 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10717 				     BPF_FUNC_map_lookup_elem),
10718 			/* write map_value_ptr into stack frame of main prog */
10719 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10720 			BPF_MOV64_IMM(BPF_REG_0, 0),
10721 			BPF_EXIT_INSN(), /* return 0 */
10722 		},
10723 		.prog_type = BPF_PROG_TYPE_XDP,
10724 		.fixup_map1 = { 23 },
10725 		.result = ACCEPT,
10726 	},
10727 	{
10728 		"calls: two calls that return map_value with bool condition",
10729 		.insns = {
10730 			/* main prog */
10731 			/* pass fp-16, fp-8 into a function */
10732 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10733 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10734 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10735 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10736 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10737 			BPF_MOV64_IMM(BPF_REG_0, 0),
10738 			BPF_EXIT_INSN(),
10739 
10740 			/* subprog 1 */
10741 			/* call 3rd function twice */
10742 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10743 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10744 			/* first time with fp-8 */
10745 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10746 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10747 			/* fetch map_value_ptr from the stack of this function */
10748 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10749 			/* write into map value */
10750 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10751 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10752 			/* second time with fp-16 */
10753 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10754 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10755 			/* fetch secound map_value_ptr from the stack */
10756 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
10757 			/* write into map value */
10758 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10759 			BPF_EXIT_INSN(),
10760 
10761 			/* subprog 2 */
10762 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10763 			/* lookup from map */
10764 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10765 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10766 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10767 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10768 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10769 				     BPF_FUNC_map_lookup_elem),
10770 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10771 			BPF_MOV64_IMM(BPF_REG_0, 0),
10772 			BPF_EXIT_INSN(), /* return 0 */
10773 			/* write map_value_ptr into stack frame of main prog */
10774 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10775 			BPF_MOV64_IMM(BPF_REG_0, 1),
10776 			BPF_EXIT_INSN(), /* return 1 */
10777 		},
10778 		.prog_type = BPF_PROG_TYPE_XDP,
10779 		.fixup_map1 = { 23 },
10780 		.result = ACCEPT,
10781 	},
10782 	{
10783 		"calls: two calls that return map_value with incorrect bool check",
10784 		.insns = {
10785 			/* main prog */
10786 			/* pass fp-16, fp-8 into a function */
10787 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10788 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10789 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10790 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10791 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10792 			BPF_MOV64_IMM(BPF_REG_0, 0),
10793 			BPF_EXIT_INSN(),
10794 
10795 			/* subprog 1 */
10796 			/* call 3rd function twice */
10797 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10798 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10799 			/* first time with fp-8 */
10800 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 9),
10801 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 1, 2),
10802 			/* fetch map_value_ptr from the stack of this function */
10803 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
10804 			/* write into map value */
10805 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10806 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
10807 			/* second time with fp-16 */
10808 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
10809 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10810 			/* fetch secound map_value_ptr from the stack */
10811 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
10812 			/* write into map value */
10813 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10814 			BPF_EXIT_INSN(),
10815 
10816 			/* subprog 2 */
10817 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10818 			/* lookup from map */
10819 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10820 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10821 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10822 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10823 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10824 				     BPF_FUNC_map_lookup_elem),
10825 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10826 			BPF_MOV64_IMM(BPF_REG_0, 0),
10827 			BPF_EXIT_INSN(), /* return 0 */
10828 			/* write map_value_ptr into stack frame of main prog */
10829 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10830 			BPF_MOV64_IMM(BPF_REG_0, 1),
10831 			BPF_EXIT_INSN(), /* return 1 */
10832 		},
10833 		.prog_type = BPF_PROG_TYPE_XDP,
10834 		.fixup_map1 = { 23 },
10835 		.result = REJECT,
10836 		.errstr = "invalid read from stack off -16+0 size 8",
10837 	},
10838 	{
10839 		"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test1",
10840 		.insns = {
10841 			/* main prog */
10842 			/* pass fp-16, fp-8 into a function */
10843 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10844 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10845 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10846 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10847 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10848 			BPF_MOV64_IMM(BPF_REG_0, 0),
10849 			BPF_EXIT_INSN(),
10850 
10851 			/* subprog 1 */
10852 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10853 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10854 			/* 1st lookup from map */
10855 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10856 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10857 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10858 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10859 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10860 				     BPF_FUNC_map_lookup_elem),
10861 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10862 			BPF_MOV64_IMM(BPF_REG_8, 0),
10863 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10864 			/* write map_value_ptr into stack frame of main prog at fp-8 */
10865 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10866 			BPF_MOV64_IMM(BPF_REG_8, 1),
10867 
10868 			/* 2nd lookup from map */
10869 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
10870 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10871 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10872 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
10873 				     BPF_FUNC_map_lookup_elem),
10874 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10875 			BPF_MOV64_IMM(BPF_REG_9, 0),
10876 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10877 			/* write map_value_ptr into stack frame of main prog at fp-16 */
10878 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10879 			BPF_MOV64_IMM(BPF_REG_9, 1),
10880 
10881 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10882 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
10883 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10884 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10885 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10886 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
10887 			BPF_EXIT_INSN(),
10888 
10889 			/* subprog 2 */
10890 			/* if arg2 == 1 do *arg1 = 0 */
10891 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10892 			/* fetch map_value_ptr from the stack of this function */
10893 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10894 			/* write into map value */
10895 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10896 
10897 			/* if arg4 == 1 do *arg3 = 0 */
10898 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10899 			/* fetch map_value_ptr from the stack of this function */
10900 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10901 			/* write into map value */
10902 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
10903 			BPF_EXIT_INSN(),
10904 		},
10905 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10906 		.fixup_map1 = { 12, 22 },
10907 		.result = REJECT,
10908 		.errstr = "invalid access to map value, value_size=8 off=2 size=8",
10909 	},
10910 	{
10911 		"calls: two calls that receive map_value via arg=ptr_stack_of_caller. test2",
10912 		.insns = {
10913 			/* main prog */
10914 			/* pass fp-16, fp-8 into a function */
10915 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10916 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10917 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10918 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10919 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
10920 			BPF_MOV64_IMM(BPF_REG_0, 0),
10921 			BPF_EXIT_INSN(),
10922 
10923 			/* subprog 1 */
10924 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10925 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10926 			/* 1st lookup from map */
10927 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
10928 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10929 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10930 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10931 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
10932 				     BPF_FUNC_map_lookup_elem),
10933 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10934 			BPF_MOV64_IMM(BPF_REG_8, 0),
10935 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10936 			/* write map_value_ptr into stack frame of main prog at fp-8 */
10937 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
10938 			BPF_MOV64_IMM(BPF_REG_8, 1),
10939 
10940 			/* 2nd lookup from map */
10941 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), /* 20 */
10942 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
10943 			BPF_LD_MAP_FD(BPF_REG_1, 0),
10944 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, /* 24 */
10945 				     BPF_FUNC_map_lookup_elem),
10946 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
10947 			BPF_MOV64_IMM(BPF_REG_9, 0),
10948 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
10949 			/* write map_value_ptr into stack frame of main prog at fp-16 */
10950 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
10951 			BPF_MOV64_IMM(BPF_REG_9, 1),
10952 
10953 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
10954 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), /* 30 */
10955 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
10956 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
10957 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
10958 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),  /* 34 */
10959 			BPF_EXIT_INSN(),
10960 
10961 			/* subprog 2 */
10962 			/* if arg2 == 1 do *arg1 = 0 */
10963 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
10964 			/* fetch map_value_ptr from the stack of this function */
10965 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
10966 			/* write into map value */
10967 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10968 
10969 			/* if arg4 == 1 do *arg3 = 0 */
10970 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
10971 			/* fetch map_value_ptr from the stack of this function */
10972 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
10973 			/* write into map value */
10974 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
10975 			BPF_EXIT_INSN(),
10976 		},
10977 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
10978 		.fixup_map1 = { 12, 22 },
10979 		.result = ACCEPT,
10980 	},
10981 	{
10982 		"calls: two jumps that receive map_value via arg=ptr_stack_of_jumper. test3",
10983 		.insns = {
10984 			/* main prog */
10985 			/* pass fp-16, fp-8 into a function */
10986 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
10987 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
10988 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
10989 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
10990 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
10991 			BPF_MOV64_IMM(BPF_REG_0, 0),
10992 			BPF_EXIT_INSN(),
10993 
10994 			/* subprog 1 */
10995 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
10996 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
10997 			/* 1st lookup from map */
10998 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -24, 0),
10999 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11000 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11001 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11002 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11003 				     BPF_FUNC_map_lookup_elem),
11004 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11005 			BPF_MOV64_IMM(BPF_REG_8, 0),
11006 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11007 			/* write map_value_ptr into stack frame of main prog at fp-8 */
11008 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11009 			BPF_MOV64_IMM(BPF_REG_8, 1),
11010 
11011 			/* 2nd lookup from map */
11012 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11013 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -24),
11014 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11015 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11016 				     BPF_FUNC_map_lookup_elem),
11017 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11018 			BPF_MOV64_IMM(BPF_REG_9, 0),  // 26
11019 			BPF_JMP_IMM(BPF_JA, 0, 0, 2),
11020 			/* write map_value_ptr into stack frame of main prog at fp-16 */
11021 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11022 			BPF_MOV64_IMM(BPF_REG_9, 1),
11023 
11024 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11025 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), // 30
11026 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11027 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11028 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11029 			BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1), // 34
11030 			BPF_JMP_IMM(BPF_JA, 0, 0, -30),
11031 
11032 			/* subprog 2 */
11033 			/* if arg2 == 1 do *arg1 = 0 */
11034 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11035 			/* fetch map_value_ptr from the stack of this function */
11036 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11037 			/* write into map value */
11038 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11039 
11040 			/* if arg4 == 1 do *arg3 = 0 */
11041 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11042 			/* fetch map_value_ptr from the stack of this function */
11043 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11044 			/* write into map value */
11045 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 0),
11046 			BPF_JMP_IMM(BPF_JA, 0, 0, -8),
11047 		},
11048 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11049 		.fixup_map1 = { 12, 22 },
11050 		.result = REJECT,
11051 		.errstr = "invalid access to map value, value_size=8 off=2 size=8",
11052 	},
11053 	{
11054 		"calls: two calls that receive map_value_ptr_or_null via arg. test1",
11055 		.insns = {
11056 			/* main prog */
11057 			/* pass fp-16, fp-8 into a function */
11058 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11059 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11060 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11061 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11062 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11063 			BPF_MOV64_IMM(BPF_REG_0, 0),
11064 			BPF_EXIT_INSN(),
11065 
11066 			/* subprog 1 */
11067 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11068 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11069 			/* 1st lookup from map */
11070 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11071 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11072 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11073 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11074 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11075 				     BPF_FUNC_map_lookup_elem),
11076 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11077 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11078 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11079 			BPF_MOV64_IMM(BPF_REG_8, 0),
11080 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11081 			BPF_MOV64_IMM(BPF_REG_8, 1),
11082 
11083 			/* 2nd lookup from map */
11084 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11085 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11086 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11087 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11088 				     BPF_FUNC_map_lookup_elem),
11089 			/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11090 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11091 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11092 			BPF_MOV64_IMM(BPF_REG_9, 0),
11093 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11094 			BPF_MOV64_IMM(BPF_REG_9, 1),
11095 
11096 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11097 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11098 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11099 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11100 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11101 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11102 			BPF_EXIT_INSN(),
11103 
11104 			/* subprog 2 */
11105 			/* if arg2 == 1 do *arg1 = 0 */
11106 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11107 			/* fetch map_value_ptr from the stack of this function */
11108 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11109 			/* write into map value */
11110 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11111 
11112 			/* if arg4 == 1 do *arg3 = 0 */
11113 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 1, 2),
11114 			/* fetch map_value_ptr from the stack of this function */
11115 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11116 			/* write into map value */
11117 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11118 			BPF_EXIT_INSN(),
11119 		},
11120 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11121 		.fixup_map1 = { 12, 22 },
11122 		.result = ACCEPT,
11123 	},
11124 	{
11125 		"calls: two calls that receive map_value_ptr_or_null via arg. test2",
11126 		.insns = {
11127 			/* main prog */
11128 			/* pass fp-16, fp-8 into a function */
11129 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
11130 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
11131 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11132 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
11133 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
11134 			BPF_MOV64_IMM(BPF_REG_0, 0),
11135 			BPF_EXIT_INSN(),
11136 
11137 			/* subprog 1 */
11138 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11139 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
11140 			/* 1st lookup from map */
11141 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11142 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11143 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11144 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11145 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11146 				     BPF_FUNC_map_lookup_elem),
11147 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11148 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11149 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11150 			BPF_MOV64_IMM(BPF_REG_8, 0),
11151 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11152 			BPF_MOV64_IMM(BPF_REG_8, 1),
11153 
11154 			/* 2nd lookup from map */
11155 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11156 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11157 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11158 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11159 				     BPF_FUNC_map_lookup_elem),
11160 			/* write map_value_ptr_or_null into stack frame of main prog at fp-16 */
11161 			BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
11162 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11163 			BPF_MOV64_IMM(BPF_REG_9, 0),
11164 			BPF_JMP_IMM(BPF_JA, 0, 0, 1),
11165 			BPF_MOV64_IMM(BPF_REG_9, 1),
11166 
11167 			/* call 3rd func with fp-8, 0|1, fp-16, 0|1 */
11168 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11169 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_8),
11170 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_7),
11171 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_9),
11172 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11173 			BPF_EXIT_INSN(),
11174 
11175 			/* subprog 2 */
11176 			/* if arg2 == 1 do *arg1 = 0 */
11177 			BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 1, 2),
11178 			/* fetch map_value_ptr from the stack of this function */
11179 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
11180 			/* write into map value */
11181 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11182 
11183 			/* if arg4 == 0 do *arg3 = 0 */
11184 			BPF_JMP_IMM(BPF_JNE, BPF_REG_4, 0, 2),
11185 			/* fetch map_value_ptr from the stack of this function */
11186 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
11187 			/* write into map value */
11188 			BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
11189 			BPF_EXIT_INSN(),
11190 		},
11191 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11192 		.fixup_map1 = { 12, 22 },
11193 		.result = REJECT,
11194 		.errstr = "R0 invalid mem access 'inv'",
11195 	},
11196 	{
11197 		"calls: pkt_ptr spill into caller stack",
11198 		.insns = {
11199 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11200 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11201 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 1),
11202 			BPF_EXIT_INSN(),
11203 
11204 			/* subprog 1 */
11205 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11206 				    offsetof(struct __sk_buff, data)),
11207 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11208 				    offsetof(struct __sk_buff, data_end)),
11209 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11210 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11211 			/* spill unchecked pkt_ptr into stack of caller */
11212 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11213 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11214 			/* now the pkt range is verified, read pkt_ptr from stack */
11215 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11216 			/* write 4 bytes into packet */
11217 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11218 			BPF_EXIT_INSN(),
11219 		},
11220 		.result = ACCEPT,
11221 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11222 		.retval = POINTER_VALUE,
11223 	},
11224 	{
11225 		"calls: pkt_ptr spill into caller stack 2",
11226 		.insns = {
11227 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11228 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11229 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11230 			/* Marking is still kept, but not in all cases safe. */
11231 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11232 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11233 			BPF_EXIT_INSN(),
11234 
11235 			/* subprog 1 */
11236 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11237 				    offsetof(struct __sk_buff, data)),
11238 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11239 				    offsetof(struct __sk_buff, data_end)),
11240 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11241 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11242 			/* spill unchecked pkt_ptr into stack of caller */
11243 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11244 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11245 			/* now the pkt range is verified, read pkt_ptr from stack */
11246 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11247 			/* write 4 bytes into packet */
11248 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11249 			BPF_EXIT_INSN(),
11250 		},
11251 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11252 		.errstr = "invalid access to packet",
11253 		.result = REJECT,
11254 	},
11255 	{
11256 		"calls: pkt_ptr spill into caller stack 3",
11257 		.insns = {
11258 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11259 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11260 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11261 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11262 			/* Marking is still kept and safe here. */
11263 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11264 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11265 			BPF_EXIT_INSN(),
11266 
11267 			/* subprog 1 */
11268 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11269 				    offsetof(struct __sk_buff, data)),
11270 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11271 				    offsetof(struct __sk_buff, data_end)),
11272 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11273 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11274 			/* spill unchecked pkt_ptr into stack of caller */
11275 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11276 			BPF_MOV64_IMM(BPF_REG_5, 0),
11277 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11278 			BPF_MOV64_IMM(BPF_REG_5, 1),
11279 			/* now the pkt range is verified, read pkt_ptr from stack */
11280 			BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
11281 			/* write 4 bytes into packet */
11282 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11283 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11284 			BPF_EXIT_INSN(),
11285 		},
11286 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11287 		.result = ACCEPT,
11288 		.retval = 1,
11289 	},
11290 	{
11291 		"calls: pkt_ptr spill into caller stack 4",
11292 		.insns = {
11293 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11294 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11295 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11296 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
11297 			/* Check marking propagated. */
11298 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11299 			BPF_ST_MEM(BPF_W, BPF_REG_4, 0, 0),
11300 			BPF_EXIT_INSN(),
11301 
11302 			/* subprog 1 */
11303 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11304 				    offsetof(struct __sk_buff, data)),
11305 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11306 				    offsetof(struct __sk_buff, data_end)),
11307 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11308 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11309 			/* spill unchecked pkt_ptr into stack of caller */
11310 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11311 			BPF_MOV64_IMM(BPF_REG_5, 0),
11312 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11313 			BPF_MOV64_IMM(BPF_REG_5, 1),
11314 			/* don't read back pkt_ptr from stack here */
11315 			/* write 4 bytes into packet */
11316 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11317 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11318 			BPF_EXIT_INSN(),
11319 		},
11320 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11321 		.result = ACCEPT,
11322 		.retval = 1,
11323 	},
11324 	{
11325 		"calls: pkt_ptr spill into caller stack 5",
11326 		.insns = {
11327 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11328 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11329 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_1, 0),
11330 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11331 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11332 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11333 			BPF_EXIT_INSN(),
11334 
11335 			/* subprog 1 */
11336 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11337 				    offsetof(struct __sk_buff, data)),
11338 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11339 				    offsetof(struct __sk_buff, data_end)),
11340 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11341 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11342 			BPF_MOV64_IMM(BPF_REG_5, 0),
11343 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11344 			/* spill checked pkt_ptr into stack of caller */
11345 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11346 			BPF_MOV64_IMM(BPF_REG_5, 1),
11347 			/* don't read back pkt_ptr from stack here */
11348 			/* write 4 bytes into packet */
11349 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11350 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11351 			BPF_EXIT_INSN(),
11352 		},
11353 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11354 		.errstr = "same insn cannot be used with different",
11355 		.result = REJECT,
11356 	},
11357 	{
11358 		"calls: pkt_ptr spill into caller stack 6",
11359 		.insns = {
11360 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11361 				    offsetof(struct __sk_buff, data_end)),
11362 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11363 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11364 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11365 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11366 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11367 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11368 			BPF_EXIT_INSN(),
11369 
11370 			/* subprog 1 */
11371 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11372 				    offsetof(struct __sk_buff, data)),
11373 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11374 				    offsetof(struct __sk_buff, data_end)),
11375 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11376 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11377 			BPF_MOV64_IMM(BPF_REG_5, 0),
11378 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11379 			/* spill checked pkt_ptr into stack of caller */
11380 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11381 			BPF_MOV64_IMM(BPF_REG_5, 1),
11382 			/* don't read back pkt_ptr from stack here */
11383 			/* write 4 bytes into packet */
11384 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11385 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11386 			BPF_EXIT_INSN(),
11387 		},
11388 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11389 		.errstr = "R4 invalid mem access",
11390 		.result = REJECT,
11391 	},
11392 	{
11393 		"calls: pkt_ptr spill into caller stack 7",
11394 		.insns = {
11395 			BPF_MOV64_IMM(BPF_REG_2, 0),
11396 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11397 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11398 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11399 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11400 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11401 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11402 			BPF_EXIT_INSN(),
11403 
11404 			/* subprog 1 */
11405 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11406 				    offsetof(struct __sk_buff, data)),
11407 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11408 				    offsetof(struct __sk_buff, data_end)),
11409 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11410 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11411 			BPF_MOV64_IMM(BPF_REG_5, 0),
11412 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11413 			/* spill checked pkt_ptr into stack of caller */
11414 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11415 			BPF_MOV64_IMM(BPF_REG_5, 1),
11416 			/* don't read back pkt_ptr from stack here */
11417 			/* write 4 bytes into packet */
11418 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11419 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11420 			BPF_EXIT_INSN(),
11421 		},
11422 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11423 		.errstr = "R4 invalid mem access",
11424 		.result = REJECT,
11425 	},
11426 	{
11427 		"calls: pkt_ptr spill into caller stack 8",
11428 		.insns = {
11429 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11430 				    offsetof(struct __sk_buff, data)),
11431 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11432 				    offsetof(struct __sk_buff, data_end)),
11433 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11434 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11435 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11436 			BPF_EXIT_INSN(),
11437 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11438 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11439 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11440 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11441 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11442 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11443 			BPF_EXIT_INSN(),
11444 
11445 			/* subprog 1 */
11446 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11447 				    offsetof(struct __sk_buff, data)),
11448 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11449 				    offsetof(struct __sk_buff, data_end)),
11450 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11451 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11452 			BPF_MOV64_IMM(BPF_REG_5, 0),
11453 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
11454 			/* spill checked pkt_ptr into stack of caller */
11455 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11456 			BPF_MOV64_IMM(BPF_REG_5, 1),
11457 			/* don't read back pkt_ptr from stack here */
11458 			/* write 4 bytes into packet */
11459 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11460 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11461 			BPF_EXIT_INSN(),
11462 		},
11463 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11464 		.result = ACCEPT,
11465 	},
11466 	{
11467 		"calls: pkt_ptr spill into caller stack 9",
11468 		.insns = {
11469 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11470 				    offsetof(struct __sk_buff, data)),
11471 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11472 				    offsetof(struct __sk_buff, data_end)),
11473 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11474 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11475 			BPF_JMP_REG(BPF_JLE, BPF_REG_0, BPF_REG_3, 1),
11476 			BPF_EXIT_INSN(),
11477 			BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
11478 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
11479 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11480 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 3),
11481 			BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
11482 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_4, 0),
11483 			BPF_EXIT_INSN(),
11484 
11485 			/* subprog 1 */
11486 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11487 				    offsetof(struct __sk_buff, data)),
11488 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11489 				    offsetof(struct __sk_buff, data_end)),
11490 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
11491 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
11492 			BPF_MOV64_IMM(BPF_REG_5, 0),
11493 			/* spill unchecked pkt_ptr into stack of caller */
11494 			BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
11495 			BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
11496 			BPF_MOV64_IMM(BPF_REG_5, 1),
11497 			/* don't read back pkt_ptr from stack here */
11498 			/* write 4 bytes into packet */
11499 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11500 			BPF_MOV64_REG(BPF_REG_0, BPF_REG_5),
11501 			BPF_EXIT_INSN(),
11502 		},
11503 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11504 		.errstr = "invalid access to packet",
11505 		.result = REJECT,
11506 	},
11507 	{
11508 		"calls: caller stack init to zero or map_value_or_null",
11509 		.insns = {
11510 			BPF_MOV64_IMM(BPF_REG_0, 0),
11511 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11512 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11513 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11514 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
11515 			/* fetch map_value_or_null or const_zero from stack */
11516 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11517 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
11518 			/* store into map_value */
11519 			BPF_ST_MEM(BPF_W, BPF_REG_0, 0, 0),
11520 			BPF_EXIT_INSN(),
11521 
11522 			/* subprog 1 */
11523 			/* if (ctx == 0) return; */
11524 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 8),
11525 			/* else bpf_map_lookup() and *(fp - 8) = r0 */
11526 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
11527 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11528 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11529 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11530 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11531 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11532 				     BPF_FUNC_map_lookup_elem),
11533 			/* write map_value_ptr_or_null into stack frame of main prog at fp-8 */
11534 			BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_0, 0),
11535 			BPF_EXIT_INSN(),
11536 		},
11537 		.fixup_map1 = { 13 },
11538 		.result = ACCEPT,
11539 		.prog_type = BPF_PROG_TYPE_XDP,
11540 	},
11541 	{
11542 		"calls: stack init to zero and pruning",
11543 		.insns = {
11544 			/* first make allocated_stack 16 byte */
11545 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
11546 			/* now fork the execution such that the false branch
11547 			 * of JGT insn will be verified second and it skisp zero
11548 			 * init of fp-8 stack slot. If stack liveness marking
11549 			 * is missing live_read marks from call map_lookup
11550 			 * processing then pruning will incorrectly assume
11551 			 * that fp-8 stack slot was unused in the fall-through
11552 			 * branch and will accept the program incorrectly
11553 			 */
11554 			BPF_JMP_IMM(BPF_JGT, BPF_REG_1, 2, 2),
11555 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11556 			BPF_JMP_IMM(BPF_JA, 0, 0, 0),
11557 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11558 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11559 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11560 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11561 				     BPF_FUNC_map_lookup_elem),
11562 			BPF_EXIT_INSN(),
11563 		},
11564 		.fixup_map2 = { 6 },
11565 		.errstr = "invalid indirect read from stack off -8+0 size 8",
11566 		.result = REJECT,
11567 		.prog_type = BPF_PROG_TYPE_XDP,
11568 	},
11569 	{
11570 		"search pruning: all branches should be verified (nop operation)",
11571 		.insns = {
11572 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11573 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11574 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11575 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11576 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11577 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
11578 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11579 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11580 			BPF_MOV64_IMM(BPF_REG_4, 0),
11581 			BPF_JMP_A(1),
11582 			BPF_MOV64_IMM(BPF_REG_4, 1),
11583 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11584 			BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11585 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11586 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_5, 0, 2),
11587 			BPF_MOV64_IMM(BPF_REG_6, 0),
11588 			BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xdead),
11589 			BPF_EXIT_INSN(),
11590 		},
11591 		.fixup_map1 = { 3 },
11592 		.errstr = "R6 invalid mem access 'inv'",
11593 		.result = REJECT,
11594 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11595 	},
11596 	{
11597 		"search pruning: all branches should be verified (invalid stack access)",
11598 		.insns = {
11599 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11600 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11601 			BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
11602 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11603 			BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
11604 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 8),
11605 			BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
11606 			BPF_MOV64_IMM(BPF_REG_4, 0),
11607 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0xbeef, 2),
11608 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -16),
11609 			BPF_JMP_A(1),
11610 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -24),
11611 			BPF_EMIT_CALL(BPF_FUNC_ktime_get_ns),
11612 			BPF_LDX_MEM(BPF_DW, BPF_REG_5, BPF_REG_10, -16),
11613 			BPF_EXIT_INSN(),
11614 		},
11615 		.fixup_map1 = { 3 },
11616 		.errstr = "invalid read from stack off -16+0 size 8",
11617 		.result = REJECT,
11618 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11619 	},
11620 	{
11621 		"jit: lsh, rsh, arsh by 1",
11622 		.insns = {
11623 			BPF_MOV64_IMM(BPF_REG_0, 1),
11624 			BPF_MOV64_IMM(BPF_REG_1, 0xff),
11625 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 1),
11626 			BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 1),
11627 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x3fc, 1),
11628 			BPF_EXIT_INSN(),
11629 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 1),
11630 			BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 1),
11631 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0xff, 1),
11632 			BPF_EXIT_INSN(),
11633 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 1),
11634 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0x7f, 1),
11635 			BPF_EXIT_INSN(),
11636 			BPF_MOV64_IMM(BPF_REG_0, 2),
11637 			BPF_EXIT_INSN(),
11638 		},
11639 		.result = ACCEPT,
11640 		.retval = 2,
11641 	},
11642 	{
11643 		"jit: mov32 for ldimm64, 1",
11644 		.insns = {
11645 			BPF_MOV64_IMM(BPF_REG_0, 2),
11646 			BPF_LD_IMM64(BPF_REG_1, 0xfeffffffffffffffULL),
11647 			BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32),
11648 			BPF_LD_IMM64(BPF_REG_2, 0xfeffffffULL),
11649 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
11650 			BPF_MOV64_IMM(BPF_REG_0, 1),
11651 			BPF_EXIT_INSN(),
11652 		},
11653 		.result = ACCEPT,
11654 		.retval = 2,
11655 	},
11656 	{
11657 		"jit: mov32 for ldimm64, 2",
11658 		.insns = {
11659 			BPF_MOV64_IMM(BPF_REG_0, 1),
11660 			BPF_LD_IMM64(BPF_REG_1, 0x1ffffffffULL),
11661 			BPF_LD_IMM64(BPF_REG_2, 0xffffffffULL),
11662 			BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_2, 1),
11663 			BPF_MOV64_IMM(BPF_REG_0, 2),
11664 			BPF_EXIT_INSN(),
11665 		},
11666 		.result = ACCEPT,
11667 		.retval = 2,
11668 	},
11669 	{
11670 		"jit: various mul tests",
11671 		.insns = {
11672 			BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
11673 			BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
11674 			BPF_LD_IMM64(BPF_REG_1, 0xefefefULL),
11675 			BPF_ALU64_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
11676 			BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
11677 			BPF_MOV64_IMM(BPF_REG_0, 1),
11678 			BPF_EXIT_INSN(),
11679 			BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
11680 			BPF_ALU64_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
11681 			BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
11682 			BPF_MOV64_IMM(BPF_REG_0, 1),
11683 			BPF_EXIT_INSN(),
11684 			BPF_MOV32_REG(BPF_REG_2, BPF_REG_2),
11685 			BPF_LD_IMM64(BPF_REG_0, 0xfefefeULL),
11686 			BPF_ALU32_REG(BPF_MUL, BPF_REG_0, BPF_REG_1),
11687 			BPF_JMP_REG(BPF_JEQ, BPF_REG_0, BPF_REG_2, 2),
11688 			BPF_MOV64_IMM(BPF_REG_0, 1),
11689 			BPF_EXIT_INSN(),
11690 			BPF_LD_IMM64(BPF_REG_3, 0xfefefeULL),
11691 			BPF_ALU32_REG(BPF_MUL, BPF_REG_3, BPF_REG_1),
11692 			BPF_JMP_REG(BPF_JEQ, BPF_REG_3, BPF_REG_2, 2),
11693 			BPF_MOV64_IMM(BPF_REG_0, 1),
11694 			BPF_EXIT_INSN(),
11695 			BPF_LD_IMM64(BPF_REG_0, 0x952a7bbcULL),
11696 			BPF_LD_IMM64(BPF_REG_1, 0xfefefeULL),
11697 			BPF_LD_IMM64(BPF_REG_2, 0xeeff0d413122ULL),
11698 			BPF_ALU32_REG(BPF_MUL, BPF_REG_2, BPF_REG_1),
11699 			BPF_JMP_REG(BPF_JEQ, BPF_REG_2, BPF_REG_0, 2),
11700 			BPF_MOV64_IMM(BPF_REG_0, 1),
11701 			BPF_EXIT_INSN(),
11702 			BPF_MOV64_IMM(BPF_REG_0, 2),
11703 			BPF_EXIT_INSN(),
11704 		},
11705 		.result = ACCEPT,
11706 		.retval = 2,
11707 	},
11708 	{
11709 		"xadd/w check unaligned stack",
11710 		.insns = {
11711 			BPF_MOV64_IMM(BPF_REG_0, 1),
11712 			BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
11713 			BPF_STX_XADD(BPF_W, BPF_REG_10, BPF_REG_0, -7),
11714 			BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
11715 			BPF_EXIT_INSN(),
11716 		},
11717 		.result = REJECT,
11718 		.errstr = "misaligned stack access off",
11719 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11720 	},
11721 	{
11722 		"xadd/w check unaligned map",
11723 		.insns = {
11724 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11725 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11726 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11727 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11728 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11729 				     BPF_FUNC_map_lookup_elem),
11730 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
11731 			BPF_EXIT_INSN(),
11732 			BPF_MOV64_IMM(BPF_REG_1, 1),
11733 			BPF_STX_XADD(BPF_W, BPF_REG_0, BPF_REG_1, 3),
11734 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 3),
11735 			BPF_EXIT_INSN(),
11736 		},
11737 		.fixup_map1 = { 3 },
11738 		.result = REJECT,
11739 		.errstr = "misaligned value access off",
11740 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11741 	},
11742 	{
11743 		"xadd/w check unaligned pkt",
11744 		.insns = {
11745 			BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
11746 				    offsetof(struct xdp_md, data)),
11747 			BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
11748 				    offsetof(struct xdp_md, data_end)),
11749 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
11750 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
11751 			BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 2),
11752 			BPF_MOV64_IMM(BPF_REG_0, 99),
11753 			BPF_JMP_IMM(BPF_JA, 0, 0, 6),
11754 			BPF_MOV64_IMM(BPF_REG_0, 1),
11755 			BPF_ST_MEM(BPF_W, BPF_REG_2, 0, 0),
11756 			BPF_ST_MEM(BPF_W, BPF_REG_2, 3, 0),
11757 			BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 1),
11758 			BPF_STX_XADD(BPF_W, BPF_REG_2, BPF_REG_0, 2),
11759 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_2, 1),
11760 			BPF_EXIT_INSN(),
11761 		},
11762 		.result = REJECT,
11763 		.errstr = "BPF_XADD stores into R2 packet",
11764 		.prog_type = BPF_PROG_TYPE_XDP,
11765 	},
11766 	{
11767 		"bpf_get_stack return R0 within range",
11768 		.insns = {
11769 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11770 			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
11771 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
11772 			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
11773 			BPF_LD_MAP_FD(BPF_REG_1, 0),
11774 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11775 				     BPF_FUNC_map_lookup_elem),
11776 			BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28),
11777 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_0),
11778 			BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)),
11779 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11780 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
11781 			BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)),
11782 			BPF_MOV64_IMM(BPF_REG_4, 256),
11783 			BPF_EMIT_CALL(BPF_FUNC_get_stack),
11784 			BPF_MOV64_IMM(BPF_REG_1, 0),
11785 			BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
11786 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32),
11787 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32),
11788 			BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16),
11789 			BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
11790 			BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
11791 			BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
11792 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),
11793 			BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
11794 			BPF_ALU64_IMM(BPF_ARSH, BPF_REG_1, 32),
11795 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
11796 			BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1),
11797 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11798 			BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)),
11799 			BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5),
11800 			BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4),
11801 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
11802 			BPF_MOV64_REG(BPF_REG_3, BPF_REG_9),
11803 			BPF_MOV64_IMM(BPF_REG_4, 0),
11804 			BPF_EMIT_CALL(BPF_FUNC_get_stack),
11805 			BPF_EXIT_INSN(),
11806 		},
11807 		.fixup_map2 = { 4 },
11808 		.result = ACCEPT,
11809 		.prog_type = BPF_PROG_TYPE_TRACEPOINT,
11810 	},
11811 	{
11812 		"ld_abs: invalid op 1",
11813 		.insns = {
11814 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11815 			BPF_LD_ABS(BPF_DW, 0),
11816 			BPF_EXIT_INSN(),
11817 		},
11818 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11819 		.result = REJECT,
11820 		.errstr = "unknown opcode",
11821 	},
11822 	{
11823 		"ld_abs: invalid op 2",
11824 		.insns = {
11825 			BPF_MOV32_IMM(BPF_REG_0, 256),
11826 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11827 			BPF_LD_IND(BPF_DW, BPF_REG_0, 0),
11828 			BPF_EXIT_INSN(),
11829 		},
11830 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11831 		.result = REJECT,
11832 		.errstr = "unknown opcode",
11833 	},
11834 	{
11835 		"ld_abs: nmap reduced",
11836 		.insns = {
11837 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11838 			BPF_LD_ABS(BPF_H, 12),
11839 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 28),
11840 			BPF_LD_ABS(BPF_H, 12),
11841 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 26),
11842 			BPF_MOV32_IMM(BPF_REG_0, 18),
11843 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -64),
11844 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -64),
11845 			BPF_LD_IND(BPF_W, BPF_REG_7, 14),
11846 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -60),
11847 			BPF_MOV32_IMM(BPF_REG_0, 280971478),
11848 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
11849 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
11850 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -60),
11851 			BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
11852 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 15),
11853 			BPF_LD_ABS(BPF_H, 12),
11854 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x806, 13),
11855 			BPF_MOV32_IMM(BPF_REG_0, 22),
11856 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -56),
11857 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -56),
11858 			BPF_LD_IND(BPF_H, BPF_REG_7, 14),
11859 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -52),
11860 			BPF_MOV32_IMM(BPF_REG_0, 17366),
11861 			BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_0, -48),
11862 			BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_10, -48),
11863 			BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -52),
11864 			BPF_ALU32_REG(BPF_SUB, BPF_REG_0, BPF_REG_7),
11865 			BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
11866 			BPF_MOV32_IMM(BPF_REG_0, 256),
11867 			BPF_EXIT_INSN(),
11868 			BPF_MOV32_IMM(BPF_REG_0, 0),
11869 			BPF_EXIT_INSN(),
11870 		},
11871 		.data = {
11872 			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x08, 0x06, 0,
11873 			0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
11874 			0x10, 0xbf, 0x48, 0xd6, 0x43, 0xd6,
11875 		},
11876 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11877 		.result = ACCEPT,
11878 		.retval = 256,
11879 	},
11880 	{
11881 		"ld_abs: div + abs, test 1",
11882 		.insns = {
11883 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
11884 			BPF_LD_ABS(BPF_B, 3),
11885 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
11886 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
11887 			BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
11888 			BPF_LD_ABS(BPF_B, 4),
11889 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
11890 			BPF_LD_IND(BPF_B, BPF_REG_8, -70),
11891 			BPF_EXIT_INSN(),
11892 		},
11893 		.data = {
11894 			10, 20, 30, 40, 50,
11895 		},
11896 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11897 		.result = ACCEPT,
11898 		.retval = 10,
11899 	},
11900 	{
11901 		"ld_abs: div + abs, test 2",
11902 		.insns = {
11903 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
11904 			BPF_LD_ABS(BPF_B, 3),
11905 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_2, 2),
11906 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_2),
11907 			BPF_ALU64_REG(BPF_MOV, BPF_REG_8, BPF_REG_0),
11908 			BPF_LD_ABS(BPF_B, 128),
11909 			BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_0),
11910 			BPF_LD_IND(BPF_B, BPF_REG_8, -70),
11911 			BPF_EXIT_INSN(),
11912 		},
11913 		.data = {
11914 			10, 20, 30, 40, 50,
11915 		},
11916 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11917 		.result = ACCEPT,
11918 		.retval = 0,
11919 	},
11920 	{
11921 		"ld_abs: div + abs, test 3",
11922 		.insns = {
11923 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
11924 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
11925 			BPF_LD_ABS(BPF_B, 3),
11926 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
11927 			BPF_EXIT_INSN(),
11928 		},
11929 		.data = {
11930 			10, 20, 30, 40, 50,
11931 		},
11932 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11933 		.result = ACCEPT,
11934 		.retval = 0,
11935 	},
11936 	{
11937 		"ld_abs: div + abs, test 4",
11938 		.insns = {
11939 			BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
11940 			BPF_ALU64_IMM(BPF_MOV, BPF_REG_7, 0),
11941 			BPF_LD_ABS(BPF_B, 256),
11942 			BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_7),
11943 			BPF_EXIT_INSN(),
11944 		},
11945 		.data = {
11946 			10, 20, 30, 40, 50,
11947 		},
11948 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11949 		.result = ACCEPT,
11950 		.retval = 0,
11951 	},
11952 	{
11953 		"ld_abs: vlan + abs, test 1",
11954 		.insns = { },
11955 		.data = {
11956 			0x34,
11957 		},
11958 		.fill_helper = bpf_fill_ld_abs_vlan_push_pop,
11959 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11960 		.result = ACCEPT,
11961 		.retval = 0xbef,
11962 	},
11963 	{
11964 		"ld_abs: vlan + abs, test 2",
11965 		.insns = {
11966 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
11967 			BPF_LD_ABS(BPF_B, 0),
11968 			BPF_LD_ABS(BPF_H, 0),
11969 			BPF_LD_ABS(BPF_W, 0),
11970 			BPF_MOV64_REG(BPF_REG_7, BPF_REG_6),
11971 			BPF_MOV64_IMM(BPF_REG_6, 0),
11972 			BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
11973 			BPF_MOV64_IMM(BPF_REG_2, 1),
11974 			BPF_MOV64_IMM(BPF_REG_3, 2),
11975 			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
11976 				     BPF_FUNC_skb_vlan_push),
11977 			BPF_MOV64_REG(BPF_REG_6, BPF_REG_7),
11978 			BPF_LD_ABS(BPF_B, 0),
11979 			BPF_LD_ABS(BPF_H, 0),
11980 			BPF_LD_ABS(BPF_W, 0),
11981 			BPF_MOV64_IMM(BPF_REG_0, 42),
11982 			BPF_EXIT_INSN(),
11983 		},
11984 		.data = {
11985 			0x34,
11986 		},
11987 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11988 		.result = ACCEPT,
11989 		.retval = 42,
11990 	},
11991 	{
11992 		"ld_abs: jump around ld_abs",
11993 		.insns = { },
11994 		.data = {
11995 			10, 11,
11996 		},
11997 		.fill_helper = bpf_fill_jump_around_ld_abs,
11998 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
11999 		.result = ACCEPT,
12000 		.retval = 10,
12001 	},
12002 	{
12003 		"ld_dw: xor semi-random 64 bit imms, test 1",
12004 		.insns = { },
12005 		.data = { },
12006 		.fill_helper = bpf_fill_rand_ld_dw,
12007 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12008 		.result = ACCEPT,
12009 		.retval = 4090,
12010 	},
12011 	{
12012 		"ld_dw: xor semi-random 64 bit imms, test 2",
12013 		.insns = { },
12014 		.data = { },
12015 		.fill_helper = bpf_fill_rand_ld_dw,
12016 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12017 		.result = ACCEPT,
12018 		.retval = 2047,
12019 	},
12020 	{
12021 		"ld_dw: xor semi-random 64 bit imms, test 3",
12022 		.insns = { },
12023 		.data = { },
12024 		.fill_helper = bpf_fill_rand_ld_dw,
12025 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12026 		.result = ACCEPT,
12027 		.retval = 511,
12028 	},
12029 	{
12030 		"ld_dw: xor semi-random 64 bit imms, test 4",
12031 		.insns = { },
12032 		.data = { },
12033 		.fill_helper = bpf_fill_rand_ld_dw,
12034 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
12035 		.result = ACCEPT,
12036 		.retval = 5,
12037 	},
12038 };
12039 
12040 static int probe_filter_length(const struct bpf_insn *fp)
12041 {
12042 	int len;
12043 
12044 	for (len = MAX_INSNS - 1; len > 0; --len)
12045 		if (fp[len].code != 0 || fp[len].imm != 0)
12046 			break;
12047 	return len + 1;
12048 }
12049 
12050 static int create_map(uint32_t size_value, uint32_t max_elem)
12051 {
12052 	int fd;
12053 
12054 	fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
12055 			    size_value, max_elem, BPF_F_NO_PREALLOC);
12056 	if (fd < 0)
12057 		printf("Failed to create hash map '%s'!\n", strerror(errno));
12058 
12059 	return fd;
12060 }
12061 
12062 static int create_prog_dummy1(void)
12063 {
12064 	struct bpf_insn prog[] = {
12065 		BPF_MOV64_IMM(BPF_REG_0, 42),
12066 		BPF_EXIT_INSN(),
12067 	};
12068 
12069 	return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12070 				ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12071 }
12072 
12073 static int create_prog_dummy2(int mfd, int idx)
12074 {
12075 	struct bpf_insn prog[] = {
12076 		BPF_MOV64_IMM(BPF_REG_3, idx),
12077 		BPF_LD_MAP_FD(BPF_REG_2, mfd),
12078 		BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
12079 			     BPF_FUNC_tail_call),
12080 		BPF_MOV64_IMM(BPF_REG_0, 41),
12081 		BPF_EXIT_INSN(),
12082 	};
12083 
12084 	return bpf_load_program(BPF_PROG_TYPE_SOCKET_FILTER, prog,
12085 				ARRAY_SIZE(prog), "GPL", 0, NULL, 0);
12086 }
12087 
12088 static int create_prog_array(void)
12089 {
12090 	int p1key = 0, p2key = 1;
12091 	int mfd, p1fd, p2fd;
12092 
12093 	mfd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
12094 			     sizeof(int), 4, 0);
12095 	if (mfd < 0) {
12096 		printf("Failed to create prog array '%s'!\n", strerror(errno));
12097 		return -1;
12098 	}
12099 
12100 	p1fd = create_prog_dummy1();
12101 	p2fd = create_prog_dummy2(mfd, p2key);
12102 	if (p1fd < 0 || p2fd < 0)
12103 		goto out;
12104 	if (bpf_map_update_elem(mfd, &p1key, &p1fd, BPF_ANY) < 0)
12105 		goto out;
12106 	if (bpf_map_update_elem(mfd, &p2key, &p2fd, BPF_ANY) < 0)
12107 		goto out;
12108 	close(p2fd);
12109 	close(p1fd);
12110 
12111 	return mfd;
12112 out:
12113 	close(p2fd);
12114 	close(p1fd);
12115 	close(mfd);
12116 	return -1;
12117 }
12118 
12119 static int create_map_in_map(void)
12120 {
12121 	int inner_map_fd, outer_map_fd;
12122 
12123 	inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int),
12124 				      sizeof(int), 1, 0);
12125 	if (inner_map_fd < 0) {
12126 		printf("Failed to create array '%s'!\n", strerror(errno));
12127 		return inner_map_fd;
12128 	}
12129 
12130 	outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
12131 					     sizeof(int), inner_map_fd, 1, 0);
12132 	if (outer_map_fd < 0)
12133 		printf("Failed to create array of maps '%s'!\n",
12134 		       strerror(errno));
12135 
12136 	close(inner_map_fd);
12137 
12138 	return outer_map_fd;
12139 }
12140 
12141 static char bpf_vlog[UINT_MAX >> 8];
12142 
12143 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
12144 			  int *map_fds)
12145 {
12146 	int *fixup_map1 = test->fixup_map1;
12147 	int *fixup_map2 = test->fixup_map2;
12148 	int *fixup_map3 = test->fixup_map3;
12149 	int *fixup_prog = test->fixup_prog;
12150 	int *fixup_map_in_map = test->fixup_map_in_map;
12151 
12152 	if (test->fill_helper)
12153 		test->fill_helper(test);
12154 
12155 	/* Allocating HTs with 1 elem is fine here, since we only test
12156 	 * for verifier and not do a runtime lookup, so the only thing
12157 	 * that really matters is value size in this case.
12158 	 */
12159 	if (*fixup_map1) {
12160 		map_fds[0] = create_map(sizeof(long long), 1);
12161 		do {
12162 			prog[*fixup_map1].imm = map_fds[0];
12163 			fixup_map1++;
12164 		} while (*fixup_map1);
12165 	}
12166 
12167 	if (*fixup_map2) {
12168 		map_fds[1] = create_map(sizeof(struct test_val), 1);
12169 		do {
12170 			prog[*fixup_map2].imm = map_fds[1];
12171 			fixup_map2++;
12172 		} while (*fixup_map2);
12173 	}
12174 
12175 	if (*fixup_map3) {
12176 		map_fds[1] = create_map(sizeof(struct other_val), 1);
12177 		do {
12178 			prog[*fixup_map3].imm = map_fds[1];
12179 			fixup_map3++;
12180 		} while (*fixup_map3);
12181 	}
12182 
12183 	if (*fixup_prog) {
12184 		map_fds[2] = create_prog_array();
12185 		do {
12186 			prog[*fixup_prog].imm = map_fds[2];
12187 			fixup_prog++;
12188 		} while (*fixup_prog);
12189 	}
12190 
12191 	if (*fixup_map_in_map) {
12192 		map_fds[3] = create_map_in_map();
12193 		do {
12194 			prog[*fixup_map_in_map].imm = map_fds[3];
12195 			fixup_map_in_map++;
12196 		} while (*fixup_map_in_map);
12197 	}
12198 }
12199 
12200 static void do_test_single(struct bpf_test *test, bool unpriv,
12201 			   int *passes, int *errors)
12202 {
12203 	int fd_prog, expected_ret, reject_from_alignment;
12204 	int prog_len, prog_type = test->prog_type;
12205 	struct bpf_insn *prog = test->insns;
12206 	int map_fds[MAX_NR_MAPS];
12207 	const char *expected_err;
12208 	uint32_t retval;
12209 	int i, err;
12210 
12211 	for (i = 0; i < MAX_NR_MAPS; i++)
12212 		map_fds[i] = -1;
12213 
12214 	do_test_fixup(test, prog, map_fds);
12215 	prog_len = probe_filter_length(prog);
12216 
12217 	fd_prog = bpf_verify_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
12218 				     prog, prog_len, test->flags & F_LOAD_WITH_STRICT_ALIGNMENT,
12219 				     "GPL", 0, bpf_vlog, sizeof(bpf_vlog), 1);
12220 
12221 	expected_ret = unpriv && test->result_unpriv != UNDEF ?
12222 		       test->result_unpriv : test->result;
12223 	expected_err = unpriv && test->errstr_unpriv ?
12224 		       test->errstr_unpriv : test->errstr;
12225 
12226 	reject_from_alignment = fd_prog < 0 &&
12227 				(test->flags & F_NEEDS_EFFICIENT_UNALIGNED_ACCESS) &&
12228 				strstr(bpf_vlog, "Unknown alignment.");
12229 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
12230 	if (reject_from_alignment) {
12231 		printf("FAIL\nFailed due to alignment despite having efficient unaligned access: '%s'!\n",
12232 		       strerror(errno));
12233 		goto fail_log;
12234 	}
12235 #endif
12236 	if (expected_ret == ACCEPT) {
12237 		if (fd_prog < 0 && !reject_from_alignment) {
12238 			printf("FAIL\nFailed to load prog '%s'!\n",
12239 			       strerror(errno));
12240 			goto fail_log;
12241 		}
12242 	} else {
12243 		if (fd_prog >= 0) {
12244 			printf("FAIL\nUnexpected success to load!\n");
12245 			goto fail_log;
12246 		}
12247 		if (!strstr(bpf_vlog, expected_err) && !reject_from_alignment) {
12248 			printf("FAIL\nUnexpected error message!\n\tEXP: %s\n\tRES: %s\n",
12249 			      expected_err, bpf_vlog);
12250 			goto fail_log;
12251 		}
12252 	}
12253 
12254 	if (fd_prog >= 0) {
12255 		err = bpf_prog_test_run(fd_prog, 1, test->data,
12256 					sizeof(test->data), NULL, NULL,
12257 					&retval, NULL);
12258 		if (err && errno != 524/*ENOTSUPP*/ && errno != EPERM) {
12259 			printf("Unexpected bpf_prog_test_run error\n");
12260 			goto fail_log;
12261 		}
12262 		if (!err && retval != test->retval &&
12263 		    test->retval != POINTER_VALUE) {
12264 			printf("FAIL retval %d != %d\n", retval, test->retval);
12265 			goto fail_log;
12266 		}
12267 	}
12268 	(*passes)++;
12269 	printf("OK%s\n", reject_from_alignment ?
12270 	       " (NOTE: reject due to unknown alignment)" : "");
12271 close_fds:
12272 	close(fd_prog);
12273 	for (i = 0; i < MAX_NR_MAPS; i++)
12274 		close(map_fds[i]);
12275 	sched_yield();
12276 	return;
12277 fail_log:
12278 	(*errors)++;
12279 	printf("%s", bpf_vlog);
12280 	goto close_fds;
12281 }
12282 
12283 static bool is_admin(void)
12284 {
12285 	cap_t caps;
12286 	cap_flag_value_t sysadmin = CAP_CLEAR;
12287 	const cap_value_t cap_val = CAP_SYS_ADMIN;
12288 
12289 #ifdef CAP_IS_SUPPORTED
12290 	if (!CAP_IS_SUPPORTED(CAP_SETFCAP)) {
12291 		perror("cap_get_flag");
12292 		return false;
12293 	}
12294 #endif
12295 	caps = cap_get_proc();
12296 	if (!caps) {
12297 		perror("cap_get_proc");
12298 		return false;
12299 	}
12300 	if (cap_get_flag(caps, cap_val, CAP_EFFECTIVE, &sysadmin))
12301 		perror("cap_get_flag");
12302 	if (cap_free(caps))
12303 		perror("cap_free");
12304 	return (sysadmin == CAP_SET);
12305 }
12306 
12307 static int set_admin(bool admin)
12308 {
12309 	cap_t caps;
12310 	const cap_value_t cap_val = CAP_SYS_ADMIN;
12311 	int ret = -1;
12312 
12313 	caps = cap_get_proc();
12314 	if (!caps) {
12315 		perror("cap_get_proc");
12316 		return -1;
12317 	}
12318 	if (cap_set_flag(caps, CAP_EFFECTIVE, 1, &cap_val,
12319 				admin ? CAP_SET : CAP_CLEAR)) {
12320 		perror("cap_set_flag");
12321 		goto out;
12322 	}
12323 	if (cap_set_proc(caps)) {
12324 		perror("cap_set_proc");
12325 		goto out;
12326 	}
12327 	ret = 0;
12328 out:
12329 	if (cap_free(caps))
12330 		perror("cap_free");
12331 	return ret;
12332 }
12333 
12334 static void get_unpriv_disabled()
12335 {
12336 	char buf[2];
12337 	FILE *fd;
12338 
12339 	fd = fopen("/proc/sys/"UNPRIV_SYSCTL, "r");
12340 	if (!fd) {
12341 		perror("fopen /proc/sys/"UNPRIV_SYSCTL);
12342 		unpriv_disabled = true;
12343 		return;
12344 	}
12345 	if (fgets(buf, 2, fd) == buf && atoi(buf))
12346 		unpriv_disabled = true;
12347 	fclose(fd);
12348 }
12349 
12350 static int do_test(bool unpriv, unsigned int from, unsigned int to)
12351 {
12352 	int i, passes = 0, errors = 0, skips = 0;
12353 
12354 	for (i = from; i < to; i++) {
12355 		struct bpf_test *test = &tests[i];
12356 
12357 		/* Program types that are not supported by non-root we
12358 		 * skip right away.
12359 		 */
12360 		if (!test->prog_type && unpriv_disabled) {
12361 			printf("#%d/u %s SKIP\n", i, test->descr);
12362 			skips++;
12363 		} else if (!test->prog_type) {
12364 			if (!unpriv)
12365 				set_admin(false);
12366 			printf("#%d/u %s ", i, test->descr);
12367 			do_test_single(test, true, &passes, &errors);
12368 			if (!unpriv)
12369 				set_admin(true);
12370 		}
12371 
12372 		if (unpriv) {
12373 			printf("#%d/p %s SKIP\n", i, test->descr);
12374 			skips++;
12375 		} else {
12376 			printf("#%d/p %s ", i, test->descr);
12377 			do_test_single(test, false, &passes, &errors);
12378 		}
12379 	}
12380 
12381 	printf("Summary: %d PASSED, %d SKIPPED, %d FAILED\n", passes,
12382 	       skips, errors);
12383 	return errors ? EXIT_FAILURE : EXIT_SUCCESS;
12384 }
12385 
12386 int main(int argc, char **argv)
12387 {
12388 	unsigned int from = 0, to = ARRAY_SIZE(tests);
12389 	bool unpriv = !is_admin();
12390 
12391 	if (argc == 3) {
12392 		unsigned int l = atoi(argv[argc - 2]);
12393 		unsigned int u = atoi(argv[argc - 1]);
12394 
12395 		if (l < to && u < to) {
12396 			from = l;
12397 			to   = u + 1;
12398 		}
12399 	} else if (argc == 2) {
12400 		unsigned int t = atoi(argv[argc - 1]);
12401 
12402 		if (t < to) {
12403 			from = t;
12404 			to   = t + 1;
12405 		}
12406 	}
12407 
12408 	get_unpriv_disabled();
12409 	if (unpriv && unpriv_disabled) {
12410 		printf("Cannot run as unprivileged user with sysctl %s.\n",
12411 		       UNPRIV_SYSCTL);
12412 		return EXIT_FAILURE;
12413 	}
12414 
12415 	bpf_semi_rand_init();
12416 	return do_test(unpriv, from, to);
12417 }
12418