~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/tools/testing/selftests/bpf/test_verifier.c

Version: ~ [ linux-4.19-rc4 ] ~ [ linux-4.18.8 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.70 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.127 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.156 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.122 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.57 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.39.4 ] ~ [ linux-2.6.38.8 ] ~ [ linux-2.6.37.6 ] ~ [ linux-2.6.36.4 ] ~ [ linux-2.6.35.14 ] ~ [ linux-2.6.34.15 ] ~ [ linux-2.6.33.20 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.31.14 ] ~ [ linux-2.6.30.10 ] ~ [ linux-2.6.29.6 ] ~ [ linux-2.6.28.10 ] ~ [ linux-2.6.27.62 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * Testsuite for eBPF verifier
  3  *
  4  * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
  5  * Copyright (c) 2017 Facebook
  6  *
  7  * This program is free software; you can redistribute it and/or
  8  * modify it under the terms of version 2 of the GNU General Public
  9  * License as published by the Free Software Foundation.
 10  */
 11 
 12 #include <endian.h>
 13 #include <asm/types.h>
 14 #include <linux/types.h>
 15 #include <stdint.h>
 16 #include <stdio.h>
 17 #include <stdlib.h>
 18 #include <unistd.h>
 19 #include <errno.h>
 20 #include <string.h>
 21 #include <stddef.h>
 22 #include <stdbool.h>
 23 #include <sched.h>
 24 #include <limits.h>
 25 
 26 #include <sys/capability.h>
 27 
 28 #include <linux/unistd.h>
 29 #include <linux/filter.h>
 30 #include <linux/bpf_perf_event.h>
 31 #include <linux/bpf.h>
 32 #include <linux/if_ether.h>
 33 
 34 #include <bpf/bpf.h>
 35 
 36 #ifdef HAVE_GENHDR
 37 # include "autoconf.h"
 38 #else
 39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
 40 #  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
 41 # endif
 42 #endif
 43 #include "bpf_rlimit.h"
 44 #include "bpf_rand.h"
 45 #include "bpf_util.h"
 46 #include "../../../include/linux/filter.h"
 47 
 48 #define MAX_INSNS       BPF_MAXINSNS
 49 #define MAX_FIXUPS      8
 50 #define MAX_NR_MAPS     8
 51 #define POINTER_VALUE   0xcafe4all
 52 #define TEST_DATA_LEN   64
 53 
 54 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS      (1 << 0)
 55 #define F_LOAD_WITH_STRICT_ALIGNMENT            (1 << 1)
 56 
 57 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
 58 static bool unpriv_disabled = false;
 59 
 60 struct bpf_test {
 61         const char *descr;
 62         struct bpf_insn insns[MAX_INSNS];
 63         int fixup_map1[MAX_FIXUPS];
 64         int fixup_map2[MAX_FIXUPS];
 65         int fixup_map3[MAX_FIXUPS];
 66         int fixup_map4[MAX_FIXUPS];
 67         int fixup_prog1[MAX_FIXUPS];
 68         int fixup_prog2[MAX_FIXUPS];
 69         int fixup_map_in_map[MAX_FIXUPS];
 70         int fixup_cgroup_storage[MAX_FIXUPS];
 71         const char *errstr;
 72         const char *errstr_unpriv;
 73         uint32_t retval;
 74         enum {
 75                 UNDEF,
 76                 ACCEPT,
 77                 REJECT
 78         } result, result_unpriv;
 79         enum bpf_prog_type prog_type;
 80         uint8_t flags;
 81         __u8 data[TEST_DATA_LEN];
 82         void (*fill_helper)(struct bpf_test *self);
 83 };
 84 
 85 /* Note we want this to be 64 bit aligned so that the end of our array is
 86  * actually the end of the structure.
 87  */
 88 #define MAX_ENTRIES 11
 89 
 90 struct test_val {
 91         unsigned int index;
 92         int foo[MAX_ENTRIES];
 93 };
 94 
 95 struct other_val {
 96         long long foo;
 97         long long bar;
 98 };
 99 
100 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
101 {
102         /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
103 #define PUSH_CNT 51
104         unsigned int len = BPF_MAXINSNS;
105         struct bpf_insn *insn = self->insns;
106         int i = 0, j, k = 0;
107 
108         insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
109 loop:
110         for (j = 0; j < PUSH_CNT; j++) {
111                 insn[i++] = BPF_LD_ABS(BPF_B, 0);
112                 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
113                 i++;
114                 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
115                 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
116                 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
117                 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
118                                          BPF_FUNC_skb_vlan_push),
119                 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
120                 i++;
121         }
122 
123         for (j = 0; j < PUSH_CNT; j++) {
124                 insn[i++] = BPF_LD_ABS(BPF_B, 0);
125                 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
126                 i++;
127                 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
128                 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
129                                          BPF_FUNC_skb_vlan_pop),
130                 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
131                 i++;
132         }
133         if (++k < 5)
134                 goto loop;
135 
136         for (; i < len - 1; i++)
137                 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
138         insn[len - 1] = BPF_EXIT_INSN();
139 }
140 
141 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
142 {
143         struct bpf_insn *insn = self->insns;
144         unsigned int len = BPF_MAXINSNS;
145         int i = 0;
146 
147         insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
148         insn[i++] = BPF_LD_ABS(BPF_B, 0);
149         insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
150         i++;
151         while (i < len - 1)
152                 insn[i++] = BPF_LD_ABS(BPF_B, 1);
153         insn[i] = BPF_EXIT_INSN();
154 }
155 
156 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
157 {
158         struct bpf_insn *insn = self->insns;
159         uint64_t res = 0;
160         int i = 0;
161 
162         insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
163         while (i < self->retval) {
164                 uint64_t val = bpf_semi_rand_get();
165                 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
166 
167                 res ^= val;
168                 insn[i++] = tmp[0];
169                 insn[i++] = tmp[1];
170                 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
171         }
172         insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
173         insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
174         insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
175         insn[i] = BPF_EXIT_INSN();
176         res ^= (res >> 32);
177         self->retval = (uint32_t)res;
178 }
179 
180 static struct bpf_test tests[] = {
181         {
182                 "add+sub+mul",
183                 .insns = {
184                         BPF_MOV64_IMM(BPF_REG_1, 1),
185                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
186                         BPF_MOV64_IMM(BPF_REG_2, 3),
187                         BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
188                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
189                         BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
190                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
191                         BPF_EXIT_INSN(),
192                 },
193                 .result = ACCEPT,
194                 .retval = -3,
195         },
196         {
197                 "DIV32 by 0, zero check 1",
198                 .insns = {
199                         BPF_MOV32_IMM(BPF_REG_0, 42),
200                         BPF_MOV32_IMM(BPF_REG_1, 0),
201                         BPF_MOV32_IMM(BPF_REG_2, 1),
202                         BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
203                         BPF_EXIT_INSN(),
204                 },
205                 .result = ACCEPT,
206                 .retval = 42,
207         },
208         {
209                 "DIV32 by 0, zero check 2",
210                 .insns = {
211                         BPF_MOV32_IMM(BPF_REG_0, 42),
212                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
213                         BPF_MOV32_IMM(BPF_REG_2, 1),
214                         BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
215                         BPF_EXIT_INSN(),
216                 },
217                 .result = ACCEPT,
218                 .retval = 42,
219         },
220         {
221                 "DIV64 by 0, zero check",
222                 .insns = {
223                         BPF_MOV32_IMM(BPF_REG_0, 42),
224                         BPF_MOV32_IMM(BPF_REG_1, 0),
225                         BPF_MOV32_IMM(BPF_REG_2, 1),
226                         BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
227                         BPF_EXIT_INSN(),
228                 },
229                 .result = ACCEPT,
230                 .retval = 42,
231         },
232         {
233                 "MOD32 by 0, zero check 1",
234                 .insns = {
235                         BPF_MOV32_IMM(BPF_REG_0, 42),
236                         BPF_MOV32_IMM(BPF_REG_1, 0),
237                         BPF_MOV32_IMM(BPF_REG_2, 1),
238                         BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
239                         BPF_EXIT_INSN(),
240                 },
241                 .result = ACCEPT,
242                 .retval = 42,
243         },
244         {
245                 "MOD32 by 0, zero check 2",
246                 .insns = {
247                         BPF_MOV32_IMM(BPF_REG_0, 42),
248                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
249                         BPF_MOV32_IMM(BPF_REG_2, 1),
250                         BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
251                         BPF_EXIT_INSN(),
252                 },
253                 .result = ACCEPT,
254                 .retval = 42,
255         },
256         {
257                 "MOD64 by 0, zero check",
258                 .insns = {
259                         BPF_MOV32_IMM(BPF_REG_0, 42),
260                         BPF_MOV32_IMM(BPF_REG_1, 0),
261                         BPF_MOV32_IMM(BPF_REG_2, 1),
262                         BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
263                         BPF_EXIT_INSN(),
264                 },
265                 .result = ACCEPT,
266                 .retval = 42,
267         },
268         {
269                 "DIV32 by 0, zero check ok, cls",
270                 .insns = {
271                         BPF_MOV32_IMM(BPF_REG_0, 42),
272                         BPF_MOV32_IMM(BPF_REG_1, 2),
273                         BPF_MOV32_IMM(BPF_REG_2, 16),
274                         BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
275                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
276                         BPF_EXIT_INSN(),
277                 },
278                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
279                 .result = ACCEPT,
280                 .retval = 8,
281         },
282         {
283                 "DIV32 by 0, zero check 1, cls",
284                 .insns = {
285                         BPF_MOV32_IMM(BPF_REG_1, 0),
286                         BPF_MOV32_IMM(BPF_REG_0, 1),
287                         BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
288                         BPF_EXIT_INSN(),
289                 },
290                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
291                 .result = ACCEPT,
292                 .retval = 0,
293         },
294         {
295                 "DIV32 by 0, zero check 2, cls",
296                 .insns = {
297                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
298                         BPF_MOV32_IMM(BPF_REG_0, 1),
299                         BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
300                         BPF_EXIT_INSN(),
301                 },
302                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
303                 .result = ACCEPT,
304                 .retval = 0,
305         },
306         {
307                 "DIV64 by 0, zero check, cls",
308                 .insns = {
309                         BPF_MOV32_IMM(BPF_REG_1, 0),
310                         BPF_MOV32_IMM(BPF_REG_0, 1),
311                         BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
312                         BPF_EXIT_INSN(),
313                 },
314                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
315                 .result = ACCEPT,
316                 .retval = 0,
317         },
318         {
319                 "MOD32 by 0, zero check ok, cls",
320                 .insns = {
321                         BPF_MOV32_IMM(BPF_REG_0, 42),
322                         BPF_MOV32_IMM(BPF_REG_1, 3),
323                         BPF_MOV32_IMM(BPF_REG_2, 5),
324                         BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
325                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
326                         BPF_EXIT_INSN(),
327                 },
328                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
329                 .result = ACCEPT,
330                 .retval = 2,
331         },
332         {
333                 "MOD32 by 0, zero check 1, cls",
334                 .insns = {
335                         BPF_MOV32_IMM(BPF_REG_1, 0),
336                         BPF_MOV32_IMM(BPF_REG_0, 1),
337                         BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
338                         BPF_EXIT_INSN(),
339                 },
340                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
341                 .result = ACCEPT,
342                 .retval = 1,
343         },
344         {
345                 "MOD32 by 0, zero check 2, cls",
346                 .insns = {
347                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
348                         BPF_MOV32_IMM(BPF_REG_0, 1),
349                         BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
350                         BPF_EXIT_INSN(),
351                 },
352                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
353                 .result = ACCEPT,
354                 .retval = 1,
355         },
356         {
357                 "MOD64 by 0, zero check 1, cls",
358                 .insns = {
359                         BPF_MOV32_IMM(BPF_REG_1, 0),
360                         BPF_MOV32_IMM(BPF_REG_0, 2),
361                         BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
362                         BPF_EXIT_INSN(),
363                 },
364                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
365                 .result = ACCEPT,
366                 .retval = 2,
367         },
368         {
369                 "MOD64 by 0, zero check 2, cls",
370                 .insns = {
371                         BPF_MOV32_IMM(BPF_REG_1, 0),
372                         BPF_MOV32_IMM(BPF_REG_0, -1),
373                         BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
374                         BPF_EXIT_INSN(),
375                 },
376                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
377                 .result = ACCEPT,
378                 .retval = -1,
379         },
380         /* Just make sure that JITs used udiv/umod as otherwise we get
381          * an exception from INT_MIN/-1 overflow similarly as with div
382          * by zero.
383          */
384         {
385                 "DIV32 overflow, check 1",
386                 .insns = {
387                         BPF_MOV32_IMM(BPF_REG_1, -1),
388                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
389                         BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
390                         BPF_EXIT_INSN(),
391                 },
392                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
393                 .result = ACCEPT,
394                 .retval = 0,
395         },
396         {
397                 "DIV32 overflow, check 2",
398                 .insns = {
399                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
400                         BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
401                         BPF_EXIT_INSN(),
402                 },
403                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
404                 .result = ACCEPT,
405                 .retval = 0,
406         },
407         {
408                 "DIV64 overflow, check 1",
409                 .insns = {
410                         BPF_MOV64_IMM(BPF_REG_1, -1),
411                         BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
412                         BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
413                         BPF_EXIT_INSN(),
414                 },
415                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
416                 .result = ACCEPT,
417                 .retval = 0,
418         },
419         {
420                 "DIV64 overflow, check 2",
421                 .insns = {
422                         BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
423                         BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
424                         BPF_EXIT_INSN(),
425                 },
426                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
427                 .result = ACCEPT,
428                 .retval = 0,
429         },
430         {
431                 "MOD32 overflow, check 1",
432                 .insns = {
433                         BPF_MOV32_IMM(BPF_REG_1, -1),
434                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
435                         BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
436                         BPF_EXIT_INSN(),
437                 },
438                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
439                 .result = ACCEPT,
440                 .retval = INT_MIN,
441         },
442         {
443                 "MOD32 overflow, check 2",
444                 .insns = {
445                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
446                         BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
447                         BPF_EXIT_INSN(),
448                 },
449                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
450                 .result = ACCEPT,
451                 .retval = INT_MIN,
452         },
453         {
454                 "MOD64 overflow, check 1",
455                 .insns = {
456                         BPF_MOV64_IMM(BPF_REG_1, -1),
457                         BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
458                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
459                         BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
460                         BPF_MOV32_IMM(BPF_REG_0, 0),
461                         BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
462                         BPF_MOV32_IMM(BPF_REG_0, 1),
463                         BPF_EXIT_INSN(),
464                 },
465                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
466                 .result = ACCEPT,
467                 .retval = 1,
468         },
469         {
470                 "MOD64 overflow, check 2",
471                 .insns = {
472                         BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
473                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
474                         BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
475                         BPF_MOV32_IMM(BPF_REG_0, 0),
476                         BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
477                         BPF_MOV32_IMM(BPF_REG_0, 1),
478                         BPF_EXIT_INSN(),
479                 },
480                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
481                 .result = ACCEPT,
482                 .retval = 1,
483         },
484         {
485                 "xor32 zero extend check",
486                 .insns = {
487                         BPF_MOV32_IMM(BPF_REG_2, -1),
488                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
489                         BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
490                         BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
491                         BPF_MOV32_IMM(BPF_REG_0, 2),
492                         BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
493                         BPF_MOV32_IMM(BPF_REG_0, 1),
494                         BPF_EXIT_INSN(),
495                 },
496                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
497                 .result = ACCEPT,
498                 .retval = 1,
499         },
500         {
501                 "empty prog",
502                 .insns = {
503                 },
504                 .errstr = "unknown opcode 00",
505                 .result = REJECT,
506         },
507         {
508                 "only exit insn",
509                 .insns = {
510                         BPF_EXIT_INSN(),
511                 },
512                 .errstr = "R0 !read_ok",
513                 .result = REJECT,
514         },
515         {
516                 "unreachable",
517                 .insns = {
518                         BPF_EXIT_INSN(),
519                         BPF_EXIT_INSN(),
520                 },
521                 .errstr = "unreachable",
522                 .result = REJECT,
523         },
524         {
525                 "unreachable2",
526                 .insns = {
527                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
528                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
529                         BPF_EXIT_INSN(),
530                 },
531                 .errstr = "unreachable",
532                 .result = REJECT,
533         },
534         {
535                 "out of range jump",
536                 .insns = {
537                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
538                         BPF_EXIT_INSN(),
539                 },
540                 .errstr = "jump out of range",
541                 .result = REJECT,
542         },
543         {
544                 "out of range jump2",
545                 .insns = {
546                         BPF_JMP_IMM(BPF_JA, 0, 0, -2),
547                         BPF_EXIT_INSN(),
548                 },
549                 .errstr = "jump out of range",
550                 .result = REJECT,
551         },
552         {
553                 "test1 ld_imm64",
554                 .insns = {
555                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
556                         BPF_LD_IMM64(BPF_REG_0, 0),
557                         BPF_LD_IMM64(BPF_REG_0, 0),
558                         BPF_LD_IMM64(BPF_REG_0, 1),
559                         BPF_LD_IMM64(BPF_REG_0, 1),
560                         BPF_MOV64_IMM(BPF_REG_0, 2),
561                         BPF_EXIT_INSN(),
562                 },
563                 .errstr = "invalid BPF_LD_IMM insn",
564                 .errstr_unpriv = "R1 pointer comparison",
565                 .result = REJECT,
566         },
567         {
568                 "test2 ld_imm64",
569                 .insns = {
570                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
571                         BPF_LD_IMM64(BPF_REG_0, 0),
572                         BPF_LD_IMM64(BPF_REG_0, 0),
573                         BPF_LD_IMM64(BPF_REG_0, 1),
574                         BPF_LD_IMM64(BPF_REG_0, 1),
575                         BPF_EXIT_INSN(),
576                 },
577                 .errstr = "invalid BPF_LD_IMM insn",
578                 .errstr_unpriv = "R1 pointer comparison",
579                 .result = REJECT,
580         },
581         {
582                 "test3 ld_imm64",
583                 .insns = {
584                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
585                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
586                         BPF_LD_IMM64(BPF_REG_0, 0),
587                         BPF_LD_IMM64(BPF_REG_0, 0),
588                         BPF_LD_IMM64(BPF_REG_0, 1),
589                         BPF_LD_IMM64(BPF_REG_0, 1),
590                         BPF_EXIT_INSN(),
591                 },
592                 .errstr = "invalid bpf_ld_imm64 insn",
593                 .result = REJECT,
594         },
595         {
596                 "test4 ld_imm64",
597                 .insns = {
598                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
599                         BPF_EXIT_INSN(),
600                 },
601                 .errstr = "invalid bpf_ld_imm64 insn",
602                 .result = REJECT,
603         },
604         {
605                 "test5 ld_imm64",
606                 .insns = {
607                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
608                 },
609                 .errstr = "invalid bpf_ld_imm64 insn",
610                 .result = REJECT,
611         },
612         {
613                 "test6 ld_imm64",
614                 .insns = {
615                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
616                         BPF_RAW_INSN(0, 0, 0, 0, 0),
617                         BPF_EXIT_INSN(),
618                 },
619                 .result = ACCEPT,
620         },
621         {
622                 "test7 ld_imm64",
623                 .insns = {
624                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
625                         BPF_RAW_INSN(0, 0, 0, 0, 1),
626                         BPF_EXIT_INSN(),
627                 },
628                 .result = ACCEPT,
629                 .retval = 1,
630         },
631         {
632                 "test8 ld_imm64",
633                 .insns = {
634                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
635                         BPF_RAW_INSN(0, 0, 0, 0, 1),
636                         BPF_EXIT_INSN(),
637                 },
638                 .errstr = "uses reserved fields",
639                 .result = REJECT,
640         },
641         {
642                 "test9 ld_imm64",
643                 .insns = {
644                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
645                         BPF_RAW_INSN(0, 0, 0, 1, 1),
646                         BPF_EXIT_INSN(),
647                 },
648                 .errstr = "invalid bpf_ld_imm64 insn",
649                 .result = REJECT,
650         },
651         {
652                 "test10 ld_imm64",
653                 .insns = {
654                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
655                         BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
656                         BPF_EXIT_INSN(),
657                 },
658                 .errstr = "invalid bpf_ld_imm64 insn",
659                 .result = REJECT,
660         },
661         {
662                 "test11 ld_imm64",
663                 .insns = {
664                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
665                         BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
666                         BPF_EXIT_INSN(),
667                 },
668                 .errstr = "invalid bpf_ld_imm64 insn",
669                 .result = REJECT,
670         },
671         {
672                 "test12 ld_imm64",
673                 .insns = {
674                         BPF_MOV64_IMM(BPF_REG_1, 0),
675                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
676                         BPF_RAW_INSN(0, 0, 0, 0, 1),
677                         BPF_EXIT_INSN(),
678                 },
679                 .errstr = "not pointing to valid bpf_map",
680                 .result = REJECT,
681         },
682         {
683                 "test13 ld_imm64",
684                 .insns = {
685                         BPF_MOV64_IMM(BPF_REG_1, 0),
686                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
687                         BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
688                         BPF_EXIT_INSN(),
689                 },
690                 .errstr = "invalid bpf_ld_imm64 insn",
691                 .result = REJECT,
692         },
693         {
694                 "arsh32 on imm",
695                 .insns = {
696                         BPF_MOV64_IMM(BPF_REG_0, 1),
697                         BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
698                         BPF_EXIT_INSN(),
699                 },
700                 .result = REJECT,
701                 .errstr = "unknown opcode c4",
702         },
703         {
704                 "arsh32 on reg",
705                 .insns = {
706                         BPF_MOV64_IMM(BPF_REG_0, 1),
707                         BPF_MOV64_IMM(BPF_REG_1, 5),
708                         BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
709                         BPF_EXIT_INSN(),
710                 },
711                 .result = REJECT,
712                 .errstr = "unknown opcode cc",
713         },
714         {
715                 "arsh64 on imm",
716                 .insns = {
717                         BPF_MOV64_IMM(BPF_REG_0, 1),
718                         BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
719                         BPF_EXIT_INSN(),
720                 },
721                 .result = ACCEPT,
722         },
723         {
724                 "arsh64 on reg",
725                 .insns = {
726                         BPF_MOV64_IMM(BPF_REG_0, 1),
727                         BPF_MOV64_IMM(BPF_REG_1, 5),
728                         BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
729                         BPF_EXIT_INSN(),
730                 },
731                 .result = ACCEPT,
732         },
733         {
734                 "no bpf_exit",
735                 .insns = {
736                         BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
737                 },
738                 .errstr = "not an exit",
739                 .result = REJECT,
740         },
741         {
742                 "loop (back-edge)",
743                 .insns = {
744                         BPF_JMP_IMM(BPF_JA, 0, 0, -1),
745                         BPF_EXIT_INSN(),
746                 },
747                 .errstr = "back-edge",
748                 .result = REJECT,
749         },
750         {
751                 "loop2 (back-edge)",
752                 .insns = {
753                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
754                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
755                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
756                         BPF_JMP_IMM(BPF_JA, 0, 0, -4),
757                         BPF_EXIT_INSN(),
758                 },
759                 .errstr = "back-edge",
760                 .result = REJECT,
761         },
762         {
763                 "conditional loop",
764                 .insns = {
765                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
766                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
767                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
768                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
769                         BPF_EXIT_INSN(),
770                 },
771                 .errstr = "back-edge",
772                 .result = REJECT,
773         },
774         {
775                 "read uninitialized register",
776                 .insns = {
777                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
778                         BPF_EXIT_INSN(),
779                 },
780                 .errstr = "R2 !read_ok",
781                 .result = REJECT,
782         },
783         {
784                 "read invalid register",
785                 .insns = {
786                         BPF_MOV64_REG(BPF_REG_0, -1),
787                         BPF_EXIT_INSN(),
788                 },
789                 .errstr = "R15 is invalid",
790                 .result = REJECT,
791         },
792         {
793                 "program doesn't init R0 before exit",
794                 .insns = {
795                         BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
796                         BPF_EXIT_INSN(),
797                 },
798                 .errstr = "R0 !read_ok",
799                 .result = REJECT,
800         },
801         {
802                 "program doesn't init R0 before exit in all branches",
803                 .insns = {
804                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
805                         BPF_MOV64_IMM(BPF_REG_0, 1),
806                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
807                         BPF_EXIT_INSN(),
808                 },
809                 .errstr = "R0 !read_ok",
810                 .errstr_unpriv = "R1 pointer comparison",
811                 .result = REJECT,
812         },
813         {
814                 "stack out of bounds",
815                 .insns = {
816                         BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
817                         BPF_EXIT_INSN(),
818                 },
819                 .errstr = "invalid stack",
820                 .result = REJECT,
821         },
822         {
823                 "invalid call insn1",
824                 .insns = {
825                         BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
826                         BPF_EXIT_INSN(),
827                 },
828                 .errstr = "unknown opcode 8d",
829                 .result = REJECT,
830         },
831         {
832                 "invalid call insn2",
833                 .insns = {
834                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
835                         BPF_EXIT_INSN(),
836                 },
837                 .errstr = "BPF_CALL uses reserved",
838                 .result = REJECT,
839         },
840         {
841                 "invalid function call",
842                 .insns = {
843                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
844                         BPF_EXIT_INSN(),
845                 },
846                 .errstr = "invalid func unknown#1234567",
847                 .result = REJECT,
848         },
849         {
850                 "uninitialized stack1",
851                 .insns = {
852                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
853                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
854                         BPF_LD_MAP_FD(BPF_REG_1, 0),
855                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
856                                      BPF_FUNC_map_lookup_elem),
857                         BPF_EXIT_INSN(),
858                 },
859                 .fixup_map1 = { 2 },
860                 .errstr = "invalid indirect read from stack",
861                 .result = REJECT,
862         },
863         {
864                 "uninitialized stack2",
865                 .insns = {
866                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
867                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
868                         BPF_EXIT_INSN(),
869                 },
870                 .errstr = "invalid read from stack",
871                 .result = REJECT,
872         },
873         {
874                 "invalid fp arithmetic",
875                 /* If this gets ever changed, make sure JITs can deal with it. */
876                 .insns = {
877                         BPF_MOV64_IMM(BPF_REG_0, 0),
878                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
879                         BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
880                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
881                         BPF_EXIT_INSN(),
882                 },
883                 .errstr = "R1 subtraction from stack pointer",
884                 .result = REJECT,
885         },
886         {
887                 "non-invalid fp arithmetic",
888                 .insns = {
889                         BPF_MOV64_IMM(BPF_REG_0, 0),
890                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
891                         BPF_EXIT_INSN(),
892                 },
893                 .result = ACCEPT,
894         },
895         {
896                 "invalid argument register",
897                 .insns = {
898                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
899                                      BPF_FUNC_get_cgroup_classid),
900                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
901                                      BPF_FUNC_get_cgroup_classid),
902                         BPF_EXIT_INSN(),
903                 },
904                 .errstr = "R1 !read_ok",
905                 .result = REJECT,
906                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
907         },
908         {
909                 "non-invalid argument register",
910                 .insns = {
911                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
912                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
913                                      BPF_FUNC_get_cgroup_classid),
914                         BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
915                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
916                                      BPF_FUNC_get_cgroup_classid),
917                         BPF_EXIT_INSN(),
918                 },
919                 .result = ACCEPT,
920                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
921         },
922         {
923                 "check valid spill/fill",
924                 .insns = {
925                         /* spill R1(ctx) into stack */
926                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
927                         /* fill it back into R2 */
928                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
929                         /* should be able to access R0 = *(R2 + 8) */
930                         /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
931                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
932                         BPF_EXIT_INSN(),
933                 },
934                 .errstr_unpriv = "R0 leaks addr",
935                 .result = ACCEPT,
936                 .result_unpriv = REJECT,
937                 .retval = POINTER_VALUE,
938         },
939         {
940                 "check valid spill/fill, skb mark",
941                 .insns = {
942                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
943                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
944                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
945                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
946                                     offsetof(struct __sk_buff, mark)),
947                         BPF_EXIT_INSN(),
948                 },
949                 .result = ACCEPT,
950                 .result_unpriv = ACCEPT,
951         },
952         {
953                 "check corrupted spill/fill",
954                 .insns = {
955                         /* spill R1(ctx) into stack */
956                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
957                         /* mess up with R1 pointer on stack */
958                         BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
959                         /* fill back into R0 should fail */
960                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
961                         BPF_EXIT_INSN(),
962                 },
963                 .errstr_unpriv = "attempt to corrupt spilled",
964                 .errstr = "corrupted spill",
965                 .result = REJECT,
966         },
967         {
968                 "invalid src register in STX",
969                 .insns = {
970                         BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
971                         BPF_EXIT_INSN(),
972                 },
973                 .errstr = "R15 is invalid",
974                 .result = REJECT,
975         },
976         {
977                 "invalid dst register in STX",
978                 .insns = {
979                         BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
980                         BPF_EXIT_INSN(),
981                 },
982                 .errstr = "R14 is invalid",
983                 .result = REJECT,
984         },
985         {
986                 "invalid dst register in ST",
987                 .insns = {
988                         BPF_ST_MEM(BPF_B, 14, -1, -1),
989                         BPF_EXIT_INSN(),
990                 },
991                 .errstr = "R14 is invalid",
992                 .result = REJECT,
993         },
994         {
995                 "invalid src register in LDX",
996                 .insns = {
997                         BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
998                         BPF_EXIT_INSN(),
999                 },
1000                 .errstr = "R12 is invalid",
1001                 .result = REJECT,
1002         },
1003         {
1004                 "invalid dst register in LDX",
1005                 .insns = {
1006                         BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1007                         BPF_EXIT_INSN(),
1008                 },
1009                 .errstr = "R11 is invalid",
1010                 .result = REJECT,
1011         },
1012         {
1013                 "junk insn",
1014                 .insns = {
1015                         BPF_RAW_INSN(0, 0, 0, 0, 0),
1016                         BPF_EXIT_INSN(),
1017                 },
1018                 .errstr = "unknown opcode 00",
1019                 .result = REJECT,
1020         },
1021         {
1022                 "junk insn2",
1023                 .insns = {
1024                         BPF_RAW_INSN(1, 0, 0, 0, 0),
1025                         BPF_EXIT_INSN(),
1026                 },
1027                 .errstr = "BPF_LDX uses reserved fields",
1028                 .result = REJECT,
1029         },
1030         {
1031                 "junk insn3",
1032                 .insns = {
1033                         BPF_RAW_INSN(-1, 0, 0, 0, 0),
1034                         BPF_EXIT_INSN(),
1035                 },
1036                 .errstr = "unknown opcode ff",
1037                 .result = REJECT,
1038         },
1039         {
1040                 "junk insn4",
1041                 .insns = {
1042                         BPF_RAW_INSN(-1, -1, -1, -1, -1),
1043                         BPF_EXIT_INSN(),
1044                 },
1045                 .errstr = "unknown opcode ff",
1046                 .result = REJECT,
1047         },
1048         {
1049                 "junk insn5",
1050                 .insns = {
1051                         BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1052                         BPF_EXIT_INSN(),
1053                 },
1054                 .errstr = "BPF_ALU uses reserved fields",
1055                 .result = REJECT,
1056         },
1057         {
1058                 "misaligned read from stack",
1059                 .insns = {
1060                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1061                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1062                         BPF_EXIT_INSN(),
1063                 },
1064                 .errstr = "misaligned stack access",
1065                 .result = REJECT,
1066         },
1067         {
1068                 "invalid map_fd for function call",
1069                 .insns = {
1070                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1071                         BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1072                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1073                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1074                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1075                                      BPF_FUNC_map_delete_elem),
1076                         BPF_EXIT_INSN(),
1077                 },
1078                 .errstr = "fd 0 is not pointing to valid bpf_map",
1079                 .result = REJECT,
1080         },
1081         {
1082                 "don't check return value before access",
1083                 .insns = {
1084                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1085                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1086                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1087                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1088                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1089                                      BPF_FUNC_map_lookup_elem),
1090                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1091                         BPF_EXIT_INSN(),
1092                 },
1093                 .fixup_map1 = { 3 },
1094                 .errstr = "R0 invalid mem access 'map_value_or_null'",
1095                 .result = REJECT,
1096         },
1097         {
1098                 "access memory with incorrect alignment",
1099                 .insns = {
1100                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1101                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1102                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1103                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1104                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1105                                      BPF_FUNC_map_lookup_elem),
1106                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1107                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1108                         BPF_EXIT_INSN(),
1109                 },
1110                 .fixup_map1 = { 3 },
1111                 .errstr = "misaligned value access",
1112                 .result = REJECT,
1113                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1114         },
1115         {
1116                 "sometimes access memory with incorrect alignment",
1117                 .insns = {
1118                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1119                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1120                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1121                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1122                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1123                                      BPF_FUNC_map_lookup_elem),
1124                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1125                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1126                         BPF_EXIT_INSN(),
1127                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1128                         BPF_EXIT_INSN(),
1129                 },
1130                 .fixup_map1 = { 3 },
1131                 .errstr = "R0 invalid mem access",
1132                 .errstr_unpriv = "R0 leaks addr",
1133                 .result = REJECT,
1134                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1135         },
1136         {
1137                 "jump test 1",
1138                 .insns = {
1139                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1140                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1141                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1142                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1143                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1144                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1145                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1146                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1147                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1148                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1149                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1150                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1151                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1152                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1153                         BPF_MOV64_IMM(BPF_REG_0, 0),
1154                         BPF_EXIT_INSN(),
1155                 },
1156                 .errstr_unpriv = "R1 pointer comparison",
1157                 .result_unpriv = REJECT,
1158                 .result = ACCEPT,
1159         },
1160         {
1161                 "jump test 2",
1162                 .insns = {
1163                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1164                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1165                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1166                         BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1167                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1168                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1169                         BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1170                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1171                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1172                         BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1173                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1174                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1175                         BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1176                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1177                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1178                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1179                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1180                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1181                         BPF_MOV64_IMM(BPF_REG_0, 0),
1182                         BPF_EXIT_INSN(),
1183                 },
1184                 .errstr_unpriv = "R1 pointer comparison",
1185                 .result_unpriv = REJECT,
1186                 .result = ACCEPT,
1187         },
1188         {
1189                 "jump test 3",
1190                 .insns = {
1191                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1192                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1193                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1194                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1195                         BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1196                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1197                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1198                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1199                         BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1200                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1201                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1202                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1203                         BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1204                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1205                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1206                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1207                         BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1208                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1209                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1210                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1211                         BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1212                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1213                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1214                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1215                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1216                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1217                                      BPF_FUNC_map_delete_elem),
1218                         BPF_EXIT_INSN(),
1219                 },
1220                 .fixup_map1 = { 24 },
1221                 .errstr_unpriv = "R1 pointer comparison",
1222                 .result_unpriv = REJECT,
1223                 .result = ACCEPT,
1224                 .retval = -ENOENT,
1225         },
1226         {
1227                 "jump test 4",
1228                 .insns = {
1229                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1230                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1231                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1232                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1233                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1234                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1235                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1236                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1237                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1238                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1239                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1240                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1241                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1242                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1243                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1244                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1245                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1246                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1247                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1248                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1249                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1250                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1251                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1252                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1253                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1254                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1255                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1256                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1257                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1258                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1259                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1260                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1261                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1262                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1263                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1264                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1265                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1266                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1267                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1268                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1269                         BPF_MOV64_IMM(BPF_REG_0, 0),
1270                         BPF_EXIT_INSN(),
1271                 },
1272                 .errstr_unpriv = "R1 pointer comparison",
1273                 .result_unpriv = REJECT,
1274                 .result = ACCEPT,
1275         },
1276         {
1277                 "jump test 5",
1278                 .insns = {
1279                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1280                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1281                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1282                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1283                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1284                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1285                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1286                         BPF_MOV64_IMM(BPF_REG_0, 0),
1287                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1288                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1289                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1290                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1291                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1292                         BPF_MOV64_IMM(BPF_REG_0, 0),
1293                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1294                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1295                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1296                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1297                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1298                         BPF_MOV64_IMM(BPF_REG_0, 0),
1299                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1300                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1301                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1302                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1303                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1304                         BPF_MOV64_IMM(BPF_REG_0, 0),
1305                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1306                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1307                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1308                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1309                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1310                         BPF_MOV64_IMM(BPF_REG_0, 0),
1311                         BPF_EXIT_INSN(),
1312                 },
1313                 .errstr_unpriv = "R1 pointer comparison",
1314                 .result_unpriv = REJECT,
1315                 .result = ACCEPT,
1316         },
1317         {
1318                 "access skb fields ok",
1319                 .insns = {
1320                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1321                                     offsetof(struct __sk_buff, len)),
1322                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1323                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1324                                     offsetof(struct __sk_buff, mark)),
1325                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1326                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1327                                     offsetof(struct __sk_buff, pkt_type)),
1328                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1329                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1330                                     offsetof(struct __sk_buff, queue_mapping)),
1331                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1332                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1333                                     offsetof(struct __sk_buff, protocol)),
1334                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1335                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1336                                     offsetof(struct __sk_buff, vlan_present)),
1337                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1338                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1339                                     offsetof(struct __sk_buff, vlan_tci)),
1340                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1341                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1342                                     offsetof(struct __sk_buff, napi_id)),
1343                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1344                         BPF_EXIT_INSN(),
1345                 },
1346                 .result = ACCEPT,
1347         },
1348         {
1349                 "access skb fields bad1",
1350                 .insns = {
1351                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1352                         BPF_EXIT_INSN(),
1353                 },
1354                 .errstr = "invalid bpf_context access",
1355                 .result = REJECT,
1356         },
1357         {
1358                 "access skb fields bad2",
1359                 .insns = {
1360                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1361                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1362                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1363                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1364                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1365                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1366                                      BPF_FUNC_map_lookup_elem),
1367                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1368                         BPF_EXIT_INSN(),
1369                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1370                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1371                                     offsetof(struct __sk_buff, pkt_type)),
1372                         BPF_EXIT_INSN(),
1373                 },
1374                 .fixup_map1 = { 4 },
1375                 .errstr = "different pointers",
1376                 .errstr_unpriv = "R1 pointer comparison",
1377                 .result = REJECT,
1378         },
1379         {
1380                 "access skb fields bad3",
1381                 .insns = {
1382                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1383                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1384                                     offsetof(struct __sk_buff, pkt_type)),
1385                         BPF_EXIT_INSN(),
1386                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1387                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1388                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1389                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1390                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1391                                      BPF_FUNC_map_lookup_elem),
1392                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1393                         BPF_EXIT_INSN(),
1394                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1395                         BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1396                 },
1397                 .fixup_map1 = { 6 },
1398                 .errstr = "different pointers",
1399                 .errstr_unpriv = "R1 pointer comparison",
1400                 .result = REJECT,
1401         },
1402         {
1403                 "access skb fields bad4",
1404                 .insns = {
1405                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1406                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1407                                     offsetof(struct __sk_buff, len)),
1408                         BPF_MOV64_IMM(BPF_REG_0, 0),
1409                         BPF_EXIT_INSN(),
1410                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1411                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1412                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1413                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1414                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1415                                      BPF_FUNC_map_lookup_elem),
1416                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1417                         BPF_EXIT_INSN(),
1418                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1419                         BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1420                 },
1421                 .fixup_map1 = { 7 },
1422                 .errstr = "different pointers",
1423                 .errstr_unpriv = "R1 pointer comparison",
1424                 .result = REJECT,
1425         },
1426         {
1427                 "invalid access __sk_buff family",
1428                 .insns = {
1429                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1430                                     offsetof(struct __sk_buff, family)),
1431                         BPF_EXIT_INSN(),
1432                 },
1433                 .errstr = "invalid bpf_context access",
1434                 .result = REJECT,
1435         },
1436         {
1437                 "invalid access __sk_buff remote_ip4",
1438                 .insns = {
1439                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1440                                     offsetof(struct __sk_buff, remote_ip4)),
1441                         BPF_EXIT_INSN(),
1442                 },
1443                 .errstr = "invalid bpf_context access",
1444                 .result = REJECT,
1445         },
1446         {
1447                 "invalid access __sk_buff local_ip4",
1448                 .insns = {
1449                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1450                                     offsetof(struct __sk_buff, local_ip4)),
1451                         BPF_EXIT_INSN(),
1452                 },
1453                 .errstr = "invalid bpf_context access",
1454                 .result = REJECT,
1455         },
1456         {
1457                 "invalid access __sk_buff remote_ip6",
1458                 .insns = {
1459                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1460                                     offsetof(struct __sk_buff, remote_ip6)),
1461                         BPF_EXIT_INSN(),
1462                 },
1463                 .errstr = "invalid bpf_context access",
1464                 .result = REJECT,
1465         },
1466         {
1467                 "invalid access __sk_buff local_ip6",
1468                 .insns = {
1469                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1470                                     offsetof(struct __sk_buff, local_ip6)),
1471                         BPF_EXIT_INSN(),
1472                 },
1473                 .errstr = "invalid bpf_context access",
1474                 .result = REJECT,
1475         },
1476         {
1477                 "invalid access __sk_buff remote_port",
1478                 .insns = {
1479                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1480                                     offsetof(struct __sk_buff, remote_port)),
1481                         BPF_EXIT_INSN(),
1482                 },
1483                 .errstr = "invalid bpf_context access",
1484                 .result = REJECT,
1485         },
1486         {
1487                 "invalid access __sk_buff remote_port",
1488                 .insns = {
1489                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1490                                     offsetof(struct __sk_buff, local_port)),
1491                         BPF_EXIT_INSN(),
1492                 },
1493                 .errstr = "invalid bpf_context access",
1494                 .result = REJECT,
1495         },
1496         {
1497                 "valid access __sk_buff family",
1498                 .insns = {
1499                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1500                                     offsetof(struct __sk_buff, family)),
1501                         BPF_EXIT_INSN(),
1502                 },
1503                 .result = ACCEPT,
1504                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1505         },
1506         {
1507                 "valid access __sk_buff remote_ip4",
1508                 .insns = {
1509                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1510                                     offsetof(struct __sk_buff, remote_ip4)),
1511                         BPF_EXIT_INSN(),
1512                 },
1513                 .result = ACCEPT,
1514                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1515         },
1516         {
1517                 "valid access __sk_buff local_ip4",
1518                 .insns = {
1519                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1520                                     offsetof(struct __sk_buff, local_ip4)),
1521                         BPF_EXIT_INSN(),
1522                 },
1523                 .result = ACCEPT,
1524                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1525         },
1526         {
1527                 "valid access __sk_buff remote_ip6",
1528                 .insns = {
1529                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1530                                     offsetof(struct __sk_buff, remote_ip6[0])),
1531                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1532                                     offsetof(struct __sk_buff, remote_ip6[1])),
1533                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1534                                     offsetof(struct __sk_buff, remote_ip6[2])),
1535                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1536                                     offsetof(struct __sk_buff, remote_ip6[3])),
1537                         BPF_EXIT_INSN(),
1538                 },
1539                 .result = ACCEPT,
1540                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1541         },
1542         {
1543                 "valid access __sk_buff local_ip6",
1544                 .insns = {
1545                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1546                                     offsetof(struct __sk_buff, local_ip6[0])),
1547                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1548                                     offsetof(struct __sk_buff, local_ip6[1])),
1549                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1550                                     offsetof(struct __sk_buff, local_ip6[2])),
1551                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1552                                     offsetof(struct __sk_buff, local_ip6[3])),
1553                         BPF_EXIT_INSN(),
1554                 },
1555                 .result = ACCEPT,
1556                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1557         },
1558         {
1559                 "valid access __sk_buff remote_port",
1560                 .insns = {
1561                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1562                                     offsetof(struct __sk_buff, remote_port)),
1563                         BPF_EXIT_INSN(),
1564                 },
1565                 .result = ACCEPT,
1566                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1567         },
1568         {
1569                 "valid access __sk_buff remote_port",
1570                 .insns = {
1571                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572                                     offsetof(struct __sk_buff, local_port)),
1573                         BPF_EXIT_INSN(),
1574                 },
1575                 .result = ACCEPT,
1576                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1577         },
1578         {
1579                 "invalid access of tc_classid for SK_SKB",
1580                 .insns = {
1581                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1582                                     offsetof(struct __sk_buff, tc_classid)),
1583                         BPF_EXIT_INSN(),
1584                 },
1585                 .result = REJECT,
1586                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1587                 .errstr = "invalid bpf_context access",
1588         },
1589         {
1590                 "invalid access of skb->mark for SK_SKB",
1591                 .insns = {
1592                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1593                                     offsetof(struct __sk_buff, mark)),
1594                         BPF_EXIT_INSN(),
1595                 },
1596                 .result =  REJECT,
1597                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1598                 .errstr = "invalid bpf_context access",
1599         },
1600         {
1601                 "check skb->mark is not writeable by SK_SKB",
1602                 .insns = {
1603                         BPF_MOV64_IMM(BPF_REG_0, 0),
1604                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1605                                     offsetof(struct __sk_buff, mark)),
1606                         BPF_EXIT_INSN(),
1607                 },
1608                 .result =  REJECT,
1609                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1610                 .errstr = "invalid bpf_context access",
1611         },
1612         {
1613                 "check skb->tc_index is writeable by SK_SKB",
1614                 .insns = {
1615                         BPF_MOV64_IMM(BPF_REG_0, 0),
1616                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1617                                     offsetof(struct __sk_buff, tc_index)),
1618                         BPF_EXIT_INSN(),
1619                 },
1620                 .result = ACCEPT,
1621                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1622         },
1623         {
1624                 "check skb->priority is writeable by SK_SKB",
1625                 .insns = {
1626                         BPF_MOV64_IMM(BPF_REG_0, 0),
1627                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1628                                     offsetof(struct __sk_buff, priority)),
1629                         BPF_EXIT_INSN(),
1630                 },
1631                 .result = ACCEPT,
1632                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1633         },
1634         {
1635                 "direct packet read for SK_SKB",
1636                 .insns = {
1637                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1638                                     offsetof(struct __sk_buff, data)),
1639                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1640                                     offsetof(struct __sk_buff, data_end)),
1641                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1642                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1643                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1644                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1645                         BPF_MOV64_IMM(BPF_REG_0, 0),
1646                         BPF_EXIT_INSN(),
1647                 },
1648                 .result = ACCEPT,
1649                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1650         },
1651         {
1652                 "direct packet write for SK_SKB",
1653                 .insns = {
1654                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1655                                     offsetof(struct __sk_buff, data)),
1656                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1657                                     offsetof(struct __sk_buff, data_end)),
1658                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1659                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1660                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1661                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1662                         BPF_MOV64_IMM(BPF_REG_0, 0),
1663                         BPF_EXIT_INSN(),
1664                 },
1665                 .result = ACCEPT,
1666                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1667         },
1668         {
1669                 "overlapping checks for direct packet access SK_SKB",
1670                 .insns = {
1671                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1672                                     offsetof(struct __sk_buff, data)),
1673                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1674                                     offsetof(struct __sk_buff, data_end)),
1675                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1676                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1677                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1678                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1679                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1680                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1681                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1682                         BPF_MOV64_IMM(BPF_REG_0, 0),
1683                         BPF_EXIT_INSN(),
1684                 },
1685                 .result = ACCEPT,
1686                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1687         },
1688         {
1689                 "valid access family in SK_MSG",
1690                 .insns = {
1691                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1692                                     offsetof(struct sk_msg_md, family)),
1693                         BPF_EXIT_INSN(),
1694                 },
1695                 .result = ACCEPT,
1696                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1697         },
1698         {
1699                 "valid access remote_ip4 in SK_MSG",
1700                 .insns = {
1701                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1702                                     offsetof(struct sk_msg_md, remote_ip4)),
1703                         BPF_EXIT_INSN(),
1704                 },
1705                 .result = ACCEPT,
1706                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1707         },
1708         {
1709                 "valid access local_ip4 in SK_MSG",
1710                 .insns = {
1711                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1712                                     offsetof(struct sk_msg_md, local_ip4)),
1713                         BPF_EXIT_INSN(),
1714                 },
1715                 .result = ACCEPT,
1716                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1717         },
1718         {
1719                 "valid access remote_port in SK_MSG",
1720                 .insns = {
1721                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1722                                     offsetof(struct sk_msg_md, remote_port)),
1723                         BPF_EXIT_INSN(),
1724                 },
1725                 .result = ACCEPT,
1726                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1727         },
1728         {
1729                 "valid access local_port in SK_MSG",
1730                 .insns = {
1731                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1732                                     offsetof(struct sk_msg_md, local_port)),
1733                         BPF_EXIT_INSN(),
1734                 },
1735                 .result = ACCEPT,
1736                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1737         },
1738         {
1739                 "valid access remote_ip6 in SK_MSG",
1740                 .insns = {
1741                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1742                                     offsetof(struct sk_msg_md, remote_ip6[0])),
1743                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1744                                     offsetof(struct sk_msg_md, remote_ip6[1])),
1745                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746                                     offsetof(struct sk_msg_md, remote_ip6[2])),
1747                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1748                                     offsetof(struct sk_msg_md, remote_ip6[3])),
1749                         BPF_EXIT_INSN(),
1750                 },
1751                 .result = ACCEPT,
1752                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1753         },
1754         {
1755                 "valid access local_ip6 in SK_MSG",
1756                 .insns = {
1757                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1758                                     offsetof(struct sk_msg_md, local_ip6[0])),
1759                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1760                                     offsetof(struct sk_msg_md, local_ip6[1])),
1761                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1762                                     offsetof(struct sk_msg_md, local_ip6[2])),
1763                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1764                                     offsetof(struct sk_msg_md, local_ip6[3])),
1765                         BPF_EXIT_INSN(),
1766                 },
1767                 .result = ACCEPT,
1768                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1769         },
1770         {
1771                 "invalid 64B read of family in SK_MSG",
1772                 .insns = {
1773                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1774                                     offsetof(struct sk_msg_md, family)),
1775                         BPF_EXIT_INSN(),
1776                 },
1777                 .errstr = "invalid bpf_context access",
1778                 .result = REJECT,
1779                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1780         },
1781         {
1782                 "invalid read past end of SK_MSG",
1783                 .insns = {
1784                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1785                                     offsetof(struct sk_msg_md, local_port) + 4),
1786                         BPF_EXIT_INSN(),
1787                 },
1788                 .errstr = "R0 !read_ok",
1789                 .result = REJECT,
1790                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1791         },
1792         {
1793                 "invalid read offset in SK_MSG",
1794                 .insns = {
1795                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1796                                     offsetof(struct sk_msg_md, family) + 1),
1797                         BPF_EXIT_INSN(),
1798                 },
1799                 .errstr = "invalid bpf_context access",
1800                 .result = REJECT,
1801                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1802         },
1803         {
1804                 "direct packet read for SK_MSG",
1805                 .insns = {
1806                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1807                                     offsetof(struct sk_msg_md, data)),
1808                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1809                                     offsetof(struct sk_msg_md, data_end)),
1810                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1811                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1812                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1813                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1814                         BPF_MOV64_IMM(BPF_REG_0, 0),
1815                         BPF_EXIT_INSN(),
1816                 },
1817                 .result = ACCEPT,
1818                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1819         },
1820         {
1821                 "direct packet write for SK_MSG",
1822                 .insns = {
1823                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1824                                     offsetof(struct sk_msg_md, data)),
1825                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1826                                     offsetof(struct sk_msg_md, data_end)),
1827                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1828                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1829                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1830                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1831                         BPF_MOV64_IMM(BPF_REG_0, 0),
1832                         BPF_EXIT_INSN(),
1833                 },
1834                 .result = ACCEPT,
1835                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1836         },
1837         {
1838                 "overlapping checks for direct packet access SK_MSG",
1839                 .insns = {
1840                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1841                                     offsetof(struct sk_msg_md, data)),
1842                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1843                                     offsetof(struct sk_msg_md, data_end)),
1844                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1845                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1846                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1847                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1848                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1849                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1850                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1851                         BPF_MOV64_IMM(BPF_REG_0, 0),
1852                         BPF_EXIT_INSN(),
1853                 },
1854                 .result = ACCEPT,
1855                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1856         },
1857         {
1858                 "check skb->mark is not writeable by sockets",
1859                 .insns = {
1860                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1861                                     offsetof(struct __sk_buff, mark)),
1862                         BPF_EXIT_INSN(),
1863                 },
1864                 .errstr = "invalid bpf_context access",
1865                 .errstr_unpriv = "R1 leaks addr",
1866                 .result = REJECT,
1867         },
1868         {
1869                 "check skb->tc_index is not writeable by sockets",
1870                 .insns = {
1871                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1872                                     offsetof(struct __sk_buff, tc_index)),
1873                         BPF_EXIT_INSN(),
1874                 },
1875                 .errstr = "invalid bpf_context access",
1876                 .errstr_unpriv = "R1 leaks addr",
1877                 .result = REJECT,
1878         },
1879         {
1880                 "check cb access: byte",
1881                 .insns = {
1882                         BPF_MOV64_IMM(BPF_REG_0, 0),
1883                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1884                                     offsetof(struct __sk_buff, cb[0])),
1885                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1886                                     offsetof(struct __sk_buff, cb[0]) + 1),
1887                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1888                                     offsetof(struct __sk_buff, cb[0]) + 2),
1889                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1890                                     offsetof(struct __sk_buff, cb[0]) + 3),
1891                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1892                                     offsetof(struct __sk_buff, cb[1])),
1893                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1894                                     offsetof(struct __sk_buff, cb[1]) + 1),
1895                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1896                                     offsetof(struct __sk_buff, cb[1]) + 2),
1897                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1898                                     offsetof(struct __sk_buff, cb[1]) + 3),
1899                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1900                                     offsetof(struct __sk_buff, cb[2])),
1901                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1902                                     offsetof(struct __sk_buff, cb[2]) + 1),
1903                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1904                                     offsetof(struct __sk_buff, cb[2]) + 2),
1905                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1906                                     offsetof(struct __sk_buff, cb[2]) + 3),
1907                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1908                                     offsetof(struct __sk_buff, cb[3])),
1909                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1910                                     offsetof(struct __sk_buff, cb[3]) + 1),
1911                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1912                                     offsetof(struct __sk_buff, cb[3]) + 2),
1913                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1914                                     offsetof(struct __sk_buff, cb[3]) + 3),
1915                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1916                                     offsetof(struct __sk_buff, cb[4])),
1917                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1918                                     offsetof(struct __sk_buff, cb[4]) + 1),
1919                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1920                                     offsetof(struct __sk_buff, cb[4]) + 2),
1921                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1922                                     offsetof(struct __sk_buff, cb[4]) + 3),
1923                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1924                                     offsetof(struct __sk_buff, cb[0])),
1925                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1926                                     offsetof(struct __sk_buff, cb[0]) + 1),
1927                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1928                                     offsetof(struct __sk_buff, cb[0]) + 2),
1929                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1930                                     offsetof(struct __sk_buff, cb[0]) + 3),
1931                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1932                                     offsetof(struct __sk_buff, cb[1])),
1933                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1934                                     offsetof(struct __sk_buff, cb[1]) + 1),
1935                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1936                                     offsetof(struct __sk_buff, cb[1]) + 2),
1937                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1938                                     offsetof(struct __sk_buff, cb[1]) + 3),
1939                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1940                                     offsetof(struct __sk_buff, cb[2])),
1941                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1942                                     offsetof(struct __sk_buff, cb[2]) + 1),
1943                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1944                                     offsetof(struct __sk_buff, cb[2]) + 2),
1945                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1946                                     offsetof(struct __sk_buff, cb[2]) + 3),
1947                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1948                                     offsetof(struct __sk_buff, cb[3])),
1949                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1950                                     offsetof(struct __sk_buff, cb[3]) + 1),
1951                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1952                                     offsetof(struct __sk_buff, cb[3]) + 2),
1953                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1954                                     offsetof(struct __sk_buff, cb[3]) + 3),
1955                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1956                                     offsetof(struct __sk_buff, cb[4])),
1957                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1958                                     offsetof(struct __sk_buff, cb[4]) + 1),
1959                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1960                                     offsetof(struct __sk_buff, cb[4]) + 2),
1961                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1962                                     offsetof(struct __sk_buff, cb[4]) + 3),
1963                         BPF_EXIT_INSN(),
1964                 },
1965                 .result = ACCEPT,
1966         },
1967         {
1968                 "__sk_buff->hash, offset 0, byte store not permitted",
1969                 .insns = {
1970                         BPF_MOV64_IMM(BPF_REG_0, 0),
1971                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1972                                     offsetof(struct __sk_buff, hash)),
1973                         BPF_EXIT_INSN(),
1974                 },
1975                 .errstr = "invalid bpf_context access",
1976                 .result = REJECT,
1977         },
1978         {
1979                 "__sk_buff->tc_index, offset 3, byte store not permitted",
1980                 .insns = {
1981                         BPF_MOV64_IMM(BPF_REG_0, 0),
1982                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1983                                     offsetof(struct __sk_buff, tc_index) + 3),
1984                         BPF_EXIT_INSN(),
1985                 },
1986                 .errstr = "invalid bpf_context access",
1987                 .result = REJECT,
1988         },
1989         {
1990                 "check skb->hash byte load permitted",
1991                 .insns = {
1992                         BPF_MOV64_IMM(BPF_REG_0, 0),
1993 #if __BYTE_ORDER == __LITTLE_ENDIAN
1994                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1995                                     offsetof(struct __sk_buff, hash)),
1996 #else
1997                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1998                                     offsetof(struct __sk_buff, hash) + 3),
1999 #endif
2000                         BPF_EXIT_INSN(),
2001                 },
2002                 .result = ACCEPT,
2003         },
2004         {
2005                 "check skb->hash byte load not permitted 1",
2006                 .insns = {
2007                         BPF_MOV64_IMM(BPF_REG_0, 0),
2008                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2009                                     offsetof(struct __sk_buff, hash) + 1),
2010                         BPF_EXIT_INSN(),
2011                 },
2012                 .errstr = "invalid bpf_context access",
2013                 .result = REJECT,
2014         },
2015         {
2016                 "check skb->hash byte load not permitted 2",
2017                 .insns = {
2018                         BPF_MOV64_IMM(BPF_REG_0, 0),
2019                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2020                                     offsetof(struct __sk_buff, hash) + 2),
2021                         BPF_EXIT_INSN(),
2022                 },
2023                 .errstr = "invalid bpf_context access",
2024                 .result = REJECT,
2025         },
2026         {
2027                 "check skb->hash byte load not permitted 3",
2028                 .insns = {
2029                         BPF_MOV64_IMM(BPF_REG_0, 0),
2030 #if __BYTE_ORDER == __LITTLE_ENDIAN
2031                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2032                                     offsetof(struct __sk_buff, hash) + 3),
2033 #else
2034                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2035                                     offsetof(struct __sk_buff, hash)),
2036 #endif
2037                         BPF_EXIT_INSN(),
2038                 },
2039                 .errstr = "invalid bpf_context access",
2040                 .result = REJECT,
2041         },
2042         {
2043                 "check cb access: byte, wrong type",
2044                 .insns = {
2045                         BPF_MOV64_IMM(BPF_REG_0, 0),
2046                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2047                                     offsetof(struct __sk_buff, cb[0])),
2048                         BPF_EXIT_INSN(),
2049                 },
2050                 .errstr = "invalid bpf_context access",
2051                 .result = REJECT,
2052                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2053         },
2054         {
2055                 "check cb access: half",
2056                 .insns = {
2057                         BPF_MOV64_IMM(BPF_REG_0, 0),
2058                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2059                                     offsetof(struct __sk_buff, cb[0])),
2060                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2061                                     offsetof(struct __sk_buff, cb[0]) + 2),
2062                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2063                                     offsetof(struct __sk_buff, cb[1])),
2064                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2065                                     offsetof(struct __sk_buff, cb[1]) + 2),
2066                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2067                                     offsetof(struct __sk_buff, cb[2])),
2068                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2069                                     offsetof(struct __sk_buff, cb[2]) + 2),
2070                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2071                                     offsetof(struct __sk_buff, cb[3])),
2072                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2073                                     offsetof(struct __sk_buff, cb[3]) + 2),
2074                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2075                                     offsetof(struct __sk_buff, cb[4])),
2076                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2077                                     offsetof(struct __sk_buff, cb[4]) + 2),
2078                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2079                                     offsetof(struct __sk_buff, cb[0])),
2080                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2081                                     offsetof(struct __sk_buff, cb[0]) + 2),
2082                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2083                                     offsetof(struct __sk_buff, cb[1])),
2084                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2085                                     offsetof(struct __sk_buff, cb[1]) + 2),
2086                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2087                                     offsetof(struct __sk_buff, cb[2])),
2088                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2089                                     offsetof(struct __sk_buff, cb[2]) + 2),
2090                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2091                                     offsetof(struct __sk_buff, cb[3])),
2092                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2093                                     offsetof(struct __sk_buff, cb[3]) + 2),
2094                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2095                                     offsetof(struct __sk_buff, cb[4])),
2096                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2097                                     offsetof(struct __sk_buff, cb[4]) + 2),
2098                         BPF_EXIT_INSN(),
2099                 },
2100                 .result = ACCEPT,
2101         },
2102         {
2103                 "check cb access: half, unaligned",
2104                 .insns = {
2105                         BPF_MOV64_IMM(BPF_REG_0, 0),
2106                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2107                                     offsetof(struct __sk_buff, cb[0]) + 1),
2108                         BPF_EXIT_INSN(),
2109                 },
2110                 .errstr = "misaligned context access",
2111                 .result = REJECT,
2112                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2113         },
2114         {
2115                 "check __sk_buff->hash, offset 0, half store not permitted",
2116                 .insns = {
2117                         BPF_MOV64_IMM(BPF_REG_0, 0),
2118                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2119                                     offsetof(struct __sk_buff, hash)),
2120                         BPF_EXIT_INSN(),
2121                 },
2122                 .errstr = "invalid bpf_context access",
2123                 .result = REJECT,
2124         },
2125         {
2126                 "check __sk_buff->tc_index, offset 2, half store not permitted",
2127                 .insns = {
2128                         BPF_MOV64_IMM(BPF_REG_0, 0),
2129                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2130                                     offsetof(struct __sk_buff, tc_index) + 2),
2131                         BPF_EXIT_INSN(),
2132                 },
2133                 .errstr = "invalid bpf_context access",
2134                 .result = REJECT,
2135         },
2136         {
2137                 "check skb->hash half load permitted",
2138                 .insns = {
2139                         BPF_MOV64_IMM(BPF_REG_0, 0),
2140 #if __BYTE_ORDER == __LITTLE_ENDIAN
2141                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2142                                     offsetof(struct __sk_buff, hash)),
2143 #else
2144                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2145                                     offsetof(struct __sk_buff, hash) + 2),
2146 #endif
2147                         BPF_EXIT_INSN(),
2148                 },
2149                 .result = ACCEPT,
2150         },
2151         {
2152                 "check skb->hash half load not permitted",
2153                 .insns = {
2154                         BPF_MOV64_IMM(BPF_REG_0, 0),
2155 #if __BYTE_ORDER == __LITTLE_ENDIAN
2156                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2157                                     offsetof(struct __sk_buff, hash) + 2),
2158 #else
2159                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2160                                     offsetof(struct __sk_buff, hash)),
2161 #endif
2162                         BPF_EXIT_INSN(),
2163                 },
2164                 .errstr = "invalid bpf_context access",
2165                 .result = REJECT,
2166         },
2167         {
2168                 "check cb access: half, wrong type",
2169                 .insns = {
2170                         BPF_MOV64_IMM(BPF_REG_0, 0),
2171                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2172                                     offsetof(struct __sk_buff, cb[0])),
2173                         BPF_EXIT_INSN(),
2174                 },
2175                 .errstr = "invalid bpf_context access",
2176                 .result = REJECT,
2177                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2178         },
2179         {
2180                 "check cb access: word",
2181                 .insns = {
2182                         BPF_MOV64_IMM(BPF_REG_0, 0),
2183                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2184                                     offsetof(struct __sk_buff, cb[0])),
2185                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2186                                     offsetof(struct __sk_buff, cb[1])),
2187                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2188                                     offsetof(struct __sk_buff, cb[2])),
2189                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2190                                     offsetof(struct __sk_buff, cb[3])),
2191                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2192                                     offsetof(struct __sk_buff, cb[4])),
2193                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2194                                     offsetof(struct __sk_buff, cb[0])),
2195                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2196                                     offsetof(struct __sk_buff, cb[1])),
2197                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2198                                     offsetof(struct __sk_buff, cb[2])),
2199                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2200                                     offsetof(struct __sk_buff, cb[3])),
2201                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2202                                     offsetof(struct __sk_buff, cb[4])),
2203                         BPF_EXIT_INSN(),
2204                 },
2205                 .result = ACCEPT,
2206         },
2207         {
2208                 "check cb access: word, unaligned 1",
2209                 .insns = {
2210                         BPF_MOV64_IMM(BPF_REG_0, 0),
2211                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2212                                     offsetof(struct __sk_buff, cb[0]) + 2),
2213                         BPF_EXIT_INSN(),
2214                 },
2215                 .errstr = "misaligned context access",
2216                 .result = REJECT,
2217                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2218         },
2219         {
2220                 "check cb access: word, unaligned 2",
2221                 .insns = {
2222                         BPF_MOV64_IMM(BPF_REG_0, 0),
2223                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2224                                     offsetof(struct __sk_buff, cb[4]) + 1),
2225                         BPF_EXIT_INSN(),
2226                 },
2227                 .errstr = "misaligned context access",
2228                 .result = REJECT,
2229                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2230         },
2231         {
2232                 "check cb access: word, unaligned 3",
2233                 .insns = {
2234                         BPF_MOV64_IMM(BPF_REG_0, 0),
2235                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2236                                     offsetof(struct __sk_buff, cb[4]) + 2),
2237                         BPF_EXIT_INSN(),
2238                 },
2239                 .errstr = "misaligned context access",
2240                 .result = REJECT,
2241                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2242         },
2243         {
2244                 "check cb access: word, unaligned 4",
2245                 .insns = {
2246                         BPF_MOV64_IMM(BPF_REG_0, 0),
2247                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2248                                     offsetof(struct __sk_buff, cb[4]) + 3),
2249                         BPF_EXIT_INSN(),
2250                 },
2251                 .errstr = "misaligned context access",
2252                 .result = REJECT,
2253                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2254         },
2255         {
2256                 "check cb access: double",
2257                 .insns = {
2258                         BPF_MOV64_IMM(BPF_REG_0, 0),
2259                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2260                                     offsetof(struct __sk_buff, cb[0])),
2261                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2262                                     offsetof(struct __sk_buff, cb[2])),
2263                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2264                                     offsetof(struct __sk_buff, cb[0])),
2265                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2266                                     offsetof(struct __sk_buff, cb[2])),
2267                         BPF_EXIT_INSN(),
2268                 },
2269                 .result = ACCEPT,
2270         },
2271         {
2272                 "check cb access: double, unaligned 1",
2273                 .insns = {
2274                         BPF_MOV64_IMM(BPF_REG_0, 0),
2275                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2276                                     offsetof(struct __sk_buff, cb[1])),
2277                         BPF_EXIT_INSN(),
2278                 },
2279                 .errstr = "misaligned context access",
2280                 .result = REJECT,
2281                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2282         },
2283         {
2284                 "check cb access: double, unaligned 2",
2285                 .insns = {
2286                         BPF_MOV64_IMM(BPF_REG_0, 0),
2287                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2288                                     offsetof(struct __sk_buff, cb[3])),
2289                         BPF_EXIT_INSN(),
2290                 },
2291                 .errstr = "misaligned context access",
2292                 .result = REJECT,
2293                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2294         },
2295         {
2296                 "check cb access: double, oob 1",
2297                 .insns = {
2298                         BPF_MOV64_IMM(BPF_REG_0, 0),
2299                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2300                                     offsetof(struct __sk_buff, cb[4])),
2301                         BPF_EXIT_INSN(),
2302                 },
2303                 .errstr = "invalid bpf_context access",
2304                 .result = REJECT,
2305         },
2306         {
2307                 "check cb access: double, oob 2",
2308                 .insns = {
2309                         BPF_MOV64_IMM(BPF_REG_0, 0),
2310                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2311                                     offsetof(struct __sk_buff, cb[4])),
2312                         BPF_EXIT_INSN(),
2313                 },
2314                 .errstr = "invalid bpf_context access",
2315                 .result = REJECT,
2316         },
2317         {
2318                 "check __sk_buff->ifindex dw store not permitted",
2319                 .insns = {
2320                         BPF_MOV64_IMM(BPF_REG_0, 0),
2321                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2322                                     offsetof(struct __sk_buff, ifindex)),
2323                         BPF_EXIT_INSN(),
2324                 },
2325                 .errstr = "invalid bpf_context access",
2326                 .result = REJECT,
2327         },
2328         {
2329                 "check __sk_buff->ifindex dw load not permitted",
2330                 .insns = {
2331                         BPF_MOV64_IMM(BPF_REG_0, 0),
2332                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2333                                     offsetof(struct __sk_buff, ifindex)),
2334                         BPF_EXIT_INSN(),
2335                 },
2336                 .errstr = "invalid bpf_context access",
2337                 .result = REJECT,
2338         },
2339         {
2340                 "check cb access: double, wrong type",
2341                 .insns = {
2342                         BPF_MOV64_IMM(BPF_REG_0, 0),
2343                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2344                                     offsetof(struct __sk_buff, cb[0])),
2345                         BPF_EXIT_INSN(),
2346                 },
2347                 .errstr = "invalid bpf_context access",
2348                 .result = REJECT,
2349                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2350         },
2351         {
2352                 "check out of range skb->cb access",
2353                 .insns = {
2354                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2355                                     offsetof(struct __sk_buff, cb[0]) + 256),
2356                         BPF_EXIT_INSN(),
2357                 },
2358                 .errstr = "invalid bpf_context access",
2359                 .errstr_unpriv = "",
2360                 .result = REJECT,
2361                 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2362         },
2363         {
2364                 "write skb fields from socket prog",
2365                 .insns = {
2366                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2367                                     offsetof(struct __sk_buff, cb[4])),
2368                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2369                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2370                                     offsetof(struct __sk_buff, mark)),
2371                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2372                                     offsetof(struct __sk_buff, tc_index)),
2373                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2374                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2375                                     offsetof(struct __sk_buff, cb[0])),
2376                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2377                                     offsetof(struct __sk_buff, cb[2])),
2378                         BPF_EXIT_INSN(),
2379                 },
2380                 .result = ACCEPT,
2381                 .errstr_unpriv = "R1 leaks addr",
2382                 .result_unpriv = REJECT,
2383         },
2384         {
2385                 "write skb fields from tc_cls_act prog",
2386                 .insns = {
2387                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2388                                     offsetof(struct __sk_buff, cb[0])),
2389                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2390                                     offsetof(struct __sk_buff, mark)),
2391                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2392                                     offsetof(struct __sk_buff, tc_index)),
2393                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2394                                     offsetof(struct __sk_buff, tc_index)),
2395                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2396                                     offsetof(struct __sk_buff, cb[3])),
2397                         BPF_EXIT_INSN(),
2398                 },
2399                 .errstr_unpriv = "",
2400                 .result_unpriv = REJECT,
2401                 .result = ACCEPT,
2402                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2403         },
2404         {
2405                 "PTR_TO_STACK store/load",
2406                 .insns = {
2407                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2408                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2409                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2410                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2411                         BPF_EXIT_INSN(),
2412                 },
2413                 .result = ACCEPT,
2414                 .retval = 0xfaceb00c,
2415         },
2416         {
2417                 "PTR_TO_STACK store/load - bad alignment on off",
2418                 .insns = {
2419                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2420                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2421                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2422                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2423                         BPF_EXIT_INSN(),
2424                 },
2425                 .result = REJECT,
2426                 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2427         },
2428         {
2429                 "PTR_TO_STACK store/load - bad alignment on reg",
2430                 .insns = {
2431                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2432                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2433                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2434                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2435                         BPF_EXIT_INSN(),
2436                 },
2437                 .result = REJECT,
2438                 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2439         },
2440         {
2441                 "PTR_TO_STACK store/load - out of bounds low",
2442                 .insns = {
2443                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2444                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2445                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2446                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2447                         BPF_EXIT_INSN(),
2448                 },
2449                 .result = REJECT,
2450                 .errstr = "invalid stack off=-79992 size=8",
2451         },
2452         {
2453                 "PTR_TO_STACK store/load - out of bounds high",
2454                 .insns = {
2455                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2456                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2457                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2458                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2459                         BPF_EXIT_INSN(),
2460                 },
2461                 .result = REJECT,
2462                 .errstr = "invalid stack off=0 size=8",
2463         },
2464         {
2465                 "unpriv: return pointer",
2466                 .insns = {
2467                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2468                         BPF_EXIT_INSN(),
2469                 },
2470                 .result = ACCEPT,
2471                 .result_unpriv = REJECT,
2472                 .errstr_unpriv = "R0 leaks addr",
2473                 .retval = POINTER_VALUE,
2474         },
2475         {
2476                 "unpriv: add const to pointer",
2477                 .insns = {
2478                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2479                         BPF_MOV64_IMM(BPF_REG_0, 0),
2480                         BPF_EXIT_INSN(),
2481                 },
2482                 .result = ACCEPT,
2483         },
2484         {
2485                 "unpriv: add pointer to pointer",
2486                 .insns = {
2487                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2488                         BPF_MOV64_IMM(BPF_REG_0, 0),
2489                         BPF_EXIT_INSN(),
2490                 },
2491                 .result = REJECT,
2492                 .errstr = "R1 pointer += pointer",
2493         },
2494         {
2495                 "unpriv: neg pointer",
2496                 .insns = {
2497                         BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2498                         BPF_MOV64_IMM(BPF_REG_0, 0),
2499                         BPF_EXIT_INSN(),
2500                 },
2501                 .result = ACCEPT,
2502                 .result_unpriv = REJECT,
2503                 .errstr_unpriv = "R1 pointer arithmetic",
2504         },
2505         {
2506                 "unpriv: cmp pointer with const",
2507                 .insns = {
2508                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2509                         BPF_MOV64_IMM(BPF_REG_0, 0),
2510                         BPF_EXIT_INSN(),
2511                 },
2512                 .result = ACCEPT,
2513                 .result_unpriv = REJECT,
2514                 .errstr_unpriv = "R1 pointer comparison",
2515         },
2516         {
2517                 "unpriv: cmp pointer with pointer",
2518                 .insns = {
2519                         BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2520                         BPF_MOV64_IMM(BPF_REG_0, 0),
2521                         BPF_EXIT_INSN(),
2522                 },
2523                 .result = ACCEPT,
2524                 .result_unpriv = REJECT,
2525                 .errstr_unpriv = "R10 pointer comparison",
2526         },
2527         {
2528                 "unpriv: check that printk is disallowed",
2529                 .insns = {
2530                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2531                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2532                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2533                         BPF_MOV64_IMM(BPF_REG_2, 8),
2534                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2535                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2536                                      BPF_FUNC_trace_printk),
2537                         BPF_MOV64_IMM(BPF_REG_0, 0),
2538                         BPF_EXIT_INSN(),
2539                 },
2540                 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2541                 .result_unpriv = REJECT,
2542                 .result = ACCEPT,
2543         },
2544         {
2545                 "unpriv: pass pointer to helper function",
2546                 .insns = {
2547                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2548                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2549                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2550                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2551                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2552                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2553                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2554                                      BPF_FUNC_map_update_elem),
2555                         BPF_MOV64_IMM(BPF_REG_0, 0),
2556                         BPF_EXIT_INSN(),
2557                 },
2558                 .fixup_map1 = { 3 },
2559                 .errstr_unpriv = "R4 leaks addr",
2560                 .result_unpriv = REJECT,
2561                 .result = ACCEPT,
2562         },
2563         {
2564                 "unpriv: indirectly pass pointer on stack to helper function",
2565                 .insns = {
2566                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2567                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2568                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2569                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2570                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2571                                      BPF_FUNC_map_lookup_elem),
2572                         BPF_MOV64_IMM(BPF_REG_0, 0),
2573                         BPF_EXIT_INSN(),
2574                 },
2575                 .fixup_map1 = { 3 },
2576                 .errstr = "invalid indirect read from stack off -8+0 size 8",
2577                 .result = REJECT,
2578         },
2579         {
2580                 "unpriv: mangle pointer on stack 1",
2581                 .insns = {
2582                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2583                         BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2584                         BPF_MOV64_IMM(BPF_REG_0, 0),
2585                         BPF_EXIT_INSN(),
2586                 },
2587                 .errstr_unpriv = "attempt to corrupt spilled",
2588                 .result_unpriv = REJECT,
2589                 .result = ACCEPT,
2590         },
2591         {
2592                 "unpriv: mangle pointer on stack 2",
2593                 .insns = {
2594                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2595                         BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2596                         BPF_MOV64_IMM(BPF_REG_0, 0),
2597                         BPF_EXIT_INSN(),
2598                 },
2599                 .errstr_unpriv = "attempt to corrupt spilled",
2600                 .result_unpriv = REJECT,
2601                 .result = ACCEPT,
2602         },
2603         {
2604                 "unpriv: read pointer from stack in small chunks",
2605                 .insns = {
2606                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2607                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2608                         BPF_MOV64_IMM(BPF_REG_0, 0),
2609                         BPF_EXIT_INSN(),
2610                 },
2611                 .errstr = "invalid size",
2612                 .result = REJECT,
2613         },
2614         {
2615                 "unpriv: write pointer into ctx",
2616                 .insns = {
2617                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2618                         BPF_MOV64_IMM(BPF_REG_0, 0),
2619                         BPF_EXIT_INSN(),
2620                 },
2621                 .errstr_unpriv = "R1 leaks addr",
2622                 .result_unpriv = REJECT,
2623                 .errstr = "invalid bpf_context access",
2624                 .result = REJECT,
2625         },
2626         {
2627                 "unpriv: spill/fill of ctx",
2628                 .insns = {
2629                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2630                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2631                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2632                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2633                         BPF_MOV64_IMM(BPF_REG_0, 0),
2634                         BPF_EXIT_INSN(),
2635                 },
2636                 .result = ACCEPT,
2637         },
2638         {
2639                 "unpriv: spill/fill of ctx 2",
2640                 .insns = {
2641                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2642                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2643                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2644                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2645                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2646                                      BPF_FUNC_get_hash_recalc),
2647                         BPF_MOV64_IMM(BPF_REG_0, 0),
2648                         BPF_EXIT_INSN(),
2649                 },
2650                 .result = ACCEPT,
2651                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2652         },
2653         {
2654                 "unpriv: spill/fill of ctx 3",
2655                 .insns = {
2656                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2657                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2658                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2659                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2660                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2661                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2662                                      BPF_FUNC_get_hash_recalc),
2663                         BPF_EXIT_INSN(),
2664                 },
2665                 .result = REJECT,
2666                 .errstr = "R1 type=fp expected=ctx",
2667                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2668         },
2669         {
2670                 "unpriv: spill/fill of ctx 4",
2671                 .insns = {
2672                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2673                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2674                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2675                         BPF_MOV64_IMM(BPF_REG_0, 1),
2676                         BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2677                                      BPF_REG_0, -8, 0),
2678                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2679                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2680                                      BPF_FUNC_get_hash_recalc),
2681                         BPF_EXIT_INSN(),
2682                 },
2683                 .result = REJECT,
2684                 .errstr = "R1 type=inv expected=ctx",
2685                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2686         },
2687         {
2688                 "unpriv: spill/fill of different pointers stx",
2689                 .insns = {
2690                         BPF_MOV64_IMM(BPF_REG_3, 42),
2691                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2692                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2693                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2694                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2695                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2696                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2697                         BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2698                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2699                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2700                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2701                                     offsetof(struct __sk_buff, mark)),
2702                         BPF_MOV64_IMM(BPF_REG_0, 0),
2703                         BPF_EXIT_INSN(),
2704                 },
2705                 .result = REJECT,
2706                 .errstr = "same insn cannot be used with different pointers",
2707                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2708         },
2709         {
2710                 "unpriv: spill/fill of different pointers ldx",
2711                 .insns = {
2712                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2713                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2714                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2715                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2716                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2717                                       -(__s32)offsetof(struct bpf_perf_event_data,
2718                                                        sample_period) - 8),
2719                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2720                         BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2721                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2722                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2723                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2724                                     offsetof(struct bpf_perf_event_data,
2725                                              sample_period)),
2726                         BPF_MOV64_IMM(BPF_REG_0, 0),
2727                         BPF_EXIT_INSN(),
2728                 },
2729                 .result = REJECT,
2730                 .errstr = "same insn cannot be used with different pointers",
2731                 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2732         },
2733         {
2734                 "unpriv: write pointer into map elem value",
2735                 .insns = {
2736                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2737                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2738                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2739                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2740                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2741                                      BPF_FUNC_map_lookup_elem),
2742                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2743                         BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2744                         BPF_EXIT_INSN(),
2745                 },
2746                 .fixup_map1 = { 3 },
2747                 .errstr_unpriv = "R0 leaks addr",
2748                 .result_unpriv = REJECT,
2749                 .result = ACCEPT,
2750         },
2751         {
2752                 "unpriv: partial copy of pointer",
2753                 .insns = {
2754                         BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2755                         BPF_MOV64_IMM(BPF_REG_0, 0),
2756                         BPF_EXIT_INSN(),
2757                 },
2758                 .errstr_unpriv = "R10 partial copy",
2759                 .result_unpriv = REJECT,
2760                 .result = ACCEPT,
2761         },
2762         {
2763                 "unpriv: pass pointer to tail_call",
2764                 .insns = {
2765                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2766                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2767                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2768                                      BPF_FUNC_tail_call),
2769                         BPF_MOV64_IMM(BPF_REG_0, 0),
2770                         BPF_EXIT_INSN(),
2771                 },
2772                 .fixup_prog1 = { 1 },
2773                 .errstr_unpriv = "R3 leaks addr into helper",
2774                 .result_unpriv = REJECT,
2775                 .result = ACCEPT,
2776         },
2777         {
2778                 "unpriv: cmp map pointer with zero",
2779                 .insns = {
2780                         BPF_MOV64_IMM(BPF_REG_1, 0),
2781                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2782                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2783                         BPF_MOV64_IMM(BPF_REG_0, 0),
2784                         BPF_EXIT_INSN(),
2785                 },
2786                 .fixup_map1 = { 1 },
2787                 .errstr_unpriv = "R1 pointer comparison",
2788                 .result_unpriv = REJECT,
2789                 .result = ACCEPT,
2790         },
2791         {
2792                 "unpriv: write into frame pointer",
2793                 .insns = {
2794                         BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2795                         BPF_MOV64_IMM(BPF_REG_0, 0),
2796                         BPF_EXIT_INSN(),
2797                 },
2798                 .errstr = "frame pointer is read only",
2799                 .result = REJECT,
2800         },
2801         {
2802                 "unpriv: spill/fill frame pointer",
2803                 .insns = {
2804                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2805                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2806                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2807                         BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2808                         BPF_MOV64_IMM(BPF_REG_0, 0),
2809                         BPF_EXIT_INSN(),
2810                 },
2811                 .errstr = "frame pointer is read only",
2812                 .result = REJECT,
2813         },
2814         {
2815                 "unpriv: cmp of frame pointer",
2816                 .insns = {
2817                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2818                         BPF_MOV64_IMM(BPF_REG_0, 0),
2819                         BPF_EXIT_INSN(),
2820                 },
2821                 .errstr_unpriv = "R10 pointer comparison",
2822                 .result_unpriv = REJECT,
2823                 .result = ACCEPT,
2824         },
2825         {
2826                 "unpriv: adding of fp",
2827                 .insns = {
2828                         BPF_MOV64_IMM(BPF_REG_0, 0),
2829                         BPF_MOV64_IMM(BPF_REG_1, 0),
2830                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2831                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2832                         BPF_EXIT_INSN(),
2833                 },
2834                 .result = ACCEPT,
2835         },
2836         {
2837                 "unpriv: cmp of stack pointer",
2838                 .insns = {
2839                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2840                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2841                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2842                         BPF_MOV64_IMM(BPF_REG_0, 0),
2843                         BPF_EXIT_INSN(),
2844                 },
2845                 .errstr_unpriv = "R2 pointer comparison",
2846                 .result_unpriv = REJECT,
2847                 .result = ACCEPT,
2848         },
2849         {
2850                 "runtime/jit: tail_call within bounds, prog once",
2851                 .insns = {
2852                         BPF_MOV64_IMM(BPF_REG_3, 0),
2853                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2854                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2855                                      BPF_FUNC_tail_call),
2856                         BPF_MOV64_IMM(BPF_REG_0, 1),
2857                         BPF_EXIT_INSN(),
2858                 },
2859                 .fixup_prog1 = { 1 },
2860                 .result = ACCEPT,
2861                 .retval = 42,
2862         },
2863         {
2864                 "runtime/jit: tail_call within bounds, prog loop",
2865                 .insns = {
2866                         BPF_MOV64_IMM(BPF_REG_3, 1),
2867                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2868                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2869                                      BPF_FUNC_tail_call),
2870                         BPF_MOV64_IMM(BPF_REG_0, 1),
2871                         BPF_EXIT_INSN(),
2872                 },
2873                 .fixup_prog1 = { 1 },
2874                 .result = ACCEPT,
2875                 .retval = 41,
2876         },
2877         {
2878                 "runtime/jit: tail_call within bounds, no prog",
2879                 .insns = {
2880                         BPF_MOV64_IMM(BPF_REG_3, 2),
2881                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2882                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2883                                      BPF_FUNC_tail_call),
2884                         BPF_MOV64_IMM(BPF_REG_0, 1),
2885                         BPF_EXIT_INSN(),
2886                 },
2887                 .fixup_prog1 = { 1 },
2888                 .result = ACCEPT,
2889                 .retval = 1,
2890         },
2891         {
2892                 "runtime/jit: tail_call out of bounds",
2893                 .insns = {
2894                         BPF_MOV64_IMM(BPF_REG_3, 256),
2895                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2896                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2897                                      BPF_FUNC_tail_call),
2898                         BPF_MOV64_IMM(BPF_REG_0, 2),
2899                         BPF_EXIT_INSN(),
2900                 },
2901                 .fixup_prog1 = { 1 },
2902                 .result = ACCEPT,
2903                 .retval = 2,
2904         },
2905         {
2906                 "runtime/jit: pass negative index to tail_call",
2907                 .insns = {
2908                         BPF_MOV64_IMM(BPF_REG_3, -1),
2909                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2910                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2911                                      BPF_FUNC_tail_call),
2912                         BPF_MOV64_IMM(BPF_REG_0, 2),
2913                         BPF_EXIT_INSN(),
2914                 },
2915                 .fixup_prog1 = { 1 },
2916                 .result = ACCEPT,
2917                 .retval = 2,
2918         },
2919         {
2920                 "runtime/jit: pass > 32bit index to tail_call",
2921                 .insns = {
2922                         BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2923                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2924                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2925                                      BPF_FUNC_tail_call),
2926                         BPF_MOV64_IMM(BPF_REG_0, 2),
2927                         BPF_EXIT_INSN(),
2928                 },
2929                 .fixup_prog1 = { 2 },
2930                 .result = ACCEPT,
2931                 .retval = 42,
2932         },
2933         {
2934                 "stack pointer arithmetic",
2935                 .insns = {
2936                         BPF_MOV64_IMM(BPF_REG_1, 4),
2937                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2938                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2939                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2940                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2941                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2942                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2943                         BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2944                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2945                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2946                         BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2947                         BPF_MOV64_IMM(BPF_REG_0, 0),
2948                         BPF_EXIT_INSN(),
2949                 },
2950                 .result = ACCEPT,
2951         },
2952         {
2953                 "raw_stack: no skb_load_bytes",
2954                 .insns = {
2955                         BPF_MOV64_IMM(BPF_REG_2, 4),
2956                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2957                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2958                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2959                         BPF_MOV64_IMM(BPF_REG_4, 8),
2960                         /* Call to skb_load_bytes() omitted. */
2961                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2962                         BPF_EXIT_INSN(),
2963                 },
2964                 .result = REJECT,
2965                 .errstr = "invalid read from stack off -8+0 size 8",
2966                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2967         },
2968         {
2969                 "raw_stack: skb_load_bytes, negative len",
2970                 .insns = {
2971                         BPF_MOV64_IMM(BPF_REG_2, 4),
2972                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2973                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2974                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2975                         BPF_MOV64_IMM(BPF_REG_4, -8),
2976                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2977                                      BPF_FUNC_skb_load_bytes),
2978                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2979                         BPF_EXIT_INSN(),
2980                 },
2981                 .result = REJECT,
2982                 .errstr = "R4 min value is negative",
2983                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2984         },
2985         {
2986                 "raw_stack: skb_load_bytes, negative len 2",
2987                 .insns = {
2988                         BPF_MOV64_IMM(BPF_REG_2, 4),
2989                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2990                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2991                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2992                         BPF_MOV64_IMM(BPF_REG_4, ~0),
2993                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2994                                      BPF_FUNC_skb_load_bytes),
2995                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2996                         BPF_EXIT_INSN(),
2997                 },
2998                 .result = REJECT,
2999                 .errstr = "R4 min value is negative",
3000                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3001         },
3002         {
3003                 "raw_stack: skb_load_bytes, zero len",
3004                 .insns = {
3005                         BPF_MOV64_IMM(BPF_REG_2, 4),
3006                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3007                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3008                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3009                         BPF_MOV64_IMM(BPF_REG_4, 0),
3010                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3011                                      BPF_FUNC_skb_load_bytes),
3012                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3013                         BPF_EXIT_INSN(),
3014                 },
3015                 .result = REJECT,
3016                 .errstr = "invalid stack type R3",
3017                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3018         },
3019         {
3020                 "raw_stack: skb_load_bytes, no init",
3021                 .insns = {
3022                         BPF_MOV64_IMM(BPF_REG_2, 4),
3023                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3024                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3025                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3026                         BPF_MOV64_IMM(BPF_REG_4, 8),
3027                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3028                                      BPF_FUNC_skb_load_bytes),
3029                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3030                         BPF_EXIT_INSN(),
3031                 },
3032                 .result = ACCEPT,
3033                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3034         },
3035         {
3036                 "raw_stack: skb_load_bytes, init",
3037                 .insns = {
3038                         BPF_MOV64_IMM(BPF_REG_2, 4),
3039                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3040                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3041                         BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3042                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3043                         BPF_MOV64_IMM(BPF_REG_4, 8),
3044                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3045                                      BPF_FUNC_skb_load_bytes),
3046                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3047                         BPF_EXIT_INSN(),
3048                 },
3049                 .result = ACCEPT,
3050                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3051         },
3052         {
3053                 "raw_stack: skb_load_bytes, spilled regs around bounds",
3054                 .insns = {
3055                         BPF_MOV64_IMM(BPF_REG_2, 4),
3056                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3057                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3058                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3059                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3060                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3061                         BPF_MOV64_IMM(BPF_REG_4, 8),
3062                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3063                                      BPF_FUNC_skb_load_bytes),
3064                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3065                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3066                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3067                                     offsetof(struct __sk_buff, mark)),
3068                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3069                                     offsetof(struct __sk_buff, priority)),
3070                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3071                         BPF_EXIT_INSN(),
3072                 },
3073                 .result = ACCEPT,
3074                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3075         },
3076         {
3077                 "raw_stack: skb_load_bytes, spilled regs corruption",
3078                 .insns = {
3079                         BPF_MOV64_IMM(BPF_REG_2, 4),
3080                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3081                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3082                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3083                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3084                         BPF_MOV64_IMM(BPF_REG_4, 8),
3085                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3086                                      BPF_FUNC_skb_load_bytes),
3087                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3088                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3089                                     offsetof(struct __sk_buff, mark)),
3090                         BPF_EXIT_INSN(),
3091                 },
3092                 .result = REJECT,
3093                 .errstr = "R0 invalid mem access 'inv'",
3094                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3095         },
3096         {
3097                 "raw_stack: skb_load_bytes, spilled regs corruption 2",
3098                 .insns = {
3099                         BPF_MOV64_IMM(BPF_REG_2, 4),
3100                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3101                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3102                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3103                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
3104                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3105                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3106                         BPF_MOV64_IMM(BPF_REG_4, 8),
3107                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3108                                      BPF_FUNC_skb_load_bytes),
3109                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3110                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3111                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
3112                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3113                                     offsetof(struct __sk_buff, mark)),
3114                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3115                                     offsetof(struct __sk_buff, priority)),
3116                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3117                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3118                                     offsetof(struct __sk_buff, pkt_type)),
3119                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3120                         BPF_EXIT_INSN(),
3121                 },
3122                 .result = REJECT,
3123                 .errstr = "R3 invalid mem access 'inv'",
3124                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3125         },
3126         {
3127                 "raw_stack: skb_load_bytes, spilled regs + data",
3128                 .insns = {
3129                         BPF_MOV64_IMM(BPF_REG_2, 4),
3130                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3131                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3132                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3133                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
3134                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3135                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3136                         BPF_MOV64_IMM(BPF_REG_4, 8),
3137                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3138                                      BPF_FUNC_skb_load_bytes),
3139                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3140                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3141                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
3142                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3143                                     offsetof(struct __sk_buff, mark)),
3144                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3145                                     offsetof(struct __sk_buff, priority)),
3146                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3147                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3148                         BPF_EXIT_INSN(),
3149                 },
3150                 .result = ACCEPT,
3151                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3152         },
3153         {
3154                 "raw_stack: skb_load_bytes, invalid access 1",
3155                 .insns = {
3156                         BPF_MOV64_IMM(BPF_REG_2, 4),
3157                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3158                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3159                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3160                         BPF_MOV64_IMM(BPF_REG_4, 8),
3161                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3162                                      BPF_FUNC_skb_load_bytes),
3163                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3164                         BPF_EXIT_INSN(),
3165                 },
3166                 .result = REJECT,
3167                 .errstr = "invalid stack type R3 off=-513 access_size=8",
3168                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3169         },
3170         {
3171                 "raw_stack: skb_load_bytes, invalid access 2",
3172                 .insns = {
3173                         BPF_MOV64_IMM(BPF_REG_2, 4),
3174                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3175                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3176                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3177                         BPF_MOV64_IMM(BPF_REG_4, 8),
3178                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3179                                      BPF_FUNC_skb_load_bytes),
3180                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3181                         BPF_EXIT_INSN(),
3182                 },
3183                 .result = REJECT,
3184                 .errstr = "invalid stack type R3 off=-1 access_size=8",
3185                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3186         },
3187         {
3188                 "raw_stack: skb_load_bytes, invalid access 3",
3189                 .insns = {
3190                         BPF_MOV64_IMM(BPF_REG_2, 4),
3191                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3192                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3193                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3194                         BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3195                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3196                                      BPF_FUNC_skb_load_bytes),
3197                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3198                         BPF_EXIT_INSN(),
3199                 },
3200                 .result = REJECT,
3201                 .errstr = "R4 min value is negative",
3202                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3203         },
3204         {
3205                 "raw_stack: skb_load_bytes, invalid access 4",
3206                 .insns = {
3207                         BPF_MOV64_IMM(BPF_REG_2, 4),
3208                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3209                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3210                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3211                         BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3212                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3213                                      BPF_FUNC_skb_load_bytes),
3214                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3215                         BPF_EXIT_INSN(),
3216                 },
3217                 .result = REJECT,
3218                 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3219                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3220         },
3221         {
3222                 "raw_stack: skb_load_bytes, invalid access 5",
3223                 .insns = {
3224                         BPF_MOV64_IMM(BPF_REG_2, 4),
3225                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3226                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3227                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3228                         BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3229                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3230                                      BPF_FUNC_skb_load_bytes),
3231                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3232                         BPF_EXIT_INSN(),
3233                 },
3234                 .result = REJECT,
3235                 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3236                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3237         },
3238         {
3239                 "raw_stack: skb_load_bytes, invalid access 6",
3240                 .insns = {
3241                         BPF_MOV64_IMM(BPF_REG_2, 4),
3242                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3243                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3244                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3245                         BPF_MOV64_IMM(BPF_REG_4, 0),
3246                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3247                                      BPF_FUNC_skb_load_bytes),
3248                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3249                         BPF_EXIT_INSN(),
3250                 },
3251                 .result = REJECT,
3252                 .errstr = "invalid stack type R3 off=-512 access_size=0",
3253                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3254         },
3255         {
3256                 "raw_stack: skb_load_bytes, large access",
3257                 .insns = {
3258                         BPF_MOV64_IMM(BPF_REG_2, 4),
3259                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3260                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3261                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3262                         BPF_MOV64_IMM(BPF_REG_4, 512),
3263                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3264                                      BPF_FUNC_skb_load_bytes),
3265                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3266                         BPF_EXIT_INSN(),
3267                 },
3268                 .result = ACCEPT,
3269                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3270         },
3271         {
3272                 "context stores via ST",
3273                 .insns = {
3274                         BPF_MOV64_IMM(BPF_REG_0, 0),
3275                         BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3276                         BPF_EXIT_INSN(),
3277                 },
3278                 .errstr = "BPF_ST stores into R1 context is not allowed",
3279                 .result = REJECT,
3280                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3281         },
3282         {
3283                 "context stores via XADD",
3284                 .insns = {
3285                         BPF_MOV64_IMM(BPF_REG_0, 0),
3286                         BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3287                                      BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3288                         BPF_EXIT_INSN(),
3289                 },
3290                 .errstr = "BPF_XADD stores into R1 context is not allowed",
3291                 .result = REJECT,
3292                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3293         },
3294         {
3295                 "direct packet access: test1",
3296                 .insns = {
3297                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3298                                     offsetof(struct __sk_buff, data)),
3299                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3300                                     offsetof(struct __sk_buff, data_end)),
3301                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3302                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3303                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3304                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3305                         BPF_MOV64_IMM(BPF_REG_0, 0),
3306                         BPF_EXIT_INSN(),
3307                 },
3308                 .result = ACCEPT,
3309                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3310         },
3311         {
3312                 "direct packet access: test2",
3313                 .insns = {
3314                         BPF_MOV64_IMM(BPF_REG_0, 1),
3315                         BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3316                                     offsetof(struct __sk_buff, data_end)),
3317                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3318                                     offsetof(struct __sk_buff, data)),
3319                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3320                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3321                         BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3322                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3323                         BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3324                         BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3325                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3326                                     offsetof(struct __sk_buff, data)),
3327                         BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3328                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3329                                     offsetof(struct __sk_buff, len)),
3330                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3331                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3332                         BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3333                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3334                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3335                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3336                                     offsetof(struct __sk_buff, data_end)),
3337                         BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3338                         BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3339                         BPF_MOV64_IMM(BPF_REG_0, 0),
3340                         BPF_EXIT_INSN(),
3341                 },
3342                 .result = ACCEPT,
3343                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3344         },
3345         {
3346                 "direct packet access: test3",
3347                 .insns = {
3348                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3349                                     offsetof(struct __sk_buff, data)),
3350                         BPF_MOV64_IMM(BPF_REG_0, 0),
3351                         BPF_EXIT_INSN(),
3352                 },
3353                 .errstr = "invalid bpf_context access off=76",
3354                 .result = REJECT,
3355                 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3356         },
3357         {
3358                 "direct packet access: test4 (write)",
3359                 .insns = {
3360                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3361                                     offsetof(struct __sk_buff, data)),
3362                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3363                                     offsetof(struct __sk_buff, data_end)),
3364                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3365                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3366                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3367                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3368                         BPF_MOV64_IMM(BPF_REG_0, 0),
3369                         BPF_EXIT_INSN(),
3370                 },
3371                 .result = ACCEPT,
3372                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3373         },
3374         {
3375                 "direct packet access: test5 (pkt_end >= reg, good access)",
3376                 .insns = {
3377                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3378                                     offsetof(struct __sk_buff, data)),
3379                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3380                                     offsetof(struct __sk_buff, data_end)),
3381                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3382                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3383                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3384                         BPF_MOV64_IMM(BPF_REG_0, 1),
3385                         BPF_EXIT_INSN(),
3386                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3387                         BPF_MOV64_IMM(BPF_REG_0, 0),
3388                         BPF_EXIT_INSN(),
3389                 },
3390                 .result = ACCEPT,
3391                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3392         },
3393         {
3394                 "direct packet access: test6 (pkt_end >= reg, bad access)",
3395                 .insns = {
3396                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3397                                     offsetof(struct __sk_buff, data)),
3398                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3399                                     offsetof(struct __sk_buff, data_end)),
3400                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3401                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3402                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3403                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3404                         BPF_MOV64_IMM(BPF_REG_0, 1),
3405                         BPF_EXIT_INSN(),
3406                         BPF_MOV64_IMM(BPF_REG_0, 0),
3407                         BPF_EXIT_INSN(),
3408                 },
3409                 .errstr = "invalid access to packet",
3410                 .result = REJECT,
3411                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3412         },
3413         {
3414                 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3415                 .insns = {
3416                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3417                                     offsetof(struct __sk_buff, data)),
3418                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3419                                     offsetof(struct __sk_buff, data_end)),
3420                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3421                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3422                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3423                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3424                         BPF_MOV64_IMM(BPF_REG_0, 1),
3425                         BPF_EXIT_INSN(),
3426                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3427                         BPF_MOV64_IMM(BPF_REG_0, 0),
3428                         BPF_EXIT_INSN(),
3429                 },
3430                 .errstr = "invalid access to packet",
3431                 .result = REJECT,
3432                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3433         },
3434         {
3435                 "direct packet access: test8 (double test, variant 1)",
3436                 .insns = {
3437                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3438                                     offsetof(struct __sk_buff, data)),
3439                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3440                                     offsetof(struct __sk_buff, data_end)),
3441                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3442                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3443                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3444                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3445                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3446                         BPF_MOV64_IMM(BPF_REG_0, 1),
3447                         BPF_EXIT_INSN(),
3448                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3449                         BPF_MOV64_IMM(BPF_REG_0, 0),
3450                         BPF_EXIT_INSN(),
3451                 },
3452                 .result = ACCEPT,
3453                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3454         },
3455         {
3456                 "direct packet access: test9 (double test, variant 2)",
3457                 .insns = {
3458                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3459                                     offsetof(struct __sk_buff, data)),
3460                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3461                                     offsetof(struct __sk_buff, data_end)),
3462                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3463                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3464                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3465                         BPF_MOV64_IMM(BPF_REG_0, 1),
3466                         BPF_EXIT_INSN(),
3467                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3468                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3469                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3470                         BPF_MOV64_IMM(BPF_REG_0, 0),
3471                         BPF_EXIT_INSN(),
3472                 },
3473                 .result = ACCEPT,
3474                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3475         },
3476         {
3477                 "direct packet access: test10 (write invalid)",
3478                 .insns = {
3479                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3480                                     offsetof(struct __sk_buff, data)),
3481                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3482                                     offsetof(struct __sk_buff, data_end)),
3483                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3484                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3485                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3486                         BPF_MOV64_IMM(BPF_REG_0, 0),
3487                         BPF_EXIT_INSN(),
3488                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3489                         BPF_MOV64_IMM(BPF_REG_0, 0),
3490                         BPF_EXIT_INSN(),
3491                 },
3492                 .errstr = "invalid access to packet",
3493                 .result = REJECT,
3494                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3495         },
3496         {
3497                 "direct packet access: test11 (shift, good access)",
3498                 .insns = {
3499                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3500                                     offsetof(struct __sk_buff, data)),
3501                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3502                                     offsetof(struct __sk_buff, data_end)),
3503                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3504                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3505                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3506                         BPF_MOV64_IMM(BPF_REG_3, 144),
3507                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3508                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3509                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3510                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3511                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3512                         BPF_MOV64_IMM(BPF_REG_0, 1),
3513                         BPF_EXIT_INSN(),
3514                         BPF_MOV64_IMM(BPF_REG_0, 0),
3515                         BPF_EXIT_INSN(),
3516                 },
3517                 .result = ACCEPT,
3518                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3519                 .retval = 1,
3520         },
3521         {
3522                 "direct packet access: test12 (and, good access)",
3523                 .insns = {
3524                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3525                                     offsetof(struct __sk_buff, data)),
3526                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3527                                     offsetof(struct __sk_buff, data_end)),
3528                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3529                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3530                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3531                         BPF_MOV64_IMM(BPF_REG_3, 144),
3532                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3533                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3534                         BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3535                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3536                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3537                         BPF_MOV64_IMM(BPF_REG_0, 1),
3538                         BPF_EXIT_INSN(),
3539                         BPF_MOV64_IMM(BPF_REG_0, 0),
3540                         BPF_EXIT_INSN(),
3541                 },
3542                 .result = ACCEPT,
3543                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3544                 .retval = 1,
3545         },
3546         {
3547                 "direct packet access: test13 (branches, good access)",
3548                 .insns = {
3549                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3550                                     offsetof(struct __sk_buff, data)),
3551                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3552                                     offsetof(struct __sk_buff, data_end)),
3553                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3554                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3555                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3556                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3557                                     offsetof(struct __sk_buff, mark)),
3558                         BPF_MOV64_IMM(BPF_REG_4, 1),
3559                         BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3560                         BPF_MOV64_IMM(BPF_REG_3, 14),
3561                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3562                         BPF_MOV64_IMM(BPF_REG_3, 24),
3563                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3564                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3565                         BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3566                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3567                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3568                         BPF_MOV64_IMM(BPF_REG_0, 1),
3569                         BPF_EXIT_INSN(),
3570                         BPF_MOV64_IMM(BPF_REG_0, 0),
3571                         BPF_EXIT_INSN(),
3572                 },
3573                 .result = ACCEPT,
3574                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3575                 .retval = 1,
3576         },
3577         {
3578                 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3579                 .insns = {
3580                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3581                                     offsetof(struct __sk_buff, data)),
3582                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3583                                     offsetof(struct __sk_buff, data_end)),
3584                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3585                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3586                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3587                         BPF_MOV64_IMM(BPF_REG_5, 12),
3588                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3589                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3590                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3591                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3592                         BPF_MOV64_IMM(BPF_REG_0, 1),
3593                         BPF_EXIT_INSN(),
3594                         BPF_MOV64_IMM(BPF_REG_0, 0),
3595                         BPF_EXIT_INSN(),
3596                 },
3597                 .result = ACCEPT,
3598                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3599                 .retval = 1,
3600         },
3601         {
3602                 "direct packet access: test15 (spill with xadd)",
3603                 .insns = {
3604                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3605                                     offsetof(struct __sk_buff, data)),
3606                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3607                                     offsetof(struct __sk_buff, data_end)),
3608                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3609                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3610                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3611                         BPF_MOV64_IMM(BPF_REG_5, 4096),
3612                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3613                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3614                         BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3615                         BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3616                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3617                         BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3618                         BPF_MOV64_IMM(BPF_REG_0, 0),
3619                         BPF_EXIT_INSN(),
3620                 },
3621                 .errstr = "R2 invalid mem access 'inv'",
3622                 .result = REJECT,
3623                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3624         },
3625         {
3626                 "direct packet access: test16 (arith on data_end)",
3627                 .insns = {
3628                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3629                                     offsetof(struct __sk_buff, data)),
3630                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3631                                     offsetof(struct __sk_buff, data_end)),
3632                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3633                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3634                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3635                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3636                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3637                         BPF_MOV64_IMM(BPF_REG_0, 0),
3638                         BPF_EXIT_INSN(),
3639                 },
3640                 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3641                 .result = REJECT,
3642                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3643         },
3644         {
3645                 "direct packet access: test17 (pruning, alignment)",
3646                 .insns = {
3647                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3648                                     offsetof(struct __sk_buff, data)),
3649                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3650                                     offsetof(struct __sk_buff, data_end)),
3651                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3652                                     offsetof(struct __sk_buff, mark)),
3653                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3654                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3655                         BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3656                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3657                         BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3658                         BPF_MOV64_IMM(BPF_REG_0, 0),
3659                         BPF_EXIT_INSN(),
3660                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3661                         BPF_JMP_A(-6),
3662                 },
3663                 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3664                 .result = REJECT,
3665                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3666                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3667         },
3668         {
3669                 "direct packet access: test18 (imm += pkt_ptr, 1)",
3670                 .insns = {
3671                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3672                                     offsetof(struct __sk_buff, data)),
3673                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3674                                     offsetof(struct __sk_buff, data_end)),
3675                         BPF_MOV64_IMM(BPF_REG_0, 8),
3676                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3677                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3678                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3679                         BPF_MOV64_IMM(BPF_REG_0, 0),
3680                         BPF_EXIT_INSN(),
3681                 },
3682                 .result = ACCEPT,
3683                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3684         },
3685         {
3686                 "direct packet access: test19 (imm += pkt_ptr, 2)",
3687                 .insns = {
3688                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3689                                     offsetof(struct __sk_buff, data)),
3690                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3691                                     offsetof(struct __sk_buff, data_end)),
3692                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3693                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3694                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3695                         BPF_MOV64_IMM(BPF_REG_4, 4),
3696                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3697                         BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3698                         BPF_MOV64_IMM(BPF_REG_0, 0),
3699                         BPF_EXIT_INSN(),
3700                 },
3701                 .result = ACCEPT,
3702                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3703         },
3704         {
3705                 "direct packet access: test20 (x += pkt_ptr, 1)",
3706                 .insns = {
3707                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3708                                     offsetof(struct __sk_buff, data)),
3709                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3710                                     offsetof(struct __sk_buff, data_end)),
3711                         BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3712                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3713                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3714                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3715                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3716                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3717                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3718                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3719                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3720                         BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3721                         BPF_MOV64_IMM(BPF_REG_0, 0),
3722                         BPF_EXIT_INSN(),
3723                 },
3724                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3725                 .result = ACCEPT,
3726         },
3727         {
3728                 "direct packet access: test21 (x += pkt_ptr, 2)",
3729                 .insns = {
3730                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3731                                     offsetof(struct __sk_buff, data)),
3732                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3733                                     offsetof(struct __sk_buff, data_end)),
3734                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3735                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3736                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3737                         BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3738                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3739                         BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3740                         BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3741                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3742                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3743                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3744                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3745                         BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3746                         BPF_MOV64_IMM(BPF_REG_0, 0),
3747                         BPF_EXIT_INSN(),
3748                 },
3749                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3750                 .result = ACCEPT,
3751         },
3752         {
3753                 "direct packet access: test22 (x += pkt_ptr, 3)",
3754                 .insns = {
3755                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3756                                     offsetof(struct __sk_buff, data)),
3757                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3758                                     offsetof(struct __sk_buff, data_end)),
3759                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3760                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3761                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3762                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3763                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3764                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3765                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3766                         BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3767                         BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3768                         BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3769                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3770                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3771                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3772                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3773                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3774                         BPF_MOV64_IMM(BPF_REG_2, 1),
3775                         BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3776                         BPF_MOV64_IMM(BPF_REG_0, 0),
3777                         BPF_EXIT_INSN(),
3778                 },
3779                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3780                 .result = ACCEPT,
3781         },
3782         {
3783                 "direct packet access: test23 (x += pkt_ptr, 4)",
3784                 .insns = {
3785                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3786                                     offsetof(struct __sk_buff, data)),
3787                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3788                                     offsetof(struct __sk_buff, data_end)),
3789                         BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3790                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3791                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3792                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3793                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3794                         BPF_MOV64_IMM(BPF_REG_0, 31),
3795                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3796                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3797                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3798                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3799                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3800                         BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3801                         BPF_MOV64_IMM(BPF_REG_0, 0),
3802                         BPF_EXIT_INSN(),
3803                 },
3804                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3805                 .result = REJECT,
3806                 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3807         },
3808         {
3809                 "direct packet access: test24 (x += pkt_ptr, 5)",
3810                 .insns = {
3811                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3812                                     offsetof(struct __sk_buff, data)),
3813                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3814                                     offsetof(struct __sk_buff, data_end)),
3815                         BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3816                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3817                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3818                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3819                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3820                         BPF_MOV64_IMM(BPF_REG_0, 64),
3821                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3822                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3823                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3824                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3825                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3826                         BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3827                         BPF_MOV64_IMM(BPF_REG_0, 0),
3828                         BPF_EXIT_INSN(),
3829                 },
3830                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3831                 .result = ACCEPT,
3832         },
3833         {
3834                 "direct packet access: test25 (marking on <, good access)",
3835                 .insns = {
3836                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3837                                     offsetof(struct __sk_buff, data)),
3838                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3839                                     offsetof(struct __sk_buff, data_end)),
3840                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3841                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3842                         BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3843                         BPF_MOV64_IMM(BPF_REG_0, 0),
3844                         BPF_EXIT_INSN(),
3845                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3846                         BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3847                 },
3848                 .result = ACCEPT,
3849                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3850         },
3851         {
3852                 "direct packet access: test26 (marking on <, bad access)",
3853                 .insns = {
3854                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3855                                     offsetof(struct __sk_buff, data)),
3856                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3857                                     offsetof(struct __sk_buff, data_end)),
3858                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3859                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3860                         BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3861                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3862                         BPF_MOV64_IMM(BPF_REG_0, 0),
3863                         BPF_EXIT_INSN(),
3864                         BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3865                 },
3866                 .result = REJECT,
3867                 .errstr = "invalid access to packet",
3868                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3869         },
3870         {
3871                 "direct packet access: test27 (marking on <=, good access)",
3872                 .insns = {
3873                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3874                                     offsetof(struct __sk_buff, data)),
3875                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3876                                     offsetof(struct __sk_buff, data_end)),
3877                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3878                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3879                         BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3880                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3881                         BPF_MOV64_IMM(BPF_REG_0, 1),
3882                         BPF_EXIT_INSN(),
3883                 },
3884                 .result = ACCEPT,
3885                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3886                 .retval = 1,
3887         },
3888         {
3889                 "direct packet access: test28 (marking on <=, bad access)",
3890                 .insns = {
3891                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3892                                     offsetof(struct __sk_buff, data)),
3893                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3894                                     offsetof(struct __sk_buff, data_end)),
3895                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3896                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3897                         BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3898                         BPF_MOV64_IMM(BPF_REG_0, 1),
3899                         BPF_EXIT_INSN(),
3900                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3901                         BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3902                 },
3903                 .result = REJECT,
3904                 .errstr = "invalid access to packet",
3905                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3906         },
3907         {
3908                 "helper access to packet: test1, valid packet_ptr range",
3909                 .insns = {
3910                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3911                                     offsetof(struct xdp_md, data)),
3912                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3913                                     offsetof(struct xdp_md, data_end)),
3914                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3915                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3916                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3917                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3918                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3919                         BPF_MOV64_IMM(BPF_REG_4, 0),
3920                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3921                                      BPF_FUNC_map_update_elem),
3922                         BPF_MOV64_IMM(BPF_REG_0, 0),
3923                         BPF_EXIT_INSN(),
3924                 },
3925                 .fixup_map1 = { 5 },
3926                 .result_unpriv = ACCEPT,
3927                 .result = ACCEPT,
3928                 .prog_type = BPF_PROG_TYPE_XDP,
3929         },
3930         {
3931                 "helper access to packet: test2, unchecked packet_ptr",
3932                 .insns = {
3933                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3934                                     offsetof(struct xdp_md, data)),
3935                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3936                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3937                                      BPF_FUNC_map_lookup_elem),
3938                         BPF_MOV64_IMM(BPF_REG_0, 0),
3939                         BPF_EXIT_INSN(),
3940                 },
3941                 .fixup_map1 = { 1 },
3942                 .result = REJECT,
3943                 .errstr = "invalid access to packet",
3944                 .prog_type = BPF_PROG_TYPE_XDP,
3945         },
3946         {
3947                 "helper access to packet: test3, variable add",
3948                 .insns = {
3949                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3950                                         offsetof(struct xdp_md, data)),
3951                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3952                                         offsetof(struct xdp_md, data_end)),
3953                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3954                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3955                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3956                         BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3957                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3958                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3959                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3960                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3961                         BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3962                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3963                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3964                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3965                                      BPF_FUNC_map_lookup_elem),
3966                         BPF_MOV64_IMM(BPF_REG_0, 0),
3967                         BPF_EXIT_INSN(),
3968                 },
3969                 .fixup_map1 = { 11 },
3970                 .result = ACCEPT,
3971                 .prog_type = BPF_PROG_TYPE_XDP,
3972         },
3973         {
3974                 "helper access to packet: test4, packet_ptr with bad range",
3975                 .insns = {
3976                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3977                                     offsetof(struct xdp_md, data)),
3978                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3979                                     offsetof(struct xdp_md, data_end)),
3980                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3981                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3982                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3983                         BPF_MOV64_IMM(BPF_REG_0, 0),
3984                         BPF_EXIT_INSN(),
3985                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3986                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3987                                      BPF_FUNC_map_lookup_elem),
3988                         BPF_MOV64_IMM(BPF_REG_0, 0),
3989                         BPF_EXIT_INSN(),
3990                 },
3991                 .fixup_map1 = { 7 },
3992                 .result = REJECT,
3993                 .errstr = "invalid access to packet",
3994                 .prog_type = BPF_PROG_TYPE_XDP,
3995         },
3996         {
3997                 "helper access to packet: test5, packet_ptr with too short range",
3998                 .insns = {
3999                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4000                                     offsetof(struct xdp_md, data)),
4001                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4002                                     offsetof(struct xdp_md, data_end)),
4003                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4004                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4005                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4006                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4007                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4008                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4009                                      BPF_FUNC_map_lookup_elem),
4010                         BPF_MOV64_IMM(BPF_REG_0, 0),
4011                         BPF_EXIT_INSN(),
4012                 },
4013                 .fixup_map1 = { 6 },
4014                 .result = REJECT,
4015                 .errstr = "invalid access to packet",
4016                 .prog_type = BPF_PROG_TYPE_XDP,
4017         },
4018         {
4019                 "helper access to packet: test6, cls valid packet_ptr range",
4020                 .insns = {
4021                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4022                                     offsetof(struct __sk_buff, data)),
4023                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4024                                     offsetof(struct __sk_buff, data_end)),
4025                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4026                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4027                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4028                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4029                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4030                         BPF_MOV64_IMM(BPF_REG_4, 0),
4031                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4032                                      BPF_FUNC_map_update_elem),
4033                         BPF_MOV64_IMM(BPF_REG_0, 0),
4034                         BPF_EXIT_INSN(),
4035                 },
4036                 .fixup_map1 = { 5 },
4037                 .result = ACCEPT,
4038                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4039         },
4040         {
4041                 "helper access to packet: test7, cls unchecked packet_ptr",
4042                 .insns = {
4043                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4044                                     offsetof(struct __sk_buff, data)),
4045                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4046                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4047                                      BPF_FUNC_map_lookup_elem),
4048                         BPF_MOV64_IMM(BPF_REG_0, 0),
4049                         BPF_EXIT_INSN(),
4050                 },
4051                 .fixup_map1 = { 1 },
4052                 .result = REJECT,
4053                 .errstr = "invalid access to packet",
4054                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4055         },
4056         {
4057                 "helper access to packet: test8, cls variable add",
4058                 .insns = {
4059                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4060                                         offsetof(struct __sk_buff, data)),
4061                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4062                                         offsetof(struct __sk_buff, data_end)),
4063                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4064                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4065                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4066                         BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4067                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4068                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4069                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4070                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4071                         BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4072                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4073                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4074                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4075                                      BPF_FUNC_map_lookup_elem),
4076                         BPF_MOV64_IMM(BPF_REG_0, 0),
4077                         BPF_EXIT_INSN(),
4078                 },
4079                 .fixup_map1 = { 11 },
4080                 .result = ACCEPT,
4081                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4082         },
4083         {
4084                 "helper access to packet: test9, cls packet_ptr with bad range",
4085                 .insns = {
4086                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4087                                     offsetof(struct __sk_buff, data)),
4088                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4089                                     offsetof(struct __sk_buff, data_end)),
4090                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4091                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4092                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4093                         BPF_MOV64_IMM(BPF_REG_0, 0),
4094                         BPF_EXIT_INSN(),
4095                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4096                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4097                                      BPF_FUNC_map_lookup_elem),
4098                         BPF_MOV64_IMM(BPF_REG_0, 0),
4099                         BPF_EXIT_INSN(),
4100                 },
4101                 .fixup_map1 = { 7 },
4102                 .result = REJECT,
4103                 .errstr = "invalid access to packet",
4104                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4105         },
4106         {
4107                 "helper access to packet: test10, cls packet_ptr with too short range",
4108                 .insns = {
4109                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4110                                     offsetof(struct __sk_buff, data)),
4111                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4112                                     offsetof(struct __sk_buff, data_end)),
4113                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4114                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4115                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4116                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4117                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4118                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4119                                      BPF_FUNC_map_lookup_elem),
4120                         BPF_MOV64_IMM(BPF_REG_0, 0),
4121                         BPF_EXIT_INSN(),
4122                 },
4123                 .fixup_map1 = { 6 },
4124                 .result = REJECT,
4125                 .errstr = "invalid access to packet",
4126                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4127         },
4128         {
4129                 "helper access to packet: test11, cls unsuitable helper 1",
4130                 .insns = {
4131                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4132                                     offsetof(struct __sk_buff, data)),
4133                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4134                                     offsetof(struct __sk_buff, data_end)),
4135                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4136                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4137                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4138                         BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4139                         BPF_MOV64_IMM(BPF_REG_2, 0),
4140                         BPF_MOV64_IMM(BPF_REG_4, 42),
4141                         BPF_MOV64_IMM(BPF_REG_5, 0),
4142                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4143                                      BPF_FUNC_skb_store_bytes),
4144                         BPF_MOV64_IMM(BPF_REG_0, 0),
4145                         BPF_EXIT_INSN(),
4146                 },
4147                 .result = REJECT,
4148                 .errstr = "helper access to the packet",
4149                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4150         },
4151         {
4152                 "helper access to packet: test12, cls unsuitable helper 2",
4153                 .insns = {
4154                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4155                                     offsetof(struct __sk_buff, data)),
4156                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4157                                     offsetof(struct __sk_buff, data_end)),
4158                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4159                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4160                         BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4161                         BPF_MOV64_IMM(BPF_REG_2, 0),
4162                         BPF_MOV64_IMM(BPF_REG_4, 4),
4163                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4164                                      BPF_FUNC_skb_load_bytes),
4165                         BPF_MOV64_IMM(BPF_REG_0, 0),
4166                         BPF_EXIT_INSN(),
4167                 },
4168                 .result = REJECT,
4169                 .errstr = "helper access to the packet",
4170                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4171         },
4172         {
4173                 "helper access to packet: test13, cls helper ok",
4174                 .insns = {
4175                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4176                                     offsetof(struct __sk_buff, data)),
4177                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4178                                     offsetof(struct __sk_buff, data_end)),
4179                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4180                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4181                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4182                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4183                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4184                         BPF_MOV64_IMM(BPF_REG_2, 4),
4185                         BPF_MOV64_IMM(BPF_REG_3, 0),
4186                         BPF_MOV64_IMM(BPF_REG_4, 0),
4187                         BPF_MOV64_IMM(BPF_REG_5, 0),
4188                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4189                                      BPF_FUNC_csum_diff),
4190                         BPF_MOV64_IMM(BPF_REG_0, 0),
4191                         BPF_EXIT_INSN(),
4192                 },
4193                 .result = ACCEPT,
4194                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4195         },
4196         {
4197                 "helper access to packet: test14, cls helper ok sub",
4198                 .insns = {
4199                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4200                                     offsetof(struct __sk_buff, data)),
4201                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4202                                     offsetof(struct __sk_buff, data_end)),
4203                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4204                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4205                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4206                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4207                         BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4208                         BPF_MOV64_IMM(BPF_REG_2, 4),
4209                         BPF_MOV64_IMM(BPF_REG_3, 0),
4210                         BPF_MOV64_IMM(BPF_REG_4, 0),
4211                         BPF_MOV64_IMM(BPF_REG_5, 0),
4212                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4213                                      BPF_FUNC_csum_diff),
4214                         BPF_MOV64_IMM(BPF_REG_0, 0),
4215                         BPF_EXIT_INSN(),
4216                 },
4217                 .result = ACCEPT,
4218                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4219         },
4220         {
4221                 "helper access to packet: test15, cls helper fail sub",
4222                 .insns = {
4223                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4224                                     offsetof(struct __sk_buff, data)),
4225                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4226                                     offsetof(struct __sk_buff, data_end)),
4227                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4228                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4229                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4230                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4231                         BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4232                         BPF_MOV64_IMM(BPF_REG_2, 4),
4233                         BPF_MOV64_IMM(BPF_REG_3, 0),
4234                         BPF_MOV64_IMM(BPF_REG_4, 0),
4235                         BPF_MOV64_IMM(BPF_REG_5, 0),
4236                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4237                                      BPF_FUNC_csum_diff),
4238                         BPF_MOV64_IMM(BPF_REG_0, 0),
4239                         BPF_EXIT_INSN(),
4240                 },
4241                 .result = REJECT,
4242                 .errstr = "invalid access to packet",
4243                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4244         },
4245         {
4246                 "helper access to packet: test16, cls helper fail range 1",
4247                 .insns = {
4248                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4249                                     offsetof(struct __sk_buff, data)),
4250                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4251                                     offsetof(struct __sk_buff, data_end)),
4252                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4253                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4254                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4255                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4256                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4257                         BPF_MOV64_IMM(BPF_REG_2, 8),
4258                         BPF_MOV64_IMM(BPF_REG_3, 0),
4259                         BPF_MOV64_IMM(BPF_REG_4, 0),
4260                         BPF_MOV64_IMM(BPF_REG_5, 0),
4261                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4262                                      BPF_FUNC_csum_diff),
4263                         BPF_MOV64_IMM(BPF_REG_0, 0),
4264                         BPF_EXIT_INSN(),
4265                 },
4266                 .result = REJECT,
4267                 .errstr = "invalid access to packet",
4268                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4269         },
4270         {
4271                 "helper access to packet: test17, cls helper fail range 2",
4272                 .insns = {
4273                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4274                                     offsetof(struct __sk_buff, data)),
4275                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4276                                     offsetof(struct __sk_buff, data_end)),
4277                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4278                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4279                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4280                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4281                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4282                         BPF_MOV64_IMM(BPF_REG_2, -9),
4283                         BPF_MOV64_IMM(BPF_REG_3, 0),
4284                         BPF_MOV64_IMM(BPF_REG_4, 0),
4285                         BPF_MOV64_IMM(BPF_REG_5, 0),
4286                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4287                                      BPF_FUNC_csum_diff),
4288                         BPF_MOV64_IMM(BPF_REG_0, 0),
4289                         BPF_EXIT_INSN(),
4290                 },
4291                 .result = REJECT,
4292                 .errstr = "R2 min value is negative",
4293                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4294         },
4295         {
4296                 "helper access to packet: test18, cls helper fail range 3",
4297                 .insns = {
4298                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4299                                     offsetof(struct __sk_buff, data)),
4300                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4301                                     offsetof(struct __sk_buff, data_end)),
4302                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4303                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4304                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4305                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4306                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4307                         BPF_MOV64_IMM(BPF_REG_2, ~0),
4308                         BPF_MOV64_IMM(BPF_REG_3, 0),
4309                         BPF_MOV64_IMM(BPF_REG_4, 0),
4310                         BPF_MOV64_IMM(BPF_REG_5, 0),
4311                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4312                                      BPF_FUNC_csum_diff),
4313                         BPF_MOV64_IMM(BPF_REG_0, 0),
4314                         BPF_EXIT_INSN(),
4315                 },
4316                 .result = REJECT,
4317                 .errstr = "R2 min value is negative",
4318                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4319         },
4320         {
4321                 "helper access to packet: test19, cls helper range zero",
4322                 .insns = {
4323                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4324                                     offsetof(struct __sk_buff, data)),
4325                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4326                                     offsetof(struct __sk_buff, data_end)),
4327                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4328                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4329                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4330                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4331                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4332                         BPF_MOV64_IMM(BPF_REG_2, 0),
4333                         BPF_MOV64_IMM(BPF_REG_3, 0),
4334                         BPF_MOV64_IMM(BPF_REG_4, 0),
4335                         BPF_MOV64_IMM(BPF_REG_5, 0),
4336                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4337                                      BPF_FUNC_csum_diff),
4338                         BPF_MOV64_IMM(BPF_REG_0, 0),
4339                         BPF_EXIT_INSN(),
4340                 },
4341                 .result = ACCEPT,
4342                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4343         },
4344         {
4345                 "helper access to packet: test20, pkt end as input",
4346                 .insns = {
4347                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4348                                     offsetof(struct __sk_buff, data)),
4349                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4350                                     offsetof(struct __sk_buff, data_end)),
4351                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4352                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4353                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4354                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4355                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4356                         BPF_MOV64_IMM(BPF_REG_2, 4),
4357                         BPF_MOV64_IMM(BPF_REG_3, 0),
4358                         BPF_MOV64_IMM(BPF_REG_4, 0),
4359                         BPF_MOV64_IMM(BPF_REG_5, 0),
4360                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4361                                      BPF_FUNC_csum_diff),
4362                         BPF_MOV64_IMM(BPF_REG_0, 0),
4363                         BPF_EXIT_INSN(),
4364                 },
4365                 .result = REJECT,
4366                 .errstr = "R1 type=pkt_end expected=fp",
4367                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4368         },
4369         {
4370                 "helper access to packet: test21, wrong reg",
4371                 .insns = {
4372                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4373                                     offsetof(struct __sk_buff, data)),
4374                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4375                                     offsetof(struct __sk_buff, data_end)),
4376                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4377                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4378                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4379                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4380                         BPF_MOV64_IMM(BPF_REG_2, 4),
4381                         BPF_MOV64_IMM(BPF_REG_3, 0),
4382                         BPF_MOV64_IMM(BPF_REG_4, 0),
4383                         BPF_MOV64_IMM(BPF_REG_5, 0),
4384                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4385                                      BPF_FUNC_csum_diff),
4386                         BPF_MOV64_IMM(BPF_REG_0, 0),
4387                         BPF_EXIT_INSN(),
4388                 },
4389                 .result = REJECT,
4390                 .errstr = "invalid access to packet",
4391                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4392         },
4393         {
4394                 "valid map access into an array with a constant",
4395                 .insns = {
4396                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4397                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4398                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4399                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4400                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4401                                      BPF_FUNC_map_lookup_elem),
4402                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4403                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4404                                    offsetof(struct test_val, foo)),
4405                         BPF_EXIT_INSN(),
4406                 },
4407                 .fixup_map2 = { 3 },
4408                 .errstr_unpriv = "R0 leaks addr",
4409                 .result_unpriv = REJECT,
4410                 .result = ACCEPT,
4411         },
4412         {
4413                 "valid map access into an array with a register",
4414                 .insns = {
4415                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4416                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4417                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4418                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4419                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4420                                      BPF_FUNC_map_lookup_elem),
4421                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4422                         BPF_MOV64_IMM(BPF_REG_1, 4),
4423                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4424                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4425                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4426                                    offsetof(struct test_val, foo)),
4427                         BPF_EXIT_INSN(),
4428                 },
4429                 .fixup_map2 = { 3 },
4430                 .errstr_unpriv = "R0 leaks addr",
4431                 .result_unpriv = REJECT,
4432                 .result = ACCEPT,
4433                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4434         },
4435         {
4436                 "valid map access into an array with a variable",
4437                 .insns = {
4438                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4439                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4440                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4441                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4442                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4443                                      BPF_FUNC_map_lookup_elem),
4444                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4445                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4446                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4447                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4448                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4449                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4450                                    offsetof(struct test_val, foo)),
4451                         BPF_EXIT_INSN(),
4452                 },
4453                 .fixup_map2 = { 3 },
4454                 .errstr_unpriv = "R0 leaks addr",
4455                 .result_unpriv = REJECT,
4456                 .result = ACCEPT,
4457                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4458         },
4459         {
4460                 "valid map access into an array with a signed variable",
4461                 .insns = {
4462                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4463                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4464                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4465                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4466                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4467                                      BPF_FUNC_map_lookup_elem),
4468                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4469                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4470                         BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4471                         BPF_MOV32_IMM(BPF_REG_1, 0),
4472                         BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4473                         BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4474                         BPF_MOV32_IMM(BPF_REG_1, 0),
4475                         BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4476                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4477                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4478                                    offsetof(struct test_val, foo)),
4479                         BPF_EXIT_INSN(),
4480                 },
4481                 .fixup_map2 = { 3 },
4482                 .errstr_unpriv = "R0 leaks addr",
4483                 .result_unpriv = REJECT,
4484                 .result = ACCEPT,
4485                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4486         },
4487         {
4488                 "invalid map access into an array with a constant",
4489                 .insns = {
4490                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4491                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4492                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4493                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4494                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4495                                      BPF_FUNC_map_lookup_elem),
4496                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4497                         BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4498                                    offsetof(struct test_val, foo)),
4499                         BPF_EXIT_INSN(),
4500                 },
4501                 .fixup_map2 = { 3 },
4502                 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4503                 .result = REJECT,
4504         },
4505         {
4506                 "invalid map access into an array with a register",
4507                 .insns = {
4508                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4509                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4510                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4511                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4512                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4513                                      BPF_FUNC_map_lookup_elem),
4514                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4515                         BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4516                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4517                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4518                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4519                                    offsetof(struct test_val, foo)),
4520                         BPF_EXIT_INSN(),
4521                 },
4522                 .fixup_map2 = { 3 },
4523                 .errstr = "R0 min value is outside of the array range",
4524                 .result = REJECT,
4525                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4526         },
4527         {
4528                 "invalid map access into an array with a variable",
4529                 .insns = {
4530                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4531                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4532                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4533                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4534                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4535                                      BPF_FUNC_map_lookup_elem),
4536                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4537                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4538                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4539                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4540                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4541                                    offsetof(struct test_val, foo)),
4542                         BPF_EXIT_INSN(),
4543                 },
4544                 .fixup_map2 = { 3 },
4545                 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4546                 .result = REJECT,
4547                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4548         },
4549         {
4550                 "invalid map access into an array with no floor check",
4551                 .insns = {
4552                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4553                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4554                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4555                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4556                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4557                                      BPF_FUNC_map_lookup_elem),
4558                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4559                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4560                         BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4561                         BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4562                         BPF_MOV32_IMM(BPF_REG_1, 0),
4563                         BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4564                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4565                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4566                                    offsetof(struct test_val, foo)),
4567                         BPF_EXIT_INSN(),
4568                 },
4569                 .fixup_map2 = { 3 },
4570                 .errstr_unpriv = "R0 leaks addr",
4571                 .errstr = "R0 unbounded memory access",
4572                 .result_unpriv = REJECT,
4573                 .result = REJECT,
4574                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4575         },
4576         {
4577                 "invalid map access into an array with a invalid max check",
4578                 .insns = {
4579                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4580                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4581                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4582                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4583                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4584                                      BPF_FUNC_map_lookup_elem),
4585                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4586                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4587                         BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4588                         BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4589                         BPF_MOV32_IMM(BPF_REG_1, 0),
4590                         BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4591                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4592                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4593                                    offsetof(struct test_val, foo)),
4594                         BPF_EXIT_INSN(),
4595                 },
4596                 .fixup_map2 = { 3 },
4597                 .errstr_unpriv = "R0 leaks addr",
4598                 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
4599                 .result_unpriv = REJECT,
4600                 .result = REJECT,
4601                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4602         },
4603         {
4604                 "invalid map access into an array with a invalid max check",
4605                 .insns = {
4606                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4607                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4608                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4609                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4610                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4611                                      BPF_FUNC_map_lookup_elem),
4612                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4613                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4614                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4615                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4616                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4617                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4618                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4619                                      BPF_FUNC_map_lookup_elem),
4620                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4621                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4622                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4623                                     offsetof(struct test_val, foo)),
4624                         BPF_EXIT_INSN(),
4625                 },
4626                 .fixup_map2 = { 3, 11 },
4627                 .errstr = "R0 pointer += pointer",
4628                 .result = REJECT,
4629                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4630         },
4631         {
4632                 "valid cgroup storage access",
4633                 .insns = {
4634                         BPF_MOV64_IMM(BPF_REG_2, 0),
4635                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4636                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4637                                      BPF_FUNC_get_local_storage),
4638                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4639                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4640                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4641                         BPF_EXIT_INSN(),
4642                 },
4643                 .fixup_cgroup_storage = { 1 },
4644                 .result = ACCEPT,
4645                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4646         },
4647         {
4648                 "invalid cgroup storage access 1",
4649                 .insns = {
4650                         BPF_MOV64_IMM(BPF_REG_2, 0),
4651                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4652                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4653                                      BPF_FUNC_get_local_storage),
4654                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4655                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4656                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4657                         BPF_EXIT_INSN(),
4658                 },
4659                 .fixup_map1 = { 1 },
4660                 .result = REJECT,
4661                 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
4662                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4663         },
4664         {
4665                 "invalid cgroup storage access 2",
4666                 .insns = {
4667                         BPF_MOV64_IMM(BPF_REG_2, 0),
4668                         BPF_LD_MAP_FD(BPF_REG_1, 1),
4669                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4670                                      BPF_FUNC_get_local_storage),
4671                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4672                         BPF_EXIT_INSN(),
4673                 },
4674                 .result = REJECT,
4675                 .errstr = "fd 1 is not pointing to valid bpf_map",
4676                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4677         },
4678         {
4679                 "invalid per-cgroup storage access 3",
4680                 .insns = {
4681                         BPF_MOV64_IMM(BPF_REG_2, 0),
4682                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4683                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4684                                      BPF_FUNC_get_local_storage),
4685                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
4686                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4687                         BPF_MOV64_IMM(BPF_REG_0, 0),
4688                         BPF_EXIT_INSN(),
4689                 },
4690                 .fixup_cgroup_storage = { 1 },
4691                 .result = REJECT,
4692                 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
4693                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4694         },
4695         {
4696                 "invalid cgroup storage access 4",
4697                 .insns = {
4698                         BPF_MOV64_IMM(BPF_REG_2, 0),
4699                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4700                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4701                                      BPF_FUNC_get_local_storage),
4702                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
4703                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4704                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4705                         BPF_EXIT_INSN(),
4706                 },
4707                 .fixup_cgroup_storage = { 1 },
4708                 .result = REJECT,
4709                 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
4710                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4711         },
4712         {
4713                 "invalid cgroup storage access 5",
4714                 .insns = {
4715                         BPF_MOV64_IMM(BPF_REG_2, 7),
4716                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4717                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4718                                      BPF_FUNC_get_local_storage),
4719                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4720                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4721                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4722                         BPF_EXIT_INSN(),
4723                 },
4724                 .fixup_cgroup_storage = { 1 },
4725                 .result = REJECT,
4726                 .errstr = "get_local_storage() doesn't support non-zero flags",
4727                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4728         },
4729         {
4730                 "invalid cgroup storage access 6",
4731                 .insns = {
4732                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
4733                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4734                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4735                                      BPF_FUNC_get_local_storage),
4736                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4737                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
4738                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
4739                         BPF_EXIT_INSN(),
4740                 },
4741                 .fixup_cgroup_storage = { 1 },
4742                 .result = REJECT,
4743                 .errstr = "get_local_storage() doesn't support non-zero flags",
4744                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
4745         },
4746         {
4747                 "multiple registers share map_lookup_elem result",
4748                 .insns = {
4749                         BPF_MOV64_IMM(BPF_REG_1, 10),
4750                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4751                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4752                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4753                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4754                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4755                                      BPF_FUNC_map_lookup_elem),
4756                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4757                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4758                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4759                         BPF_EXIT_INSN(),
4760                 },
4761                 .fixup_map1 = { 4 },
4762                 .result = ACCEPT,
4763                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4764         },
4765         {
4766                 "alu ops on ptr_to_map_value_or_null, 1",
4767                 .insns = {
4768                         BPF_MOV64_IMM(BPF_REG_1, 10),
4769                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4770                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4771                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4772                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4773                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4774                                      BPF_FUNC_map_lookup_elem),
4775                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4776                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4777                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4778                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4779                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4780                         BPF_EXIT_INSN(),
4781                 },
4782                 .fixup_map1 = { 4 },
4783                 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4784                 .result = REJECT,
4785                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4786         },
4787         {
4788                 "alu ops on ptr_to_map_value_or_null, 2",
4789                 .insns = {
4790                         BPF_MOV64_IMM(BPF_REG_1, 10),
4791                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4792                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4793                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4794                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4795                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4796                                      BPF_FUNC_map_lookup_elem),
4797                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4798                         BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4799                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4800                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4801                         BPF_EXIT_INSN(),
4802                 },
4803                 .fixup_map1 = { 4 },
4804                 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4805                 .result = REJECT,
4806                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4807         },
4808         {
4809                 "alu ops on ptr_to_map_value_or_null, 3",
4810                 .insns = {
4811                         BPF_MOV64_IMM(BPF_REG_1, 10),
4812                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4813                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4814                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4815                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4816                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4817                                      BPF_FUNC_map_lookup_elem),
4818                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4819                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4820                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4821                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4822                         BPF_EXIT_INSN(),
4823                 },
4824                 .fixup_map1 = { 4 },
4825                 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4826                 .result = REJECT,
4827                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4828         },
4829         {
4830                 "invalid memory access with multiple map_lookup_elem calls",
4831                 .insns = {
4832                         BPF_MOV64_IMM(BPF_REG_1, 10),
4833                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4834                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4835                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4836                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4837                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4838                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4839                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4840                                      BPF_FUNC_map_lookup_elem),
4841                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4842                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4843                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4844                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4845                                      BPF_FUNC_map_lookup_elem),
4846                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4847                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4848                         BPF_EXIT_INSN(),
4849                 },
4850                 .fixup_map1 = { 4 },
4851                 .result = REJECT,
4852                 .errstr = "R4 !read_ok",
4853                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4854         },
4855         {
4856                 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4857                 .insns = {
4858                         BPF_MOV64_IMM(BPF_REG_1, 10),
4859                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4860                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4861                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4862                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4863                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4864                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4865                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4866                                      BPF_FUNC_map_lookup_elem),
4867                         BPF_MOV64_IMM(BPF_REG_2, 10),
4868                         BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4869                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4870                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4871                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4872                                      BPF_FUNC_map_lookup_elem),
4873                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4874                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4875                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4876                         BPF_EXIT_INSN(),
4877                 },
4878                 .fixup_map1 = { 4 },
4879                 .result = ACCEPT,
4880                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4881         },
4882         {
4883                 "invalid map access from else condition",
4884                 .insns = {
4885                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4886                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4887                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4888                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4889                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4890                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4891                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4892                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4893                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4894                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4895                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4896                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4897                         BPF_EXIT_INSN(),
4898                 },
4899                 .fixup_map2 = { 3 },
4900                 .errstr = "R0 unbounded memory access",
4901                 .result = REJECT,
4902                 .errstr_unpriv = "R0 leaks addr",
4903                 .result_unpriv = REJECT,
4904                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4905         },
4906         {
4907                 "constant register |= constant should keep constant type",
4908                 .insns = {
4909                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4910                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4911                         BPF_MOV64_IMM(BPF_REG_2, 34),
4912                         BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4913                         BPF_MOV64_IMM(BPF_REG_3, 0),
4914                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4915                         BPF_EXIT_INSN(),
4916                 },
4917                 .result = ACCEPT,
4918                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4919         },
4920         {
4921                 "constant register |= constant should not bypass stack boundary checks",
4922                 .insns = {
4923                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4924                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4925                         BPF_MOV64_IMM(BPF_REG_2, 34),
4926                         BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4927                         BPF_MOV64_IMM(BPF_REG_3, 0),
4928                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4929                         BPF_EXIT_INSN(),
4930                 },
4931                 .errstr = "invalid stack type R1 off=-48 access_size=58",
4932                 .result = REJECT,
4933                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4934         },
4935         {
4936                 "constant register |= constant register should keep constant type",
4937                 .insns = {
4938                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4939                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4940                         BPF_MOV64_IMM(BPF_REG_2, 34),
4941                         BPF_MOV64_IMM(BPF_REG_4, 13),
4942                         BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4943                         BPF_MOV64_IMM(BPF_REG_3, 0),
4944                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4945                         BPF_EXIT_INSN(),
4946                 },
4947                 .result = ACCEPT,
4948                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4949         },
4950         {
4951                 "constant register |= constant register should not bypass stack boundary checks",
4952                 .insns = {
4953                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4954                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4955                         BPF_MOV64_IMM(BPF_REG_2, 34),
4956                         BPF_MOV64_IMM(BPF_REG_4, 24),
4957                         BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4958                         BPF_MOV64_IMM(BPF_REG_3, 0),
4959                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4960                         BPF_EXIT_INSN(),
4961                 },
4962                 .errstr = "invalid stack type R1 off=-48 access_size=58",
4963                 .result = REJECT,
4964                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4965         },
4966         {
4967                 "invalid direct packet write for LWT_IN",
4968                 .insns = {
4969                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4970                                     offsetof(struct __sk_buff, data)),
4971                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4972                                     offsetof(struct __sk_buff, data_end)),
4973                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4974                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4975                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4976                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4977                         BPF_MOV64_IMM(BPF_REG_0, 0),
4978                         BPF_EXIT_INSN(),
4979                 },
4980                 .errstr = "cannot write into packet",
4981                 .result = REJECT,
4982                 .prog_type = BPF_PROG_TYPE_LWT_IN,
4983         },
4984         {
4985                 "invalid direct packet write for LWT_OUT",
4986                 .insns = {
4987                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4988                                     offsetof(struct __sk_buff, data)),
4989                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4990                                     offsetof(struct __sk_buff, data_end)),
4991                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4992                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4993                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4994                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4995                         BPF_MOV64_IMM(BPF_REG_0, 0),
4996                         BPF_EXIT_INSN(),
4997                 },
4998                 .errstr = "cannot write into packet",
4999                 .result = REJECT,
5000                 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5001         },
5002         {
5003                 "direct packet write for LWT_XMIT",
5004                 .insns = {
5005                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5006                                     offsetof(struct __sk_buff, data)),
5007                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5008                                     offsetof(struct __sk_buff, data_end)),
5009                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5010                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5011                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5012                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5013                         BPF_MOV64_IMM(BPF_REG_0, 0),
5014                         BPF_EXIT_INSN(),
5015                 },
5016                 .result = ACCEPT,
5017                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5018         },
5019         {
5020                 "direct packet read for LWT_IN",
5021                 .insns = {
5022                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5023                                     offsetof(struct __sk_buff, data)),
5024                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5025                                     offsetof(struct __sk_buff, data_end)),
5026                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5027                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5028                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5029                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5030                         BPF_MOV64_IMM(BPF_REG_0, 0),
5031                         BPF_EXIT_INSN(),
5032                 },
5033                 .result = ACCEPT,
5034                 .prog_type = BPF_PROG_TYPE_LWT_IN,
5035         },
5036         {
5037                 "direct packet read for LWT_OUT",
5038                 .insns = {
5039                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5040                                     offsetof(struct __sk_buff, data)),
5041                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5042                                     offsetof(struct __sk_buff, data_end)),
5043                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5044                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5045                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5046                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5047                         BPF_MOV64_IMM(BPF_REG_0, 0),
5048                         BPF_EXIT_INSN(),
5049                 },
5050                 .result = ACCEPT,
5051                 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5052         },
5053         {
5054                 "direct packet read for LWT_XMIT",
5055                 .insns = {
5056                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5057                                     offsetof(struct __sk_buff, data)),
5058                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5059                                     offsetof(struct __sk_buff, data_end)),
5060                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5061                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5062                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5063                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5064                         BPF_MOV64_IMM(BPF_REG_0, 0),
5065                         BPF_EXIT_INSN(),
5066                 },
5067                 .result = ACCEPT,
5068                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5069         },
5070         {
5071                 "overlapping checks for direct packet access",
5072                 .insns = {
5073                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5074                                     offsetof(struct __sk_buff, data)),
5075                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5076                                     offsetof(struct __sk_buff, data_end)),
5077                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5078                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5079                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
5080                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
5081                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
5082                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
5083                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
5084                         BPF_MOV64_IMM(BPF_REG_0, 0),
5085                         BPF_EXIT_INSN(),
5086                 },
5087                 .result = ACCEPT,
5088                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5089         },
5090         {
5091                 "make headroom for LWT_XMIT",
5092                 .insns = {
5093                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5094                         BPF_MOV64_IMM(BPF_REG_2, 34),
5095                         BPF_MOV64_IMM(BPF_REG_3, 0),
5096                         BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5097                         /* split for s390 to succeed */
5098                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
5099                         BPF_MOV64_IMM(BPF_REG_2, 42),
5100                         BPF_MOV64_IMM(BPF_REG_3, 0),
5101                         BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
5102                         BPF_MOV64_IMM(BPF_REG_0, 0),
5103                         BPF_EXIT_INSN(),
5104                 },
5105                 .result = ACCEPT,
5106                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5107         },
5108         {
5109                 "invalid access of tc_classid for LWT_IN",
5110                 .insns = {
5111                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5112                                     offsetof(struct __sk_buff, tc_classid)),
5113                         BPF_EXIT_INSN(),
5114                 },
5115                 .result = REJECT,
5116                 .errstr = "invalid bpf_context access",
5117         },
5118         {
5119                 "invalid access of tc_classid for LWT_OUT",
5120                 .insns = {
5121                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5122                                     offsetof(struct __sk_buff, tc_classid)),
5123                         BPF_EXIT_INSN(),
5124                 },
5125                 .result = REJECT,
5126                 .errstr = "invalid bpf_context access",
5127         },
5128         {
5129                 "invalid access of tc_classid for LWT_XMIT",
5130                 .insns = {
5131                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5132                                     offsetof(struct __sk_buff, tc_classid)),
5133                         BPF_EXIT_INSN(),
5134                 },
5135                 .result = REJECT,
5136                 .errstr = "invalid bpf_context access",
5137         },
5138         {
5139                 "leak pointer into ctx 1",
5140                 .insns = {
5141                         BPF_MOV64_IMM(BPF_REG_0, 0),
5142                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5143                                     offsetof(struct __sk_buff, cb[0])),
5144                         BPF_LD_MAP_FD(BPF_REG_2, 0),
5145                         BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
5146                                       offsetof(struct __sk_buff, cb[0])),
5147                         BPF_EXIT_INSN(),
5148                 },
5149                 .fixup_map1 = { 2 },
5150                 .errstr_unpriv = "R2 leaks addr into mem",
5151                 .result_unpriv = REJECT,
5152                 .result = REJECT,
5153                 .errstr = "BPF_XADD stores into R1 context is not allowed",
5154         },
5155         {
5156                 "leak pointer into ctx 2",
5157                 .insns = {
5158                         BPF_MOV64_IMM(BPF_REG_0, 0),
5159                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5160                                     offsetof(struct __sk_buff, cb[0])),
5161                         BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
5162                                       offsetof(struct __sk_buff, cb[0])),
5163                         BPF_EXIT_INSN(),
5164                 },
5165                 .errstr_unpriv = "R10 leaks addr into mem",
5166                 .result_unpriv = REJECT,
5167                 .result = REJECT,
5168                 .errstr = "BPF_XADD stores into R1 context is not allowed",
5169         },
5170         {
5171                 "leak pointer into ctx 3",
5172                 .insns = {
5173                         BPF_MOV64_IMM(BPF_REG_0, 0),
5174                         BPF_LD_MAP_FD(BPF_REG_2, 0),
5175                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
5176                                       offsetof(struct __sk_buff, cb[0])),
5177                         BPF_EXIT_INSN(),
5178                 },
5179                 .fixup_map1 = { 1 },
5180                 .errstr_unpriv = "R2 leaks addr into ctx",
5181                 .result_unpriv = REJECT,
5182                 .result = ACCEPT,
5183         },
5184         {
5185                 "leak pointer into map val",
5186                 .insns = {
5187                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5188                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5189                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5190                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5191                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5192                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5193                                      BPF_FUNC_map_lookup_elem),
5194                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5195                         BPF_MOV64_IMM(BPF_REG_3, 0),
5196                         BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
5197                         BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
5198                         BPF_MOV64_IMM(BPF_REG_0, 0),
5199                         BPF_EXIT_INSN(),
5200                 },
5201                 .fixup_map1 = { 4 },
5202                 .errstr_unpriv = "R6 leaks addr into mem",
5203                 .result_unpriv = REJECT,
5204                 .result = ACCEPT,
5205         },
5206         {
5207                 "helper access to map: full range",
5208                 .insns = {
5209                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5210                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5211                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5212                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5213                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5214                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5215                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5216                         BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5217                         BPF_MOV64_IMM(BPF_REG_3, 0),
5218                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5219                         BPF_EXIT_INSN(),
5220                 },
5221                 .fixup_map2 = { 3 },
5222                 .result = ACCEPT,
5223                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5224         },
5225         {
5226                 "helper access to map: partial range",
5227                 .insns = {
5228                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5229                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5230                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5231                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5232                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5233                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5234                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5235                         BPF_MOV64_IMM(BPF_REG_2, 8),
5236                         BPF_MOV64_IMM(BPF_REG_3, 0),
5237                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5238                         BPF_EXIT_INSN(),
5239                 },
5240                 .fixup_map2 = { 3 },
5241                 .result = ACCEPT,
5242                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5243         },
5244         {
5245                 "helper access to map: empty range",
5246                 .insns = {
5247                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5248                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5249                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5250                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5251                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5252                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5253                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5254                         BPF_MOV64_IMM(BPF_REG_2, 0),
5255                         BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5256                         BPF_EXIT_INSN(),
5257                 },
5258                 .fixup_map2 = { 3 },
5259                 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
5260                 .result = REJECT,
5261                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5262         },
5263         {
5264                 "helper access to map: out-of-bound range",
5265                 .insns = {
5266                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5267                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5268                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5269                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5270                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5271                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5272                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5273                         BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5274                         BPF_MOV64_IMM(BPF_REG_3, 0),
5275                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5276                         BPF_EXIT_INSN(),
5277                 },
5278                 .fixup_map2 = { 3 },
5279                 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
5280                 .result = REJECT,
5281                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5282         },
5283         {
5284                 "helper access to map: negative range",
5285                 .insns = {
5286                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5287                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5288                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5289                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5290                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5291                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5292                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5293                         BPF_MOV64_IMM(BPF_REG_2, -8),
5294                         BPF_MOV64_IMM(BPF_REG_3, 0),
5295                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5296                         BPF_EXIT_INSN(),
5297                 },
5298                 .fixup_map2 = { 3 },
5299                 .errstr = "R2 min value is negative",
5300                 .result = REJECT,
5301                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5302         },
5303         {
5304                 "helper access to adjusted map (via const imm): full range",
5305                 .insns = {
5306                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5307                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5308                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5309                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5310                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5311                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5312                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5313                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5314                                 offsetof(struct test_val, foo)),
5315                         BPF_MOV64_IMM(BPF_REG_2,
5316                                 sizeof(struct test_val) -
5317                                 offsetof(struct test_val, foo)),
5318                         BPF_MOV64_IMM(BPF_REG_3, 0),
5319                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5320                         BPF_EXIT_INSN(),
5321                 },
5322                 .fixup_map2 = { 3 },
5323                 .result = ACCEPT,
5324                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5325         },
5326         {
5327                 "helper access to adjusted map (via const imm): partial range",
5328                 .insns = {
5329                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5330                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5331                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5332                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5333                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5334                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5335                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5336                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5337                                 offsetof(struct test_val, foo)),
5338                         BPF_MOV64_IMM(BPF_REG_2, 8),
5339                         BPF_MOV64_IMM(BPF_REG_3, 0),
5340                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5341                         BPF_EXIT_INSN(),
5342                 },
5343                 .fixup_map2 = { 3 },
5344                 .result = ACCEPT,
5345                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5346         },
5347         {
5348                 "helper access to adjusted map (via const imm): empty range",
5349                 .insns = {
5350                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5351                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5352                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5353                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5354                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5355                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5356                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5357                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5358                                 offsetof(struct test_val, foo)),
5359                         BPF_MOV64_IMM(BPF_REG_2, 0),
5360                         BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5361                         BPF_EXIT_INSN(),
5362                 },
5363                 .fixup_map2 = { 3 },
5364                 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5365                 .result = REJECT,
5366                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5367         },
5368         {
5369                 "helper access to adjusted map (via const imm): out-of-bound range",
5370                 .insns = {
5371                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5372                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5373                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5374                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5375                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5376                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5377                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5378                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5379                                 offsetof(struct test_val, foo)),
5380                         BPF_MOV64_IMM(BPF_REG_2,
5381                                 sizeof(struct test_val) -
5382                                 offsetof(struct test_val, foo) + 8),
5383                         BPF_MOV64_IMM(BPF_REG_3, 0),
5384                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5385                         BPF_EXIT_INSN(),
5386                 },
5387                 .fixup_map2 = { 3 },
5388                 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5389                 .result = REJECT,
5390                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5391         },
5392         {
5393                 "helper access to adjusted map (via const imm): negative range (> adjustment)",
5394                 .insns = {
5395                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5396                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5397                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5398                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5399                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5400                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5401                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5402                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5403                                 offsetof(struct test_val, foo)),
5404                         BPF_MOV64_IMM(BPF_REG_2, -8),
5405                         BPF_MOV64_IMM(BPF_REG_3, 0),
5406                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5407                         BPF_EXIT_INSN(),
5408                 },
5409                 .fixup_map2 = { 3 },
5410                 .errstr = "R2 min value is negative",
5411                 .result = REJECT,
5412                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5413         },
5414         {
5415                 "helper access to adjusted map (via const imm): negative range (< adjustment)",
5416                 .insns = {
5417                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5418                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5419                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5420                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5421                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5422                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5423                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5424                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5425                                 offsetof(struct test_val, foo)),
5426                         BPF_MOV64_IMM(BPF_REG_2, -1),
5427                         BPF_MOV64_IMM(BPF_REG_3, 0),
5428                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5429                         BPF_EXIT_INSN(),
5430                 },
5431                 .fixup_map2 = { 3 },
5432                 .errstr = "R2 min value is negative",
5433                 .result = REJECT,
5434                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5435         },
5436         {
5437                 "helper access to adjusted map (via const reg): full range",
5438                 .insns = {
5439                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5440                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5441                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5442                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5443                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5444                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5445                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5446                         BPF_MOV64_IMM(BPF_REG_3,
5447                                 offsetof(struct test_val, foo)),
5448                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5449                         BPF_MOV64_IMM(BPF_REG_2,
5450                                 sizeof(struct test_val) -
5451                                 offsetof(struct test_val, foo)),
5452                         BPF_MOV64_IMM(BPF_REG_3, 0),
5453                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5454                         BPF_EXIT_INSN(),
5455                 },
5456                 .fixup_map2 = { 3 },
5457                 .result = ACCEPT,
5458                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5459         },
5460         {
5461                 "helper access to adjusted map (via const reg): partial range",
5462                 .insns = {
5463                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5464                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5465                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5466                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5467                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5468                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5469                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5470                         BPF_MOV64_IMM(BPF_REG_3,
5471                                 offsetof(struct test_val, foo)),
5472                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5473                         BPF_MOV64_IMM(BPF_REG_2, 8),
5474                         BPF_MOV64_IMM(BPF_REG_3, 0),
5475                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5476                         BPF_EXIT_INSN(),
5477                 },
5478                 .fixup_map2 = { 3 },
5479                 .result = ACCEPT,
5480                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5481         },
5482         {
5483                 "helper access to adjusted map (via const reg): empty range",
5484                 .insns = {
5485                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5486                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5487                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5488                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5489                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5490                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5491                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5492                         BPF_MOV64_IMM(BPF_REG_3, 0),
5493                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5494                         BPF_MOV64_IMM(BPF_REG_2, 0),
5495                         BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5496                         BPF_EXIT_INSN(),
5497                 },
5498                 .fixup_map2 = { 3 },
5499                 .errstr = "R1 min value is outside of the array range",
5500                 .result = REJECT,
5501                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5502         },
5503         {
5504                 "helper access to adjusted map (via const reg): out-of-bound range",
5505                 .insns = {
5506                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5507                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5508                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5509                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5510                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5511                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5512                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5513                         BPF_MOV64_IMM(BPF_REG_3,
5514                                 offsetof(struct test_val, foo)),
5515                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5516                         BPF_MOV64_IMM(BPF_REG_2,
5517                                 sizeof(struct test_val) -
5518                                 offsetof(struct test_val, foo) + 8),
5519                         BPF_MOV64_IMM(BPF_REG_3, 0),
5520                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5521                         BPF_EXIT_INSN(),
5522                 },
5523                 .fixup_map2 = { 3 },
5524                 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5525                 .result = REJECT,
5526                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5527         },
5528         {
5529                 "helper access to adjusted map (via const reg): negative range (> adjustment)",
5530                 .insns = {
5531                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5532                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5533                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5534                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5535                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5536                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5537                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5538                         BPF_MOV64_IMM(BPF_REG_3,
5539                                 offsetof(struct test_val, foo)),
5540                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5541                         BPF_MOV64_IMM(BPF_REG_2, -8),
5542                         BPF_MOV64_IMM(BPF_REG_3, 0),
5543                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5544                         BPF_EXIT_INSN(),
5545                 },
5546                 .fixup_map2 = { 3 },
5547                 .errstr = "R2 min value is negative",
5548                 .result = REJECT,
5549                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5550         },
5551         {
5552                 "helper access to adjusted map (via const reg): negative range (< adjustment)",
5553                 .insns = {
5554                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5555                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5556                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5557                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5558                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5559                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5560                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5561                         BPF_MOV64_IMM(BPF_REG_3,
5562                                 offsetof(struct test_val, foo)),
5563                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5564                         BPF_MOV64_IMM(BPF_REG_2, -1),
5565                         BPF_MOV64_IMM(BPF_REG_3, 0),
5566                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5567                         BPF_EXIT_INSN(),
5568                 },
5569                 .fixup_map2 = { 3 },
5570                 .errstr = "R2 min value is negative",
5571                 .result = REJECT,
5572                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5573         },
5574         {
5575                 "helper access to adjusted map (via variable): full range",
5576                 .insns = {
5577                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5578                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5579                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5580                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5581                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5582                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5583                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5584                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5585                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5586                                 offsetof(struct test_val, foo), 4),
5587                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5588                         BPF_MOV64_IMM(BPF_REG_2,
5589                                 sizeof(struct test_val) -
5590                                 offsetof(struct test_val, foo)),
5591                         BPF_MOV64_IMM(BPF_REG_3, 0),
5592                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5593                         BPF_EXIT_INSN(),
5594                 },
5595                 .fixup_map2 = { 3 },
5596                 .result = ACCEPT,
5597                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5598         },
5599         {
5600                 "helper access to adjusted map (via variable): partial range",
5601                 .insns = {
5602                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5603                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5604                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5605                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5606                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5607                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5608                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5609                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5610                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5611                                 offsetof(struct test_val, foo), 4),
5612                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5613                         BPF_MOV64_IMM(BPF_REG_2, 8),
5614                         BPF_MOV64_IMM(BPF_REG_3, 0),
5615                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5616                         BPF_EXIT_INSN(),
5617                 },
5618                 .fixup_map2 = { 3 },
5619                 .result = ACCEPT,
5620                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5621         },
5622         {
5623                 "helper access to adjusted map (via variable): empty range",
5624                 .insns = {
5625                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5626                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5627                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5628                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5629                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5630                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5631                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5632                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5633                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5634                                 offsetof(struct test_val, foo), 3),
5635                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5636                         BPF_MOV64_IMM(BPF_REG_2, 0),
5637                         BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5638                         BPF_EXIT_INSN(),
5639                 },
5640                 .fixup_map2 = { 3 },
5641                 .errstr = "R1 min value is outside of the array range",
5642                 .result = REJECT,
5643                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5644         },
5645         {
5646                 "helper access to adjusted map (via variable): no max check",
5647                 .insns = {
5648                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5649                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5650                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5651                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5652                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5653                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5654                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5655                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5656                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5657                         BPF_MOV64_IMM(BPF_REG_2, 1),
5658                         BPF_MOV64_IMM(BPF_REG_3, 0),
5659                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5660                         BPF_EXIT_INSN(),
5661                 },
5662                 .fixup_map2 = { 3 },
5663                 .errstr = "R1 unbounded memory access",
5664                 .result = REJECT,
5665                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5666         },
5667         {
5668                 "helper access to adjusted map (via variable): wrong max check",
5669                 .insns = {
5670                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5671                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5672                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5673                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5674                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5675                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5676                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5677                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5678                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5679                                 offsetof(struct test_val, foo), 4),
5680                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5681                         BPF_MOV64_IMM(BPF_REG_2,
5682                                 sizeof(struct test_val) -
5683                                 offsetof(struct test_val, foo) + 1),
5684                         BPF_MOV64_IMM(BPF_REG_3, 0),
5685                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5686                         BPF_EXIT_INSN(),
5687                 },
5688                 .fixup_map2 = { 3 },
5689                 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
5690                 .result = REJECT,
5691                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5692         },
5693         {
5694                 "helper access to map: bounds check using <, good access",
5695                 .insns = {
5696                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5697                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5698                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5699                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5700                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5701                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5702                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5703                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5704                         BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5705                         BPF_MOV64_IMM(BPF_REG_0, 0),
5706                         BPF_EXIT_INSN(),
5707                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5708                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5709                         BPF_MOV64_IMM(BPF_REG_0, 0),
5710                         BPF_EXIT_INSN(),
5711                 },
5712                 .fixup_map2 = { 3 },
5713                 .result = ACCEPT,
5714                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5715         },
5716         {
5717                 "helper access to map: bounds check using <, bad access",
5718                 .insns = {
5719                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5720                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5721                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5722                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5723                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5724                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5725                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5726                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5727                         BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5728                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5729                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5730                         BPF_MOV64_IMM(BPF_REG_0, 0),
5731                         BPF_EXIT_INSN(),
5732                         BPF_MOV64_IMM(BPF_REG_0, 0),
5733                         BPF_EXIT_INSN(),
5734                 },
5735                 .fixup_map2 = { 3 },
5736                 .result = REJECT,
5737                 .errstr = "R1 unbounded memory access",
5738                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5739         },
5740         {
5741                 "helper access to map: bounds check using <=, good access",
5742                 .insns = {
5743                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5744                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5745                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5746                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5747                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5748                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5749                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5750                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5751                         BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5752                         BPF_MOV64_IMM(BPF_REG_0, 0),
5753                         BPF_EXIT_INSN(),
5754                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5755                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5756                         BPF_MOV64_IMM(BPF_REG_0, 0),
5757                         BPF_EXIT_INSN(),
5758                 },
5759                 .fixup_map2 = { 3 },
5760                 .result = ACCEPT,
5761                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5762         },
5763         {
5764                 "helper access to map: bounds check using <=, bad access",
5765                 .insns = {
5766                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5767                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5768                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5769                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5770                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5771                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5772                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5773                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5774                         BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5775                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5776                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5777                         BPF_MOV64_IMM(BPF_REG_0, 0),
5778                         BPF_EXIT_INSN(),
5779                         BPF_MOV64_IMM(BPF_REG_0, 0),
5780                         BPF_EXIT_INSN(),
5781                 },
5782                 .fixup_map2 = { 3 },
5783                 .result = REJECT,
5784                 .errstr = "R1 unbounded memory access",
5785                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5786         },
5787         {
5788                 "helper access to map: bounds check using s<, good access",
5789                 .insns = {
5790                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5791                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5792                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5793                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5794                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5795                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5796                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5797                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5798                         BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5799                         BPF_MOV64_IMM(BPF_REG_0, 0),
5800                         BPF_EXIT_INSN(),
5801                         BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5802                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5803                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5804                         BPF_MOV64_IMM(BPF_REG_0, 0),
5805                         BPF_EXIT_INSN(),
5806                 },
5807                 .fixup_map2 = { 3 },
5808                 .result = ACCEPT,
5809                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5810         },
5811         {
5812                 "helper access to map: bounds check using s<, good access 2",
5813                 .insns = {
5814                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5815                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5816                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5817                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5818                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5819                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5820                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5821                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5822                         BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5823                         BPF_MOV64_IMM(BPF_REG_0, 0),
5824                         BPF_EXIT_INSN(),
5825                         BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5826                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5827                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5828                         BPF_MOV64_IMM(BPF_REG_0, 0),
5829                         BPF_EXIT_INSN(),
5830                 },
5831                 .fixup_map2 = { 3 },
5832                 .result = ACCEPT,
5833                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5834         },
5835         {
5836                 "helper access to map: bounds check using s<, bad access",
5837                 .insns = {
5838                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5839                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5840                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5841                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5842                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5843                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5844                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5845                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5846                         BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5847                         BPF_MOV64_IMM(BPF_REG_0, 0),
5848                         BPF_EXIT_INSN(),
5849                         BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5850                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5851                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5852                         BPF_MOV64_IMM(BPF_REG_0, 0),
5853                         BPF_EXIT_INSN(),
5854                 },
5855                 .fixup_map2 = { 3 },
5856                 .result = REJECT,
5857                 .errstr = "R1 min value is negative",
5858                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5859         },
5860         {
5861                 "helper access to map: bounds check using s<=, good access",
5862                 .insns = {
5863                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5864                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5865                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5866                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5867                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5868                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5869                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5870                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5871                         BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5872                         BPF_MOV64_IMM(BPF_REG_0, 0),
5873                         BPF_EXIT_INSN(),
5874                         BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5875                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5876                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5877                         BPF_MOV64_IMM(BPF_REG_0, 0),
5878                         BPF_EXIT_INSN(),
5879                 },
5880                 .fixup_map2 = { 3 },
5881                 .result = ACCEPT,
5882                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5883         },
5884         {
5885                 "helper access to map: bounds check using s<=, good access 2",
5886                 .insns = {
5887                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5888                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5889                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5890                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5891                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5892                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5893                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5894                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5895                         BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5896                         BPF_MOV64_IMM(BPF_REG_0, 0),
5897                         BPF_EXIT_INSN(),
5898                         BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5899                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5900                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5901                         BPF_MOV64_IMM(BPF_REG_0, 0),
5902                         BPF_EXIT_INSN(),
5903                 },
5904                 .fixup_map2 = { 3 },
5905                 .result = ACCEPT,
5906                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5907         },
5908         {
5909                 "helper access to map: bounds check using s<=, bad access",
5910                 .insns = {
5911                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5912                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5913                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5914                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5915                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5916                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5917                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5918                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5919                         BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5920                         BPF_MOV64_IMM(BPF_REG_0, 0),
5921                         BPF_EXIT_INSN(),
5922                         BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5923                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5924                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5925                         BPF_MOV64_IMM(BPF_REG_0, 0),
5926                         BPF_EXIT_INSN(),
5927                 },
5928                 .fixup_map2 = { 3 },
5929                 .result = REJECT,
5930                 .errstr = "R1 min value is negative",
5931                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5932         },
5933         {
5934                 "map lookup helper access to map",
5935                 .insns = {
5936                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5937                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5938                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5939                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5940                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5941                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5942                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5943                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5944                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5945                         BPF_EXIT_INSN(),
5946                 },
5947                 .fixup_map3 = { 3, 8 },
5948                 .result = ACCEPT,
5949                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5950         },
5951         {
5952                 "map update helper access to map",
5953                 .insns = {
5954                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5955                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5956                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5957                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5958                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5959                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5960                         BPF_MOV64_IMM(BPF_REG_4, 0),
5961                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5962                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5963                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5964                         BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5965                         BPF_EXIT_INSN(),
5966                 },
5967                 .fixup_map3 = { 3, 10 },
5968                 .result = ACCEPT,
5969                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5970         },
5971         {
5972                 "map update helper access to map: wrong size",
5973                 .insns = {
5974                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5975                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5976                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5977                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5978                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5979                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5980                         BPF_MOV64_IMM(BPF_REG_4, 0),
5981                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5982                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5983                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5984                         BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5985                         BPF_EXIT_INSN(),
5986                 },
5987                 .fixup_map1 = { 3 },
5988                 .fixup_map3 = { 10 },
5989                 .result = REJECT,
5990                 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
5991                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5992         },
5993         {
5994                 "map helper access to adjusted map (via const imm)",
5995                 .insns = {
5996                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5997                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5998                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5999                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6000                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6001                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6002                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6003                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6004                                       offsetof(struct other_val, bar)),
6005                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6006                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6007                         BPF_EXIT_INSN(),
6008                 },
6009                 .fixup_map3 = { 3, 9 },
6010                 .result = ACCEPT,
6011                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6012         },
6013         {
6014                 "map helper access to adjusted map (via const imm): out-of-bound 1",
6015                 .insns = {
6016                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6017                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6018                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6019                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6020                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6021                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6022                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6023                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
6024                                       sizeof(struct other_val) - 4),
6025                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6026                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6027                         BPF_EXIT_INSN(),
6028                 },
6029                 .fixup_map3 = { 3, 9 },
6030                 .result = REJECT,
6031                 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6032                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6033         },
6034         {
6035                 "map helper access to adjusted map (via const imm): out-of-bound 2",
6036                 .insns = {
6037                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6038                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6039                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6040                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6041                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6042                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6043                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6044                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
6045                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6046                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6047                         BPF_EXIT_INSN(),
6048                 },
6049                 .fixup_map3 = { 3, 9 },
6050                 .result = REJECT,
6051                 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6052                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6053         },
6054         {
6055                 "map helper access to adjusted map (via const reg)",
6056                 .insns = {
6057                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6058                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6059                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6060                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6061                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6062                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6063                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6064                         BPF_MOV64_IMM(BPF_REG_3,
6065                                       offsetof(struct other_val, bar)),
6066                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6067                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6068                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6069                         BPF_EXIT_INSN(),
6070                 },
6071                 .fixup_map3 = { 3, 10 },
6072                 .result = ACCEPT,
6073                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6074         },
6075         {
6076                 "map helper access to adjusted map (via const reg): out-of-bound 1",
6077                 .insns = {
6078                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6079                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6080                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6081                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6082                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6083                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6084                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6085                         BPF_MOV64_IMM(BPF_REG_3,
6086                                       sizeof(struct other_val) - 4),
6087                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6088                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6089                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6090                         BPF_EXIT_INSN(),
6091                 },
6092                 .fixup_map3 = { 3, 10 },
6093                 .result = REJECT,
6094                 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
6095                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6096         },
6097         {
6098                 "map helper access to adjusted map (via const reg): out-of-bound 2",
6099                 .insns = {
6100                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6101                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6102                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6103                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6104                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6105                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6106                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6107                         BPF_MOV64_IMM(BPF_REG_3, -4),
6108                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6109                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6110                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6111                         BPF_EXIT_INSN(),
6112                 },
6113                 .fixup_map3 = { 3, 10 },
6114                 .result = REJECT,
6115                 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
6116                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6117         },
6118         {
6119                 "map helper access to adjusted map (via variable)",
6120                 .insns = {
6121                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6122                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6123                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6124                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6125                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6126                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6127                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6128                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6129                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6130                                     offsetof(struct other_val, bar), 4),
6131                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6132                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6133                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6134                         BPF_EXIT_INSN(),
6135                 },
6136                 .fixup_map3 = { 3, 11 },
6137                 .result = ACCEPT,
6138                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6139         },
6140         {
6141                 "map helper access to adjusted map (via variable): no max check",
6142                 .insns = {
6143                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6144                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6145                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6146                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6147                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6148                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6149                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6150                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6151                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6152                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6153                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6154                         BPF_EXIT_INSN(),
6155                 },
6156                 .fixup_map3 = { 3, 10 },
6157                 .result = REJECT,
6158                 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
6159                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6160         },
6161         {
6162                 "map helper access to adjusted map (via variable): wrong max check",
6163                 .insns = {
6164                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6165                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6166                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6167                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6168                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6169                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6170                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6171                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6172                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6173                                     offsetof(struct other_val, bar) + 1, 4),
6174                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6175                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6176                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6177                         BPF_EXIT_INSN(),
6178                 },
6179                 .fixup_map3 = { 3, 11 },
6180                 .result = REJECT,
6181                 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
6182                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6183         },
6184         {
6185                 "map element value is preserved across register spilling",
6186                 .insns = {
6187                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6188                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6189                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6190                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6191                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6192                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6193                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6194                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6195                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6196                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6197                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6198                         BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6199                         BPF_EXIT_INSN(),
6200                 },
6201                 .fixup_map2 = { 3 },
6202                 .errstr_unpriv = "R0 leaks addr",
6203                 .result = ACCEPT,
6204                 .result_unpriv = REJECT,
6205         },
6206         {
6207                 "map element value or null is marked on register spilling",
6208                 .insns = {
6209                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6210                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6211                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6212                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6213                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6214                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6215                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
6216                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6217                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6218                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6219                         BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6220                         BPF_EXIT_INSN(),
6221                 },
6222                 .fixup_map2 = { 3 },
6223                 .errstr_unpriv = "R0 leaks addr",
6224                 .result = ACCEPT,
6225                 .result_unpriv = REJECT,
6226         },
6227         {
6228                 "map element value store of cleared call register",
6229                 .insns = {
6230                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6231                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6232                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6233                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6234                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6235                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
6236                         BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
6237                         BPF_EXIT_INSN(),
6238                 },
6239                 .fixup_map2 = { 3 },
6240                 .errstr_unpriv = "R1 !read_ok",
6241                 .errstr = "R1 !read_ok",
6242                 .result = REJECT,
6243                 .result_unpriv = REJECT,
6244         },
6245         {