~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/tools/testing/selftests/bpf/test_verifier.c

Version: ~ [ linux-4.18-rc1 ] ~ [ linux-4.17.2 ] ~ [ linux-4.16.16 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.50 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.109 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.138 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.113 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.57 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.39.4 ] ~ [ linux-2.6.38.8 ] ~ [ linux-2.6.37.6 ] ~ [ linux-2.6.36.4 ] ~ [ linux-2.6.35.14 ] ~ [ linux-2.6.34.15 ] ~ [ linux-2.6.33.20 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.27.62 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * Testsuite for eBPF verifier
  3  *
  4  * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
  5  * Copyright (c) 2017 Facebook
  6  *
  7  * This program is free software; you can redistribute it and/or
  8  * modify it under the terms of version 2 of the GNU General Public
  9  * License as published by the Free Software Foundation.
 10  */
 11 
 12 #include <endian.h>
 13 #include <asm/types.h>
 14 #include <linux/types.h>
 15 #include <stdint.h>
 16 #include <stdio.h>
 17 #include <stdlib.h>
 18 #include <unistd.h>
 19 #include <errno.h>
 20 #include <string.h>
 21 #include <stddef.h>
 22 #include <stdbool.h>
 23 #include <sched.h>
 24 #include <limits.h>
 25 
 26 #include <sys/capability.h>
 27 
 28 #include <linux/unistd.h>
 29 #include <linux/filter.h>
 30 #include <linux/bpf_perf_event.h>
 31 #include <linux/bpf.h>
 32 #include <linux/if_ether.h>
 33 
 34 #include <bpf/bpf.h>
 35 
 36 #ifdef HAVE_GENHDR
 37 # include "autoconf.h"
 38 #else
 39 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
 40 #  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
 41 # endif
 42 #endif
 43 #include "bpf_rlimit.h"
 44 #include "bpf_rand.h"
 45 #include "../../../include/linux/filter.h"
 46 
 47 #ifndef ARRAY_SIZE
 48 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
 49 #endif
 50 
 51 #define MAX_INSNS       BPF_MAXINSNS
 52 #define MAX_FIXUPS      8
 53 #define MAX_NR_MAPS     7
 54 #define POINTER_VALUE   0xcafe4all
 55 #define TEST_DATA_LEN   64
 56 
 57 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS      (1 << 0)
 58 #define F_LOAD_WITH_STRICT_ALIGNMENT            (1 << 1)
 59 
 60 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
 61 static bool unpriv_disabled = false;
 62 
 63 struct bpf_test {
 64         const char *descr;
 65         struct bpf_insn insns[MAX_INSNS];
 66         int fixup_map1[MAX_FIXUPS];
 67         int fixup_map2[MAX_FIXUPS];
 68         int fixup_map3[MAX_FIXUPS];
 69         int fixup_map4[MAX_FIXUPS];
 70         int fixup_prog1[MAX_FIXUPS];
 71         int fixup_prog2[MAX_FIXUPS];
 72         int fixup_map_in_map[MAX_FIXUPS];
 73         const char *errstr;
 74         const char *errstr_unpriv;
 75         uint32_t retval;
 76         enum {
 77                 UNDEF,
 78                 ACCEPT,
 79                 REJECT
 80         } result, result_unpriv;
 81         enum bpf_prog_type prog_type;
 82         uint8_t flags;
 83         __u8 data[TEST_DATA_LEN];
 84         void (*fill_helper)(struct bpf_test *self);
 85 };
 86 
 87 /* Note we want this to be 64 bit aligned so that the end of our array is
 88  * actually the end of the structure.
 89  */
 90 #define MAX_ENTRIES 11
 91 
 92 struct test_val {
 93         unsigned int index;
 94         int foo[MAX_ENTRIES];
 95 };
 96 
 97 struct other_val {
 98         long long foo;
 99         long long bar;
100 };
101 
102 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
103 {
104         /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
105 #define PUSH_CNT 51
106         unsigned int len = BPF_MAXINSNS;
107         struct bpf_insn *insn = self->insns;
108         int i = 0, j, k = 0;
109 
110         insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
111 loop:
112         for (j = 0; j < PUSH_CNT; j++) {
113                 insn[i++] = BPF_LD_ABS(BPF_B, 0);
114                 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
115                 i++;
116                 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
117                 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
118                 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
119                 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
120                                          BPF_FUNC_skb_vlan_push),
121                 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
122                 i++;
123         }
124 
125         for (j = 0; j < PUSH_CNT; j++) {
126                 insn[i++] = BPF_LD_ABS(BPF_B, 0);
127                 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
128                 i++;
129                 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
130                 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
131                                          BPF_FUNC_skb_vlan_pop),
132                 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
133                 i++;
134         }
135         if (++k < 5)
136                 goto loop;
137 
138         for (; i < len - 1; i++)
139                 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
140         insn[len - 1] = BPF_EXIT_INSN();
141 }
142 
143 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
144 {
145         struct bpf_insn *insn = self->insns;
146         unsigned int len = BPF_MAXINSNS;
147         int i = 0;
148 
149         insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
150         insn[i++] = BPF_LD_ABS(BPF_B, 0);
151         insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
152         i++;
153         while (i < len - 1)
154                 insn[i++] = BPF_LD_ABS(BPF_B, 1);
155         insn[i] = BPF_EXIT_INSN();
156 }
157 
158 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
159 {
160         struct bpf_insn *insn = self->insns;
161         uint64_t res = 0;
162         int i = 0;
163 
164         insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
165         while (i < self->retval) {
166                 uint64_t val = bpf_semi_rand_get();
167                 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
168 
169                 res ^= val;
170                 insn[i++] = tmp[0];
171                 insn[i++] = tmp[1];
172                 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
173         }
174         insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
175         insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
176         insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
177         insn[i] = BPF_EXIT_INSN();
178         res ^= (res >> 32);
179         self->retval = (uint32_t)res;
180 }
181 
182 static struct bpf_test tests[] = {
183         {
184                 "add+sub+mul",
185                 .insns = {
186                         BPF_MOV64_IMM(BPF_REG_1, 1),
187                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
188                         BPF_MOV64_IMM(BPF_REG_2, 3),
189                         BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
190                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
191                         BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
192                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
193                         BPF_EXIT_INSN(),
194                 },
195                 .result = ACCEPT,
196                 .retval = -3,
197         },
198         {
199                 "DIV32 by 0, zero check 1",
200                 .insns = {
201                         BPF_MOV32_IMM(BPF_REG_0, 42),
202                         BPF_MOV32_IMM(BPF_REG_1, 0),
203                         BPF_MOV32_IMM(BPF_REG_2, 1),
204                         BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
205                         BPF_EXIT_INSN(),
206                 },
207                 .result = ACCEPT,
208                 .retval = 42,
209         },
210         {
211                 "DIV32 by 0, zero check 2",
212                 .insns = {
213                         BPF_MOV32_IMM(BPF_REG_0, 42),
214                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
215                         BPF_MOV32_IMM(BPF_REG_2, 1),
216                         BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
217                         BPF_EXIT_INSN(),
218                 },
219                 .result = ACCEPT,
220                 .retval = 42,
221         },
222         {
223                 "DIV64 by 0, zero check",
224                 .insns = {
225                         BPF_MOV32_IMM(BPF_REG_0, 42),
226                         BPF_MOV32_IMM(BPF_REG_1, 0),
227                         BPF_MOV32_IMM(BPF_REG_2, 1),
228                         BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
229                         BPF_EXIT_INSN(),
230                 },
231                 .result = ACCEPT,
232                 .retval = 42,
233         },
234         {
235                 "MOD32 by 0, zero check 1",
236                 .insns = {
237                         BPF_MOV32_IMM(BPF_REG_0, 42),
238                         BPF_MOV32_IMM(BPF_REG_1, 0),
239                         BPF_MOV32_IMM(BPF_REG_2, 1),
240                         BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
241                         BPF_EXIT_INSN(),
242                 },
243                 .result = ACCEPT,
244                 .retval = 42,
245         },
246         {
247                 "MOD32 by 0, zero check 2",
248                 .insns = {
249                         BPF_MOV32_IMM(BPF_REG_0, 42),
250                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
251                         BPF_MOV32_IMM(BPF_REG_2, 1),
252                         BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
253                         BPF_EXIT_INSN(),
254                 },
255                 .result = ACCEPT,
256                 .retval = 42,
257         },
258         {
259                 "MOD64 by 0, zero check",
260                 .insns = {
261                         BPF_MOV32_IMM(BPF_REG_0, 42),
262                         BPF_MOV32_IMM(BPF_REG_1, 0),
263                         BPF_MOV32_IMM(BPF_REG_2, 1),
264                         BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
265                         BPF_EXIT_INSN(),
266                 },
267                 .result = ACCEPT,
268                 .retval = 42,
269         },
270         {
271                 "DIV32 by 0, zero check ok, cls",
272                 .insns = {
273                         BPF_MOV32_IMM(BPF_REG_0, 42),
274                         BPF_MOV32_IMM(BPF_REG_1, 2),
275                         BPF_MOV32_IMM(BPF_REG_2, 16),
276                         BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
277                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
278                         BPF_EXIT_INSN(),
279                 },
280                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
281                 .result = ACCEPT,
282                 .retval = 8,
283         },
284         {
285                 "DIV32 by 0, zero check 1, cls",
286                 .insns = {
287                         BPF_MOV32_IMM(BPF_REG_1, 0),
288                         BPF_MOV32_IMM(BPF_REG_0, 1),
289                         BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
290                         BPF_EXIT_INSN(),
291                 },
292                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
293                 .result = ACCEPT,
294                 .retval = 0,
295         },
296         {
297                 "DIV32 by 0, zero check 2, cls",
298                 .insns = {
299                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
300                         BPF_MOV32_IMM(BPF_REG_0, 1),
301                         BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
302                         BPF_EXIT_INSN(),
303                 },
304                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
305                 .result = ACCEPT,
306                 .retval = 0,
307         },
308         {
309                 "DIV64 by 0, zero check, cls",
310                 .insns = {
311                         BPF_MOV32_IMM(BPF_REG_1, 0),
312                         BPF_MOV32_IMM(BPF_REG_0, 1),
313                         BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
314                         BPF_EXIT_INSN(),
315                 },
316                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
317                 .result = ACCEPT,
318                 .retval = 0,
319         },
320         {
321                 "MOD32 by 0, zero check ok, cls",
322                 .insns = {
323                         BPF_MOV32_IMM(BPF_REG_0, 42),
324                         BPF_MOV32_IMM(BPF_REG_1, 3),
325                         BPF_MOV32_IMM(BPF_REG_2, 5),
326                         BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
327                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
328                         BPF_EXIT_INSN(),
329                 },
330                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
331                 .result = ACCEPT,
332                 .retval = 2,
333         },
334         {
335                 "MOD32 by 0, zero check 1, cls",
336                 .insns = {
337                         BPF_MOV32_IMM(BPF_REG_1, 0),
338                         BPF_MOV32_IMM(BPF_REG_0, 1),
339                         BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
340                         BPF_EXIT_INSN(),
341                 },
342                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
343                 .result = ACCEPT,
344                 .retval = 1,
345         },
346         {
347                 "MOD32 by 0, zero check 2, cls",
348                 .insns = {
349                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
350                         BPF_MOV32_IMM(BPF_REG_0, 1),
351                         BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
352                         BPF_EXIT_INSN(),
353                 },
354                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
355                 .result = ACCEPT,
356                 .retval = 1,
357         },
358         {
359                 "MOD64 by 0, zero check 1, cls",
360                 .insns = {
361                         BPF_MOV32_IMM(BPF_REG_1, 0),
362                         BPF_MOV32_IMM(BPF_REG_0, 2),
363                         BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
364                         BPF_EXIT_INSN(),
365                 },
366                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
367                 .result = ACCEPT,
368                 .retval = 2,
369         },
370         {
371                 "MOD64 by 0, zero check 2, cls",
372                 .insns = {
373                         BPF_MOV32_IMM(BPF_REG_1, 0),
374                         BPF_MOV32_IMM(BPF_REG_0, -1),
375                         BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
376                         BPF_EXIT_INSN(),
377                 },
378                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
379                 .result = ACCEPT,
380                 .retval = -1,
381         },
382         /* Just make sure that JITs used udiv/umod as otherwise we get
383          * an exception from INT_MIN/-1 overflow similarly as with div
384          * by zero.
385          */
386         {
387                 "DIV32 overflow, check 1",
388                 .insns = {
389                         BPF_MOV32_IMM(BPF_REG_1, -1),
390                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
391                         BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
392                         BPF_EXIT_INSN(),
393                 },
394                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
395                 .result = ACCEPT,
396                 .retval = 0,
397         },
398         {
399                 "DIV32 overflow, check 2",
400                 .insns = {
401                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
402                         BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
403                         BPF_EXIT_INSN(),
404                 },
405                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
406                 .result = ACCEPT,
407                 .retval = 0,
408         },
409         {
410                 "DIV64 overflow, check 1",
411                 .insns = {
412                         BPF_MOV64_IMM(BPF_REG_1, -1),
413                         BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
414                         BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
415                         BPF_EXIT_INSN(),
416                 },
417                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
418                 .result = ACCEPT,
419                 .retval = 0,
420         },
421         {
422                 "DIV64 overflow, check 2",
423                 .insns = {
424                         BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
425                         BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
426                         BPF_EXIT_INSN(),
427                 },
428                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
429                 .result = ACCEPT,
430                 .retval = 0,
431         },
432         {
433                 "MOD32 overflow, check 1",
434                 .insns = {
435                         BPF_MOV32_IMM(BPF_REG_1, -1),
436                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
437                         BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
438                         BPF_EXIT_INSN(),
439                 },
440                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
441                 .result = ACCEPT,
442                 .retval = INT_MIN,
443         },
444         {
445                 "MOD32 overflow, check 2",
446                 .insns = {
447                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
448                         BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
449                         BPF_EXIT_INSN(),
450                 },
451                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
452                 .result = ACCEPT,
453                 .retval = INT_MIN,
454         },
455         {
456                 "MOD64 overflow, check 1",
457                 .insns = {
458                         BPF_MOV64_IMM(BPF_REG_1, -1),
459                         BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
460                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
461                         BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
462                         BPF_MOV32_IMM(BPF_REG_0, 0),
463                         BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
464                         BPF_MOV32_IMM(BPF_REG_0, 1),
465                         BPF_EXIT_INSN(),
466                 },
467                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
468                 .result = ACCEPT,
469                 .retval = 1,
470         },
471         {
472                 "MOD64 overflow, check 2",
473                 .insns = {
474                         BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
475                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
476                         BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
477                         BPF_MOV32_IMM(BPF_REG_0, 0),
478                         BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
479                         BPF_MOV32_IMM(BPF_REG_0, 1),
480                         BPF_EXIT_INSN(),
481                 },
482                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
483                 .result = ACCEPT,
484                 .retval = 1,
485         },
486         {
487                 "xor32 zero extend check",
488                 .insns = {
489                         BPF_MOV32_IMM(BPF_REG_2, -1),
490                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
491                         BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
492                         BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
493                         BPF_MOV32_IMM(BPF_REG_0, 2),
494                         BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
495                         BPF_MOV32_IMM(BPF_REG_0, 1),
496                         BPF_EXIT_INSN(),
497                 },
498                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
499                 .result = ACCEPT,
500                 .retval = 1,
501         },
502         {
503                 "empty prog",
504                 .insns = {
505                 },
506                 .errstr = "unknown opcode 00",
507                 .result = REJECT,
508         },
509         {
510                 "only exit insn",
511                 .insns = {
512                         BPF_EXIT_INSN(),
513                 },
514                 .errstr = "R0 !read_ok",
515                 .result = REJECT,
516         },
517         {
518                 "unreachable",
519                 .insns = {
520                         BPF_EXIT_INSN(),
521                         BPF_EXIT_INSN(),
522                 },
523                 .errstr = "unreachable",
524                 .result = REJECT,
525         },
526         {
527                 "unreachable2",
528                 .insns = {
529                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
530                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
531                         BPF_EXIT_INSN(),
532                 },
533                 .errstr = "unreachable",
534                 .result = REJECT,
535         },
536         {
537                 "out of range jump",
538                 .insns = {
539                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
540                         BPF_EXIT_INSN(),
541                 },
542                 .errstr = "jump out of range",
543                 .result = REJECT,
544         },
545         {
546                 "out of range jump2",
547                 .insns = {
548                         BPF_JMP_IMM(BPF_JA, 0, 0, -2),
549                         BPF_EXIT_INSN(),
550                 },
551                 .errstr = "jump out of range",
552                 .result = REJECT,
553         },
554         {
555                 "test1 ld_imm64",
556                 .insns = {
557                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
558                         BPF_LD_IMM64(BPF_REG_0, 0),
559                         BPF_LD_IMM64(BPF_REG_0, 0),
560                         BPF_LD_IMM64(BPF_REG_0, 1),
561                         BPF_LD_IMM64(BPF_REG_0, 1),
562                         BPF_MOV64_IMM(BPF_REG_0, 2),
563                         BPF_EXIT_INSN(),
564                 },
565                 .errstr = "invalid BPF_LD_IMM insn",
566                 .errstr_unpriv = "R1 pointer comparison",
567                 .result = REJECT,
568         },
569         {
570                 "test2 ld_imm64",
571                 .insns = {
572                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
573                         BPF_LD_IMM64(BPF_REG_0, 0),
574                         BPF_LD_IMM64(BPF_REG_0, 0),
575                         BPF_LD_IMM64(BPF_REG_0, 1),
576                         BPF_LD_IMM64(BPF_REG_0, 1),
577                         BPF_EXIT_INSN(),
578                 },
579                 .errstr = "invalid BPF_LD_IMM insn",
580                 .errstr_unpriv = "R1 pointer comparison",
581                 .result = REJECT,
582         },
583         {
584                 "test3 ld_imm64",
585                 .insns = {
586                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
587                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
588                         BPF_LD_IMM64(BPF_REG_0, 0),
589                         BPF_LD_IMM64(BPF_REG_0, 0),
590                         BPF_LD_IMM64(BPF_REG_0, 1),
591                         BPF_LD_IMM64(BPF_REG_0, 1),
592                         BPF_EXIT_INSN(),
593                 },
594                 .errstr = "invalid bpf_ld_imm64 insn",
595                 .result = REJECT,
596         },
597         {
598                 "test4 ld_imm64",
599                 .insns = {
600                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
601                         BPF_EXIT_INSN(),
602                 },
603                 .errstr = "invalid bpf_ld_imm64 insn",
604                 .result = REJECT,
605         },
606         {
607                 "test5 ld_imm64",
608                 .insns = {
609                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
610                 },
611                 .errstr = "invalid bpf_ld_imm64 insn",
612                 .result = REJECT,
613         },
614         {
615                 "test6 ld_imm64",
616                 .insns = {
617                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
618                         BPF_RAW_INSN(0, 0, 0, 0, 0),
619                         BPF_EXIT_INSN(),
620                 },
621                 .result = ACCEPT,
622         },
623         {
624                 "test7 ld_imm64",
625                 .insns = {
626                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
627                         BPF_RAW_INSN(0, 0, 0, 0, 1),
628                         BPF_EXIT_INSN(),
629                 },
630                 .result = ACCEPT,
631                 .retval = 1,
632         },
633         {
634                 "test8 ld_imm64",
635                 .insns = {
636                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
637                         BPF_RAW_INSN(0, 0, 0, 0, 1),
638                         BPF_EXIT_INSN(),
639                 },
640                 .errstr = "uses reserved fields",
641                 .result = REJECT,
642         },
643         {
644                 "test9 ld_imm64",
645                 .insns = {
646                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
647                         BPF_RAW_INSN(0, 0, 0, 1, 1),
648                         BPF_EXIT_INSN(),
649                 },
650                 .errstr = "invalid bpf_ld_imm64 insn",
651                 .result = REJECT,
652         },
653         {
654                 "test10 ld_imm64",
655                 .insns = {
656                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
657                         BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
658                         BPF_EXIT_INSN(),
659                 },
660                 .errstr = "invalid bpf_ld_imm64 insn",
661                 .result = REJECT,
662         },
663         {
664                 "test11 ld_imm64",
665                 .insns = {
666                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
667                         BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
668                         BPF_EXIT_INSN(),
669                 },
670                 .errstr = "invalid bpf_ld_imm64 insn",
671                 .result = REJECT,
672         },
673         {
674                 "test12 ld_imm64",
675                 .insns = {
676                         BPF_MOV64_IMM(BPF_REG_1, 0),
677                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
678                         BPF_RAW_INSN(0, 0, 0, 0, 1),
679                         BPF_EXIT_INSN(),
680                 },
681                 .errstr = "not pointing to valid bpf_map",
682                 .result = REJECT,
683         },
684         {
685                 "test13 ld_imm64",
686                 .insns = {
687                         BPF_MOV64_IMM(BPF_REG_1, 0),
688                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
689                         BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
690                         BPF_EXIT_INSN(),
691                 },
692                 .errstr = "invalid bpf_ld_imm64 insn",
693                 .result = REJECT,
694         },
695         {
696                 "arsh32 on imm",
697                 .insns = {
698                         BPF_MOV64_IMM(BPF_REG_0, 1),
699                         BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
700                         BPF_EXIT_INSN(),
701                 },
702                 .result = REJECT,
703                 .errstr = "unknown opcode c4",
704         },
705         {
706                 "arsh32 on reg",
707                 .insns = {
708                         BPF_MOV64_IMM(BPF_REG_0, 1),
709                         BPF_MOV64_IMM(BPF_REG_1, 5),
710                         BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
711                         BPF_EXIT_INSN(),
712                 },
713                 .result = REJECT,
714                 .errstr = "unknown opcode cc",
715         },
716         {
717                 "arsh64 on imm",
718                 .insns = {
719                         BPF_MOV64_IMM(BPF_REG_0, 1),
720                         BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
721                         BPF_EXIT_INSN(),
722                 },
723                 .result = ACCEPT,
724         },
725         {
726                 "arsh64 on reg",
727                 .insns = {
728                         BPF_MOV64_IMM(BPF_REG_0, 1),
729                         BPF_MOV64_IMM(BPF_REG_1, 5),
730                         BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
731                         BPF_EXIT_INSN(),
732                 },
733                 .result = ACCEPT,
734         },
735         {
736                 "no bpf_exit",
737                 .insns = {
738                         BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
739                 },
740                 .errstr = "not an exit",
741                 .result = REJECT,
742         },
743         {
744                 "loop (back-edge)",
745                 .insns = {
746                         BPF_JMP_IMM(BPF_JA, 0, 0, -1),
747                         BPF_EXIT_INSN(),
748                 },
749                 .errstr = "back-edge",
750                 .result = REJECT,
751         },
752         {
753                 "loop2 (back-edge)",
754                 .insns = {
755                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
756                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
757                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
758                         BPF_JMP_IMM(BPF_JA, 0, 0, -4),
759                         BPF_EXIT_INSN(),
760                 },
761                 .errstr = "back-edge",
762                 .result = REJECT,
763         },
764         {
765                 "conditional loop",
766                 .insns = {
767                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
768                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
769                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
770                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
771                         BPF_EXIT_INSN(),
772                 },
773                 .errstr = "back-edge",
774                 .result = REJECT,
775         },
776         {
777                 "read uninitialized register",
778                 .insns = {
779                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
780                         BPF_EXIT_INSN(),
781                 },
782                 .errstr = "R2 !read_ok",
783                 .result = REJECT,
784         },
785         {
786                 "read invalid register",
787                 .insns = {
788                         BPF_MOV64_REG(BPF_REG_0, -1),
789                         BPF_EXIT_INSN(),
790                 },
791                 .errstr = "R15 is invalid",
792                 .result = REJECT,
793         },
794         {
795                 "program doesn't init R0 before exit",
796                 .insns = {
797                         BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
798                         BPF_EXIT_INSN(),
799                 },
800                 .errstr = "R0 !read_ok",
801                 .result = REJECT,
802         },
803         {
804                 "program doesn't init R0 before exit in all branches",
805                 .insns = {
806                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
807                         BPF_MOV64_IMM(BPF_REG_0, 1),
808                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
809                         BPF_EXIT_INSN(),
810                 },
811                 .errstr = "R0 !read_ok",
812                 .errstr_unpriv = "R1 pointer comparison",
813                 .result = REJECT,
814         },
815         {
816                 "stack out of bounds",
817                 .insns = {
818                         BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
819                         BPF_EXIT_INSN(),
820                 },
821                 .errstr = "invalid stack",
822                 .result = REJECT,
823         },
824         {
825                 "invalid call insn1",
826                 .insns = {
827                         BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
828                         BPF_EXIT_INSN(),
829                 },
830                 .errstr = "unknown opcode 8d",
831                 .result = REJECT,
832         },
833         {
834                 "invalid call insn2",
835                 .insns = {
836                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
837                         BPF_EXIT_INSN(),
838                 },
839                 .errstr = "BPF_CALL uses reserved",
840                 .result = REJECT,
841         },
842         {
843                 "invalid function call",
844                 .insns = {
845                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
846                         BPF_EXIT_INSN(),
847                 },
848                 .errstr = "invalid func unknown#1234567",
849                 .result = REJECT,
850         },
851         {
852                 "uninitialized stack1",
853                 .insns = {
854                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
855                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
856                         BPF_LD_MAP_FD(BPF_REG_1, 0),
857                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
858                                      BPF_FUNC_map_lookup_elem),
859                         BPF_EXIT_INSN(),
860                 },
861                 .fixup_map1 = { 2 },
862                 .errstr = "invalid indirect read from stack",
863                 .result = REJECT,
864         },
865         {
866                 "uninitialized stack2",
867                 .insns = {
868                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
869                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
870                         BPF_EXIT_INSN(),
871                 },
872                 .errstr = "invalid read from stack",
873                 .result = REJECT,
874         },
875         {
876                 "invalid fp arithmetic",
877                 /* If this gets ever changed, make sure JITs can deal with it. */
878                 .insns = {
879                         BPF_MOV64_IMM(BPF_REG_0, 0),
880                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
881                         BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
882                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
883                         BPF_EXIT_INSN(),
884                 },
885                 .errstr = "R1 subtraction from stack pointer",
886                 .result = REJECT,
887         },
888         {
889                 "non-invalid fp arithmetic",
890                 .insns = {
891                         BPF_MOV64_IMM(BPF_REG_0, 0),
892                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
893                         BPF_EXIT_INSN(),
894                 },
895                 .result = ACCEPT,
896         },
897         {
898                 "invalid argument register",
899                 .insns = {
900                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
901                                      BPF_FUNC_get_cgroup_classid),
902                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
903                                      BPF_FUNC_get_cgroup_classid),
904                         BPF_EXIT_INSN(),
905                 },
906                 .errstr = "R1 !read_ok",
907                 .result = REJECT,
908                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
909         },
910         {
911                 "non-invalid argument register",
912                 .insns = {
913                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
914                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
915                                      BPF_FUNC_get_cgroup_classid),
916                         BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
917                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
918                                      BPF_FUNC_get_cgroup_classid),
919                         BPF_EXIT_INSN(),
920                 },
921                 .result = ACCEPT,
922                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
923         },
924         {
925                 "check valid spill/fill",
926                 .insns = {
927                         /* spill R1(ctx) into stack */
928                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
929                         /* fill it back into R2 */
930                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
931                         /* should be able to access R0 = *(R2 + 8) */
932                         /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
933                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
934                         BPF_EXIT_INSN(),
935                 },
936                 .errstr_unpriv = "R0 leaks addr",
937                 .result = ACCEPT,
938                 .result_unpriv = REJECT,
939                 .retval = POINTER_VALUE,
940         },
941         {
942                 "check valid spill/fill, skb mark",
943                 .insns = {
944                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
945                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
946                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
947                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
948                                     offsetof(struct __sk_buff, mark)),
949                         BPF_EXIT_INSN(),
950                 },
951                 .result = ACCEPT,
952                 .result_unpriv = ACCEPT,
953         },
954         {
955                 "check corrupted spill/fill",
956                 .insns = {
957                         /* spill R1(ctx) into stack */
958                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
959                         /* mess up with R1 pointer on stack */
960                         BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
961                         /* fill back into R0 should fail */
962                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
963                         BPF_EXIT_INSN(),
964                 },
965                 .errstr_unpriv = "attempt to corrupt spilled",
966                 .errstr = "corrupted spill",
967                 .result = REJECT,
968         },
969         {
970                 "invalid src register in STX",
971                 .insns = {
972                         BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
973                         BPF_EXIT_INSN(),
974                 },
975                 .errstr = "R15 is invalid",
976                 .result = REJECT,
977         },
978         {
979                 "invalid dst register in STX",
980                 .insns = {
981                         BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
982                         BPF_EXIT_INSN(),
983                 },
984                 .errstr = "R14 is invalid",
985                 .result = REJECT,
986         },
987         {
988                 "invalid dst register in ST",
989                 .insns = {
990                         BPF_ST_MEM(BPF_B, 14, -1, -1),
991                         BPF_EXIT_INSN(),
992                 },
993                 .errstr = "R14 is invalid",
994                 .result = REJECT,
995         },
996         {
997                 "invalid src register in LDX",
998                 .insns = {
999                         BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1000                         BPF_EXIT_INSN(),
1001                 },
1002                 .errstr = "R12 is invalid",
1003                 .result = REJECT,
1004         },
1005         {
1006                 "invalid dst register in LDX",
1007                 .insns = {
1008                         BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1009                         BPF_EXIT_INSN(),
1010                 },
1011                 .errstr = "R11 is invalid",
1012                 .result = REJECT,
1013         },
1014         {
1015                 "junk insn",
1016                 .insns = {
1017                         BPF_RAW_INSN(0, 0, 0, 0, 0),
1018                         BPF_EXIT_INSN(),
1019                 },
1020                 .errstr = "unknown opcode 00",
1021                 .result = REJECT,
1022         },
1023         {
1024                 "junk insn2",
1025                 .insns = {
1026                         BPF_RAW_INSN(1, 0, 0, 0, 0),
1027                         BPF_EXIT_INSN(),
1028                 },
1029                 .errstr = "BPF_LDX uses reserved fields",
1030                 .result = REJECT,
1031         },
1032         {
1033                 "junk insn3",
1034                 .insns = {
1035                         BPF_RAW_INSN(-1, 0, 0, 0, 0),
1036                         BPF_EXIT_INSN(),
1037                 },
1038                 .errstr = "unknown opcode ff",
1039                 .result = REJECT,
1040         },
1041         {
1042                 "junk insn4",
1043                 .insns = {
1044                         BPF_RAW_INSN(-1, -1, -1, -1, -1),
1045                         BPF_EXIT_INSN(),
1046                 },
1047                 .errstr = "unknown opcode ff",
1048                 .result = REJECT,
1049         },
1050         {
1051                 "junk insn5",
1052                 .insns = {
1053                         BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1054                         BPF_EXIT_INSN(),
1055                 },
1056                 .errstr = "BPF_ALU uses reserved fields",
1057                 .result = REJECT,
1058         },
1059         {
1060                 "misaligned read from stack",
1061                 .insns = {
1062                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1063                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1064                         BPF_EXIT_INSN(),
1065                 },
1066                 .errstr = "misaligned stack access",
1067                 .result = REJECT,
1068         },
1069         {
1070                 "invalid map_fd for function call",
1071                 .insns = {
1072                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1073                         BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1074                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1075                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1076                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1077                                      BPF_FUNC_map_delete_elem),
1078                         BPF_EXIT_INSN(),
1079                 },
1080                 .errstr = "fd 0 is not pointing to valid bpf_map",
1081                 .result = REJECT,
1082         },
1083         {
1084                 "don't check return value before access",
1085                 .insns = {
1086                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1087                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1088                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1089                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1090                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1091                                      BPF_FUNC_map_lookup_elem),
1092                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1093                         BPF_EXIT_INSN(),
1094                 },
1095                 .fixup_map1 = { 3 },
1096                 .errstr = "R0 invalid mem access 'map_value_or_null'",
1097                 .result = REJECT,
1098         },
1099         {
1100                 "access memory with incorrect alignment",
1101                 .insns = {
1102                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1103                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1104                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1105                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1106                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1107                                      BPF_FUNC_map_lookup_elem),
1108                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1109                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1110                         BPF_EXIT_INSN(),
1111                 },
1112                 .fixup_map1 = { 3 },
1113                 .errstr = "misaligned value access",
1114                 .result = REJECT,
1115                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1116         },
1117         {
1118                 "sometimes access memory with incorrect alignment",
1119                 .insns = {
1120                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1121                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1122                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1123                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1124                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1125                                      BPF_FUNC_map_lookup_elem),
1126                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1127                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1128                         BPF_EXIT_INSN(),
1129                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1130                         BPF_EXIT_INSN(),
1131                 },
1132                 .fixup_map1 = { 3 },
1133                 .errstr = "R0 invalid mem access",
1134                 .errstr_unpriv = "R0 leaks addr",
1135                 .result = REJECT,
1136                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1137         },
1138         {
1139                 "jump test 1",
1140                 .insns = {
1141                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1142                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1143                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1144                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1145                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1146                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1147                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1148                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1149                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1150                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1151                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1152                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1153                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1154                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1155                         BPF_MOV64_IMM(BPF_REG_0, 0),
1156                         BPF_EXIT_INSN(),
1157                 },
1158                 .errstr_unpriv = "R1 pointer comparison",
1159                 .result_unpriv = REJECT,
1160                 .result = ACCEPT,
1161         },
1162         {
1163                 "jump test 2",
1164                 .insns = {
1165                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1166                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1167                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1168                         BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1169                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1170                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1171                         BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1172                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1173                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1174                         BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1175                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1176                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1177                         BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1178                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1179                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1180                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1181                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1182                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1183                         BPF_MOV64_IMM(BPF_REG_0, 0),
1184                         BPF_EXIT_INSN(),
1185                 },
1186                 .errstr_unpriv = "R1 pointer comparison",
1187                 .result_unpriv = REJECT,
1188                 .result = ACCEPT,
1189         },
1190         {
1191                 "jump test 3",
1192                 .insns = {
1193                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1194                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1195                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1196                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1197                         BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1198                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1199                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1200                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1201                         BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1202                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1203                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1204                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1205                         BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1206                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1207                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1208                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1209                         BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1210                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1211                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1212                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1213                         BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1214                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1215                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1216                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1217                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1218                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1219                                      BPF_FUNC_map_delete_elem),
1220                         BPF_EXIT_INSN(),
1221                 },
1222                 .fixup_map1 = { 24 },
1223                 .errstr_unpriv = "R1 pointer comparison",
1224                 .result_unpriv = REJECT,
1225                 .result = ACCEPT,
1226                 .retval = -ENOENT,
1227         },
1228         {
1229                 "jump test 4",
1230                 .insns = {
1231                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1232                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1233                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1234                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1235                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1236                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1237                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1238                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1239                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1240                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1241                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1242                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1243                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1244                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1245                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1246                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1247                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1248                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1249                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1250                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1251                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1252                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1253                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1254                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1255                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1256                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1257                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1258                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1259                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1260                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1261                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1262                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1263                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1264                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1265                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1266                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1267                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1268                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1269                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1270                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1271                         BPF_MOV64_IMM(BPF_REG_0, 0),
1272                         BPF_EXIT_INSN(),
1273                 },
1274                 .errstr_unpriv = "R1 pointer comparison",
1275                 .result_unpriv = REJECT,
1276                 .result = ACCEPT,
1277         },
1278         {
1279                 "jump test 5",
1280                 .insns = {
1281                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1282                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1283                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1284                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1285                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1286                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1287                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1288                         BPF_MOV64_IMM(BPF_REG_0, 0),
1289                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1290                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1291                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1292                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1293                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1294                         BPF_MOV64_IMM(BPF_REG_0, 0),
1295                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1296                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1297                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1298                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1299                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1300                         BPF_MOV64_IMM(BPF_REG_0, 0),
1301                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1302                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1303                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1304                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1305                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1306                         BPF_MOV64_IMM(BPF_REG_0, 0),
1307                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1308                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1309                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1310                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1311                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1312                         BPF_MOV64_IMM(BPF_REG_0, 0),
1313                         BPF_EXIT_INSN(),
1314                 },
1315                 .errstr_unpriv = "R1 pointer comparison",
1316                 .result_unpriv = REJECT,
1317                 .result = ACCEPT,
1318         },
1319         {
1320                 "access skb fields ok",
1321                 .insns = {
1322                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1323                                     offsetof(struct __sk_buff, len)),
1324                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1325                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1326                                     offsetof(struct __sk_buff, mark)),
1327                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1328                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1329                                     offsetof(struct __sk_buff, pkt_type)),
1330                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1331                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1332                                     offsetof(struct __sk_buff, queue_mapping)),
1333                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1334                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1335                                     offsetof(struct __sk_buff, protocol)),
1336                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1337                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1338                                     offsetof(struct __sk_buff, vlan_present)),
1339                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1340                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1341                                     offsetof(struct __sk_buff, vlan_tci)),
1342                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1343                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1344                                     offsetof(struct __sk_buff, napi_id)),
1345                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1346                         BPF_EXIT_INSN(),
1347                 },
1348                 .result = ACCEPT,
1349         },
1350         {
1351                 "access skb fields bad1",
1352                 .insns = {
1353                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1354                         BPF_EXIT_INSN(),
1355                 },
1356                 .errstr = "invalid bpf_context access",
1357                 .result = REJECT,
1358         },
1359         {
1360                 "access skb fields bad2",
1361                 .insns = {
1362                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1363                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1364                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1365                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1366                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1367                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1368                                      BPF_FUNC_map_lookup_elem),
1369                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1370                         BPF_EXIT_INSN(),
1371                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1372                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1373                                     offsetof(struct __sk_buff, pkt_type)),
1374                         BPF_EXIT_INSN(),
1375                 },
1376                 .fixup_map1 = { 4 },
1377                 .errstr = "different pointers",
1378                 .errstr_unpriv = "R1 pointer comparison",
1379                 .result = REJECT,
1380         },
1381         {
1382                 "access skb fields bad3",
1383                 .insns = {
1384                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1385                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1386                                     offsetof(struct __sk_buff, pkt_type)),
1387                         BPF_EXIT_INSN(),
1388                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1389                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1390                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1391                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1392                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1393                                      BPF_FUNC_map_lookup_elem),
1394                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1395                         BPF_EXIT_INSN(),
1396                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1397                         BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1398                 },
1399                 .fixup_map1 = { 6 },
1400                 .errstr = "different pointers",
1401                 .errstr_unpriv = "R1 pointer comparison",
1402                 .result = REJECT,
1403         },
1404         {
1405                 "access skb fields bad4",
1406                 .insns = {
1407                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1408                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1409                                     offsetof(struct __sk_buff, len)),
1410                         BPF_MOV64_IMM(BPF_REG_0, 0),
1411                         BPF_EXIT_INSN(),
1412                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1413                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1414                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1415                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1416                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1417                                      BPF_FUNC_map_lookup_elem),
1418                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1419                         BPF_EXIT_INSN(),
1420                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1421                         BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1422                 },
1423                 .fixup_map1 = { 7 },
1424                 .errstr = "different pointers",
1425                 .errstr_unpriv = "R1 pointer comparison",
1426                 .result = REJECT,
1427         },
1428         {
1429                 "invalid access __sk_buff family",
1430                 .insns = {
1431                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1432                                     offsetof(struct __sk_buff, family)),
1433                         BPF_EXIT_INSN(),
1434                 },
1435                 .errstr = "invalid bpf_context access",
1436                 .result = REJECT,
1437         },
1438         {
1439                 "invalid access __sk_buff remote_ip4",
1440                 .insns = {
1441                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1442                                     offsetof(struct __sk_buff, remote_ip4)),
1443                         BPF_EXIT_INSN(),
1444                 },
1445                 .errstr = "invalid bpf_context access",
1446                 .result = REJECT,
1447         },
1448         {
1449                 "invalid access __sk_buff local_ip4",
1450                 .insns = {
1451                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1452                                     offsetof(struct __sk_buff, local_ip4)),
1453                         BPF_EXIT_INSN(),
1454                 },
1455                 .errstr = "invalid bpf_context access",
1456                 .result = REJECT,
1457         },
1458         {
1459                 "invalid access __sk_buff remote_ip6",
1460                 .insns = {
1461                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1462                                     offsetof(struct __sk_buff, remote_ip6)),
1463                         BPF_EXIT_INSN(),
1464                 },
1465                 .errstr = "invalid bpf_context access",
1466                 .result = REJECT,
1467         },
1468         {
1469                 "invalid access __sk_buff local_ip6",
1470                 .insns = {
1471                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1472                                     offsetof(struct __sk_buff, local_ip6)),
1473                         BPF_EXIT_INSN(),
1474                 },
1475                 .errstr = "invalid bpf_context access",
1476                 .result = REJECT,
1477         },
1478         {
1479                 "invalid access __sk_buff remote_port",
1480                 .insns = {
1481                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1482                                     offsetof(struct __sk_buff, remote_port)),
1483                         BPF_EXIT_INSN(),
1484                 },
1485                 .errstr = "invalid bpf_context access",
1486                 .result = REJECT,
1487         },
1488         {
1489                 "invalid access __sk_buff remote_port",
1490                 .insns = {
1491                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1492                                     offsetof(struct __sk_buff, local_port)),
1493                         BPF_EXIT_INSN(),
1494                 },
1495                 .errstr = "invalid bpf_context access",
1496                 .result = REJECT,
1497         },
1498         {
1499                 "valid access __sk_buff family",
1500                 .insns = {
1501                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1502                                     offsetof(struct __sk_buff, family)),
1503                         BPF_EXIT_INSN(),
1504                 },
1505                 .result = ACCEPT,
1506                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1507         },
1508         {
1509                 "valid access __sk_buff remote_ip4",
1510                 .insns = {
1511                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1512                                     offsetof(struct __sk_buff, remote_ip4)),
1513                         BPF_EXIT_INSN(),
1514                 },
1515                 .result = ACCEPT,
1516                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1517         },
1518         {
1519                 "valid access __sk_buff local_ip4",
1520                 .insns = {
1521                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1522                                     offsetof(struct __sk_buff, local_ip4)),
1523                         BPF_EXIT_INSN(),
1524                 },
1525                 .result = ACCEPT,
1526                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1527         },
1528         {
1529                 "valid access __sk_buff remote_ip6",
1530                 .insns = {
1531                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1532                                     offsetof(struct __sk_buff, remote_ip6[0])),
1533                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1534                                     offsetof(struct __sk_buff, remote_ip6[1])),
1535                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1536                                     offsetof(struct __sk_buff, remote_ip6[2])),
1537                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1538                                     offsetof(struct __sk_buff, remote_ip6[3])),
1539                         BPF_EXIT_INSN(),
1540                 },
1541                 .result = ACCEPT,
1542                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1543         },
1544         {
1545                 "valid access __sk_buff local_ip6",
1546                 .insns = {
1547                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1548                                     offsetof(struct __sk_buff, local_ip6[0])),
1549                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1550                                     offsetof(struct __sk_buff, local_ip6[1])),
1551                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1552                                     offsetof(struct __sk_buff, local_ip6[2])),
1553                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1554                                     offsetof(struct __sk_buff, local_ip6[3])),
1555                         BPF_EXIT_INSN(),
1556                 },
1557                 .result = ACCEPT,
1558                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1559         },
1560         {
1561                 "valid access __sk_buff remote_port",
1562                 .insns = {
1563                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1564                                     offsetof(struct __sk_buff, remote_port)),
1565                         BPF_EXIT_INSN(),
1566                 },
1567                 .result = ACCEPT,
1568                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1569         },
1570         {
1571                 "valid access __sk_buff remote_port",
1572                 .insns = {
1573                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1574                                     offsetof(struct __sk_buff, local_port)),
1575                         BPF_EXIT_INSN(),
1576                 },
1577                 .result = ACCEPT,
1578                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1579         },
1580         {
1581                 "invalid access of tc_classid for SK_SKB",
1582                 .insns = {
1583                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1584                                     offsetof(struct __sk_buff, tc_classid)),
1585                         BPF_EXIT_INSN(),
1586                 },
1587                 .result = REJECT,
1588                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1589                 .errstr = "invalid bpf_context access",
1590         },
1591         {
1592                 "invalid access of skb->mark for SK_SKB",
1593                 .insns = {
1594                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1595                                     offsetof(struct __sk_buff, mark)),
1596                         BPF_EXIT_INSN(),
1597                 },
1598                 .result =  REJECT,
1599                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1600                 .errstr = "invalid bpf_context access",
1601         },
1602         {
1603                 "check skb->mark is not writeable by SK_SKB",
1604                 .insns = {
1605                         BPF_MOV64_IMM(BPF_REG_0, 0),
1606                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1607                                     offsetof(struct __sk_buff, mark)),
1608                         BPF_EXIT_INSN(),
1609                 },
1610                 .result =  REJECT,
1611                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1612                 .errstr = "invalid bpf_context access",
1613         },
1614         {
1615                 "check skb->tc_index is writeable by SK_SKB",
1616                 .insns = {
1617                         BPF_MOV64_IMM(BPF_REG_0, 0),
1618                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1619                                     offsetof(struct __sk_buff, tc_index)),
1620                         BPF_EXIT_INSN(),
1621                 },
1622                 .result = ACCEPT,
1623                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1624         },
1625         {
1626                 "check skb->priority is writeable by SK_SKB",
1627                 .insns = {
1628                         BPF_MOV64_IMM(BPF_REG_0, 0),
1629                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1630                                     offsetof(struct __sk_buff, priority)),
1631                         BPF_EXIT_INSN(),
1632                 },
1633                 .result = ACCEPT,
1634                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1635         },
1636         {
1637                 "direct packet read for SK_SKB",
1638                 .insns = {
1639                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1640                                     offsetof(struct __sk_buff, data)),
1641                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1642                                     offsetof(struct __sk_buff, data_end)),
1643                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1644                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1645                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1646                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1647                         BPF_MOV64_IMM(BPF_REG_0, 0),
1648                         BPF_EXIT_INSN(),
1649                 },
1650                 .result = ACCEPT,
1651                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1652         },
1653         {
1654                 "direct packet write for SK_SKB",
1655                 .insns = {
1656                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1657                                     offsetof(struct __sk_buff, data)),
1658                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1659                                     offsetof(struct __sk_buff, data_end)),
1660                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1661                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1662                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1663                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1664                         BPF_MOV64_IMM(BPF_REG_0, 0),
1665                         BPF_EXIT_INSN(),
1666                 },
1667                 .result = ACCEPT,
1668                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1669         },
1670         {
1671                 "overlapping checks for direct packet access SK_SKB",
1672                 .insns = {
1673                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1674                                     offsetof(struct __sk_buff, data)),
1675                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1676                                     offsetof(struct __sk_buff, data_end)),
1677                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1678                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1679                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1680                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1681                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1682                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1683                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1684                         BPF_MOV64_IMM(BPF_REG_0, 0),
1685                         BPF_EXIT_INSN(),
1686                 },
1687                 .result = ACCEPT,
1688                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1689         },
1690         {
1691                 "valid access family in SK_MSG",
1692                 .insns = {
1693                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1694                                     offsetof(struct sk_msg_md, family)),
1695                         BPF_EXIT_INSN(),
1696                 },
1697                 .result = ACCEPT,
1698                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1699         },
1700         {
1701                 "valid access remote_ip4 in SK_MSG",
1702                 .insns = {
1703                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1704                                     offsetof(struct sk_msg_md, remote_ip4)),
1705                         BPF_EXIT_INSN(),
1706                 },
1707                 .result = ACCEPT,
1708                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1709         },
1710         {
1711                 "valid access local_ip4 in SK_MSG",
1712                 .insns = {
1713                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1714                                     offsetof(struct sk_msg_md, local_ip4)),
1715                         BPF_EXIT_INSN(),
1716                 },
1717                 .result = ACCEPT,
1718                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1719         },
1720         {
1721                 "valid access remote_port in SK_MSG",
1722                 .insns = {
1723                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1724                                     offsetof(struct sk_msg_md, remote_port)),
1725                         BPF_EXIT_INSN(),
1726                 },
1727                 .result = ACCEPT,
1728                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1729         },
1730         {
1731                 "valid access local_port in SK_MSG",
1732                 .insns = {
1733                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1734                                     offsetof(struct sk_msg_md, local_port)),
1735                         BPF_EXIT_INSN(),
1736                 },
1737                 .result = ACCEPT,
1738                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1739         },
1740         {
1741                 "valid access remote_ip6 in SK_MSG",
1742                 .insns = {
1743                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1744                                     offsetof(struct sk_msg_md, remote_ip6[0])),
1745                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746                                     offsetof(struct sk_msg_md, remote_ip6[1])),
1747                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1748                                     offsetof(struct sk_msg_md, remote_ip6[2])),
1749                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1750                                     offsetof(struct sk_msg_md, remote_ip6[3])),
1751                         BPF_EXIT_INSN(),
1752                 },
1753                 .result = ACCEPT,
1754                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1755         },
1756         {
1757                 "valid access local_ip6 in SK_MSG",
1758                 .insns = {
1759                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1760                                     offsetof(struct sk_msg_md, local_ip6[0])),
1761                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1762                                     offsetof(struct sk_msg_md, local_ip6[1])),
1763                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1764                                     offsetof(struct sk_msg_md, local_ip6[2])),
1765                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1766                                     offsetof(struct sk_msg_md, local_ip6[3])),
1767                         BPF_EXIT_INSN(),
1768                 },
1769                 .result = ACCEPT,
1770                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1771         },
1772         {
1773                 "invalid 64B read of family in SK_MSG",
1774                 .insns = {
1775                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1776                                     offsetof(struct sk_msg_md, family)),
1777                         BPF_EXIT_INSN(),
1778                 },
1779                 .errstr = "invalid bpf_context access",
1780                 .result = REJECT,
1781                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1782         },
1783         {
1784                 "invalid read past end of SK_MSG",
1785                 .insns = {
1786                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1787                                     offsetof(struct sk_msg_md, local_port) + 4),
1788                         BPF_EXIT_INSN(),
1789                 },
1790                 .errstr = "R0 !read_ok",
1791                 .result = REJECT,
1792                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1793         },
1794         {
1795                 "invalid read offset in SK_MSG",
1796                 .insns = {
1797                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1798                                     offsetof(struct sk_msg_md, family) + 1),
1799                         BPF_EXIT_INSN(),
1800                 },
1801                 .errstr = "invalid bpf_context access",
1802                 .result = REJECT,
1803                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1804         },
1805         {
1806                 "direct packet read for SK_MSG",
1807                 .insns = {
1808                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1809                                     offsetof(struct sk_msg_md, data)),
1810                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1811                                     offsetof(struct sk_msg_md, data_end)),
1812                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1813                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1814                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1815                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1816                         BPF_MOV64_IMM(BPF_REG_0, 0),
1817                         BPF_EXIT_INSN(),
1818                 },
1819                 .result = ACCEPT,
1820                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1821         },
1822         {
1823                 "direct packet write for SK_MSG",
1824                 .insns = {
1825                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1826                                     offsetof(struct sk_msg_md, data)),
1827                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1828                                     offsetof(struct sk_msg_md, data_end)),
1829                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1830                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1831                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1832                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1833                         BPF_MOV64_IMM(BPF_REG_0, 0),
1834                         BPF_EXIT_INSN(),
1835                 },
1836                 .result = ACCEPT,
1837                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1838         },
1839         {
1840                 "overlapping checks for direct packet access SK_MSG",
1841                 .insns = {
1842                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1843                                     offsetof(struct sk_msg_md, data)),
1844                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1845                                     offsetof(struct sk_msg_md, data_end)),
1846                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1847                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1848                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1849                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1850                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1851                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1852                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1853                         BPF_MOV64_IMM(BPF_REG_0, 0),
1854                         BPF_EXIT_INSN(),
1855                 },
1856                 .result = ACCEPT,
1857                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1858         },
1859         {
1860                 "check skb->mark is not writeable by sockets",
1861                 .insns = {
1862                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1863                                     offsetof(struct __sk_buff, mark)),
1864                         BPF_EXIT_INSN(),
1865                 },
1866                 .errstr = "invalid bpf_context access",
1867                 .errstr_unpriv = "R1 leaks addr",
1868                 .result = REJECT,
1869         },
1870         {
1871                 "check skb->tc_index is not writeable by sockets",
1872                 .insns = {
1873                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1874                                     offsetof(struct __sk_buff, tc_index)),
1875                         BPF_EXIT_INSN(),
1876                 },
1877                 .errstr = "invalid bpf_context access",
1878                 .errstr_unpriv = "R1 leaks addr",
1879                 .result = REJECT,
1880         },
1881         {
1882                 "check cb access: byte",
1883                 .insns = {
1884                         BPF_MOV64_IMM(BPF_REG_0, 0),
1885                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1886                                     offsetof(struct __sk_buff, cb[0])),
1887                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1888                                     offsetof(struct __sk_buff, cb[0]) + 1),
1889                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1890                                     offsetof(struct __sk_buff, cb[0]) + 2),
1891                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1892                                     offsetof(struct __sk_buff, cb[0]) + 3),
1893                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1894                                     offsetof(struct __sk_buff, cb[1])),
1895                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1896                                     offsetof(struct __sk_buff, cb[1]) + 1),
1897                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1898                                     offsetof(struct __sk_buff, cb[1]) + 2),
1899                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1900                                     offsetof(struct __sk_buff, cb[1]) + 3),
1901                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1902                                     offsetof(struct __sk_buff, cb[2])),
1903                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1904                                     offsetof(struct __sk_buff, cb[2]) + 1),
1905                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1906                                     offsetof(struct __sk_buff, cb[2]) + 2),
1907                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1908                                     offsetof(struct __sk_buff, cb[2]) + 3),
1909                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1910                                     offsetof(struct __sk_buff, cb[3])),
1911                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1912                                     offsetof(struct __sk_buff, cb[3]) + 1),
1913                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1914                                     offsetof(struct __sk_buff, cb[3]) + 2),
1915                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1916                                     offsetof(struct __sk_buff, cb[3]) + 3),
1917                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1918                                     offsetof(struct __sk_buff, cb[4])),
1919                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1920                                     offsetof(struct __sk_buff, cb[4]) + 1),
1921                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1922                                     offsetof(struct __sk_buff, cb[4]) + 2),
1923                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1924                                     offsetof(struct __sk_buff, cb[4]) + 3),
1925                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1926                                     offsetof(struct __sk_buff, cb[0])),
1927                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1928                                     offsetof(struct __sk_buff, cb[0]) + 1),
1929                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1930                                     offsetof(struct __sk_buff, cb[0]) + 2),
1931                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1932                                     offsetof(struct __sk_buff, cb[0]) + 3),
1933                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1934                                     offsetof(struct __sk_buff, cb[1])),
1935                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1936                                     offsetof(struct __sk_buff, cb[1]) + 1),
1937                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1938                                     offsetof(struct __sk_buff, cb[1]) + 2),
1939                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1940                                     offsetof(struct __sk_buff, cb[1]) + 3),
1941                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1942                                     offsetof(struct __sk_buff, cb[2])),
1943                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1944                                     offsetof(struct __sk_buff, cb[2]) + 1),
1945                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1946                                     offsetof(struct __sk_buff, cb[2]) + 2),
1947                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1948                                     offsetof(struct __sk_buff, cb[2]) + 3),
1949                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1950                                     offsetof(struct __sk_buff, cb[3])),
1951                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1952                                     offsetof(struct __sk_buff, cb[3]) + 1),
1953                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1954                                     offsetof(struct __sk_buff, cb[3]) + 2),
1955                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1956                                     offsetof(struct __sk_buff, cb[3]) + 3),
1957                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1958                                     offsetof(struct __sk_buff, cb[4])),
1959                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1960                                     offsetof(struct __sk_buff, cb[4]) + 1),
1961                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1962                                     offsetof(struct __sk_buff, cb[4]) + 2),
1963                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1964                                     offsetof(struct __sk_buff, cb[4]) + 3),
1965                         BPF_EXIT_INSN(),
1966                 },
1967                 .result = ACCEPT,
1968         },
1969         {
1970                 "__sk_buff->hash, offset 0, byte store not permitted",
1971                 .insns = {
1972                         BPF_MOV64_IMM(BPF_REG_0, 0),
1973                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1974                                     offsetof(struct __sk_buff, hash)),
1975                         BPF_EXIT_INSN(),
1976                 },
1977                 .errstr = "invalid bpf_context access",
1978                 .result = REJECT,
1979         },
1980         {
1981                 "__sk_buff->tc_index, offset 3, byte store not permitted",
1982                 .insns = {
1983                         BPF_MOV64_IMM(BPF_REG_0, 0),
1984                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1985                                     offsetof(struct __sk_buff, tc_index) + 3),
1986                         BPF_EXIT_INSN(),
1987                 },
1988                 .errstr = "invalid bpf_context access",
1989                 .result = REJECT,
1990         },
1991         {
1992                 "check skb->hash byte load permitted",
1993                 .insns = {
1994                         BPF_MOV64_IMM(BPF_REG_0, 0),
1995 #if __BYTE_ORDER == __LITTLE_ENDIAN
1996                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1997                                     offsetof(struct __sk_buff, hash)),
1998 #else
1999                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2000                                     offsetof(struct __sk_buff, hash) + 3),
2001 #endif
2002                         BPF_EXIT_INSN(),
2003                 },
2004                 .result = ACCEPT,
2005         },
2006         {
2007                 "check skb->hash byte load not permitted 1",
2008                 .insns = {
2009                         BPF_MOV64_IMM(BPF_REG_0, 0),
2010                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2011                                     offsetof(struct __sk_buff, hash) + 1),
2012                         BPF_EXIT_INSN(),
2013                 },
2014                 .errstr = "invalid bpf_context access",
2015                 .result = REJECT,
2016         },
2017         {
2018                 "check skb->hash byte load not permitted 2",
2019                 .insns = {
2020                         BPF_MOV64_IMM(BPF_REG_0, 0),
2021                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2022                                     offsetof(struct __sk_buff, hash) + 2),
2023                         BPF_EXIT_INSN(),
2024                 },
2025                 .errstr = "invalid bpf_context access",
2026                 .result = REJECT,
2027         },
2028         {
2029                 "check skb->hash byte load not permitted 3",
2030                 .insns = {
2031                         BPF_MOV64_IMM(BPF_REG_0, 0),
2032 #if __BYTE_ORDER == __LITTLE_ENDIAN
2033                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2034                                     offsetof(struct __sk_buff, hash) + 3),
2035 #else
2036                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2037                                     offsetof(struct __sk_buff, hash)),
2038 #endif
2039                         BPF_EXIT_INSN(),
2040                 },
2041                 .errstr = "invalid bpf_context access",
2042                 .result = REJECT,
2043         },
2044         {
2045                 "check cb access: byte, wrong type",
2046                 .insns = {
2047                         BPF_MOV64_IMM(BPF_REG_0, 0),
2048                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2049                                     offsetof(struct __sk_buff, cb[0])),
2050                         BPF_EXIT_INSN(),
2051                 },
2052                 .errstr = "invalid bpf_context access",
2053                 .result = REJECT,
2054                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2055         },
2056         {
2057                 "check cb access: half",
2058                 .insns = {
2059                         BPF_MOV64_IMM(BPF_REG_0, 0),
2060                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2061                                     offsetof(struct __sk_buff, cb[0])),
2062                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2063                                     offsetof(struct __sk_buff, cb[0]) + 2),
2064                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2065                                     offsetof(struct __sk_buff, cb[1])),
2066                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2067                                     offsetof(struct __sk_buff, cb[1]) + 2),
2068                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2069                                     offsetof(struct __sk_buff, cb[2])),
2070                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2071                                     offsetof(struct __sk_buff, cb[2]) + 2),
2072                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2073                                     offsetof(struct __sk_buff, cb[3])),
2074                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2075                                     offsetof(struct __sk_buff, cb[3]) + 2),
2076                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2077                                     offsetof(struct __sk_buff, cb[4])),
2078                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2079                                     offsetof(struct __sk_buff, cb[4]) + 2),
2080                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2081                                     offsetof(struct __sk_buff, cb[0])),
2082                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2083                                     offsetof(struct __sk_buff, cb[0]) + 2),
2084                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2085                                     offsetof(struct __sk_buff, cb[1])),
2086                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2087                                     offsetof(struct __sk_buff, cb[1]) + 2),
2088                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2089                                     offsetof(struct __sk_buff, cb[2])),
2090                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2091                                     offsetof(struct __sk_buff, cb[2]) + 2),
2092                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2093                                     offsetof(struct __sk_buff, cb[3])),
2094                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2095                                     offsetof(struct __sk_buff, cb[3]) + 2),
2096                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2097                                     offsetof(struct __sk_buff, cb[4])),
2098                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2099                                     offsetof(struct __sk_buff, cb[4]) + 2),
2100                         BPF_EXIT_INSN(),
2101                 },
2102                 .result = ACCEPT,
2103         },
2104         {
2105                 "check cb access: half, unaligned",
2106                 .insns = {
2107                         BPF_MOV64_IMM(BPF_REG_0, 0),
2108                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2109                                     offsetof(struct __sk_buff, cb[0]) + 1),
2110                         BPF_EXIT_INSN(),
2111                 },
2112                 .errstr = "misaligned context access",
2113                 .result = REJECT,
2114                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2115         },
2116         {
2117                 "check __sk_buff->hash, offset 0, half store not permitted",
2118                 .insns = {
2119                         BPF_MOV64_IMM(BPF_REG_0, 0),
2120                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2121                                     offsetof(struct __sk_buff, hash)),
2122                         BPF_EXIT_INSN(),
2123                 },
2124                 .errstr = "invalid bpf_context access",
2125                 .result = REJECT,
2126         },
2127         {
2128                 "check __sk_buff->tc_index, offset 2, half store not permitted",
2129                 .insns = {
2130                         BPF_MOV64_IMM(BPF_REG_0, 0),
2131                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2132                                     offsetof(struct __sk_buff, tc_index) + 2),
2133                         BPF_EXIT_INSN(),
2134                 },
2135                 .errstr = "invalid bpf_context access",
2136                 .result = REJECT,
2137         },
2138         {
2139                 "check skb->hash half load permitted",
2140                 .insns = {
2141                         BPF_MOV64_IMM(BPF_REG_0, 0),
2142 #if __BYTE_ORDER == __LITTLE_ENDIAN
2143                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2144                                     offsetof(struct __sk_buff, hash)),
2145 #else
2146                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2147                                     offsetof(struct __sk_buff, hash) + 2),
2148 #endif
2149                         BPF_EXIT_INSN(),
2150                 },
2151                 .result = ACCEPT,
2152         },
2153         {
2154                 "check skb->hash half load not permitted",
2155                 .insns = {
2156                         BPF_MOV64_IMM(BPF_REG_0, 0),
2157 #if __BYTE_ORDER == __LITTLE_ENDIAN
2158                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2159                                     offsetof(struct __sk_buff, hash) + 2),
2160 #else
2161                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2162                                     offsetof(struct __sk_buff, hash)),
2163 #endif
2164                         BPF_EXIT_INSN(),
2165                 },
2166                 .errstr = "invalid bpf_context access",
2167                 .result = REJECT,
2168         },
2169         {
2170                 "check cb access: half, wrong type",
2171                 .insns = {
2172                         BPF_MOV64_IMM(BPF_REG_0, 0),
2173                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2174                                     offsetof(struct __sk_buff, cb[0])),
2175                         BPF_EXIT_INSN(),
2176                 },
2177                 .errstr = "invalid bpf_context access",
2178                 .result = REJECT,
2179                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2180         },
2181         {
2182                 "check cb access: word",
2183                 .insns = {
2184                         BPF_MOV64_IMM(BPF_REG_0, 0),
2185                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2186                                     offsetof(struct __sk_buff, cb[0])),
2187                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2188                                     offsetof(struct __sk_buff, cb[1])),
2189                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2190                                     offsetof(struct __sk_buff, cb[2])),
2191                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2192                                     offsetof(struct __sk_buff, cb[3])),
2193                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2194                                     offsetof(struct __sk_buff, cb[4])),
2195                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2196                                     offsetof(struct __sk_buff, cb[0])),
2197                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2198                                     offsetof(struct __sk_buff, cb[1])),
2199                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2200                                     offsetof(struct __sk_buff, cb[2])),
2201                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2202                                     offsetof(struct __sk_buff, cb[3])),
2203                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2204                                     offsetof(struct __sk_buff, cb[4])),
2205                         BPF_EXIT_INSN(),
2206                 },
2207                 .result = ACCEPT,
2208         },
2209         {
2210                 "check cb access: word, unaligned 1",
2211                 .insns = {
2212                         BPF_MOV64_IMM(BPF_REG_0, 0),
2213                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2214                                     offsetof(struct __sk_buff, cb[0]) + 2),
2215                         BPF_EXIT_INSN(),
2216                 },
2217                 .errstr = "misaligned context access",
2218                 .result = REJECT,
2219                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2220         },
2221         {
2222                 "check cb access: word, unaligned 2",
2223                 .insns = {
2224                         BPF_MOV64_IMM(BPF_REG_0, 0),
2225                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2226                                     offsetof(struct __sk_buff, cb[4]) + 1),
2227                         BPF_EXIT_INSN(),
2228                 },
2229                 .errstr = "misaligned context access",
2230                 .result = REJECT,
2231                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2232         },
2233         {
2234                 "check cb access: word, unaligned 3",
2235                 .insns = {
2236                         BPF_MOV64_IMM(BPF_REG_0, 0),
2237                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2238                                     offsetof(struct __sk_buff, cb[4]) + 2),
2239                         BPF_EXIT_INSN(),
2240                 },
2241                 .errstr = "misaligned context access",
2242                 .result = REJECT,
2243                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2244         },
2245         {
2246                 "check cb access: word, unaligned 4",
2247                 .insns = {
2248                         BPF_MOV64_IMM(BPF_REG_0, 0),
2249                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2250                                     offsetof(struct __sk_buff, cb[4]) + 3),
2251                         BPF_EXIT_INSN(),
2252                 },
2253                 .errstr = "misaligned context access",
2254                 .result = REJECT,
2255                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2256         },
2257         {
2258                 "check cb access: double",
2259                 .insns = {
2260                         BPF_MOV64_IMM(BPF_REG_0, 0),
2261                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2262                                     offsetof(struct __sk_buff, cb[0])),
2263                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2264                                     offsetof(struct __sk_buff, cb[2])),
2265                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2266                                     offsetof(struct __sk_buff, cb[0])),
2267                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2268                                     offsetof(struct __sk_buff, cb[2])),
2269                         BPF_EXIT_INSN(),
2270                 },
2271                 .result = ACCEPT,
2272         },
2273         {
2274                 "check cb access: double, unaligned 1",
2275                 .insns = {
2276                         BPF_MOV64_IMM(BPF_REG_0, 0),
2277                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2278                                     offsetof(struct __sk_buff, cb[1])),
2279                         BPF_EXIT_INSN(),
2280                 },
2281                 .errstr = "misaligned context access",
2282                 .result = REJECT,
2283                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2284         },
2285         {
2286                 "check cb access: double, unaligned 2",
2287                 .insns = {
2288                         BPF_MOV64_IMM(BPF_REG_0, 0),
2289                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2290                                     offsetof(struct __sk_buff, cb[3])),
2291                         BPF_EXIT_INSN(),
2292                 },
2293                 .errstr = "misaligned context access",
2294                 .result = REJECT,
2295                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2296         },
2297         {
2298                 "check cb access: double, oob 1",
2299                 .insns = {
2300                         BPF_MOV64_IMM(BPF_REG_0, 0),
2301                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2302                                     offsetof(struct __sk_buff, cb[4])),
2303                         BPF_EXIT_INSN(),
2304                 },
2305                 .errstr = "invalid bpf_context access",
2306                 .result = REJECT,
2307         },
2308         {
2309                 "check cb access: double, oob 2",
2310                 .insns = {
2311                         BPF_MOV64_IMM(BPF_REG_0, 0),
2312                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2313                                     offsetof(struct __sk_buff, cb[4])),
2314                         BPF_EXIT_INSN(),
2315                 },
2316                 .errstr = "invalid bpf_context access",
2317                 .result = REJECT,
2318         },
2319         {
2320                 "check __sk_buff->ifindex dw store not permitted",
2321                 .insns = {
2322                         BPF_MOV64_IMM(BPF_REG_0, 0),
2323                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2324                                     offsetof(struct __sk_buff, ifindex)),
2325                         BPF_EXIT_INSN(),
2326                 },
2327                 .errstr = "invalid bpf_context access",
2328                 .result = REJECT,
2329         },
2330         {
2331                 "check __sk_buff->ifindex dw load not permitted",
2332                 .insns = {
2333                         BPF_MOV64_IMM(BPF_REG_0, 0),
2334                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2335                                     offsetof(struct __sk_buff, ifindex)),
2336                         BPF_EXIT_INSN(),
2337                 },
2338                 .errstr = "invalid bpf_context access",
2339                 .result = REJECT,
2340         },
2341         {
2342                 "check cb access: double, wrong type",
2343                 .insns = {
2344                         BPF_MOV64_IMM(BPF_REG_0, 0),
2345                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2346                                     offsetof(struct __sk_buff, cb[0])),
2347                         BPF_EXIT_INSN(),
2348                 },
2349                 .errstr = "invalid bpf_context access",
2350                 .result = REJECT,
2351                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2352         },
2353         {
2354                 "check out of range skb->cb access",
2355                 .insns = {
2356                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2357                                     offsetof(struct __sk_buff, cb[0]) + 256),
2358                         BPF_EXIT_INSN(),
2359                 },
2360                 .errstr = "invalid bpf_context access",
2361                 .errstr_unpriv = "",
2362                 .result = REJECT,
2363                 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2364         },
2365         {
2366                 "write skb fields from socket prog",
2367                 .insns = {
2368                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2369                                     offsetof(struct __sk_buff, cb[4])),
2370                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2371                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2372                                     offsetof(struct __sk_buff, mark)),
2373                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2374                                     offsetof(struct __sk_buff, tc_index)),
2375                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2376                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2377                                     offsetof(struct __sk_buff, cb[0])),
2378                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2379                                     offsetof(struct __sk_buff, cb[2])),
2380                         BPF_EXIT_INSN(),
2381                 },
2382                 .result = ACCEPT,
2383                 .errstr_unpriv = "R1 leaks addr",
2384                 .result_unpriv = REJECT,
2385         },
2386         {
2387                 "write skb fields from tc_cls_act prog",
2388                 .insns = {
2389                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2390                                     offsetof(struct __sk_buff, cb[0])),
2391                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2392                                     offsetof(struct __sk_buff, mark)),
2393                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2394                                     offsetof(struct __sk_buff, tc_index)),
2395                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2396                                     offsetof(struct __sk_buff, tc_index)),
2397                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2398                                     offsetof(struct __sk_buff, cb[3])),
2399                         BPF_EXIT_INSN(),
2400                 },
2401                 .errstr_unpriv = "",
2402                 .result_unpriv = REJECT,
2403                 .result = ACCEPT,
2404                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2405         },
2406         {
2407                 "PTR_TO_STACK store/load",
2408                 .insns = {
2409                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2410                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2411                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2412                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2413                         BPF_EXIT_INSN(),
2414                 },
2415                 .result = ACCEPT,
2416                 .retval = 0xfaceb00c,
2417         },
2418         {
2419                 "PTR_TO_STACK store/load - bad alignment on off",
2420                 .insns = {
2421                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2422                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2423                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2424                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2425                         BPF_EXIT_INSN(),
2426                 },
2427                 .result = REJECT,
2428                 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2429         },
2430         {
2431                 "PTR_TO_STACK store/load - bad alignment on reg",
2432                 .insns = {
2433                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2434                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2435                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2436                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2437                         BPF_EXIT_INSN(),
2438                 },
2439                 .result = REJECT,
2440                 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2441         },
2442         {
2443                 "PTR_TO_STACK store/load - out of bounds low",
2444                 .insns = {
2445                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2446                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2447                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2448                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2449                         BPF_EXIT_INSN(),
2450                 },
2451                 .result = REJECT,
2452                 .errstr = "invalid stack off=-79992 size=8",
2453         },
2454         {
2455                 "PTR_TO_STACK store/load - out of bounds high",
2456                 .insns = {
2457                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2458                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2459                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2460                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2461                         BPF_EXIT_INSN(),
2462                 },
2463                 .result = REJECT,
2464                 .errstr = "invalid stack off=0 size=8",
2465         },
2466         {
2467                 "unpriv: return pointer",
2468                 .insns = {
2469                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2470                         BPF_EXIT_INSN(),
2471                 },
2472                 .result = ACCEPT,
2473                 .result_unpriv = REJECT,
2474                 .errstr_unpriv = "R0 leaks addr",
2475                 .retval = POINTER_VALUE,
2476         },
2477         {
2478                 "unpriv: add const to pointer",
2479                 .insns = {
2480                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2481                         BPF_MOV64_IMM(BPF_REG_0, 0),
2482                         BPF_EXIT_INSN(),
2483                 },
2484                 .result = ACCEPT,
2485         },
2486         {
2487                 "unpriv: add pointer to pointer",
2488                 .insns = {
2489                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2490                         BPF_MOV64_IMM(BPF_REG_0, 0),
2491                         BPF_EXIT_INSN(),
2492                 },
2493                 .result = REJECT,
2494                 .errstr = "R1 pointer += pointer",
2495         },
2496         {
2497                 "unpriv: neg pointer",
2498                 .insns = {
2499                         BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2500                         BPF_MOV64_IMM(BPF_REG_0, 0),
2501                         BPF_EXIT_INSN(),
2502                 },
2503                 .result = ACCEPT,
2504                 .result_unpriv = REJECT,
2505                 .errstr_unpriv = "R1 pointer arithmetic",
2506         },
2507         {
2508                 "unpriv: cmp pointer with const",
2509                 .insns = {
2510                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2511                         BPF_MOV64_IMM(BPF_REG_0, 0),
2512                         BPF_EXIT_INSN(),
2513                 },
2514                 .result = ACCEPT,
2515                 .result_unpriv = REJECT,
2516                 .errstr_unpriv = "R1 pointer comparison",
2517         },
2518         {
2519                 "unpriv: cmp pointer with pointer",
2520                 .insns = {
2521                         BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2522                         BPF_MOV64_IMM(BPF_REG_0, 0),
2523                         BPF_EXIT_INSN(),
2524                 },
2525                 .result = ACCEPT,
2526                 .result_unpriv = REJECT,
2527                 .errstr_unpriv = "R10 pointer comparison",
2528         },
2529         {
2530                 "unpriv: check that printk is disallowed",
2531                 .insns = {
2532                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2533                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2534                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2535                         BPF_MOV64_IMM(BPF_REG_2, 8),
2536                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2537                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2538                                      BPF_FUNC_trace_printk),
2539                         BPF_MOV64_IMM(BPF_REG_0, 0),
2540                         BPF_EXIT_INSN(),
2541                 },
2542                 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2543                 .result_unpriv = REJECT,
2544                 .result = ACCEPT,
2545         },
2546         {
2547                 "unpriv: pass pointer to helper function",
2548                 .insns = {
2549                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2550                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2551                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2552                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2553                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2554                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2555                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2556                                      BPF_FUNC_map_update_elem),
2557                         BPF_MOV64_IMM(BPF_REG_0, 0),
2558                         BPF_EXIT_INSN(),
2559                 },
2560                 .fixup_map1 = { 3 },
2561                 .errstr_unpriv = "R4 leaks addr",
2562                 .result_unpriv = REJECT,
2563                 .result = ACCEPT,
2564         },
2565         {
2566                 "unpriv: indirectly pass pointer on stack to helper function",
2567                 .insns = {
2568                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2569                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2570                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2571                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2572                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2573                                      BPF_FUNC_map_lookup_elem),
2574                         BPF_MOV64_IMM(BPF_REG_0, 0),
2575                         BPF_EXIT_INSN(),
2576                 },
2577                 .fixup_map1 = { 3 },
2578                 .errstr = "invalid indirect read from stack off -8+0 size 8",
2579                 .result = REJECT,
2580         },
2581         {
2582                 "unpriv: mangle pointer on stack 1",
2583                 .insns = {
2584                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2585                         BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2586                         BPF_MOV64_IMM(BPF_REG_0, 0),
2587                         BPF_EXIT_INSN(),
2588                 },
2589                 .errstr_unpriv = "attempt to corrupt spilled",
2590                 .result_unpriv = REJECT,
2591                 .result = ACCEPT,
2592         },
2593         {
2594                 "unpriv: mangle pointer on stack 2",
2595                 .insns = {
2596                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2597                         BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2598                         BPF_MOV64_IMM(BPF_REG_0, 0),
2599                         BPF_EXIT_INSN(),
2600                 },
2601                 .errstr_unpriv = "attempt to corrupt spilled",
2602                 .result_unpriv = REJECT,
2603                 .result = ACCEPT,
2604         },
2605         {
2606                 "unpriv: read pointer from stack in small chunks",
2607                 .insns = {
2608                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2609                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2610                         BPF_MOV64_IMM(BPF_REG_0, 0),
2611                         BPF_EXIT_INSN(),
2612                 },
2613                 .errstr = "invalid size",
2614                 .result = REJECT,
2615         },
2616         {
2617                 "unpriv: write pointer into ctx",
2618                 .insns = {
2619                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2620                         BPF_MOV64_IMM(BPF_REG_0, 0),
2621                         BPF_EXIT_INSN(),
2622                 },
2623                 .errstr_unpriv = "R1 leaks addr",
2624                 .result_unpriv = REJECT,
2625                 .errstr = "invalid bpf_context access",
2626                 .result = REJECT,
2627         },
2628         {
2629                 "unpriv: spill/fill of ctx",
2630                 .insns = {
2631                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2632                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2633                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2634                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2635                         BPF_MOV64_IMM(BPF_REG_0, 0),
2636                         BPF_EXIT_INSN(),
2637                 },
2638                 .result = ACCEPT,
2639         },
2640         {
2641                 "unpriv: spill/fill of ctx 2",
2642                 .insns = {
2643                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2644                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2645                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2646                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2647                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2648                                      BPF_FUNC_get_hash_recalc),
2649                         BPF_MOV64_IMM(BPF_REG_0, 0),
2650                         BPF_EXIT_INSN(),
2651                 },
2652                 .result = ACCEPT,
2653                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2654         },
2655         {
2656                 "unpriv: spill/fill of ctx 3",
2657                 .insns = {
2658                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2659                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2660                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2661                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2662                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2663                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2664                                      BPF_FUNC_get_hash_recalc),
2665                         BPF_EXIT_INSN(),
2666                 },
2667                 .result = REJECT,
2668                 .errstr = "R1 type=fp expected=ctx",
2669                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2670         },
2671         {
2672                 "unpriv: spill/fill of ctx 4",
2673                 .insns = {
2674                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2675                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2676                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2677                         BPF_MOV64_IMM(BPF_REG_0, 1),
2678                         BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2679                                      BPF_REG_0, -8, 0),
2680                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2681                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2682                                      BPF_FUNC_get_hash_recalc),
2683                         BPF_EXIT_INSN(),
2684                 },
2685                 .result = REJECT,
2686                 .errstr = "R1 type=inv expected=ctx",
2687                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2688         },
2689         {
2690                 "unpriv: spill/fill of different pointers stx",
2691                 .insns = {
2692                         BPF_MOV64_IMM(BPF_REG_3, 42),
2693                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2694                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2695                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2696                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2697                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2698                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2699                         BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2700                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2701                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2702                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2703                                     offsetof(struct __sk_buff, mark)),
2704                         BPF_MOV64_IMM(BPF_REG_0, 0),
2705                         BPF_EXIT_INSN(),
2706                 },
2707                 .result = REJECT,
2708                 .errstr = "same insn cannot be used with different pointers",
2709                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2710         },
2711         {
2712                 "unpriv: spill/fill of different pointers ldx",
2713                 .insns = {
2714                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2715                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2716                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2717                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2718                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2719                                       -(__s32)offsetof(struct bpf_perf_event_data,
2720                                                        sample_period) - 8),
2721                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2722                         BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2723                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2724                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2725                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2726                                     offsetof(struct bpf_perf_event_data,
2727                                              sample_period)),
2728                         BPF_MOV64_IMM(BPF_REG_0, 0),
2729                         BPF_EXIT_INSN(),
2730                 },
2731                 .result = REJECT,
2732                 .errstr = "same insn cannot be used with different pointers",
2733                 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2734         },
2735         {
2736                 "unpriv: write pointer into map elem value",
2737                 .insns = {
2738                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2739                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2740                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2741                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2742                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2743                                      BPF_FUNC_map_lookup_elem),
2744                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2745                         BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2746                         BPF_EXIT_INSN(),
2747                 },
2748                 .fixup_map1 = { 3 },
2749                 .errstr_unpriv = "R0 leaks addr",
2750                 .result_unpriv = REJECT,
2751                 .result = ACCEPT,
2752         },
2753         {
2754                 "unpriv: partial copy of pointer",
2755                 .insns = {
2756                         BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2757                         BPF_MOV64_IMM(BPF_REG_0, 0),
2758                         BPF_EXIT_INSN(),
2759                 },
2760                 .errstr_unpriv = "R10 partial copy",
2761                 .result_unpriv = REJECT,
2762                 .result = ACCEPT,
2763         },
2764         {
2765                 "unpriv: pass pointer to tail_call",
2766                 .insns = {
2767                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2768                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2769                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2770                                      BPF_FUNC_tail_call),
2771                         BPF_MOV64_IMM(BPF_REG_0, 0),
2772                         BPF_EXIT_INSN(),
2773                 },
2774                 .fixup_prog1 = { 1 },
2775                 .errstr_unpriv = "R3 leaks addr into helper",
2776                 .result_unpriv = REJECT,
2777                 .result = ACCEPT,
2778         },
2779         {
2780                 "unpriv: cmp map pointer with zero",
2781                 .insns = {
2782                         BPF_MOV64_IMM(BPF_REG_1, 0),
2783                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2784                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2785                         BPF_MOV64_IMM(BPF_REG_0, 0),
2786                         BPF_EXIT_INSN(),
2787                 },
2788                 .fixup_map1 = { 1 },
2789                 .errstr_unpriv = "R1 pointer comparison",
2790                 .result_unpriv = REJECT,
2791                 .result = ACCEPT,
2792         },
2793         {
2794                 "unpriv: write into frame pointer",
2795                 .insns = {
2796                         BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2797                         BPF_MOV64_IMM(BPF_REG_0, 0),
2798                         BPF_EXIT_INSN(),
2799                 },
2800                 .errstr = "frame pointer is read only",
2801                 .result = REJECT,
2802         },
2803         {
2804                 "unpriv: spill/fill frame pointer",
2805                 .insns = {
2806                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2807                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2808                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2809                         BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2810                         BPF_MOV64_IMM(BPF_REG_0, 0),
2811                         BPF_EXIT_INSN(),
2812                 },
2813                 .errstr = "frame pointer is read only",
2814                 .result = REJECT,
2815         },
2816         {
2817                 "unpriv: cmp of frame pointer",
2818                 .insns = {
2819                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2820                         BPF_MOV64_IMM(BPF_REG_0, 0),
2821                         BPF_EXIT_INSN(),
2822                 },
2823                 .errstr_unpriv = "R10 pointer comparison",
2824                 .result_unpriv = REJECT,
2825                 .result = ACCEPT,
2826         },
2827         {
2828                 "unpriv: adding of fp",
2829                 .insns = {
2830                         BPF_MOV64_IMM(BPF_REG_0, 0),
2831                         BPF_MOV64_IMM(BPF_REG_1, 0),
2832                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2833                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2834                         BPF_EXIT_INSN(),
2835                 },
2836                 .result = ACCEPT,
2837         },
2838         {
2839                 "unpriv: cmp of stack pointer",
2840                 .insns = {
2841                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2842                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2843                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2844                         BPF_MOV64_IMM(BPF_REG_0, 0),
2845                         BPF_EXIT_INSN(),
2846                 },
2847                 .errstr_unpriv = "R2 pointer comparison",
2848                 .result_unpriv = REJECT,
2849                 .result = ACCEPT,
2850         },
2851         {
2852                 "runtime/jit: tail_call within bounds, prog once",
2853                 .insns = {
2854                         BPF_MOV64_IMM(BPF_REG_3, 0),
2855                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2856                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2857                                      BPF_FUNC_tail_call),
2858                         BPF_MOV64_IMM(BPF_REG_0, 1),
2859                         BPF_EXIT_INSN(),
2860                 },
2861                 .fixup_prog1 = { 1 },
2862                 .result = ACCEPT,
2863                 .retval = 42,
2864         },
2865         {
2866                 "runtime/jit: tail_call within bounds, prog loop",
2867                 .insns = {
2868                         BPF_MOV64_IMM(BPF_REG_3, 1),
2869                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2870                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2871                                      BPF_FUNC_tail_call),
2872                         BPF_MOV64_IMM(BPF_REG_0, 1),
2873                         BPF_EXIT_INSN(),
2874                 },
2875                 .fixup_prog1 = { 1 },
2876                 .result = ACCEPT,
2877                 .retval = 41,
2878         },
2879         {
2880                 "runtime/jit: tail_call within bounds, no prog",
2881                 .insns = {
2882                         BPF_MOV64_IMM(BPF_REG_3, 2),
2883                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2884                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2885                                      BPF_FUNC_tail_call),
2886                         BPF_MOV64_IMM(BPF_REG_0, 1),
2887                         BPF_EXIT_INSN(),
2888                 },
2889                 .fixup_prog1 = { 1 },
2890                 .result = ACCEPT,
2891                 .retval = 1,
2892         },
2893         {
2894                 "runtime/jit: tail_call out of bounds",
2895                 .insns = {
2896                         BPF_MOV64_IMM(BPF_REG_3, 256),
2897                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2898                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2899                                      BPF_FUNC_tail_call),
2900                         BPF_MOV64_IMM(BPF_REG_0, 2),
2901                         BPF_EXIT_INSN(),
2902                 },
2903                 .fixup_prog1 = { 1 },
2904                 .result = ACCEPT,
2905                 .retval = 2,
2906         },
2907         {
2908                 "runtime/jit: pass negative index to tail_call",
2909                 .insns = {
2910                         BPF_MOV64_IMM(BPF_REG_3, -1),
2911                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2912                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2913                                      BPF_FUNC_tail_call),
2914                         BPF_MOV64_IMM(BPF_REG_0, 2),
2915                         BPF_EXIT_INSN(),
2916                 },
2917                 .fixup_prog1 = { 1 },
2918                 .result = ACCEPT,
2919                 .retval = 2,
2920         },
2921         {
2922                 "runtime/jit: pass > 32bit index to tail_call",
2923                 .insns = {
2924                         BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2925                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2926                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2927                                      BPF_FUNC_tail_call),
2928                         BPF_MOV64_IMM(BPF_REG_0, 2),
2929                         BPF_EXIT_INSN(),
2930                 },
2931                 .fixup_prog1 = { 2 },
2932                 .result = ACCEPT,
2933                 .retval = 42,
2934         },
2935         {
2936                 "stack pointer arithmetic",
2937                 .insns = {
2938                         BPF_MOV64_IMM(BPF_REG_1, 4),
2939                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2940                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2941                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2942                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2943                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2944                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2945                         BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2946                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2947                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2948                         BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2949                         BPF_MOV64_IMM(BPF_REG_0, 0),
2950                         BPF_EXIT_INSN(),
2951                 },
2952                 .result = ACCEPT,
2953         },
2954         {
2955                 "raw_stack: no skb_load_bytes",
2956                 .insns = {
2957                         BPF_MOV64_IMM(BPF_REG_2, 4),
2958                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2959                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2960                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2961                         BPF_MOV64_IMM(BPF_REG_4, 8),
2962                         /* Call to skb_load_bytes() omitted. */
2963                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2964                         BPF_EXIT_INSN(),
2965                 },
2966                 .result = REJECT,
2967                 .errstr = "invalid read from stack off -8+0 size 8",
2968                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2969         },
2970         {
2971                 "raw_stack: skb_load_bytes, negative len",
2972                 .insns = {
2973                         BPF_MOV64_IMM(BPF_REG_2, 4),
2974                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2975                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2976                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2977                         BPF_MOV64_IMM(BPF_REG_4, -8),
2978                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2979                                      BPF_FUNC_skb_load_bytes),
2980                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2981                         BPF_EXIT_INSN(),
2982                 },
2983                 .result = REJECT,
2984                 .errstr = "R4 min value is negative",
2985                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2986         },
2987         {
2988                 "raw_stack: skb_load_bytes, negative len 2",
2989                 .insns = {
2990                         BPF_MOV64_IMM(BPF_REG_2, 4),
2991                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2992                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2993                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2994                         BPF_MOV64_IMM(BPF_REG_4, ~0),
2995                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2996                                      BPF_FUNC_skb_load_bytes),
2997                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2998                         BPF_EXIT_INSN(),
2999                 },
3000                 .result = REJECT,
3001                 .errstr = "R4 min value is negative",
3002                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3003         },
3004         {
3005                 "raw_stack: skb_load_bytes, zero len",
3006                 .insns = {
3007                         BPF_MOV64_IMM(BPF_REG_2, 4),
3008                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3009                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3010                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3011                         BPF_MOV64_IMM(BPF_REG_4, 0),
3012                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3013                                      BPF_FUNC_skb_load_bytes),
3014                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3015                         BPF_EXIT_INSN(),
3016                 },
3017                 .result = REJECT,
3018                 .errstr = "invalid stack type R3",
3019                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3020         },
3021         {
3022                 "raw_stack: skb_load_bytes, no init",
3023                 .insns = {
3024                         BPF_MOV64_IMM(BPF_REG_2, 4),
3025                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3026                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3027                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3028                         BPF_MOV64_IMM(BPF_REG_4, 8),
3029                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3030                                      BPF_FUNC_skb_load_bytes),
3031                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3032                         BPF_EXIT_INSN(),
3033                 },
3034                 .result = ACCEPT,
3035                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3036         },
3037         {
3038                 "raw_stack: skb_load_bytes, init",
3039                 .insns = {
3040                         BPF_MOV64_IMM(BPF_REG_2, 4),
3041                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3042                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3043                         BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3044                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3045                         BPF_MOV64_IMM(BPF_REG_4, 8),
3046                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3047                                      BPF_FUNC_skb_load_bytes),
3048                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3049                         BPF_EXIT_INSN(),
3050                 },
3051                 .result = ACCEPT,
3052                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3053         },
3054         {
3055                 "raw_stack: skb_load_bytes, spilled regs around bounds",
3056                 .insns = {
3057                         BPF_MOV64_IMM(BPF_REG_2, 4),
3058                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3059                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3060                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3061                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3062                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3063                         BPF_MOV64_IMM(BPF_REG_4, 8),
3064                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3065                                      BPF_FUNC_skb_load_bytes),
3066                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3067                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3068                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3069                                     offsetof(struct __sk_buff, mark)),
3070                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3071                                     offsetof(struct __sk_buff, priority)),
3072                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3073                         BPF_EXIT_INSN(),
3074                 },
3075                 .result = ACCEPT,
3076                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3077         },
3078         {
3079                 "raw_stack: skb_load_bytes, spilled regs corruption",
3080                 .insns = {
3081                         BPF_MOV64_IMM(BPF_REG_2, 4),
3082                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3083                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3084                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3085                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3086                         BPF_MOV64_IMM(BPF_REG_4, 8),
3087                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3088                                      BPF_FUNC_skb_load_bytes),
3089                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3090                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3091                                     offsetof(struct __sk_buff, mark)),
3092                         BPF_EXIT_INSN(),
3093                 },
3094                 .result = REJECT,
3095                 .errstr = "R0 invalid mem access 'inv'",
3096                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3097         },
3098         {
3099                 "raw_stack: skb_load_bytes, spilled regs corruption 2",
3100                 .insns = {
3101                         BPF_MOV64_IMM(BPF_REG_2, 4),
3102                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3103                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3104                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3105                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
3106                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3107                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3108                         BPF_MOV64_IMM(BPF_REG_4, 8),
3109                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3110                                      BPF_FUNC_skb_load_bytes),
3111                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3112                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3113                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
3114                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3115                                     offsetof(struct __sk_buff, mark)),
3116                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3117                                     offsetof(struct __sk_buff, priority)),
3118                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3119                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3120                                     offsetof(struct __sk_buff, pkt_type)),
3121                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3122                         BPF_EXIT_INSN(),
3123                 },
3124                 .result = REJECT,
3125                 .errstr = "R3 invalid mem access 'inv'",
3126                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3127         },
3128         {
3129                 "raw_stack: skb_load_bytes, spilled regs + data",
3130                 .insns = {
3131                         BPF_MOV64_IMM(BPF_REG_2, 4),
3132                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3133                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3134                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3135                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
3136                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3137                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3138                         BPF_MOV64_IMM(BPF_REG_4, 8),
3139                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3140                                      BPF_FUNC_skb_load_bytes),
3141                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3142                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3143                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
3144                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3145                                     offsetof(struct __sk_buff, mark)),
3146                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3147                                     offsetof(struct __sk_buff, priority)),
3148                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3149                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3150                         BPF_EXIT_INSN(),
3151                 },
3152                 .result = ACCEPT,
3153                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3154         },
3155         {
3156                 "raw_stack: skb_load_bytes, invalid access 1",
3157                 .insns = {
3158                         BPF_MOV64_IMM(BPF_REG_2, 4),
3159                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3160                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3161                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3162                         BPF_MOV64_IMM(BPF_REG_4, 8),
3163                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3164                                      BPF_FUNC_skb_load_bytes),
3165                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3166                         BPF_EXIT_INSN(),
3167                 },
3168                 .result = REJECT,
3169                 .errstr = "invalid stack type R3 off=-513 access_size=8",
3170                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3171         },
3172         {
3173                 "raw_stack: skb_load_bytes, invalid access 2",
3174                 .insns = {
3175                         BPF_MOV64_IMM(BPF_REG_2, 4),
3176                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3177                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3178                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3179                         BPF_MOV64_IMM(BPF_REG_4, 8),
3180                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3181                                      BPF_FUNC_skb_load_bytes),
3182                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3183                         BPF_EXIT_INSN(),
3184                 },
3185                 .result = REJECT,
3186                 .errstr = "invalid stack type R3 off=-1 access_size=8",
3187                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3188         },
3189         {
3190                 "raw_stack: skb_load_bytes, invalid access 3",
3191                 .insns = {
3192                         BPF_MOV64_IMM(BPF_REG_2, 4),
3193                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3194                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3195                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3196                         BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3197                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3198                                      BPF_FUNC_skb_load_bytes),
3199                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3200                         BPF_EXIT_INSN(),
3201                 },
3202                 .result = REJECT,
3203                 .errstr = "R4 min value is negative",
3204                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3205         },
3206         {
3207                 "raw_stack: skb_load_bytes, invalid access 4",
3208                 .insns = {
3209                         BPF_MOV64_IMM(BPF_REG_2, 4),
3210                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3211                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3212                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3213                         BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3214                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3215                                      BPF_FUNC_skb_load_bytes),
3216                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3217                         BPF_EXIT_INSN(),
3218                 },
3219                 .result = REJECT,
3220                 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3221                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3222         },
3223         {
3224                 "raw_stack: skb_load_bytes, invalid access 5",
3225                 .insns = {
3226                         BPF_MOV64_IMM(BPF_REG_2, 4),
3227                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3228                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3229                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3230                         BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3231                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3232                                      BPF_FUNC_skb_load_bytes),
3233                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3234                         BPF_EXIT_INSN(),
3235                 },
3236                 .result = REJECT,
3237                 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3238                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3239         },
3240         {
3241                 "raw_stack: skb_load_bytes, invalid access 6",
3242                 .insns = {
3243                         BPF_MOV64_IMM(BPF_REG_2, 4),
3244                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3245                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3246                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3247                         BPF_MOV64_IMM(BPF_REG_4, 0),
3248                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3249                                      BPF_FUNC_skb_load_bytes),
3250                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3251                         BPF_EXIT_INSN(),
3252                 },
3253                 .result = REJECT,
3254                 .errstr = "invalid stack type R3 off=-512 access_size=0",
3255                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3256         },
3257         {
3258                 "raw_stack: skb_load_bytes, large access",
3259                 .insns = {
3260                         BPF_MOV64_IMM(BPF_REG_2, 4),
3261                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3262                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3263                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3264                         BPF_MOV64_IMM(BPF_REG_4, 512),
3265                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3266                                      BPF_FUNC_skb_load_bytes),
3267                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3268                         BPF_EXIT_INSN(),
3269                 },
3270                 .result = ACCEPT,
3271                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3272         },
3273         {
3274                 "context stores via ST",
3275                 .insns = {
3276                         BPF_MOV64_IMM(BPF_REG_0, 0),
3277                         BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3278                         BPF_EXIT_INSN(),
3279                 },
3280                 .errstr = "BPF_ST stores into R1 context is not allowed",
3281                 .result = REJECT,
3282                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3283         },
3284         {
3285                 "context stores via XADD",
3286                 .insns = {
3287                         BPF_MOV64_IMM(BPF_REG_0, 0),
3288                         BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3289                                      BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3290                         BPF_EXIT_INSN(),
3291                 },
3292                 .errstr = "BPF_XADD stores into R1 context is not allowed",
3293                 .result = REJECT,
3294                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3295         },
3296         {
3297                 "direct packet access: test1",
3298                 .insns = {
3299                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3300                                     offsetof(struct __sk_buff, data)),
3301                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3302                                     offsetof(struct __sk_buff, data_end)),
3303                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3304                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3305                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3306                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3307                         BPF_MOV64_IMM(BPF_REG_0, 0),
3308                         BPF_EXIT_INSN(),
3309                 },
3310                 .result = ACCEPT,
3311                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3312         },
3313         {
3314                 "direct packet access: test2",
3315                 .insns = {
3316                         BPF_MOV64_IMM(BPF_REG_0, 1),
3317                         BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3318                                     offsetof(struct __sk_buff, data_end)),
3319                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3320                                     offsetof(struct __sk_buff, data)),
3321                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3322                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3323                         BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3324                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3325                         BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3326                         BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3327                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3328                                     offsetof(struct __sk_buff, data)),
3329                         BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3330                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3331                                     offsetof(struct __sk_buff, len)),
3332                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3333                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3334                         BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3335                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3336                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3337                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3338                                     offsetof(struct __sk_buff, data_end)),
3339                         BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3340                         BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3341                         BPF_MOV64_IMM(BPF_REG_0, 0),
3342                         BPF_EXIT_INSN(),
3343                 },
3344                 .result = ACCEPT,
3345                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3346         },
3347         {
3348                 "direct packet access: test3",
3349                 .insns = {
3350                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3351                                     offsetof(struct __sk_buff, data)),
3352                         BPF_MOV64_IMM(BPF_REG_0, 0),
3353                         BPF_EXIT_INSN(),
3354                 },
3355                 .errstr = "invalid bpf_context access off=76",
3356                 .result = REJECT,
3357                 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3358         },
3359         {
3360                 "direct packet access: test4 (write)",
3361                 .insns = {
3362                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3363                                     offsetof(struct __sk_buff, data)),
3364                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3365                                     offsetof(struct __sk_buff, data_end)),
3366                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3367                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3368                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3369                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3370                         BPF_MOV64_IMM(BPF_REG_0, 0),
3371                         BPF_EXIT_INSN(),
3372                 },
3373                 .result = ACCEPT,
3374                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3375         },
3376         {
3377                 "direct packet access: test5 (pkt_end >= reg, good access)",
3378                 .insns = {
3379                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3380                                     offsetof(struct __sk_buff, data)),
3381                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3382                                     offsetof(struct __sk_buff, data_end)),
3383                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3384                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3385                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3386                         BPF_MOV64_IMM(BPF_REG_0, 1),
3387                         BPF_EXIT_INSN(),
3388                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3389                         BPF_MOV64_IMM(BPF_REG_0, 0),
3390                         BPF_EXIT_INSN(),
3391                 },
3392                 .result = ACCEPT,
3393                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3394         },
3395         {
3396                 "direct packet access: test6 (pkt_end >= reg, bad access)",
3397                 .insns = {
3398                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3399                                     offsetof(struct __sk_buff, data)),
3400                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3401                                     offsetof(struct __sk_buff, data_end)),
3402                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3403                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3404                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3405                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3406                         BPF_MOV64_IMM(BPF_REG_0, 1),
3407                         BPF_EXIT_INSN(),
3408                         BPF_MOV64_IMM(BPF_REG_0, 0),
3409                         BPF_EXIT_INSN(),
3410                 },
3411                 .errstr = "invalid access to packet",
3412                 .result = REJECT,
3413                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3414         },
3415         {
3416                 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3417                 .insns = {
3418                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3419                                     offsetof(struct __sk_buff, data)),
3420                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3421                                     offsetof(struct __sk_buff, data_end)),
3422                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3423                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3424                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3425                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3426                         BPF_MOV64_IMM(BPF_REG_0, 1),
3427                         BPF_EXIT_INSN(),
3428                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3429                         BPF_MOV64_IMM(BPF_REG_0, 0),
3430                         BPF_EXIT_INSN(),
3431                 },
3432                 .errstr = "invalid access to packet",
3433                 .result = REJECT,
3434                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3435         },
3436         {
3437                 "direct packet access: test8 (double test, variant 1)",
3438                 .insns = {
3439                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3440                                     offsetof(struct __sk_buff, data)),
3441                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3442                                     offsetof(struct __sk_buff, data_end)),
3443                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3444                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3445                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3446                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3447                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3448                         BPF_MOV64_IMM(BPF_REG_0, 1),
3449                         BPF_EXIT_INSN(),
3450                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3451                         BPF_MOV64_IMM(BPF_REG_0, 0),
3452                         BPF_EXIT_INSN(),
3453                 },
3454                 .result = ACCEPT,
3455                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3456         },
3457         {
3458                 "direct packet access: test9 (double test, variant 2)",
3459                 .insns = {
3460                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3461                                     offsetof(struct __sk_buff, data)),
3462                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3463                                     offsetof(struct __sk_buff, data_end)),
3464                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3465                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3466                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3467                         BPF_MOV64_IMM(BPF_REG_0, 1),
3468                         BPF_EXIT_INSN(),
3469                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3470                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3471                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3472                         BPF_MOV64_IMM(BPF_REG_0, 0),
3473                         BPF_EXIT_INSN(),
3474                 },
3475                 .result = ACCEPT,
3476                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3477         },
3478         {
3479                 "direct packet access: test10 (write invalid)",
3480                 .insns = {
3481                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3482                                     offsetof(struct __sk_buff, data)),
3483                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3484                                     offsetof(struct __sk_buff, data_end)),
3485                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3486                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3487                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3488                         BPF_MOV64_IMM(BPF_REG_0, 0),
3489                         BPF_EXIT_INSN(),
3490                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3491                         BPF_MOV64_IMM(BPF_REG_0, 0),
3492                         BPF_EXIT_INSN(),
3493                 },
3494                 .errstr = "invalid access to packet",
3495                 .result = REJECT,
3496                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3497         },
3498         {
3499                 "direct packet access: test11 (shift, good access)",
3500                 .insns = {
3501                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3502                                     offsetof(struct __sk_buff, data)),
3503                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3504                                     offsetof(struct __sk_buff, data_end)),
3505                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3506                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3507                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3508                         BPF_MOV64_IMM(BPF_REG_3, 144),
3509                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3510                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3511                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3512                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3513                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3514                         BPF_MOV64_IMM(BPF_REG_0, 1),
3515                         BPF_EXIT_INSN(),
3516                         BPF_MOV64_IMM(BPF_REG_0, 0),
3517                         BPF_EXIT_INSN(),
3518                 },
3519                 .result = ACCEPT,
3520                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3521                 .retval = 1,
3522         },
3523         {
3524                 "direct packet access: test12 (and, good access)",
3525                 .insns = {
3526                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3527                                     offsetof(struct __sk_buff, data)),
3528                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3529                                     offsetof(struct __sk_buff, data_end)),
3530                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3531                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3532                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3533                         BPF_MOV64_IMM(BPF_REG_3, 144),
3534                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3535                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3536                         BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3537                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3538                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3539                         BPF_MOV64_IMM(BPF_REG_0, 1),
3540                         BPF_EXIT_INSN(),
3541                         BPF_MOV64_IMM(BPF_REG_0, 0),
3542                         BPF_EXIT_INSN(),
3543                 },
3544                 .result = ACCEPT,
3545                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3546                 .retval = 1,
3547         },
3548         {
3549                 "direct packet access: test13 (branches, good access)",
3550                 .insns = {
3551                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3552                                     offsetof(struct __sk_buff, data)),
3553                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3554                                     offsetof(struct __sk_buff, data_end)),
3555                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3556                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3557                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3558                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3559                                     offsetof(struct __sk_buff, mark)),
3560                         BPF_MOV64_IMM(BPF_REG_4, 1),
3561                         BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3562                         BPF_MOV64_IMM(BPF_REG_3, 14),
3563                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3564                         BPF_MOV64_IMM(BPF_REG_3, 24),
3565                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3566                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3567                         BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3568                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3569                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3570                         BPF_MOV64_IMM(BPF_REG_0, 1),
3571                         BPF_EXIT_INSN(),
3572                         BPF_MOV64_IMM(BPF_REG_0, 0),
3573                         BPF_EXIT_INSN(),
3574                 },
3575                 .result = ACCEPT,
3576                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3577                 .retval = 1,
3578         },
3579         {
3580                 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3581                 .insns = {
3582                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3583                                     offsetof(struct __sk_buff, data)),
3584                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3585                                     offsetof(struct __sk_buff, data_end)),
3586                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3587                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3588                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3589                         BPF_MOV64_IMM(BPF_REG_5, 12),
3590                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3591                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3592                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3593                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3594                         BPF_MOV64_IMM(BPF_REG_0, 1),
3595                         BPF_EXIT_INSN(),
3596                         BPF_MOV64_IMM(BPF_REG_0, 0),
3597                         BPF_EXIT_INSN(),
3598                 },
3599                 .result = ACCEPT,
3600                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3601                 .retval = 1,
3602         },
3603         {
3604                 "direct packet access: test15 (spill with xadd)",
3605                 .insns = {
3606                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3607                                     offsetof(struct __sk_buff, data)),
3608                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3609                                     offsetof(struct __sk_buff, data_end)),
3610                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3611                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3612                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3613                         BPF_MOV64_IMM(BPF_REG_5, 4096),
3614                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3615                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3616                         BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3617                         BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3618                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3619                         BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3620                         BPF_MOV64_IMM(BPF_REG_0, 0),
3621                         BPF_EXIT_INSN(),
3622                 },
3623                 .errstr = "R2 invalid mem access 'inv'",
3624                 .result = REJECT,
3625                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3626         },
3627         {
3628                 "direct packet access: test16 (arith on data_end)",
3629                 .insns = {
3630                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3631                                     offsetof(struct __sk_buff, data)),
3632                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3633                                     offsetof(struct __sk_buff, data_end)),
3634                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3635                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3636                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3637                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3638                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3639                         BPF_MOV64_IMM(BPF_REG_0, 0),
3640                         BPF_EXIT_INSN(),
3641                 },
3642                 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3643                 .result = REJECT,
3644                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3645         },
3646         {
3647                 "direct packet access: test17 (pruning, alignment)",
3648                 .insns = {
3649                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3650                                     offsetof(struct __sk_buff, data)),
3651                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3652                                     offsetof(struct __sk_buff, data_end)),
3653                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3654                                     offsetof(struct __sk_buff, mark)),
3655                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3656                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3657                         BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3658                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3659                         BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3660                         BPF_MOV64_IMM(BPF_REG_0, 0),
3661                         BPF_EXIT_INSN(),
3662                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3663                         BPF_JMP_A(-6),
3664                 },
3665                 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3666                 .result = REJECT,
3667                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3668                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3669         },
3670         {
3671                 "direct packet access: test18 (imm += pkt_ptr, 1)",
3672                 .insns = {
3673                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3674                                     offsetof(struct __sk_buff, data)),
3675                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3676                                     offsetof(struct __sk_buff, data_end)),
3677                         BPF_MOV64_IMM(BPF_REG_0, 8),
3678                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3679                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3680                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3681                         BPF_MOV64_IMM(BPF_REG_0, 0),
3682                         BPF_EXIT_INSN(),
3683                 },
3684                 .result = ACCEPT,
3685                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3686         },
3687         {
3688                 "direct packet access: test19 (imm += pkt_ptr, 2)",
3689                 .insns = {
3690                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3691                                     offsetof(struct __sk_buff, data)),
3692                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3693                                     offsetof(struct __sk_buff, data_end)),
3694                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3695                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3696                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3697                         BPF_MOV64_IMM(BPF_REG_4, 4),
3698                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3699                         BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3700                         BPF_MOV64_IMM(BPF_REG_0, 0),
3701                         BPF_EXIT_INSN(),
3702                 },
3703                 .result = ACCEPT,
3704                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3705         },
3706         {
3707                 "direct packet access: test20 (x += pkt_ptr, 1)",
3708                 .insns = {
3709                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3710                                     offsetof(struct __sk_buff, data)),
3711                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3712                                     offsetof(struct __sk_buff, data_end)),
3713                         BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3714                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3715                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3716                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3717                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3718                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3719                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3720                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3721                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3722                         BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3723                         BPF_MOV64_IMM(BPF_REG_0, 0),
3724                         BPF_EXIT_INSN(),
3725                 },
3726                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3727                 .result = ACCEPT,
3728         },
3729         {
3730                 "direct packet access: test21 (x += pkt_ptr, 2)",
3731                 .insns = {
3732                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3733                                     offsetof(struct __sk_buff, data)),
3734                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3735                                     offsetof(struct __sk_buff, data_end)),
3736                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3737                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3738                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3739                         BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3740                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3741                         BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3742                         BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3743                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3744                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3745                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3746                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3747                         BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3748                         BPF_MOV64_IMM(BPF_REG_0, 0),
3749                         BPF_EXIT_INSN(),
3750                 },
3751                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3752                 .result = ACCEPT,
3753         },
3754         {
3755                 "direct packet access: test22 (x += pkt_ptr, 3)",
3756                 .insns = {
3757                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3758                                     offsetof(struct __sk_buff, data)),
3759                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3760                                     offsetof(struct __sk_buff, data_end)),
3761                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3762                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3763                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3764                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3765                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3766                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3767                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3768                         BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3769                         BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3770                         BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3771                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3772                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3773                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3774                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3775                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3776                         BPF_MOV64_IMM(BPF_REG_2, 1),
3777                         BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3778                         BPF_MOV64_IMM(BPF_REG_0, 0),
3779                         BPF_EXIT_INSN(),
3780                 },
3781                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3782                 .result = ACCEPT,
3783         },
3784         {
3785                 "direct packet access: test23 (x += pkt_ptr, 4)",
3786                 .insns = {
3787                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3788                                     offsetof(struct __sk_buff, data)),
3789                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3790                                     offsetof(struct __sk_buff, data_end)),
3791                         BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3792                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3793                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3794                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3795                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3796                         BPF_MOV64_IMM(BPF_REG_0, 31),
3797                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3798                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3799                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3800                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3801                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3802                         BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3803                         BPF_MOV64_IMM(BPF_REG_0, 0),
3804                         BPF_EXIT_INSN(),
3805                 },
3806                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3807                 .result = REJECT,
3808                 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3809         },
3810         {
3811                 "direct packet access: test24 (x += pkt_ptr, 5)",
3812                 .insns = {
3813                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3814                                     offsetof(struct __sk_buff, data)),
3815                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3816                                     offsetof(struct __sk_buff, data_end)),
3817                         BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3818                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3819                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3820                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3821                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3822                         BPF_MOV64_IMM(BPF_REG_0, 64),
3823                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3824                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3825                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3826                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3827                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3828                         BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3829                         BPF_MOV64_IMM(BPF_REG_0, 0),
3830                         BPF_EXIT_INSN(),
3831                 },
3832                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3833                 .result = ACCEPT,
3834         },
3835         {
3836                 "direct packet access: test25 (marking on <, good access)",
3837                 .insns = {
3838                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3839                                     offsetof(struct __sk_buff, data)),
3840                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3841                                     offsetof(struct __sk_buff, data_end)),
3842                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3843                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3844                         BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3845                         BPF_MOV64_IMM(BPF_REG_0, 0),
3846                         BPF_EXIT_INSN(),
3847                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3848                         BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3849                 },
3850                 .result = ACCEPT,
3851                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3852         },
3853         {
3854                 "direct packet access: test26 (marking on <, bad access)",
3855                 .insns = {
3856                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3857                                     offsetof(struct __sk_buff, data)),
3858                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3859                                     offsetof(struct __sk_buff, data_end)),
3860                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3861                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3862                         BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3863                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3864                         BPF_MOV64_IMM(BPF_REG_0, 0),
3865                         BPF_EXIT_INSN(),
3866                         BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3867                 },
3868                 .result = REJECT,
3869                 .errstr = "invalid access to packet",
3870                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3871         },
3872         {
3873                 "direct packet access: test27 (marking on <=, good access)",
3874                 .insns = {
3875                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3876                                     offsetof(struct __sk_buff, data)),
3877                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3878                                     offsetof(struct __sk_buff, data_end)),
3879                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3880                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3881                         BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3882                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3883                         BPF_MOV64_IMM(BPF_REG_0, 1),
3884                         BPF_EXIT_INSN(),
3885                 },
3886                 .result = ACCEPT,
3887                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3888                 .retval = 1,
3889         },
3890         {
3891                 "direct packet access: test28 (marking on <=, bad access)",
3892                 .insns = {
3893                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3894                                     offsetof(struct __sk_buff, data)),
3895                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3896                                     offsetof(struct __sk_buff, data_end)),
3897                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3898                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3899                         BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3900                         BPF_MOV64_IMM(BPF_REG_0, 1),
3901                         BPF_EXIT_INSN(),
3902                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3903                         BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3904                 },
3905                 .result = REJECT,
3906                 .errstr = "invalid access to packet",
3907                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3908         },
3909         {
3910                 "helper access to packet: test1, valid packet_ptr range",
3911                 .insns = {
3912                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3913                                     offsetof(struct xdp_md, data)),
3914                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3915                                     offsetof(struct xdp_md, data_end)),
3916                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3917                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3918                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3919                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3920                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3921                         BPF_MOV64_IMM(BPF_REG_4, 0),
3922                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3923                                      BPF_FUNC_map_update_elem),
3924                         BPF_MOV64_IMM(BPF_REG_0, 0),
3925                         BPF_EXIT_INSN(),
3926                 },
3927                 .fixup_map1 = { 5 },
3928                 .result_unpriv = ACCEPT,
3929                 .result = ACCEPT,
3930                 .prog_type = BPF_PROG_TYPE_XDP,
3931         },
3932         {
3933                 "helper access to packet: test2, unchecked packet_ptr",
3934                 .insns = {
3935                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3936                                     offsetof(struct xdp_md, data)),
3937                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3938                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3939                                      BPF_FUNC_map_lookup_elem),
3940                         BPF_MOV64_IMM(BPF_REG_0, 0),
3941                         BPF_EXIT_INSN(),
3942                 },
3943                 .fixup_map1 = { 1 },
3944                 .result = REJECT,
3945                 .errstr = "invalid access to packet",
3946                 .prog_type = BPF_PROG_TYPE_XDP,
3947         },
3948         {
3949                 "helper access to packet: test3, variable add",
3950                 .insns = {
3951                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3952                                         offsetof(struct xdp_md, data)),
3953                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3954                                         offsetof(struct xdp_md, data_end)),
3955                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3956                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3957                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3958                         BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3959                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3960                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3961                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3962                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3963                         BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3964                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3965                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3966                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3967                                      BPF_FUNC_map_lookup_elem),
3968                         BPF_MOV64_IMM(BPF_REG_0, 0),
3969                         BPF_EXIT_INSN(),
3970                 },
3971                 .fixup_map1 = { 11 },
3972                 .result = ACCEPT,
3973                 .prog_type = BPF_PROG_TYPE_XDP,
3974         },
3975         {
3976                 "helper access to packet: test4, packet_ptr with bad range",
3977                 .insns = {
3978                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3979                                     offsetof(struct xdp_md, data)),
3980                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3981                                     offsetof(struct xdp_md, data_end)),
3982                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3983                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3984                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3985                         BPF_MOV64_IMM(BPF_REG_0, 0),
3986                         BPF_EXIT_INSN(),
3987                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3988                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3989                                      BPF_FUNC_map_lookup_elem),
3990                         BPF_MOV64_IMM(BPF_REG_0, 0),
3991                         BPF_EXIT_INSN(),
3992                 },
3993                 .fixup_map1 = { 7 },
3994                 .result = REJECT,
3995                 .errstr = "invalid access to packet",
3996                 .prog_type = BPF_PROG_TYPE_XDP,
3997         },
3998         {
3999                 "helper access to packet: test5, packet_ptr with too short range",
4000                 .insns = {
4001                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4002                                     offsetof(struct xdp_md, data)),
4003                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4004                                     offsetof(struct xdp_md, data_end)),
4005                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4006                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4007                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4008                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4009                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4010                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4011                                      BPF_FUNC_map_lookup_elem),
4012                         BPF_MOV64_IMM(BPF_REG_0, 0),
4013                         BPF_EXIT_INSN(),
4014                 },
4015                 .fixup_map1 = { 6 },
4016                 .result = REJECT,
4017                 .errstr = "invalid access to packet",
4018                 .prog_type = BPF_PROG_TYPE_XDP,
4019         },
4020         {
4021                 "helper access to packet: test6, cls valid packet_ptr range",
4022                 .insns = {
4023                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4024                                     offsetof(struct __sk_buff, data)),
4025                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4026                                     offsetof(struct __sk_buff, data_end)),
4027                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4028                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4029                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4030                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4031                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4032                         BPF_MOV64_IMM(BPF_REG_4, 0),
4033                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4034                                      BPF_FUNC_map_update_elem),
4035                         BPF_MOV64_IMM(BPF_REG_0, 0),
4036                         BPF_EXIT_INSN(),
4037                 },
4038                 .fixup_map1 = { 5 },
4039                 .result = ACCEPT,
4040                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4041         },
4042         {
4043                 "helper access to packet: test7, cls unchecked packet_ptr",
4044                 .insns = {
4045                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4046                                     offsetof(struct __sk_buff, data)),
4047                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4048                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4049                                      BPF_FUNC_map_lookup_elem),
4050                         BPF_MOV64_IMM(BPF_REG_0, 0),
4051                         BPF_EXIT_INSN(),
4052                 },
4053                 .fixup_map1 = { 1 },
4054                 .result = REJECT,
4055                 .errstr = "invalid access to packet",
4056                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4057         },
4058         {
4059                 "helper access to packet: test8, cls variable add",
4060                 .insns = {
4061                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4062                                         offsetof(struct __sk_buff, data)),
4063                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4064                                         offsetof(struct __sk_buff, data_end)),
4065                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4066                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4067                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4068                         BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4069                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4070                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4071                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4072                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4073                         BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4074                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4075                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4076                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4077                                      BPF_FUNC_map_lookup_elem),
4078                         BPF_MOV64_IMM(BPF_REG_0, 0),
4079                         BPF_EXIT_INSN(),
4080                 },
4081                 .fixup_map1 = { 11 },
4082                 .result = ACCEPT,
4083                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4084         },
4085         {
4086                 "helper access to packet: test9, cls packet_ptr with bad range",
4087                 .insns = {
4088                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4089                                     offsetof(struct __sk_buff, data)),
4090                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4091                                     offsetof(struct __sk_buff, data_end)),
4092                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4093                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4094                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4095                         BPF_MOV64_IMM(BPF_REG_0, 0),
4096                         BPF_EXIT_INSN(),
4097                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4098                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4099                                      BPF_FUNC_map_lookup_elem),
4100                         BPF_MOV64_IMM(BPF_REG_0, 0),
4101                         BPF_EXIT_INSN(),
4102                 },
4103                 .fixup_map1 = { 7 },
4104                 .result = REJECT,
4105                 .errstr = "invalid access to packet",
4106                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4107         },
4108         {
4109                 "helper access to packet: test10, cls packet_ptr with too short range",
4110                 .insns = {
4111                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4112                                     offsetof(struct __sk_buff, data)),
4113                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4114                                     offsetof(struct __sk_buff, data_end)),
4115                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4116                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4117                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4118                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4119                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4120                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4121                                      BPF_FUNC_map_lookup_elem),
4122                         BPF_MOV64_IMM(BPF_REG_0, 0),
4123                         BPF_EXIT_INSN(),
4124                 },
4125                 .fixup_map1 = { 6 },
4126                 .result = REJECT,
4127                 .errstr = "invalid access to packet",
4128                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4129         },
4130         {
4131                 "helper access to packet: test11, cls unsuitable helper 1",
4132                 .insns = {
4133                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4134                                     offsetof(struct __sk_buff, data)),
4135                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4136                                     offsetof(struct __sk_buff, data_end)),
4137                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4138                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4139                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4140                         BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4141                         BPF_MOV64_IMM(BPF_REG_2, 0),
4142                         BPF_MOV64_IMM(BPF_REG_4, 42),
4143                         BPF_MOV64_IMM(BPF_REG_5, 0),
4144                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4145                                      BPF_FUNC_skb_store_bytes),
4146                         BPF_MOV64_IMM(BPF_REG_0, 0),
4147                         BPF_EXIT_INSN(),
4148                 },
4149                 .result = REJECT,
4150                 .errstr = "helper access to the packet",
4151                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4152         },
4153         {
4154                 "helper access to packet: test12, cls unsuitable helper 2",
4155                 .insns = {
4156                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4157                                     offsetof(struct __sk_buff, data)),
4158                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4159                                     offsetof(struct __sk_buff, data_end)),
4160                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4161                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4162                         BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4163                         BPF_MOV64_IMM(BPF_REG_2, 0),
4164                         BPF_MOV64_IMM(BPF_REG_4, 4),
4165                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4166                                      BPF_FUNC_skb_load_bytes),
4167                         BPF_MOV64_IMM(BPF_REG_0, 0),
4168                         BPF_EXIT_INSN(),
4169                 },
4170                 .result = REJECT,
4171                 .errstr = "helper access to the packet",
4172                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4173         },
4174         {
4175                 "helper access to packet: test13, cls helper ok",
4176                 .insns = {
4177                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4178                                     offsetof(struct __sk_buff, data)),
4179                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4180                                     offsetof(struct __sk_buff, data_end)),
4181                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4182                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4183                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4184                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4185                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4186                         BPF_MOV64_IMM(BPF_REG_2, 4),
4187                         BPF_MOV64_IMM(BPF_REG_3, 0),
4188                         BPF_MOV64_IMM(BPF_REG_4, 0),
4189                         BPF_MOV64_IMM(BPF_REG_5, 0),
4190                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4191                                      BPF_FUNC_csum_diff),
4192                         BPF_MOV64_IMM(BPF_REG_0, 0),
4193                         BPF_EXIT_INSN(),
4194                 },
4195                 .result = ACCEPT,
4196                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4197         },
4198         {
4199                 "helper access to packet: test14, cls helper ok sub",
4200                 .insns = {
4201                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4202                                     offsetof(struct __sk_buff, data)),
4203                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4204                                     offsetof(struct __sk_buff, data_end)),
4205                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4206                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4207                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4208                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4209                         BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4210                         BPF_MOV64_IMM(BPF_REG_2, 4),
4211                         BPF_MOV64_IMM(BPF_REG_3, 0),
4212                         BPF_MOV64_IMM(BPF_REG_4, 0),
4213                         BPF_MOV64_IMM(BPF_REG_5, 0),
4214                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4215                                      BPF_FUNC_csum_diff),
4216                         BPF_MOV64_IMM(BPF_REG_0, 0),
4217                         BPF_EXIT_INSN(),
4218                 },
4219                 .result = ACCEPT,
4220                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4221         },
4222         {
4223                 "helper access to packet: test15, cls helper fail sub",
4224                 .insns = {
4225                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4226                                     offsetof(struct __sk_buff, data)),
4227                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4228                                     offsetof(struct __sk_buff, data_end)),
4229                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4230                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4231                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4232                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4233                         BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4234                         BPF_MOV64_IMM(BPF_REG_2, 4),
4235                         BPF_MOV64_IMM(BPF_REG_3, 0),
4236                         BPF_MOV64_IMM(BPF_REG_4, 0),
4237                         BPF_MOV64_IMM(BPF_REG_5, 0),
4238                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4239                                      BPF_FUNC_csum_diff),
4240                         BPF_MOV64_IMM(BPF_REG_0, 0),
4241                         BPF_EXIT_INSN(),
4242                 },
4243                 .result = REJECT,
4244                 .errstr = "invalid access to packet",
4245                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4246         },
4247         {
4248                 "helper access to packet: test16, cls helper fail range 1",
4249                 .insns = {
4250                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4251                                     offsetof(struct __sk_buff, data)),
4252                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4253                                     offsetof(struct __sk_buff, data_end)),
4254                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4255                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4256                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4257                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4258                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4259                         BPF_MOV64_IMM(BPF_REG_2, 8),
4260                         BPF_MOV64_IMM(BPF_REG_3, 0),
4261                         BPF_MOV64_IMM(BPF_REG_4, 0),
4262                         BPF_MOV64_IMM(BPF_REG_5, 0),
4263                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4264                                      BPF_FUNC_csum_diff),
4265                         BPF_MOV64_IMM(BPF_REG_0, 0),
4266                         BPF_EXIT_INSN(),
4267                 },
4268                 .result = REJECT,
4269                 .errstr = "invalid access to packet",
4270                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4271         },
4272         {
4273                 "helper access to packet: test17, cls helper fail range 2",
4274                 .insns = {
4275                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4276                                     offsetof(struct __sk_buff, data)),
4277                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4278                                     offsetof(struct __sk_buff, data_end)),
4279                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4280                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4281                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4282                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4283                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4284                         BPF_MOV64_IMM(BPF_REG_2, -9),
4285                         BPF_MOV64_IMM(BPF_REG_3, 0),
4286                         BPF_MOV64_IMM(BPF_REG_4, 0),
4287                         BPF_MOV64_IMM(BPF_REG_5, 0),
4288                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4289                                      BPF_FUNC_csum_diff),
4290                         BPF_MOV64_IMM(BPF_REG_0, 0),
4291                         BPF_EXIT_INSN(),
4292                 },
4293                 .result = REJECT,
4294                 .errstr = "R2 min value is negative",
4295                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4296         },
4297         {
4298                 "helper access to packet: test18, cls helper fail range 3",
4299                 .insns = {
4300                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4301                                     offsetof(struct __sk_buff, data)),
4302                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4303                                     offsetof(struct __sk_buff, data_end)),
4304                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4305                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4306                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4307                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4308                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4309                         BPF_MOV64_IMM(BPF_REG_2, ~0),
4310                         BPF_MOV64_IMM(BPF_REG_3, 0),
4311                         BPF_MOV64_IMM(BPF_REG_4, 0),
4312                         BPF_MOV64_IMM(BPF_REG_5, 0),
4313                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4314                                      BPF_FUNC_csum_diff),
4315                         BPF_MOV64_IMM(BPF_REG_0, 0),
4316                         BPF_EXIT_INSN(),
4317                 },
4318                 .result = REJECT,
4319                 .errstr = "R2 min value is negative",
4320                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4321         },
4322         {
4323                 "helper access to packet: test19, cls helper range zero",
4324                 .insns = {
4325                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4326                                     offsetof(struct __sk_buff, data)),
4327                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4328                                     offsetof(struct __sk_buff, data_end)),
4329                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4330                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4331                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4332                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4333                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4334                         BPF_MOV64_IMM(BPF_REG_2, 0),
4335                         BPF_MOV64_IMM(BPF_REG_3, 0),
4336                         BPF_MOV64_IMM(BPF_REG_4, 0),
4337                         BPF_MOV64_IMM(BPF_REG_5, 0),
4338                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4339                                      BPF_FUNC_csum_diff),
4340                         BPF_MOV64_IMM(BPF_REG_0, 0),
4341                         BPF_EXIT_INSN(),
4342                 },
4343                 .result = ACCEPT,
4344                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4345         },
4346         {
4347                 "helper access to packet: test20, pkt end as input",
4348                 .insns = {
4349                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4350                                     offsetof(struct __sk_buff, data)),
4351                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4352                                     offsetof(struct __sk_buff, data_end)),
4353                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4354                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4355                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4356                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4357                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4358                         BPF_MOV64_IMM(BPF_REG_2, 4),
4359                         BPF_MOV64_IMM(BPF_REG_3, 0),
4360                         BPF_MOV64_IMM(BPF_REG_4, 0),
4361                         BPF_MOV64_IMM(BPF_REG_5, 0),
4362                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4363                                      BPF_FUNC_csum_diff),
4364                         BPF_MOV64_IMM(BPF_REG_0, 0),
4365                         BPF_EXIT_INSN(),
4366                 },
4367                 .result = REJECT,
4368                 .errstr = "R1 type=pkt_end expected=fp",
4369                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4370         },
4371         {
4372                 "helper access to packet: test21, wrong reg",
4373                 .insns = {
4374                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4375                                     offsetof(struct __sk_buff, data)),
4376                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4377                                     offsetof(struct __sk_buff, data_end)),
4378                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4379                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4380                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4381                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4382                         BPF_MOV64_IMM(BPF_REG_2, 4),
4383                         BPF_MOV64_IMM(BPF_REG_3, 0),
4384                         BPF_MOV64_IMM(BPF_REG_4, 0),
4385                         BPF_MOV64_IMM(BPF_REG_5, 0),
4386                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4387                                      BPF_FUNC_csum_diff),
4388                         BPF_MOV64_IMM(BPF_REG_0, 0),
4389                         BPF_EXIT_INSN(),
4390                 },
4391                 .result = REJECT,
4392                 .errstr = "invalid access to packet",
4393                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4394         },
4395         {
4396                 "valid map access into an array with a constant",
4397                 .insns = {
4398                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4399                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4400                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4401                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4402                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4403                                      BPF_FUNC_map_lookup_elem),
4404                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4405                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4406                                    offsetof(struct test_val, foo)),
4407                         BPF_EXIT_INSN(),
4408                 },
4409                 .fixup_map2 = { 3 },
4410                 .errstr_unpriv = "R0 leaks addr",
4411                 .result_unpriv = REJECT,
4412                 .result = ACCEPT,
4413         },
4414         {
4415                 "valid map access into an array with a register",
4416                 .insns = {
4417                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4418                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4419                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4420                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4421                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4422                                      BPF_FUNC_map_lookup_elem),
4423                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4424                         BPF_MOV64_IMM(BPF_REG_1, 4),
4425                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4426                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4427                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4428                                    offsetof(struct test_val, foo)),
4429                         BPF_EXIT_INSN(),
4430                 },
4431                 .fixup_map2 = { 3 },
4432                 .errstr_unpriv = "R0 leaks addr",
4433                 .result_unpriv = REJECT,
4434                 .result = ACCEPT,
4435                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4436         },
4437         {
4438                 "valid map access into an array with a variable",
4439                 .insns = {
4440                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4441                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4442                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4443                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4444                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4445                                      BPF_FUNC_map_lookup_elem),
4446                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4447                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4448                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4449                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4450                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4451                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4452                                    offsetof(struct test_val, foo)),
4453                         BPF_EXIT_INSN(),
4454                 },
4455                 .fixup_map2 = { 3 },
4456                 .errstr_unpriv = "R0 leaks addr",
4457                 .result_unpriv = REJECT,
4458                 .result = ACCEPT,
4459                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4460         },
4461         {
4462                 "valid map access into an array with a signed variable",
4463                 .insns = {
4464                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4465                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4466                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4467                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4468                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4469                                      BPF_FUNC_map_lookup_elem),
4470                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4471                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4472                         BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4473                         BPF_MOV32_IMM(BPF_REG_1, 0),
4474                         BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4475                         BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4476                         BPF_MOV32_IMM(BPF_REG_1, 0),
4477                         BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4478                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4479                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4480                                    offsetof(struct test_val, foo)),
4481                         BPF_EXIT_INSN(),
4482                 },
4483                 .fixup_map2 = { 3 },
4484                 .errstr_unpriv = "R0 leaks addr",
4485                 .result_unpriv = REJECT,
4486                 .result = ACCEPT,
4487                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4488         },
4489         {
4490                 "invalid map access into an array with a constant",
4491                 .insns = {
4492                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4493                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4494                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4495                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4496                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4497                                      BPF_FUNC_map_lookup_elem),
4498                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4499                         BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4500                                    offsetof(struct test_val, foo)),
4501                         BPF_EXIT_INSN(),
4502                 },
4503                 .fixup_map2 = { 3 },
4504                 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4505                 .result = REJECT,
4506         },
4507         {
4508                 "invalid map access into an array with a register",
4509                 .insns = {
4510                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4511                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4512                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4513                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4514                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4515                                      BPF_FUNC_map_lookup_elem),
4516                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4517                         BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4518                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4519                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4520                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4521                                    offsetof(struct test_val, foo)),
4522                         BPF_EXIT_INSN(),
4523                 },
4524                 .fixup_map2 = { 3 },
4525                 .errstr = "R0 min value is outside of the array range",
4526                 .result = REJECT,
4527                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4528         },
4529         {
4530                 "invalid map access into an array with a variable",
4531                 .insns = {
4532                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4533                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4534                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4535                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4536                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4537                                      BPF_FUNC_map_lookup_elem),
4538                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4539                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4540                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4541                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4542                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4543                                    offsetof(struct test_val, foo)),
4544                         BPF_EXIT_INSN(),
4545                 },
4546                 .fixup_map2 = { 3 },
4547                 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4548                 .result = REJECT,
4549                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4550         },
4551         {
4552                 "invalid map access into an array with no floor check",
4553                 .insns = {
4554                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4555                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4556                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4557                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4558                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4559                                      BPF_FUNC_map_lookup_elem),
4560                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4561                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4562                         BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4563                         BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4564                         BPF_MOV32_IMM(BPF_REG_1, 0),
4565                         BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4566                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4567                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4568                                    offsetof(struct test_val, foo)),
4569                         BPF_EXIT_INSN(),
4570                 },
4571                 .fixup_map2 = { 3 },
4572                 .errstr_unpriv = "R0 leaks addr",
4573                 .errstr = "R0 unbounded memory access",
4574                 .result_unpriv = REJECT,
4575                 .result = REJECT,
4576                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4577         },
4578         {
4579                 "invalid map access into an array with a invalid max check",
4580                 .insns = {
4581                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4582                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4583                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4584                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4585                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4586                                      BPF_FUNC_map_lookup_elem),
4587                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4588                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4589                         BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4590                         BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4591                         BPF_MOV32_IMM(BPF_REG_1, 0),
4592                         BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4593                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4594                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4595                                    offsetof(struct test_val, foo)),
4596                         BPF_EXIT_INSN(),
4597                 },
4598                 .fixup_map2 = { 3 },
4599                 .errstr_unpriv = "R0 leaks addr",
4600                 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
4601                 .result_unpriv = REJECT,
4602                 .result = REJECT,
4603                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4604         },
4605         {
4606                 "invalid map access into an array with a invalid max check",
4607                 .insns = {
4608                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4609                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4610                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4611                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4612                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4613                                      BPF_FUNC_map_lookup_elem),
4614                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4615                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4616                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4617                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4618                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4619                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4620                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4621                                      BPF_FUNC_map_lookup_elem),
4622                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4623                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4624                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4625                                     offsetof(struct test_val, foo)),
4626                         BPF_EXIT_INSN(),
4627                 },
4628                 .fixup_map2 = { 3, 11 },
4629                 .errstr = "R0 pointer += pointer",
4630                 .result = REJECT,
4631                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4632         },
4633         {
4634                 "multiple registers share map_lookup_elem result",
4635                 .insns = {
4636                         BPF_MOV64_IMM(BPF_REG_1, 10),
4637                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4638                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4639                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4640                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4641                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4642                                      BPF_FUNC_map_lookup_elem),
4643                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4644                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4645                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4646                         BPF_EXIT_INSN(),
4647                 },
4648                 .fixup_map1 = { 4 },
4649                 .result = ACCEPT,
4650                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4651         },
4652         {
4653                 "alu ops on ptr_to_map_value_or_null, 1",
4654                 .insns = {
4655                         BPF_MOV64_IMM(BPF_REG_1, 10),
4656                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4657                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4658                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4659                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4660                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4661                                      BPF_FUNC_map_lookup_elem),
4662                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4663                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4664                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4665                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4666                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4667                         BPF_EXIT_INSN(),
4668                 },
4669                 .fixup_map1 = { 4 },
4670                 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4671                 .result = REJECT,
4672                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4673         },
4674         {
4675                 "alu ops on ptr_to_map_value_or_null, 2",
4676                 .insns = {
4677                         BPF_MOV64_IMM(BPF_REG_1, 10),
4678                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4679                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4680                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4681                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4682                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4683                                      BPF_FUNC_map_lookup_elem),
4684                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4685                         BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4686                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4687                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4688                         BPF_EXIT_INSN(),
4689                 },
4690                 .fixup_map1 = { 4 },
4691                 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4692                 .result = REJECT,
4693                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4694         },
4695         {
4696                 "alu ops on ptr_to_map_value_or_null, 3",
4697                 .insns = {
4698                         BPF_MOV64_IMM(BPF_REG_1, 10),
4699                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4700                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4701                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4702                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4703                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4704                                      BPF_FUNC_map_lookup_elem),
4705                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4706                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4707                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4708                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4709                         BPF_EXIT_INSN(),
4710                 },
4711                 .fixup_map1 = { 4 },
4712                 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4713                 .result = REJECT,
4714                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4715         },
4716         {
4717                 "invalid memory access with multiple map_lookup_elem calls",
4718                 .insns = {
4719                         BPF_MOV64_IMM(BPF_REG_1, 10),
4720                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4721                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4722                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4723                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4724                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4725                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4726                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4727                                      BPF_FUNC_map_lookup_elem),
4728                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4729                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4730                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4731                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4732                                      BPF_FUNC_map_lookup_elem),
4733                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4734                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4735                         BPF_EXIT_INSN(),
4736                 },
4737                 .fixup_map1 = { 4 },
4738                 .result = REJECT,
4739                 .errstr = "R4 !read_ok",
4740                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4741         },
4742         {
4743                 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4744                 .insns = {
4745                         BPF_MOV64_IMM(BPF_REG_1, 10),
4746                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4747                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4748                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4749                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4750                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4751                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4752                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4753                                      BPF_FUNC_map_lookup_elem),
4754                         BPF_MOV64_IMM(BPF_REG_2, 10),
4755                         BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4756                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4757                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4758                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4759                                      BPF_FUNC_map_lookup_elem),
4760                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4761                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4762                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4763                         BPF_EXIT_INSN(),
4764                 },
4765                 .fixup_map1 = { 4 },
4766                 .result = ACCEPT,
4767                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4768         },
4769         {
4770                 "invalid map access from else condition",
4771                 .insns = {
4772                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4773                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4774                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4775                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4776                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4777                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4778                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4779                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4780                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4781                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4782                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4783                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4784                         BPF_EXIT_INSN(),
4785                 },
4786                 .fixup_map2 = { 3 },
4787                 .errstr = "R0 unbounded memory access",
4788                 .result = REJECT,
4789                 .errstr_unpriv = "R0 leaks addr",
4790                 .result_unpriv = REJECT,
4791                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4792         },
4793         {
4794                 "constant register |= constant should keep constant type",
4795                 .insns = {
4796                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4797                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4798                         BPF_MOV64_IMM(BPF_REG_2, 34),
4799                         BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4800                         BPF_MOV64_IMM(BPF_REG_3, 0),
4801                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4802                         BPF_EXIT_INSN(),
4803                 },
4804                 .result = ACCEPT,
4805                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4806         },
4807         {
4808                 "constant register |= constant should not bypass stack boundary checks",
4809                 .insns = {
4810                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4811                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4812                         BPF_MOV64_IMM(BPF_REG_2, 34),
4813                         BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4814                         BPF_MOV64_IMM(BPF_REG_3, 0),
4815                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4816                         BPF_EXIT_INSN(),
4817                 },
4818                 .errstr = "invalid stack type R1 off=-48 access_size=58",
4819                 .result = REJECT,
4820                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4821         },
4822         {
4823                 "constant register |= constant register should keep constant type",
4824                 .insns = {
4825                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4826                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4827                         BPF_MOV64_IMM(BPF_REG_2, 34),
4828                         BPF_MOV64_IMM(BPF_REG_4, 13),
4829                         BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4830                         BPF_MOV64_IMM(BPF_REG_3, 0),
4831                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4832                         BPF_EXIT_INSN(),
4833                 },
4834                 .result = ACCEPT,
4835                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4836         },
4837         {
4838                 "constant register |= constant register should not bypass stack boundary checks",
4839                 .insns = {
4840                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4841                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4842                         BPF_MOV64_IMM(BPF_REG_2, 34),
4843                         BPF_MOV64_IMM(BPF_REG_4, 24),
4844                         BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4845                         BPF_MOV64_IMM(BPF_REG_3, 0),
4846                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4847                         BPF_EXIT_INSN(),
4848                 },
4849                 .errstr = "invalid stack type R1 off=-48 access_size=58",
4850                 .result = REJECT,
4851                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4852         },
4853         {
4854                 "invalid direct packet write for LWT_IN",
4855                 .insns = {
4856                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4857                                     offsetof(struct __sk_buff, data)),
4858                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4859                                     offsetof(struct __sk_buff, data_end)),
4860                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4861                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4862                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4863                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4864                         BPF_MOV64_IMM(BPF_REG_0, 0),
4865                         BPF_EXIT_INSN(),
4866                 },
4867                 .errstr = "cannot write into packet",
4868                 .result = REJECT,
4869                 .prog_type = BPF_PROG_TYPE_LWT_IN,
4870         },
4871         {
4872                 "invalid direct packet write for LWT_OUT",
4873                 .insns = {
4874                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4875                                     offsetof(struct __sk_buff, data)),
4876                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4877                                     offsetof(struct __sk_buff, data_end)),
4878                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4879                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4880                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4881                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4882                         BPF_MOV64_IMM(BPF_REG_0, 0),
4883                         BPF_EXIT_INSN(),
4884                 },
4885                 .errstr = "cannot write into packet",
4886                 .result = REJECT,
4887                 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4888         },
4889         {
4890                 "direct packet write for LWT_XMIT",
4891                 .insns = {
4892                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4893                                     offsetof(struct __sk_buff, data)),
4894                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4895                                     offsetof(struct __sk_buff, data_end)),
4896                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4897                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4898                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4899                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4900                         BPF_MOV64_IMM(BPF_REG_0, 0),
4901                         BPF_EXIT_INSN(),
4902                 },
4903                 .result = ACCEPT,
4904                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4905         },
4906         {
4907                 "direct packet read for LWT_IN",
4908                 .insns = {
4909                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4910                                     offsetof(struct __sk_buff, data)),
4911                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4912                                     offsetof(struct __sk_buff, data_end)),
4913                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4914                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4915                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4916                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4917                         BPF_MOV64_IMM(BPF_REG_0, 0),
4918                         BPF_EXIT_INSN(),
4919                 },
4920                 .result = ACCEPT,
4921                 .prog_type = BPF_PROG_TYPE_LWT_IN,
4922         },
4923         {
4924                 "direct packet read for LWT_OUT",
4925                 .insns = {
4926                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4927                                     offsetof(struct __sk_buff, data)),
4928                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4929                                     offsetof(struct __sk_buff, data_end)),
4930                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4931                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4932                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4933                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4934                         BPF_MOV64_IMM(BPF_REG_0, 0),
4935                         BPF_EXIT_INSN(),
4936                 },
4937                 .result = ACCEPT,
4938                 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4939         },
4940         {
4941                 "direct packet read for LWT_XMIT",
4942                 .insns = {
4943                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4944                                     offsetof(struct __sk_buff, data)),
4945                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4946                                     offsetof(struct __sk_buff, data_end)),
4947                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4948                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4949                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4950                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4951                         BPF_MOV64_IMM(BPF_REG_0, 0),
4952                         BPF_EXIT_INSN(),
4953                 },
4954                 .result = ACCEPT,
4955                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4956         },
4957         {
4958                 "overlapping checks for direct packet access",
4959                 .insns = {
4960                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4961                                     offsetof(struct __sk_buff, data)),
4962                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4963                                     offsetof(struct __sk_buff, data_end)),
4964                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4965                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4966                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4967                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4968                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4969                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4970                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4971                         BPF_MOV64_IMM(BPF_REG_0, 0),
4972                         BPF_EXIT_INSN(),
4973                 },
4974                 .result = ACCEPT,
4975                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4976         },
4977         {
4978                 "invalid access of tc_classid for LWT_IN",
4979                 .insns = {
4980                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4981                                     offsetof(struct __sk_buff, tc_classid)),
4982                         BPF_EXIT_INSN(),
4983                 },
4984                 .result = REJECT,
4985                 .errstr = "invalid bpf_context access",
4986         },
4987         {
4988                 "invalid access of tc_classid for LWT_OUT",
4989                 .insns = {
4990                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4991                                     offsetof(struct __sk_buff, tc_classid)),
4992                         BPF_EXIT_INSN(),
4993                 },
4994                 .result = REJECT,
4995                 .errstr = "invalid bpf_context access",
4996         },
4997         {
4998                 "invalid access of tc_classid for LWT_XMIT",
4999                 .insns = {
5000                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5001                                     offsetof(struct __sk_buff, tc_classid)),
5002                         BPF_EXIT_INSN(),
5003                 },
5004                 .result = REJECT,
5005                 .errstr = "invalid bpf_context access",
5006         },
5007         {
5008                 "leak pointer into ctx 1",
5009                 .insns = {
5010                         BPF_MOV64_IMM(BPF_REG_0, 0),
5011                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5012                                     offsetof(struct __sk_buff, cb[0])),
5013                         BPF_LD_MAP_FD(BPF_REG_2, 0),
5014                         BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
5015                                       offsetof(struct __sk_buff, cb[0])),
5016                         BPF_EXIT_INSN(),
5017                 },
5018                 .fixup_map1 = { 2 },
5019                 .errstr_unpriv = "R2 leaks addr into mem",
5020                 .result_unpriv = REJECT,
5021                 .result = REJECT,
5022                 .errstr = "BPF_XADD stores into R1 context is not allowed",
5023         },
5024         {
5025                 "leak pointer into ctx 2",
5026                 .insns = {
5027                         BPF_MOV64_IMM(BPF_REG_0, 0),
5028                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5029                                     offsetof(struct __sk_buff, cb[0])),
5030                         BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
5031                                       offsetof(struct __sk_buff, cb[0])),
5032                         BPF_EXIT_INSN(),
5033                 },
5034                 .errstr_unpriv = "R10 leaks addr into mem",
5035                 .result_unpriv = REJECT,
5036                 .result = REJECT,
5037                 .errstr = "BPF_XADD stores into R1 context is not allowed",
5038         },
5039         {
5040                 "leak pointer into ctx 3",
5041                 .insns = {
5042                         BPF_MOV64_IMM(BPF_REG_0, 0),
5043                         BPF_LD_MAP_FD(BPF_REG_2, 0),
5044                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
5045                                       offsetof(struct __sk_buff, cb[0])),
5046                         BPF_EXIT_INSN(),
5047                 },
5048                 .fixup_map1 = { 1 },
5049                 .errstr_unpriv = "R2 leaks addr into ctx",
5050                 .result_unpriv = REJECT,
5051                 .result = ACCEPT,
5052         },
5053         {
5054                 "leak pointer into map val",
5055                 .insns = {
5056                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
5057                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5058                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5059                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5060                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5061                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5062                                      BPF_FUNC_map_lookup_elem),
5063                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5064                         BPF_MOV64_IMM(BPF_REG_3, 0),
5065                         BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
5066                         BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
5067                         BPF_MOV64_IMM(BPF_REG_0, 0),
5068                         BPF_EXIT_INSN(),
5069                 },
5070                 .fixup_map1 = { 4 },
5071                 .errstr_unpriv = "R6 leaks addr into mem",
5072                 .result_unpriv = REJECT,
5073                 .result = ACCEPT,
5074         },
5075         {
5076                 "helper access to map: full range",
5077                 .insns = {
5078                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5079                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5080                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5081                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5082                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5083                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5084                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5085                         BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
5086                         BPF_MOV64_IMM(BPF_REG_3, 0),
5087                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5088                         BPF_EXIT_INSN(),
5089                 },
5090                 .fixup_map2 = { 3 },
5091                 .result = ACCEPT,
5092                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5093         },
5094         {
5095                 "helper access to map: partial range",
5096                 .insns = {
5097                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5098                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5099                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5100                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5101                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5102                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5103                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5104                         BPF_MOV64_IMM(BPF_REG_2, 8),
5105                         BPF_MOV64_IMM(BPF_REG_3, 0),
5106                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5107                         BPF_EXIT_INSN(),
5108                 },
5109                 .fixup_map2 = { 3 },
5110                 .result = ACCEPT,
5111                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5112         },
5113         {
5114                 "helper access to map: empty range",
5115                 .insns = {
5116                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5117                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5118                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5119                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5120                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5121                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
5122                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5123                         BPF_MOV64_IMM(BPF_REG_2, 0),
5124                         BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5125                         BPF_EXIT_INSN(),
5126                 },
5127                 .fixup_map2 = { 3 },
5128                 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
5129                 .result = REJECT,
5130                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5131         },
5132         {
5133                 "helper access to map: out-of-bound range",
5134                 .insns = {
5135                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5136                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5137                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5138                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5139                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5140                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5141                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5142                         BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
5143                         BPF_MOV64_IMM(BPF_REG_3, 0),
5144                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5145                         BPF_EXIT_INSN(),
5146                 },
5147                 .fixup_map2 = { 3 },
5148                 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
5149                 .result = REJECT,
5150                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5151         },
5152         {
5153                 "helper access to map: negative range",
5154                 .insns = {
5155                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5156                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5157                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5158                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5159                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5160                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5161                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5162                         BPF_MOV64_IMM(BPF_REG_2, -8),
5163                         BPF_MOV64_IMM(BPF_REG_3, 0),
5164                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5165                         BPF_EXIT_INSN(),
5166                 },
5167                 .fixup_map2 = { 3 },
5168                 .errstr = "R2 min value is negative",
5169                 .result = REJECT,
5170                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5171         },
5172         {
5173                 "helper access to adjusted map (via const imm): full range",
5174                 .insns = {
5175                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5176                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5177                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5178                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5179                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5180                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5181                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5182                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5183                                 offsetof(struct test_val, foo)),
5184                         BPF_MOV64_IMM(BPF_REG_2,
5185                                 sizeof(struct test_val) -
5186                                 offsetof(struct test_val, foo)),
5187                         BPF_MOV64_IMM(BPF_REG_3, 0),
5188                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5189                         BPF_EXIT_INSN(),
5190                 },
5191                 .fixup_map2 = { 3 },
5192                 .result = ACCEPT,
5193                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5194         },
5195         {
5196                 "helper access to adjusted map (via const imm): partial range",
5197                 .insns = {
5198                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5199                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5200                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5201                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5202                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5203                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5204                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5205                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5206                                 offsetof(struct test_val, foo)),
5207                         BPF_MOV64_IMM(BPF_REG_2, 8),
5208                         BPF_MOV64_IMM(BPF_REG_3, 0),
5209                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5210                         BPF_EXIT_INSN(),
5211                 },
5212                 .fixup_map2 = { 3 },
5213                 .result = ACCEPT,
5214                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5215         },
5216         {
5217                 "helper access to adjusted map (via const imm): empty range",
5218                 .insns = {
5219                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5220                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5221                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5222                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5223                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5224                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5225                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5226                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5227                                 offsetof(struct test_val, foo)),
5228                         BPF_MOV64_IMM(BPF_REG_2, 0),
5229                         BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5230                         BPF_EXIT_INSN(),
5231                 },
5232                 .fixup_map2 = { 3 },
5233                 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
5234                 .result = REJECT,
5235                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5236         },
5237         {
5238                 "helper access to adjusted map (via const imm): out-of-bound range",
5239                 .insns = {
5240                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5241                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5242                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5243                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5244                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5245                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5246                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5247                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5248                                 offsetof(struct test_val, foo)),
5249                         BPF_MOV64_IMM(BPF_REG_2,
5250                                 sizeof(struct test_val) -
5251                                 offsetof(struct test_val, foo) + 8),
5252                         BPF_MOV64_IMM(BPF_REG_3, 0),
5253                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5254                         BPF_EXIT_INSN(),
5255                 },
5256                 .fixup_map2 = { 3 },
5257                 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5258                 .result = REJECT,
5259                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5260         },
5261         {
5262                 "helper access to adjusted map (via const imm): negative range (> adjustment)",
5263                 .insns = {
5264                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5265                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5266                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5267                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5268                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5269                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5270                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5271                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5272                                 offsetof(struct test_val, foo)),
5273                         BPF_MOV64_IMM(BPF_REG_2, -8),
5274                         BPF_MOV64_IMM(BPF_REG_3, 0),
5275                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5276                         BPF_EXIT_INSN(),
5277                 },
5278                 .fixup_map2 = { 3 },
5279                 .errstr = "R2 min value is negative",
5280                 .result = REJECT,
5281                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5282         },
5283         {
5284                 "helper access to adjusted map (via const imm): negative range (< adjustment)",
5285                 .insns = {
5286                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5287                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5288                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5289                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5290                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5291                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5292                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5293                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
5294                                 offsetof(struct test_val, foo)),
5295                         BPF_MOV64_IMM(BPF_REG_2, -1),
5296                         BPF_MOV64_IMM(BPF_REG_3, 0),
5297                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5298                         BPF_EXIT_INSN(),
5299                 },
5300                 .fixup_map2 = { 3 },
5301                 .errstr = "R2 min value is negative",
5302                 .result = REJECT,
5303                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5304         },
5305         {
5306                 "helper access to adjusted map (via const reg): full range",
5307                 .insns = {
5308                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5309                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5310                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5311                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5312                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5313                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5314                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5315                         BPF_MOV64_IMM(BPF_REG_3,
5316                                 offsetof(struct test_val, foo)),
5317                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5318                         BPF_MOV64_IMM(BPF_REG_2,
5319                                 sizeof(struct test_val) -
5320                                 offsetof(struct test_val, foo)),
5321                         BPF_MOV64_IMM(BPF_REG_3, 0),
5322                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5323                         BPF_EXIT_INSN(),
5324                 },
5325                 .fixup_map2 = { 3 },
5326                 .result = ACCEPT,
5327                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5328         },
5329         {
5330                 "helper access to adjusted map (via const reg): partial range",
5331                 .insns = {
5332                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5333                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5334                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5335                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5336                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5337                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5338                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5339                         BPF_MOV64_IMM(BPF_REG_3,
5340                                 offsetof(struct test_val, foo)),
5341                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5342                         BPF_MOV64_IMM(BPF_REG_2, 8),
5343                         BPF_MOV64_IMM(BPF_REG_3, 0),
5344                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5345                         BPF_EXIT_INSN(),
5346                 },
5347                 .fixup_map2 = { 3 },
5348                 .result = ACCEPT,
5349                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5350         },
5351         {
5352                 "helper access to adjusted map (via const reg): empty range",
5353                 .insns = {
5354                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5355                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5356                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5357                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5358                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5359                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5360                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5361                         BPF_MOV64_IMM(BPF_REG_3, 0),
5362                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5363                         BPF_MOV64_IMM(BPF_REG_2, 0),
5364                         BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5365                         BPF_EXIT_INSN(),
5366                 },
5367                 .fixup_map2 = { 3 },
5368                 .errstr = "R1 min value is outside of the array range",
5369                 .result = REJECT,
5370                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5371         },
5372         {
5373                 "helper access to adjusted map (via const reg): out-of-bound range",
5374                 .insns = {
5375                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5376                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5377                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5378                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5379                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5380                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5381                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5382                         BPF_MOV64_IMM(BPF_REG_3,
5383                                 offsetof(struct test_val, foo)),
5384                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5385                         BPF_MOV64_IMM(BPF_REG_2,
5386                                 sizeof(struct test_val) -
5387                                 offsetof(struct test_val, foo) + 8),
5388                         BPF_MOV64_IMM(BPF_REG_3, 0),
5389                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5390                         BPF_EXIT_INSN(),
5391                 },
5392                 .fixup_map2 = { 3 },
5393                 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5394                 .result = REJECT,
5395                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5396         },
5397         {
5398                 "helper access to adjusted map (via const reg): negative range (> adjustment)",
5399                 .insns = {
5400                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5401                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5402                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5403                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5404                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5405                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5406                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5407                         BPF_MOV64_IMM(BPF_REG_3,
5408                                 offsetof(struct test_val, foo)),
5409                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5410                         BPF_MOV64_IMM(BPF_REG_2, -8),
5411                         BPF_MOV64_IMM(BPF_REG_3, 0),
5412                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5413                         BPF_EXIT_INSN(),
5414                 },
5415                 .fixup_map2 = { 3 },
5416                 .errstr = "R2 min value is negative",
5417                 .result = REJECT,
5418                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5419         },
5420         {
5421                 "helper access to adjusted map (via const reg): negative range (< adjustment)",
5422                 .insns = {
5423                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5424                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5425                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5426                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5427                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5428                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5429                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5430                         BPF_MOV64_IMM(BPF_REG_3,
5431                                 offsetof(struct test_val, foo)),
5432                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5433                         BPF_MOV64_IMM(BPF_REG_2, -1),
5434                         BPF_MOV64_IMM(BPF_REG_3, 0),
5435                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5436                         BPF_EXIT_INSN(),
5437                 },
5438                 .fixup_map2 = { 3 },
5439                 .errstr = "R2 min value is negative",
5440                 .result = REJECT,
5441                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5442         },
5443         {
5444                 "helper access to adjusted map (via variable): full range",
5445                 .insns = {
5446                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5447                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5448                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5449                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5450                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5451                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5452                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5453                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5454                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5455                                 offsetof(struct test_val, foo), 4),
5456                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5457                         BPF_MOV64_IMM(BPF_REG_2,
5458                                 sizeof(struct test_val) -
5459                                 offsetof(struct test_val, foo)),
5460                         BPF_MOV64_IMM(BPF_REG_3, 0),
5461                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5462                         BPF_EXIT_INSN(),
5463                 },
5464                 .fixup_map2 = { 3 },
5465                 .result = ACCEPT,
5466                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5467         },
5468         {
5469                 "helper access to adjusted map (via variable): partial range",
5470                 .insns = {
5471                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5472                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5473                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5474                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5475                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5476                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5477                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5478                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5479                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5480                                 offsetof(struct test_val, foo), 4),
5481                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5482                         BPF_MOV64_IMM(BPF_REG_2, 8),
5483                         BPF_MOV64_IMM(BPF_REG_3, 0),
5484                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5485                         BPF_EXIT_INSN(),
5486                 },
5487                 .fixup_map2 = { 3 },
5488                 .result = ACCEPT,
5489                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5490         },
5491         {
5492                 "helper access to adjusted map (via variable): empty range",
5493                 .insns = {
5494                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5495                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5496                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5497                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5498                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5499                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5500                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5501                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5502                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5503                                 offsetof(struct test_val, foo), 3),
5504                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5505                         BPF_MOV64_IMM(BPF_REG_2, 0),
5506                         BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5507                         BPF_EXIT_INSN(),
5508                 },
5509                 .fixup_map2 = { 3 },
5510                 .errstr = "R1 min value is outside of the array range",
5511                 .result = REJECT,
5512                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5513         },
5514         {
5515                 "helper access to adjusted map (via variable): no max check",
5516                 .insns = {
5517                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5518                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5519                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5520                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5521                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5522                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5523                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5524                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5525                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5526                         BPF_MOV64_IMM(BPF_REG_2, 1),
5527                         BPF_MOV64_IMM(BPF_REG_3, 0),
5528                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5529                         BPF_EXIT_INSN(),
5530                 },
5531                 .fixup_map2 = { 3 },
5532                 .errstr = "R1 unbounded memory access",
5533                 .result = REJECT,
5534                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5535         },
5536         {
5537                 "helper access to adjusted map (via variable): wrong max check",
5538                 .insns = {
5539                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5540                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5541                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5542                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5543                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5544                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5545                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5546                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5547                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5548                                 offsetof(struct test_val, foo), 4),
5549                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5550                         BPF_MOV64_IMM(BPF_REG_2,
5551                                 sizeof(struct test_val) -
5552                                 offsetof(struct test_val, foo) + 1),
5553                         BPF_MOV64_IMM(BPF_REG_3, 0),
5554                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5555                         BPF_EXIT_INSN(),
5556                 },
5557                 .fixup_map2 = { 3 },
5558                 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
5559                 .result = REJECT,
5560                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5561         },
5562         {
5563                 "helper access to map: bounds check using <, good access",
5564                 .insns = {
5565                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5566                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5567                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5568                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5569                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5570                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5571                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5572                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5573                         BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5574                         BPF_MOV64_IMM(BPF_REG_0, 0),
5575                         BPF_EXIT_INSN(),
5576                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5577                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5578                         BPF_MOV64_IMM(BPF_REG_0, 0),
5579                         BPF_EXIT_INSN(),
5580                 },
5581                 .fixup_map2 = { 3 },
5582                 .result = ACCEPT,
5583                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5584         },
5585         {
5586                 "helper access to map: bounds check using <, bad access",
5587                 .insns = {
5588                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5589                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5590                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5591                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5592                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5593                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5594                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5595                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5596                         BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5597                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5598                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5599                         BPF_MOV64_IMM(BPF_REG_0, 0),
5600                         BPF_EXIT_INSN(),
5601                         BPF_MOV64_IMM(BPF_REG_0, 0),
5602                         BPF_EXIT_INSN(),
5603                 },
5604                 .fixup_map2 = { 3 },
5605                 .result = REJECT,
5606                 .errstr = "R1 unbounded memory access",
5607                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5608         },
5609         {
5610                 "helper access to map: bounds check using <=, good access",
5611                 .insns = {
5612                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5613                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5614                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5615                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5616                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5617                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5618                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5619                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5620                         BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
5621                         BPF_MOV64_IMM(BPF_REG_0, 0),
5622                         BPF_EXIT_INSN(),
5623                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5624                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5625                         BPF_MOV64_IMM(BPF_REG_0, 0),
5626                         BPF_EXIT_INSN(),
5627                 },
5628                 .fixup_map2 = { 3 },
5629                 .result = ACCEPT,
5630                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5631         },
5632         {
5633                 "helper access to map: bounds check using <=, bad access",
5634                 .insns = {
5635                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5636                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5637                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5638                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5639                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5640                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5641                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5642                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5643                         BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
5644                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5645                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5646                         BPF_MOV64_IMM(BPF_REG_0, 0),
5647                         BPF_EXIT_INSN(),
5648                         BPF_MOV64_IMM(BPF_REG_0, 0),
5649                         BPF_EXIT_INSN(),
5650                 },
5651                 .fixup_map2 = { 3 },
5652                 .result = REJECT,
5653                 .errstr = "R1 unbounded memory access",
5654                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5655         },
5656         {
5657                 "helper access to map: bounds check using s<, good access",
5658                 .insns = {
5659                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5660                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5661                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5662                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5663                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5664                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5665                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5666                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5667                         BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5668                         BPF_MOV64_IMM(BPF_REG_0, 0),
5669                         BPF_EXIT_INSN(),
5670                         BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
5671                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5672                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5673                         BPF_MOV64_IMM(BPF_REG_0, 0),
5674                         BPF_EXIT_INSN(),
5675                 },
5676                 .fixup_map2 = { 3 },
5677                 .result = ACCEPT,
5678                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5679         },
5680         {
5681                 "helper access to map: bounds check using s<, good access 2",
5682                 .insns = {
5683                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5684                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5685                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5686                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5687                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5688                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5689                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5690                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5691                         BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5692                         BPF_MOV64_IMM(BPF_REG_0, 0),
5693                         BPF_EXIT_INSN(),
5694                         BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5695                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5696                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5697                         BPF_MOV64_IMM(BPF_REG_0, 0),
5698                         BPF_EXIT_INSN(),
5699                 },
5700                 .fixup_map2 = { 3 },
5701                 .result = ACCEPT,
5702                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5703         },
5704         {
5705                 "helper access to map: bounds check using s<, bad access",
5706                 .insns = {
5707                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5708                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5709                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5710                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5711                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5712                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5713                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5714                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5715                         BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
5716                         BPF_MOV64_IMM(BPF_REG_0, 0),
5717                         BPF_EXIT_INSN(),
5718                         BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
5719                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5720                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5721                         BPF_MOV64_IMM(BPF_REG_0, 0),
5722                         BPF_EXIT_INSN(),
5723                 },
5724                 .fixup_map2 = { 3 },
5725                 .result = REJECT,
5726                 .errstr = "R1 min value is negative",
5727                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5728         },
5729         {
5730                 "helper access to map: bounds check using s<=, good access",
5731                 .insns = {
5732                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5733                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5734                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5735                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5736                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5737                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5738                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5739                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5740                         BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5741                         BPF_MOV64_IMM(BPF_REG_0, 0),
5742                         BPF_EXIT_INSN(),
5743                         BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
5744                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5745                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5746                         BPF_MOV64_IMM(BPF_REG_0, 0),
5747                         BPF_EXIT_INSN(),
5748                 },
5749                 .fixup_map2 = { 3 },
5750                 .result = ACCEPT,
5751                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5752         },
5753         {
5754                 "helper access to map: bounds check using s<=, good access 2",
5755                 .insns = {
5756                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5757                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5758                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5759                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5760                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5761                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5762                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5763                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5764                         BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5765                         BPF_MOV64_IMM(BPF_REG_0, 0),
5766                         BPF_EXIT_INSN(),
5767                         BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5768                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5769                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5770                         BPF_MOV64_IMM(BPF_REG_0, 0),
5771                         BPF_EXIT_INSN(),
5772                 },
5773                 .fixup_map2 = { 3 },
5774                 .result = ACCEPT,
5775                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5776         },
5777         {
5778                 "helper access to map: bounds check using s<=, bad access",
5779                 .insns = {
5780                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5781                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5782                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5783                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5784                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5785                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5786                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5787                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
5788                         BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
5789                         BPF_MOV64_IMM(BPF_REG_0, 0),
5790                         BPF_EXIT_INSN(),
5791                         BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
5792                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5793                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5794                         BPF_MOV64_IMM(BPF_REG_0, 0),
5795                         BPF_EXIT_INSN(),
5796                 },
5797                 .fixup_map2 = { 3 },
5798                 .result = REJECT,
5799                 .errstr = "R1 min value is negative",
5800                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5801         },
5802         {
5803                 "map lookup helper access to map",
5804                 .insns = {
5805                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5806                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5807                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5808                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5809                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5810                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5811                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5812                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5813                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5814                         BPF_EXIT_INSN(),
5815                 },
5816                 .fixup_map3 = { 3, 8 },
5817                 .result = ACCEPT,
5818                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5819         },
5820         {
5821                 "map update helper access to map",
5822                 .insns = {
5823                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5824                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5825                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5826                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5827                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5828                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5829                         BPF_MOV64_IMM(BPF_REG_4, 0),
5830                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5831                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5832                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5833                         BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5834                         BPF_EXIT_INSN(),
5835                 },
5836                 .fixup_map3 = { 3, 10 },
5837                 .result = ACCEPT,
5838                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5839         },
5840         {
5841                 "map update helper access to map: wrong size",
5842                 .insns = {
5843                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5844                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5845                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5846                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5847                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5848                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5849                         BPF_MOV64_IMM(BPF_REG_4, 0),
5850                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
5851                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5852                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5853                         BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
5854                         BPF_EXIT_INSN(),
5855                 },
5856                 .fixup_map1 = { 3 },
5857                 .fixup_map3 = { 10 },
5858                 .result = REJECT,
5859                 .errstr = "invalid access to map value, value_size=8 off=0 size=16",
5860                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5861         },
5862         {
5863                 "map helper access to adjusted map (via const imm)",
5864                 .insns = {
5865                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5866                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5867                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5868                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5869                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5870                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5871                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5872                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
5873                                       offsetof(struct other_val, bar)),
5874                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5875                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5876                         BPF_EXIT_INSN(),
5877                 },
5878                 .fixup_map3 = { 3, 9 },
5879                 .result = ACCEPT,
5880                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5881         },
5882         {
5883                 "map helper access to adjusted map (via const imm): out-of-bound 1",
5884                 .insns = {
5885                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5886                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5887                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5888                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5889                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5890                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5891                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5892                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
5893                                       sizeof(struct other_val) - 4),
5894                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5895                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5896                         BPF_EXIT_INSN(),
5897                 },
5898                 .fixup_map3 = { 3, 9 },
5899                 .result = REJECT,
5900                 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
5901                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5902         },
5903         {
5904                 "map helper access to adjusted map (via const imm): out-of-bound 2",
5905                 .insns = {
5906                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5907                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5908                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5909                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5910                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5911                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5912                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5913                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
5914                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5915                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5916                         BPF_EXIT_INSN(),
5917                 },
5918                 .fixup_map3 = { 3, 9 },
5919                 .result = REJECT,
5920                 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
5921                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5922         },
5923         {
5924                 "map helper access to adjusted map (via const reg)",
5925                 .insns = {
5926                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5927                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5928                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5929                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5930                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5931                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5932                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5933                         BPF_MOV64_IMM(BPF_REG_3,
5934                                       offsetof(struct other_val, bar)),
5935                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5936                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5937                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5938                         BPF_EXIT_INSN(),
5939                 },
5940                 .fixup_map3 = { 3, 10 },
5941                 .result = ACCEPT,
5942                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5943         },
5944         {
5945                 "map helper access to adjusted map (via const reg): out-of-bound 1",
5946                 .insns = {
5947                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5948                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5949                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5950                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5951                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5952                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5953                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5954                         BPF_MOV64_IMM(BPF_REG_3,
5955                                       sizeof(struct other_val) - 4),
5956                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5957                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5958                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5959                         BPF_EXIT_INSN(),
5960                 },
5961                 .fixup_map3 = { 3, 10 },
5962                 .result = REJECT,
5963                 .errstr = "invalid access to map value, value_size=16 off=12 size=8",
5964                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5965         },
5966         {
5967                 "map helper access to adjusted map (via const reg): out-of-bound 2",
5968                 .insns = {
5969                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5970                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5971                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5972                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5973                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5974                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5975                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5976                         BPF_MOV64_IMM(BPF_REG_3, -4),
5977                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
5978                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5979                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5980                         BPF_EXIT_INSN(),
5981                 },
5982                 .fixup_map3 = { 3, 10 },
5983                 .result = REJECT,
5984                 .errstr = "invalid access to map value, value_size=16 off=-4 size=8",
5985                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5986         },
5987         {
5988                 "map helper access to adjusted map (via variable)",
5989                 .insns = {
5990                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5991                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5992                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5993                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5994                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5995                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5996                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
5997                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5998                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5999                                     offsetof(struct other_val, bar), 4),
6000                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6001                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6002                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6003                         BPF_EXIT_INSN(),
6004                 },
6005                 .fixup_map3 = { 3, 11 },
6006                 .result = ACCEPT,
6007                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6008         },
6009         {
6010                 "map helper access to adjusted map (via variable): no max check",
6011                 .insns = {
6012                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6013                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6014                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6015                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6016                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6017                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6018                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6019                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6020                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6021                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6022                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6023                         BPF_EXIT_INSN(),
6024                 },
6025                 .fixup_map3 = { 3, 10 },
6026                 .result = REJECT,
6027                 .errstr = "R2 unbounded memory access, make sure to bounds check any array access into a map",
6028                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6029         },
6030         {
6031                 "map helper access to adjusted map (via variable): wrong max check",
6032                 .insns = {
6033                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6034                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6035                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6036                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6037                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6038                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
6039                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
6040                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
6041                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
6042                                     offsetof(struct other_val, bar) + 1, 4),
6043                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
6044                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6045                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6046                         BPF_EXIT_INSN(),
6047                 },
6048                 .fixup_map3 = { 3, 11 },
6049                 .result = REJECT,
6050                 .errstr = "invalid access to map value, value_size=16 off=9 size=8",
6051                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6052         },
6053         {
6054                 "map element value is preserved across register spilling",
6055                 .insns = {
6056                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6057                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6058                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6059                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6060                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6061                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
6062                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6063                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6064                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
6065                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6066                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6067                         BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6068                         BPF_EXIT_INSN(),
6069                 },
6070                 .fixup_map2 = { 3 },
6071                 .errstr_unpriv = "R0 leaks addr",
6072                 .result = ACCEPT,
6073                 .result_unpriv = REJECT,
6074         },
6075         {
6076                 "map element value or null is marked on register spilling",
6077                 .insns = {
6078                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6079                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6080                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6081                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6082                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6083                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
6084                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
6085                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
6086                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6087                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
6088                         BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
6089                         BPF_EXIT_INSN(),
6090                 },
6091                 .fixup_map2 = { 3 },
6092                 .errstr_unpriv = "R0 leaks addr",
6093                 .result = ACCEPT,
6094                 .result_unpriv = REJECT,
6095         },
6096         {
6097                 "map element value store of cleared call register",
6098                 .insns = {
6099                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6100                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6101                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6102                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6103                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6104                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
6105                         BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
6106                         BPF_EXIT_INSN(),
6107                 },
6108                 .fixup_map2 = { 3 },
6109                 .errstr_unpriv = "R1 !read_ok",
6110                 .errstr = "R1 !read_ok",
6111                 .result = REJECT,
6112                 .result_unpriv = REJECT,
6113         },
6114         {
6115                 "map element value with unaligned store",
6116                 .insns = {
6117                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6118                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6119                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6120                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6121                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6122                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
6123                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6124                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
6125                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
6126                         BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
6127                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6128                         BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
6129                         BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
6130                         BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
6131                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
6132                         BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
6133                         BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
6134                         BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
6135                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
6136                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
6137                         BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
6138                         BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
6139                         BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
6140                         BPF_EXIT_INSN(),
6141                 },
6142                 .fixup_map2 = { 3 },
6143                 .errstr_unpriv = "R0 leaks addr",
6144                 .result = ACCEPT,
6145                 .result_unpriv = REJECT,
6146                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6147         },
6148         {
6149                 "map element value with unaligned load",
6150                 .insns = {
6151                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6152                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6153                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6154                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6155                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6156                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
6157                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
6158                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
6159                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
6160                         BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6161                         BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
6162                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
6163                         BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
6164                         BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
6165                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
6166                         BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
6167                         BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
6168                         BPF_EXIT_INSN(),
6169                 },
6170                 .fixup_map2 = { 3 },
6171                 .errstr_unpriv = "R0 leaks addr",
6172                 .result = ACCEPT,
6173                 .result_unpriv = REJECT,
6174                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
6175         },
6176         {
6177                 "map element value illegal alu op, 1",
6178                 .insns = {
6179                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6180                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6181                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6182                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6183                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6184                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6185                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
6186                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6187                         BPF_EXIT_INSN(),
6188                 },
6189                 .fixup_map2 = { 3 },
6190                 .errstr = "R0 bitwise operator &= on pointer",
6191                 .result = REJECT,
6192         },
6193         {
6194                 "map element value illegal alu op, 2",
6195                 .insns = {
6196                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6197                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6198                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6199                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6200                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6201                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6202                         BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
6203                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6204                         BPF_EXIT_INSN(),
6205                 },
6206                 .fixup_map2 = { 3 },
6207                 .errstr = "R0 32-bit pointer arithmetic prohibited",
6208                 .result = REJECT,
6209         },
6210         {
6211                 "map element value illegal alu op, 3",
6212                 .insns = {
6213                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6214                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6215                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6216                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6217                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6218                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6219                         BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
6220                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
6221                         BPF_EXIT_INSN(),
6222                 },
6223                 .fixup_map2 = { 3 },
6224                 .errstr = "R0 pointer arithmetic with /= operator",
6225                 .result = REJECT,
6226         },
6227         {
6228                 "map element value illegal alu op, 4",
6229                 .insns = {
6230                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6231                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6232                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6233                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6234                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6235                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
6236                         BPF_ENDIAN(BPF_FROM_BE, BPF_R