~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/tools/testing/selftests/bpf/test_verifier.c

Version: ~ [ linux-5.0-rc2 ] ~ [ linux-4.20.2 ] ~ [ linux-4.19.15 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.93 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.150 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.170 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.132 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.62 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.39.4 ] ~ [ linux-2.6.38.8 ] ~ [ linux-2.6.37.6 ] ~ [ linux-2.6.36.4 ] ~ [ linux-2.6.35.14 ] ~ [ linux-2.6.34.15 ] ~ [ linux-2.6.33.20 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * Testsuite for eBPF verifier
  3  *
  4  * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
  5  * Copyright (c) 2017 Facebook
  6  * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
  7  *
  8  * This program is free software; you can redistribute it and/or
  9  * modify it under the terms of version 2 of the GNU General Public
 10  * License as published by the Free Software Foundation.
 11  */
 12 
 13 #include <endian.h>
 14 #include <asm/types.h>
 15 #include <linux/types.h>
 16 #include <stdint.h>
 17 #include <stdio.h>
 18 #include <stdlib.h>
 19 #include <unistd.h>
 20 #include <errno.h>
 21 #include <string.h>
 22 #include <stddef.h>
 23 #include <stdbool.h>
 24 #include <sched.h>
 25 #include <limits.h>
 26 #include <assert.h>
 27 
 28 #include <sys/capability.h>
 29 
 30 #include <linux/unistd.h>
 31 #include <linux/filter.h>
 32 #include <linux/bpf_perf_event.h>
 33 #include <linux/bpf.h>
 34 #include <linux/if_ether.h>
 35 
 36 #include <bpf/bpf.h>
 37 
 38 #ifdef HAVE_GENHDR
 39 # include "autoconf.h"
 40 #else
 41 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
 42 #  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
 43 # endif
 44 #endif
 45 #include "bpf_rlimit.h"
 46 #include "bpf_rand.h"
 47 #include "bpf_util.h"
 48 #include "../../../include/linux/filter.h"
 49 
 50 #define MAX_INSNS       BPF_MAXINSNS
 51 #define MAX_FIXUPS      8
 52 #define MAX_NR_MAPS     13
 53 #define MAX_TEST_RUNS   8
 54 #define POINTER_VALUE   0xcafe4all
 55 #define TEST_DATA_LEN   64
 56 
 57 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS      (1 << 0)
 58 #define F_LOAD_WITH_STRICT_ALIGNMENT            (1 << 1)
 59 
 60 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
 61 static bool unpriv_disabled = false;
 62 
 63 struct bpf_test {
 64         const char *descr;
 65         struct bpf_insn insns[MAX_INSNS];
 66         int fixup_map_hash_8b[MAX_FIXUPS];
 67         int fixup_map_hash_48b[MAX_FIXUPS];
 68         int fixup_map_hash_16b[MAX_FIXUPS];
 69         int fixup_map_array_48b[MAX_FIXUPS];
 70         int fixup_map_sockmap[MAX_FIXUPS];
 71         int fixup_map_sockhash[MAX_FIXUPS];
 72         int fixup_map_xskmap[MAX_FIXUPS];
 73         int fixup_map_stacktrace[MAX_FIXUPS];
 74         int fixup_prog1[MAX_FIXUPS];
 75         int fixup_prog2[MAX_FIXUPS];
 76         int fixup_map_in_map[MAX_FIXUPS];
 77         int fixup_cgroup_storage[MAX_FIXUPS];
 78         int fixup_percpu_cgroup_storage[MAX_FIXUPS];
 79         const char *errstr;
 80         const char *errstr_unpriv;
 81         uint32_t retval, retval_unpriv, insn_processed;
 82         enum {
 83                 UNDEF,
 84                 ACCEPT,
 85                 REJECT
 86         } result, result_unpriv;
 87         enum bpf_prog_type prog_type;
 88         uint8_t flags;
 89         __u8 data[TEST_DATA_LEN];
 90         void (*fill_helper)(struct bpf_test *self);
 91         uint8_t runs;
 92         struct {
 93                 uint32_t retval, retval_unpriv;
 94                 union {
 95                         __u8 data[TEST_DATA_LEN];
 96                         __u64 data64[TEST_DATA_LEN / 8];
 97                 };
 98         } retvals[MAX_TEST_RUNS];
 99 };
100 
101 /* Note we want this to be 64 bit aligned so that the end of our array is
102  * actually the end of the structure.
103  */
104 #define MAX_ENTRIES 11
105 
106 struct test_val {
107         unsigned int index;
108         int foo[MAX_ENTRIES];
109 };
110 
111 struct other_val {
112         long long foo;
113         long long bar;
114 };
115 
116 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
117 {
118         /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
119 #define PUSH_CNT 51
120         unsigned int len = BPF_MAXINSNS;
121         struct bpf_insn *insn = self->insns;
122         int i = 0, j, k = 0;
123 
124         insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
125 loop:
126         for (j = 0; j < PUSH_CNT; j++) {
127                 insn[i++] = BPF_LD_ABS(BPF_B, 0);
128                 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
129                 i++;
130                 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
131                 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
132                 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
133                 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
134                                          BPF_FUNC_skb_vlan_push),
135                 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
136                 i++;
137         }
138 
139         for (j = 0; j < PUSH_CNT; j++) {
140                 insn[i++] = BPF_LD_ABS(BPF_B, 0);
141                 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
142                 i++;
143                 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
144                 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
145                                          BPF_FUNC_skb_vlan_pop),
146                 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
147                 i++;
148         }
149         if (++k < 5)
150                 goto loop;
151 
152         for (; i < len - 1; i++)
153                 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
154         insn[len - 1] = BPF_EXIT_INSN();
155 }
156 
157 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
158 {
159         struct bpf_insn *insn = self->insns;
160         unsigned int len = BPF_MAXINSNS;
161         int i = 0;
162 
163         insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
164         insn[i++] = BPF_LD_ABS(BPF_B, 0);
165         insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
166         i++;
167         while (i < len - 1)
168                 insn[i++] = BPF_LD_ABS(BPF_B, 1);
169         insn[i] = BPF_EXIT_INSN();
170 }
171 
172 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
173 {
174         struct bpf_insn *insn = self->insns;
175         uint64_t res = 0;
176         int i = 0;
177 
178         insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
179         while (i < self->retval) {
180                 uint64_t val = bpf_semi_rand_get();
181                 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
182 
183                 res ^= val;
184                 insn[i++] = tmp[0];
185                 insn[i++] = tmp[1];
186                 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
187         }
188         insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
189         insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
190         insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
191         insn[i] = BPF_EXIT_INSN();
192         res ^= (res >> 32);
193         self->retval = (uint32_t)res;
194 }
195 
196 /* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */
197 #define BPF_SK_LOOKUP                                                   \
198         /* struct bpf_sock_tuple tuple = {} */                          \
199         BPF_MOV64_IMM(BPF_REG_2, 0),                                    \
200         BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8),                  \
201         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -16),                \
202         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -24),                \
203         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -32),                \
204         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -40),                \
205         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -48),                \
206         /* sk = sk_lookup_tcp(ctx, &tuple, sizeof tuple, 0, 0) */       \
207         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),                           \
208         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),                         \
209         BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)),        \
210         BPF_MOV64_IMM(BPF_REG_4, 0),                                    \
211         BPF_MOV64_IMM(BPF_REG_5, 0),                                    \
212         BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp)
213 
214 static struct bpf_test tests[] = {
215         {
216                 "add+sub+mul",
217                 .insns = {
218                         BPF_MOV64_IMM(BPF_REG_1, 1),
219                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
220                         BPF_MOV64_IMM(BPF_REG_2, 3),
221                         BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
222                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
223                         BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
224                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
225                         BPF_EXIT_INSN(),
226                 },
227                 .result = ACCEPT,
228                 .retval = -3,
229         },
230         {
231                 "DIV32 by 0, zero check 1",
232                 .insns = {
233                         BPF_MOV32_IMM(BPF_REG_0, 42),
234                         BPF_MOV32_IMM(BPF_REG_1, 0),
235                         BPF_MOV32_IMM(BPF_REG_2, 1),
236                         BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
237                         BPF_EXIT_INSN(),
238                 },
239                 .result = ACCEPT,
240                 .retval = 42,
241         },
242         {
243                 "DIV32 by 0, zero check 2",
244                 .insns = {
245                         BPF_MOV32_IMM(BPF_REG_0, 42),
246                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
247                         BPF_MOV32_IMM(BPF_REG_2, 1),
248                         BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
249                         BPF_EXIT_INSN(),
250                 },
251                 .result = ACCEPT,
252                 .retval = 42,
253         },
254         {
255                 "DIV64 by 0, zero check",
256                 .insns = {
257                         BPF_MOV32_IMM(BPF_REG_0, 42),
258                         BPF_MOV32_IMM(BPF_REG_1, 0),
259                         BPF_MOV32_IMM(BPF_REG_2, 1),
260                         BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
261                         BPF_EXIT_INSN(),
262                 },
263                 .result = ACCEPT,
264                 .retval = 42,
265         },
266         {
267                 "MOD32 by 0, zero check 1",
268                 .insns = {
269                         BPF_MOV32_IMM(BPF_REG_0, 42),
270                         BPF_MOV32_IMM(BPF_REG_1, 0),
271                         BPF_MOV32_IMM(BPF_REG_2, 1),
272                         BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
273                         BPF_EXIT_INSN(),
274                 },
275                 .result = ACCEPT,
276                 .retval = 42,
277         },
278         {
279                 "MOD32 by 0, zero check 2",
280                 .insns = {
281                         BPF_MOV32_IMM(BPF_REG_0, 42),
282                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
283                         BPF_MOV32_IMM(BPF_REG_2, 1),
284                         BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
285                         BPF_EXIT_INSN(),
286                 },
287                 .result = ACCEPT,
288                 .retval = 42,
289         },
290         {
291                 "MOD64 by 0, zero check",
292                 .insns = {
293                         BPF_MOV32_IMM(BPF_REG_0, 42),
294                         BPF_MOV32_IMM(BPF_REG_1, 0),
295                         BPF_MOV32_IMM(BPF_REG_2, 1),
296                         BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
297                         BPF_EXIT_INSN(),
298                 },
299                 .result = ACCEPT,
300                 .retval = 42,
301         },
302         {
303                 "DIV32 by 0, zero check ok, cls",
304                 .insns = {
305                         BPF_MOV32_IMM(BPF_REG_0, 42),
306                         BPF_MOV32_IMM(BPF_REG_1, 2),
307                         BPF_MOV32_IMM(BPF_REG_2, 16),
308                         BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
309                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
310                         BPF_EXIT_INSN(),
311                 },
312                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
313                 .result = ACCEPT,
314                 .retval = 8,
315         },
316         {
317                 "DIV32 by 0, zero check 1, cls",
318                 .insns = {
319                         BPF_MOV32_IMM(BPF_REG_1, 0),
320                         BPF_MOV32_IMM(BPF_REG_0, 1),
321                         BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
322                         BPF_EXIT_INSN(),
323                 },
324                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
325                 .result = ACCEPT,
326                 .retval = 0,
327         },
328         {
329                 "DIV32 by 0, zero check 2, cls",
330                 .insns = {
331                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
332                         BPF_MOV32_IMM(BPF_REG_0, 1),
333                         BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
334                         BPF_EXIT_INSN(),
335                 },
336                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
337                 .result = ACCEPT,
338                 .retval = 0,
339         },
340         {
341                 "DIV64 by 0, zero check, cls",
342                 .insns = {
343                         BPF_MOV32_IMM(BPF_REG_1, 0),
344                         BPF_MOV32_IMM(BPF_REG_0, 1),
345                         BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
346                         BPF_EXIT_INSN(),
347                 },
348                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
349                 .result = ACCEPT,
350                 .retval = 0,
351         },
352         {
353                 "MOD32 by 0, zero check ok, cls",
354                 .insns = {
355                         BPF_MOV32_IMM(BPF_REG_0, 42),
356                         BPF_MOV32_IMM(BPF_REG_1, 3),
357                         BPF_MOV32_IMM(BPF_REG_2, 5),
358                         BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
359                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
360                         BPF_EXIT_INSN(),
361                 },
362                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
363                 .result = ACCEPT,
364                 .retval = 2,
365         },
366         {
367                 "MOD32 by 0, zero check 1, cls",
368                 .insns = {
369                         BPF_MOV32_IMM(BPF_REG_1, 0),
370                         BPF_MOV32_IMM(BPF_REG_0, 1),
371                         BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
372                         BPF_EXIT_INSN(),
373                 },
374                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
375                 .result = ACCEPT,
376                 .retval = 1,
377         },
378         {
379                 "MOD32 by 0, zero check 2, cls",
380                 .insns = {
381                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
382                         BPF_MOV32_IMM(BPF_REG_0, 1),
383                         BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
384                         BPF_EXIT_INSN(),
385                 },
386                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
387                 .result = ACCEPT,
388                 .retval = 1,
389         },
390         {
391                 "MOD64 by 0, zero check 1, cls",
392                 .insns = {
393                         BPF_MOV32_IMM(BPF_REG_1, 0),
394                         BPF_MOV32_IMM(BPF_REG_0, 2),
395                         BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
396                         BPF_EXIT_INSN(),
397                 },
398                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
399                 .result = ACCEPT,
400                 .retval = 2,
401         },
402         {
403                 "MOD64 by 0, zero check 2, cls",
404                 .insns = {
405                         BPF_MOV32_IMM(BPF_REG_1, 0),
406                         BPF_MOV32_IMM(BPF_REG_0, -1),
407                         BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
408                         BPF_EXIT_INSN(),
409                 },
410                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
411                 .result = ACCEPT,
412                 .retval = -1,
413         },
414         /* Just make sure that JITs used udiv/umod as otherwise we get
415          * an exception from INT_MIN/-1 overflow similarly as with div
416          * by zero.
417          */
418         {
419                 "DIV32 overflow, check 1",
420                 .insns = {
421                         BPF_MOV32_IMM(BPF_REG_1, -1),
422                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
423                         BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
424                         BPF_EXIT_INSN(),
425                 },
426                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
427                 .result = ACCEPT,
428                 .retval = 0,
429         },
430         {
431                 "DIV32 overflow, check 2",
432                 .insns = {
433                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
434                         BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
435                         BPF_EXIT_INSN(),
436                 },
437                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
438                 .result = ACCEPT,
439                 .retval = 0,
440         },
441         {
442                 "DIV64 overflow, check 1",
443                 .insns = {
444                         BPF_MOV64_IMM(BPF_REG_1, -1),
445                         BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
446                         BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
447                         BPF_EXIT_INSN(),
448                 },
449                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
450                 .result = ACCEPT,
451                 .retval = 0,
452         },
453         {
454                 "DIV64 overflow, check 2",
455                 .insns = {
456                         BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
457                         BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
458                         BPF_EXIT_INSN(),
459                 },
460                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
461                 .result = ACCEPT,
462                 .retval = 0,
463         },
464         {
465                 "MOD32 overflow, check 1",
466                 .insns = {
467                         BPF_MOV32_IMM(BPF_REG_1, -1),
468                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
469                         BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
470                         BPF_EXIT_INSN(),
471                 },
472                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
473                 .result = ACCEPT,
474                 .retval = INT_MIN,
475         },
476         {
477                 "MOD32 overflow, check 2",
478                 .insns = {
479                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
480                         BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
481                         BPF_EXIT_INSN(),
482                 },
483                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
484                 .result = ACCEPT,
485                 .retval = INT_MIN,
486         },
487         {
488                 "MOD64 overflow, check 1",
489                 .insns = {
490                         BPF_MOV64_IMM(BPF_REG_1, -1),
491                         BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
492                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
493                         BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
494                         BPF_MOV32_IMM(BPF_REG_0, 0),
495                         BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
496                         BPF_MOV32_IMM(BPF_REG_0, 1),
497                         BPF_EXIT_INSN(),
498                 },
499                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
500                 .result = ACCEPT,
501                 .retval = 1,
502         },
503         {
504                 "MOD64 overflow, check 2",
505                 .insns = {
506                         BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
507                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
508                         BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
509                         BPF_MOV32_IMM(BPF_REG_0, 0),
510                         BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
511                         BPF_MOV32_IMM(BPF_REG_0, 1),
512                         BPF_EXIT_INSN(),
513                 },
514                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
515                 .result = ACCEPT,
516                 .retval = 1,
517         },
518         {
519                 "xor32 zero extend check",
520                 .insns = {
521                         BPF_MOV32_IMM(BPF_REG_2, -1),
522                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
523                         BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
524                         BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
525                         BPF_MOV32_IMM(BPF_REG_0, 2),
526                         BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
527                         BPF_MOV32_IMM(BPF_REG_0, 1),
528                         BPF_EXIT_INSN(),
529                 },
530                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
531                 .result = ACCEPT,
532                 .retval = 1,
533         },
534         {
535                 "empty prog",
536                 .insns = {
537                 },
538                 .errstr = "unknown opcode 00",
539                 .result = REJECT,
540         },
541         {
542                 "only exit insn",
543                 .insns = {
544                         BPF_EXIT_INSN(),
545                 },
546                 .errstr = "R0 !read_ok",
547                 .result = REJECT,
548         },
549         {
550                 "unreachable",
551                 .insns = {
552                         BPF_EXIT_INSN(),
553                         BPF_EXIT_INSN(),
554                 },
555                 .errstr = "unreachable",
556                 .result = REJECT,
557         },
558         {
559                 "unreachable2",
560                 .insns = {
561                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
562                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
563                         BPF_EXIT_INSN(),
564                 },
565                 .errstr = "unreachable",
566                 .result = REJECT,
567         },
568         {
569                 "out of range jump",
570                 .insns = {
571                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
572                         BPF_EXIT_INSN(),
573                 },
574                 .errstr = "jump out of range",
575                 .result = REJECT,
576         },
577         {
578                 "out of range jump2",
579                 .insns = {
580                         BPF_JMP_IMM(BPF_JA, 0, 0, -2),
581                         BPF_EXIT_INSN(),
582                 },
583                 .errstr = "jump out of range",
584                 .result = REJECT,
585         },
586         {
587                 "test1 ld_imm64",
588                 .insns = {
589                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
590                         BPF_LD_IMM64(BPF_REG_0, 0),
591                         BPF_LD_IMM64(BPF_REG_0, 0),
592                         BPF_LD_IMM64(BPF_REG_0, 1),
593                         BPF_LD_IMM64(BPF_REG_0, 1),
594                         BPF_MOV64_IMM(BPF_REG_0, 2),
595                         BPF_EXIT_INSN(),
596                 },
597                 .errstr = "invalid BPF_LD_IMM insn",
598                 .errstr_unpriv = "R1 pointer comparison",
599                 .result = REJECT,
600         },
601         {
602                 "test2 ld_imm64",
603                 .insns = {
604                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
605                         BPF_LD_IMM64(BPF_REG_0, 0),
606                         BPF_LD_IMM64(BPF_REG_0, 0),
607                         BPF_LD_IMM64(BPF_REG_0, 1),
608                         BPF_LD_IMM64(BPF_REG_0, 1),
609                         BPF_EXIT_INSN(),
610                 },
611                 .errstr = "invalid BPF_LD_IMM insn",
612                 .errstr_unpriv = "R1 pointer comparison",
613                 .result = REJECT,
614         },
615         {
616                 "test3 ld_imm64",
617                 .insns = {
618                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
619                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
620                         BPF_LD_IMM64(BPF_REG_0, 0),
621                         BPF_LD_IMM64(BPF_REG_0, 0),
622                         BPF_LD_IMM64(BPF_REG_0, 1),
623                         BPF_LD_IMM64(BPF_REG_0, 1),
624                         BPF_EXIT_INSN(),
625                 },
626                 .errstr = "invalid bpf_ld_imm64 insn",
627                 .result = REJECT,
628         },
629         {
630                 "test4 ld_imm64",
631                 .insns = {
632                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
633                         BPF_EXIT_INSN(),
634                 },
635                 .errstr = "invalid bpf_ld_imm64 insn",
636                 .result = REJECT,
637         },
638         {
639                 "test5 ld_imm64",
640                 .insns = {
641                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
642                 },
643                 .errstr = "invalid bpf_ld_imm64 insn",
644                 .result = REJECT,
645         },
646         {
647                 "test6 ld_imm64",
648                 .insns = {
649                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
650                         BPF_RAW_INSN(0, 0, 0, 0, 0),
651                         BPF_EXIT_INSN(),
652                 },
653                 .result = ACCEPT,
654         },
655         {
656                 "test7 ld_imm64",
657                 .insns = {
658                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
659                         BPF_RAW_INSN(0, 0, 0, 0, 1),
660                         BPF_EXIT_INSN(),
661                 },
662                 .result = ACCEPT,
663                 .retval = 1,
664         },
665         {
666                 "test8 ld_imm64",
667                 .insns = {
668                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
669                         BPF_RAW_INSN(0, 0, 0, 0, 1),
670                         BPF_EXIT_INSN(),
671                 },
672                 .errstr = "uses reserved fields",
673                 .result = REJECT,
674         },
675         {
676                 "test9 ld_imm64",
677                 .insns = {
678                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
679                         BPF_RAW_INSN(0, 0, 0, 1, 1),
680                         BPF_EXIT_INSN(),
681                 },
682                 .errstr = "invalid bpf_ld_imm64 insn",
683                 .result = REJECT,
684         },
685         {
686                 "test10 ld_imm64",
687                 .insns = {
688                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
689                         BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
690                         BPF_EXIT_INSN(),
691                 },
692                 .errstr = "invalid bpf_ld_imm64 insn",
693                 .result = REJECT,
694         },
695         {
696                 "test11 ld_imm64",
697                 .insns = {
698                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
699                         BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
700                         BPF_EXIT_INSN(),
701                 },
702                 .errstr = "invalid bpf_ld_imm64 insn",
703                 .result = REJECT,
704         },
705         {
706                 "test12 ld_imm64",
707                 .insns = {
708                         BPF_MOV64_IMM(BPF_REG_1, 0),
709                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
710                         BPF_RAW_INSN(0, 0, 0, 0, 1),
711                         BPF_EXIT_INSN(),
712                 },
713                 .errstr = "not pointing to valid bpf_map",
714                 .result = REJECT,
715         },
716         {
717                 "test13 ld_imm64",
718                 .insns = {
719                         BPF_MOV64_IMM(BPF_REG_1, 0),
720                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
721                         BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
722                         BPF_EXIT_INSN(),
723                 },
724                 .errstr = "invalid bpf_ld_imm64 insn",
725                 .result = REJECT,
726         },
727         {
728                 "arsh32 on imm",
729                 .insns = {
730                         BPF_MOV64_IMM(BPF_REG_0, 1),
731                         BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
732                         BPF_EXIT_INSN(),
733                 },
734                 .result = ACCEPT,
735                 .retval = 0,
736         },
737         {
738                 "arsh32 on imm 2",
739                 .insns = {
740                         BPF_LD_IMM64(BPF_REG_0, 0x1122334485667788),
741                         BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 7),
742                         BPF_EXIT_INSN(),
743                 },
744                 .result = ACCEPT,
745                 .retval = -16069393,
746         },
747         {
748                 "arsh32 on reg",
749                 .insns = {
750                         BPF_MOV64_IMM(BPF_REG_0, 1),
751                         BPF_MOV64_IMM(BPF_REG_1, 5),
752                         BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
753                         BPF_EXIT_INSN(),
754                 },
755                 .result = ACCEPT,
756                 .retval = 0,
757         },
758         {
759                 "arsh32 on reg 2",
760                 .insns = {
761                         BPF_LD_IMM64(BPF_REG_0, 0xffff55667788),
762                         BPF_MOV64_IMM(BPF_REG_1, 15),
763                         BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
764                         BPF_EXIT_INSN(),
765                 },
766                 .result = ACCEPT,
767                 .retval = 43724,
768         },
769         {
770                 "arsh64 on imm",
771                 .insns = {
772                         BPF_MOV64_IMM(BPF_REG_0, 1),
773                         BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
774                         BPF_EXIT_INSN(),
775                 },
776                 .result = ACCEPT,
777         },
778         {
779                 "arsh64 on reg",
780                 .insns = {
781                         BPF_MOV64_IMM(BPF_REG_0, 1),
782                         BPF_MOV64_IMM(BPF_REG_1, 5),
783                         BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
784                         BPF_EXIT_INSN(),
785                 },
786                 .result = ACCEPT,
787         },
788         {
789                 "no bpf_exit",
790                 .insns = {
791                         BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
792                 },
793                 .errstr = "not an exit",
794                 .result = REJECT,
795         },
796         {
797                 "loop (back-edge)",
798                 .insns = {
799                         BPF_JMP_IMM(BPF_JA, 0, 0, -1),
800                         BPF_EXIT_INSN(),
801                 },
802                 .errstr = "back-edge",
803                 .result = REJECT,
804         },
805         {
806                 "loop2 (back-edge)",
807                 .insns = {
808                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
809                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
810                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
811                         BPF_JMP_IMM(BPF_JA, 0, 0, -4),
812                         BPF_EXIT_INSN(),
813                 },
814                 .errstr = "back-edge",
815                 .result = REJECT,
816         },
817         {
818                 "conditional loop",
819                 .insns = {
820                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
821                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
822                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
823                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
824                         BPF_EXIT_INSN(),
825                 },
826                 .errstr = "back-edge",
827                 .result = REJECT,
828         },
829         {
830                 "read uninitialized register",
831                 .insns = {
832                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
833                         BPF_EXIT_INSN(),
834                 },
835                 .errstr = "R2 !read_ok",
836                 .result = REJECT,
837         },
838         {
839                 "read invalid register",
840                 .insns = {
841                         BPF_MOV64_REG(BPF_REG_0, -1),
842                         BPF_EXIT_INSN(),
843                 },
844                 .errstr = "R15 is invalid",
845                 .result = REJECT,
846         },
847         {
848                 "program doesn't init R0 before exit",
849                 .insns = {
850                         BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
851                         BPF_EXIT_INSN(),
852                 },
853                 .errstr = "R0 !read_ok",
854                 .result = REJECT,
855         },
856         {
857                 "program doesn't init R0 before exit in all branches",
858                 .insns = {
859                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
860                         BPF_MOV64_IMM(BPF_REG_0, 1),
861                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
862                         BPF_EXIT_INSN(),
863                 },
864                 .errstr = "R0 !read_ok",
865                 .errstr_unpriv = "R1 pointer comparison",
866                 .result = REJECT,
867         },
868         {
869                 "stack out of bounds",
870                 .insns = {
871                         BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
872                         BPF_EXIT_INSN(),
873                 },
874                 .errstr = "invalid stack",
875                 .result = REJECT,
876         },
877         {
878                 "invalid call insn1",
879                 .insns = {
880                         BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
881                         BPF_EXIT_INSN(),
882                 },
883                 .errstr = "unknown opcode 8d",
884                 .result = REJECT,
885         },
886         {
887                 "invalid call insn2",
888                 .insns = {
889                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
890                         BPF_EXIT_INSN(),
891                 },
892                 .errstr = "BPF_CALL uses reserved",
893                 .result = REJECT,
894         },
895         {
896                 "invalid function call",
897                 .insns = {
898                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
899                         BPF_EXIT_INSN(),
900                 },
901                 .errstr = "invalid func unknown#1234567",
902                 .result = REJECT,
903         },
904         {
905                 "uninitialized stack1",
906                 .insns = {
907                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
908                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
909                         BPF_LD_MAP_FD(BPF_REG_1, 0),
910                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
911                                      BPF_FUNC_map_lookup_elem),
912                         BPF_EXIT_INSN(),
913                 },
914                 .fixup_map_hash_8b = { 2 },
915                 .errstr = "invalid indirect read from stack",
916                 .result = REJECT,
917         },
918         {
919                 "uninitialized stack2",
920                 .insns = {
921                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
922                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
923                         BPF_EXIT_INSN(),
924                 },
925                 .errstr = "invalid read from stack",
926                 .result = REJECT,
927         },
928         {
929                 "invalid fp arithmetic",
930                 /* If this gets ever changed, make sure JITs can deal with it. */
931                 .insns = {
932                         BPF_MOV64_IMM(BPF_REG_0, 0),
933                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
934                         BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
935                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
936                         BPF_EXIT_INSN(),
937                 },
938                 .errstr = "R1 subtraction from stack pointer",
939                 .result = REJECT,
940         },
941         {
942                 "non-invalid fp arithmetic",
943                 .insns = {
944                         BPF_MOV64_IMM(BPF_REG_0, 0),
945                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
946                         BPF_EXIT_INSN(),
947                 },
948                 .result = ACCEPT,
949         },
950         {
951                 "invalid argument register",
952                 .insns = {
953                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
954                                      BPF_FUNC_get_cgroup_classid),
955                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
956                                      BPF_FUNC_get_cgroup_classid),
957                         BPF_EXIT_INSN(),
958                 },
959                 .errstr = "R1 !read_ok",
960                 .result = REJECT,
961                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
962         },
963         {
964                 "non-invalid argument register",
965                 .insns = {
966                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
967                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
968                                      BPF_FUNC_get_cgroup_classid),
969                         BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
970                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
971                                      BPF_FUNC_get_cgroup_classid),
972                         BPF_EXIT_INSN(),
973                 },
974                 .result = ACCEPT,
975                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
976         },
977         {
978                 "check valid spill/fill",
979                 .insns = {
980                         /* spill R1(ctx) into stack */
981                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
982                         /* fill it back into R2 */
983                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
984                         /* should be able to access R0 = *(R2 + 8) */
985                         /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
986                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
987                         BPF_EXIT_INSN(),
988                 },
989                 .errstr_unpriv = "R0 leaks addr",
990                 .result = ACCEPT,
991                 .result_unpriv = REJECT,
992                 .retval = POINTER_VALUE,
993         },
994         {
995                 "check valid spill/fill, skb mark",
996                 .insns = {
997                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
998                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
999                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1000                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
1001                                     offsetof(struct __sk_buff, mark)),
1002                         BPF_EXIT_INSN(),
1003                 },
1004                 .result = ACCEPT,
1005                 .result_unpriv = ACCEPT,
1006         },
1007         {
1008                 "check corrupted spill/fill",
1009                 .insns = {
1010                         /* spill R1(ctx) into stack */
1011                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
1012                         /* mess up with R1 pointer on stack */
1013                         BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
1014                         /* fill back into R0 is fine for priv.
1015                          * R0 now becomes SCALAR_VALUE.
1016                          */
1017                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1018                         /* Load from R0 should fail. */
1019                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8),
1020                         BPF_EXIT_INSN(),
1021                 },
1022                 .errstr_unpriv = "attempt to corrupt spilled",
1023                 .errstr = "R0 invalid mem access 'inv",
1024                 .result = REJECT,
1025         },
1026         {
1027                 "check corrupted spill/fill, LSB",
1028                 .insns = {
1029                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
1030                         BPF_ST_MEM(BPF_H, BPF_REG_10, -8, 0xcafe),
1031                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1032                         BPF_EXIT_INSN(),
1033                 },
1034                 .errstr_unpriv = "attempt to corrupt spilled",
1035                 .result_unpriv = REJECT,
1036                 .result = ACCEPT,
1037                 .retval = POINTER_VALUE,
1038         },
1039         {
1040                 "check corrupted spill/fill, MSB",
1041                 .insns = {
1042                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
1043                         BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0x12345678),
1044                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
1045                         BPF_EXIT_INSN(),
1046                 },
1047                 .errstr_unpriv = "attempt to corrupt spilled",
1048                 .result_unpriv = REJECT,
1049                 .result = ACCEPT,
1050                 .retval = POINTER_VALUE,
1051         },
1052         {
1053                 "invalid src register in STX",
1054                 .insns = {
1055                         BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
1056                         BPF_EXIT_INSN(),
1057                 },
1058                 .errstr = "R15 is invalid",
1059                 .result = REJECT,
1060         },
1061         {
1062                 "invalid dst register in STX",
1063                 .insns = {
1064                         BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
1065                         BPF_EXIT_INSN(),
1066                 },
1067                 .errstr = "R14 is invalid",
1068                 .result = REJECT,
1069         },
1070         {
1071                 "invalid dst register in ST",
1072                 .insns = {
1073                         BPF_ST_MEM(BPF_B, 14, -1, -1),
1074                         BPF_EXIT_INSN(),
1075                 },
1076                 .errstr = "R14 is invalid",
1077                 .result = REJECT,
1078         },
1079         {
1080                 "invalid src register in LDX",
1081                 .insns = {
1082                         BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1083                         BPF_EXIT_INSN(),
1084                 },
1085                 .errstr = "R12 is invalid",
1086                 .result = REJECT,
1087         },
1088         {
1089                 "invalid dst register in LDX",
1090                 .insns = {
1091                         BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1092                         BPF_EXIT_INSN(),
1093                 },
1094                 .errstr = "R11 is invalid",
1095                 .result = REJECT,
1096         },
1097         {
1098                 "junk insn",
1099                 .insns = {
1100                         BPF_RAW_INSN(0, 0, 0, 0, 0),
1101                         BPF_EXIT_INSN(),
1102                 },
1103                 .errstr = "unknown opcode 00",
1104                 .result = REJECT,
1105         },
1106         {
1107                 "junk insn2",
1108                 .insns = {
1109                         BPF_RAW_INSN(1, 0, 0, 0, 0),
1110                         BPF_EXIT_INSN(),
1111                 },
1112                 .errstr = "BPF_LDX uses reserved fields",
1113                 .result = REJECT,
1114         },
1115         {
1116                 "junk insn3",
1117                 .insns = {
1118                         BPF_RAW_INSN(-1, 0, 0, 0, 0),
1119                         BPF_EXIT_INSN(),
1120                 },
1121                 .errstr = "unknown opcode ff",
1122                 .result = REJECT,
1123         },
1124         {
1125                 "junk insn4",
1126                 .insns = {
1127                         BPF_RAW_INSN(-1, -1, -1, -1, -1),
1128                         BPF_EXIT_INSN(),
1129                 },
1130                 .errstr = "unknown opcode ff",
1131                 .result = REJECT,
1132         },
1133         {
1134                 "junk insn5",
1135                 .insns = {
1136                         BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1137                         BPF_EXIT_INSN(),
1138                 },
1139                 .errstr = "BPF_ALU uses reserved fields",
1140                 .result = REJECT,
1141         },
1142         {
1143                 "misaligned read from stack",
1144                 .insns = {
1145                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1146                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1147                         BPF_EXIT_INSN(),
1148                 },
1149                 .errstr = "misaligned stack access",
1150                 .result = REJECT,
1151         },
1152         {
1153                 "invalid map_fd for function call",
1154                 .insns = {
1155                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1156                         BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1157                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1158                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1159                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1160                                      BPF_FUNC_map_delete_elem),
1161                         BPF_EXIT_INSN(),
1162                 },
1163                 .errstr = "fd 0 is not pointing to valid bpf_map",
1164                 .result = REJECT,
1165         },
1166         {
1167                 "don't check return value before access",
1168                 .insns = {
1169                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1170                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1171                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1172                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1173                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1174                                      BPF_FUNC_map_lookup_elem),
1175                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1176                         BPF_EXIT_INSN(),
1177                 },
1178                 .fixup_map_hash_8b = { 3 },
1179                 .errstr = "R0 invalid mem access 'map_value_or_null'",
1180                 .result = REJECT,
1181         },
1182         {
1183                 "access memory with incorrect alignment",
1184                 .insns = {
1185                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1186                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1187                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1188                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1189                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1190                                      BPF_FUNC_map_lookup_elem),
1191                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1192                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1193                         BPF_EXIT_INSN(),
1194                 },
1195                 .fixup_map_hash_8b = { 3 },
1196                 .errstr = "misaligned value access",
1197                 .result = REJECT,
1198                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1199         },
1200         {
1201                 "sometimes access memory with incorrect alignment",
1202                 .insns = {
1203                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1204                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1205                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1206                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1207                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1208                                      BPF_FUNC_map_lookup_elem),
1209                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1210                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1211                         BPF_EXIT_INSN(),
1212                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1213                         BPF_EXIT_INSN(),
1214                 },
1215                 .fixup_map_hash_8b = { 3 },
1216                 .errstr = "R0 invalid mem access",
1217                 .errstr_unpriv = "R0 leaks addr",
1218                 .result = REJECT,
1219                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1220         },
1221         {
1222                 "jump test 1",
1223                 .insns = {
1224                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1225                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1226                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1227                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1228                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1229                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1230                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1231                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1232                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1233                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1234                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1235                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1236                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1237                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1238                         BPF_MOV64_IMM(BPF_REG_0, 0),
1239                         BPF_EXIT_INSN(),
1240                 },
1241                 .errstr_unpriv = "R1 pointer comparison",
1242                 .result_unpriv = REJECT,
1243                 .result = ACCEPT,
1244         },
1245         {
1246                 "jump test 2",
1247                 .insns = {
1248                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1249                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1250                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1251                         BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1252                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1253                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1254                         BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1255                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1256                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1257                         BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1258                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1259                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1260                         BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1261                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1262                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1263                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1264                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1265                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1266                         BPF_MOV64_IMM(BPF_REG_0, 0),
1267                         BPF_EXIT_INSN(),
1268                 },
1269                 .errstr_unpriv = "R1 pointer comparison",
1270                 .result_unpriv = REJECT,
1271                 .result = ACCEPT,
1272         },
1273         {
1274                 "jump test 3",
1275                 .insns = {
1276                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1277                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1278                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1279                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1280                         BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1281                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1282                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1283                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1284                         BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1285                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1286                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1287                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1288                         BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1289                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1290                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1291                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1292                         BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1293                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1294                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1295                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1296                         BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1297                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1298                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1299                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1300                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1301                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1302                                      BPF_FUNC_map_delete_elem),
1303                         BPF_EXIT_INSN(),
1304                 },
1305                 .fixup_map_hash_8b = { 24 },
1306                 .errstr_unpriv = "R1 pointer comparison",
1307                 .result_unpriv = REJECT,
1308                 .result = ACCEPT,
1309                 .retval = -ENOENT,
1310         },
1311         {
1312                 "jump test 4",
1313                 .insns = {
1314                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1315                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1316                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1317                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1318                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1319                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1320                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1321                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1322                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1323                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1324                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1325                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1326                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1327                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1328                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1329                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1330                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1331                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1332                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1333                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1334                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1335                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1336                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1337                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1338                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1339                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1340                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1341                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1342                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1343                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1344                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1345                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1346                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1347                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1348                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1349                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1350                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1351                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1352                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1353                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1354                         BPF_MOV64_IMM(BPF_REG_0, 0),
1355                         BPF_EXIT_INSN(),
1356                 },
1357                 .errstr_unpriv = "R1 pointer comparison",
1358                 .result_unpriv = REJECT,
1359                 .result = ACCEPT,
1360         },
1361         {
1362                 "jump test 5",
1363                 .insns = {
1364                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1365                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1366                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1367                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1368                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1369                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1370                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1371                         BPF_MOV64_IMM(BPF_REG_0, 0),
1372                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1373                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1374                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1375                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1376                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1377                         BPF_MOV64_IMM(BPF_REG_0, 0),
1378                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1379                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1380                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1381                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1382                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1383                         BPF_MOV64_IMM(BPF_REG_0, 0),
1384                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1385                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1386                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1387                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1388                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1389                         BPF_MOV64_IMM(BPF_REG_0, 0),
1390                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1391                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1392                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1393                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1394                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1395                         BPF_MOV64_IMM(BPF_REG_0, 0),
1396                         BPF_EXIT_INSN(),
1397                 },
1398                 .errstr_unpriv = "R1 pointer comparison",
1399                 .result_unpriv = REJECT,
1400                 .result = ACCEPT,
1401         },
1402         {
1403                 "access skb fields ok",
1404                 .insns = {
1405                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1406                                     offsetof(struct __sk_buff, len)),
1407                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1408                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1409                                     offsetof(struct __sk_buff, mark)),
1410                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1411                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1412                                     offsetof(struct __sk_buff, pkt_type)),
1413                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1414                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1415                                     offsetof(struct __sk_buff, queue_mapping)),
1416                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1417                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1418                                     offsetof(struct __sk_buff, protocol)),
1419                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1420                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1421                                     offsetof(struct __sk_buff, vlan_present)),
1422                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1423                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1424                                     offsetof(struct __sk_buff, vlan_tci)),
1425                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1426                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1427                                     offsetof(struct __sk_buff, napi_id)),
1428                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1429                         BPF_EXIT_INSN(),
1430                 },
1431                 .result = ACCEPT,
1432         },
1433         {
1434                 "access skb fields bad1",
1435                 .insns = {
1436                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1437                         BPF_EXIT_INSN(),
1438                 },
1439                 .errstr = "invalid bpf_context access",
1440                 .result = REJECT,
1441         },
1442         {
1443                 "access skb fields bad2",
1444                 .insns = {
1445                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1446                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1447                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1448                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1449                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1450                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1451                                      BPF_FUNC_map_lookup_elem),
1452                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1453                         BPF_EXIT_INSN(),
1454                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1455                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1456                                     offsetof(struct __sk_buff, pkt_type)),
1457                         BPF_EXIT_INSN(),
1458                 },
1459                 .fixup_map_hash_8b = { 4 },
1460                 .errstr = "different pointers",
1461                 .errstr_unpriv = "R1 pointer comparison",
1462                 .result = REJECT,
1463         },
1464         {
1465                 "access skb fields bad3",
1466                 .insns = {
1467                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1468                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1469                                     offsetof(struct __sk_buff, pkt_type)),
1470                         BPF_EXIT_INSN(),
1471                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1472                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1473                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1474                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1475                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1476                                      BPF_FUNC_map_lookup_elem),
1477                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1478                         BPF_EXIT_INSN(),
1479                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1480                         BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1481                 },
1482                 .fixup_map_hash_8b = { 6 },
1483                 .errstr = "different pointers",
1484                 .errstr_unpriv = "R1 pointer comparison",
1485                 .result = REJECT,
1486         },
1487         {
1488                 "access skb fields bad4",
1489                 .insns = {
1490                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1491                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1492                                     offsetof(struct __sk_buff, len)),
1493                         BPF_MOV64_IMM(BPF_REG_0, 0),
1494                         BPF_EXIT_INSN(),
1495                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1496                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1497                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1498                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1499                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1500                                      BPF_FUNC_map_lookup_elem),
1501                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1502                         BPF_EXIT_INSN(),
1503                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1504                         BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1505                 },
1506                 .fixup_map_hash_8b = { 7 },
1507                 .errstr = "different pointers",
1508                 .errstr_unpriv = "R1 pointer comparison",
1509                 .result = REJECT,
1510         },
1511         {
1512                 "invalid access __sk_buff family",
1513                 .insns = {
1514                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1515                                     offsetof(struct __sk_buff, family)),
1516                         BPF_EXIT_INSN(),
1517                 },
1518                 .errstr = "invalid bpf_context access",
1519                 .result = REJECT,
1520         },
1521         {
1522                 "invalid access __sk_buff remote_ip4",
1523                 .insns = {
1524                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1525                                     offsetof(struct __sk_buff, remote_ip4)),
1526                         BPF_EXIT_INSN(),
1527                 },
1528                 .errstr = "invalid bpf_context access",
1529                 .result = REJECT,
1530         },
1531         {
1532                 "invalid access __sk_buff local_ip4",
1533                 .insns = {
1534                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1535                                     offsetof(struct __sk_buff, local_ip4)),
1536                         BPF_EXIT_INSN(),
1537                 },
1538                 .errstr = "invalid bpf_context access",
1539                 .result = REJECT,
1540         },
1541         {
1542                 "invalid access __sk_buff remote_ip6",
1543                 .insns = {
1544                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1545                                     offsetof(struct __sk_buff, remote_ip6)),
1546                         BPF_EXIT_INSN(),
1547                 },
1548                 .errstr = "invalid bpf_context access",
1549                 .result = REJECT,
1550         },
1551         {
1552                 "invalid access __sk_buff local_ip6",
1553                 .insns = {
1554                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1555                                     offsetof(struct __sk_buff, local_ip6)),
1556                         BPF_EXIT_INSN(),
1557                 },
1558                 .errstr = "invalid bpf_context access",
1559                 .result = REJECT,
1560         },
1561         {
1562                 "invalid access __sk_buff remote_port",
1563                 .insns = {
1564                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1565                                     offsetof(struct __sk_buff, remote_port)),
1566                         BPF_EXIT_INSN(),
1567                 },
1568                 .errstr = "invalid bpf_context access",
1569                 .result = REJECT,
1570         },
1571         {
1572                 "invalid access __sk_buff remote_port",
1573                 .insns = {
1574                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1575                                     offsetof(struct __sk_buff, local_port)),
1576                         BPF_EXIT_INSN(),
1577                 },
1578                 .errstr = "invalid bpf_context access",
1579                 .result = REJECT,
1580         },
1581         {
1582                 "valid access __sk_buff family",
1583                 .insns = {
1584                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1585                                     offsetof(struct __sk_buff, family)),
1586                         BPF_EXIT_INSN(),
1587                 },
1588                 .result = ACCEPT,
1589                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1590         },
1591         {
1592                 "valid access __sk_buff remote_ip4",
1593                 .insns = {
1594                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1595                                     offsetof(struct __sk_buff, remote_ip4)),
1596                         BPF_EXIT_INSN(),
1597                 },
1598                 .result = ACCEPT,
1599                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1600         },
1601         {
1602                 "valid access __sk_buff local_ip4",
1603                 .insns = {
1604                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1605                                     offsetof(struct __sk_buff, local_ip4)),
1606                         BPF_EXIT_INSN(),
1607                 },
1608                 .result = ACCEPT,
1609                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1610         },
1611         {
1612                 "valid access __sk_buff remote_ip6",
1613                 .insns = {
1614                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1615                                     offsetof(struct __sk_buff, remote_ip6[0])),
1616                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1617                                     offsetof(struct __sk_buff, remote_ip6[1])),
1618                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1619                                     offsetof(struct __sk_buff, remote_ip6[2])),
1620                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1621                                     offsetof(struct __sk_buff, remote_ip6[3])),
1622                         BPF_EXIT_INSN(),
1623                 },
1624                 .result = ACCEPT,
1625                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1626         },
1627         {
1628                 "valid access __sk_buff local_ip6",
1629                 .insns = {
1630                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1631                                     offsetof(struct __sk_buff, local_ip6[0])),
1632                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1633                                     offsetof(struct __sk_buff, local_ip6[1])),
1634                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1635                                     offsetof(struct __sk_buff, local_ip6[2])),
1636                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1637                                     offsetof(struct __sk_buff, local_ip6[3])),
1638                         BPF_EXIT_INSN(),
1639                 },
1640                 .result = ACCEPT,
1641                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1642         },
1643         {
1644                 "valid access __sk_buff remote_port",
1645                 .insns = {
1646                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1647                                     offsetof(struct __sk_buff, remote_port)),
1648                         BPF_EXIT_INSN(),
1649                 },
1650                 .result = ACCEPT,
1651                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1652         },
1653         {
1654                 "valid access __sk_buff remote_port",
1655                 .insns = {
1656                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1657                                     offsetof(struct __sk_buff, local_port)),
1658                         BPF_EXIT_INSN(),
1659                 },
1660                 .result = ACCEPT,
1661                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1662         },
1663         {
1664                 "invalid access of tc_classid for SK_SKB",
1665                 .insns = {
1666                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1667                                     offsetof(struct __sk_buff, tc_classid)),
1668                         BPF_EXIT_INSN(),
1669                 },
1670                 .result = REJECT,
1671                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1672                 .errstr = "invalid bpf_context access",
1673         },
1674         {
1675                 "invalid access of skb->mark for SK_SKB",
1676                 .insns = {
1677                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1678                                     offsetof(struct __sk_buff, mark)),
1679                         BPF_EXIT_INSN(),
1680                 },
1681                 .result =  REJECT,
1682                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1683                 .errstr = "invalid bpf_context access",
1684         },
1685         {
1686                 "check skb->mark is not writeable by SK_SKB",
1687                 .insns = {
1688                         BPF_MOV64_IMM(BPF_REG_0, 0),
1689                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1690                                     offsetof(struct __sk_buff, mark)),
1691                         BPF_EXIT_INSN(),
1692                 },
1693                 .result =  REJECT,
1694                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1695                 .errstr = "invalid bpf_context access",
1696         },
1697         {
1698                 "check skb->tc_index is writeable by SK_SKB",
1699                 .insns = {
1700                         BPF_MOV64_IMM(BPF_REG_0, 0),
1701                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1702                                     offsetof(struct __sk_buff, tc_index)),
1703                         BPF_EXIT_INSN(),
1704                 },
1705                 .result = ACCEPT,
1706                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1707         },
1708         {
1709                 "check skb->priority is writeable by SK_SKB",
1710                 .insns = {
1711                         BPF_MOV64_IMM(BPF_REG_0, 0),
1712                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1713                                     offsetof(struct __sk_buff, priority)),
1714                         BPF_EXIT_INSN(),
1715                 },
1716                 .result = ACCEPT,
1717                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1718         },
1719         {
1720                 "direct packet read for SK_SKB",
1721                 .insns = {
1722                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1723                                     offsetof(struct __sk_buff, data)),
1724                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1725                                     offsetof(struct __sk_buff, data_end)),
1726                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1727                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1728                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1729                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1730                         BPF_MOV64_IMM(BPF_REG_0, 0),
1731                         BPF_EXIT_INSN(),
1732                 },
1733                 .result = ACCEPT,
1734                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1735         },
1736         {
1737                 "direct packet write for SK_SKB",
1738                 .insns = {
1739                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1740                                     offsetof(struct __sk_buff, data)),
1741                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1742                                     offsetof(struct __sk_buff, data_end)),
1743                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1744                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1745                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1746                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1747                         BPF_MOV64_IMM(BPF_REG_0, 0),
1748                         BPF_EXIT_INSN(),
1749                 },
1750                 .result = ACCEPT,
1751                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1752         },
1753         {
1754                 "overlapping checks for direct packet access SK_SKB",
1755                 .insns = {
1756                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1757                                     offsetof(struct __sk_buff, data)),
1758                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1759                                     offsetof(struct __sk_buff, data_end)),
1760                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1761                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1762                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1763                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1764                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1765                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1766                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1767                         BPF_MOV64_IMM(BPF_REG_0, 0),
1768                         BPF_EXIT_INSN(),
1769                 },
1770                 .result = ACCEPT,
1771                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1772         },
1773         {
1774                 "valid access family in SK_MSG",
1775                 .insns = {
1776                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1777                                     offsetof(struct sk_msg_md, family)),
1778                         BPF_EXIT_INSN(),
1779                 },
1780                 .result = ACCEPT,
1781                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1782         },
1783         {
1784                 "valid access remote_ip4 in SK_MSG",
1785                 .insns = {
1786                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1787                                     offsetof(struct sk_msg_md, remote_ip4)),
1788                         BPF_EXIT_INSN(),
1789                 },
1790                 .result = ACCEPT,
1791                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1792         },
1793         {
1794                 "valid access local_ip4 in SK_MSG",
1795                 .insns = {
1796                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1797                                     offsetof(struct sk_msg_md, local_ip4)),
1798                         BPF_EXIT_INSN(),
1799                 },
1800                 .result = ACCEPT,
1801                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1802         },
1803         {
1804                 "valid access remote_port in SK_MSG",
1805                 .insns = {
1806                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1807                                     offsetof(struct sk_msg_md, remote_port)),
1808                         BPF_EXIT_INSN(),
1809                 },
1810                 .result = ACCEPT,
1811                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1812         },
1813         {
1814                 "valid access local_port in SK_MSG",
1815                 .insns = {
1816                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1817                                     offsetof(struct sk_msg_md, local_port)),
1818                         BPF_EXIT_INSN(),
1819                 },
1820                 .result = ACCEPT,
1821                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1822         },
1823         {
1824                 "valid access remote_ip6 in SK_MSG",
1825                 .insns = {
1826                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1827                                     offsetof(struct sk_msg_md, remote_ip6[0])),
1828                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1829                                     offsetof(struct sk_msg_md, remote_ip6[1])),
1830                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1831                                     offsetof(struct sk_msg_md, remote_ip6[2])),
1832                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1833                                     offsetof(struct sk_msg_md, remote_ip6[3])),
1834                         BPF_EXIT_INSN(),
1835                 },
1836                 .result = ACCEPT,
1837                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1838         },
1839         {
1840                 "valid access local_ip6 in SK_MSG",
1841                 .insns = {
1842                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1843                                     offsetof(struct sk_msg_md, local_ip6[0])),
1844                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1845                                     offsetof(struct sk_msg_md, local_ip6[1])),
1846                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1847                                     offsetof(struct sk_msg_md, local_ip6[2])),
1848                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1849                                     offsetof(struct sk_msg_md, local_ip6[3])),
1850                         BPF_EXIT_INSN(),
1851                 },
1852                 .result = ACCEPT,
1853                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1854         },
1855         {
1856                 "valid access size in SK_MSG",
1857                 .insns = {
1858                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1859                                     offsetof(struct sk_msg_md, size)),
1860                         BPF_EXIT_INSN(),
1861                 },
1862                 .result = ACCEPT,
1863                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1864         },
1865         {
1866                 "invalid 64B read of size in SK_MSG",
1867                 .insns = {
1868                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1869                                     offsetof(struct sk_msg_md, size)),
1870                         BPF_EXIT_INSN(),
1871                 },
1872                 .errstr = "invalid bpf_context access",
1873                 .result = REJECT,
1874                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1875         },
1876         {
1877                 "invalid read past end of SK_MSG",
1878                 .insns = {
1879                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1880                                     offsetof(struct sk_msg_md, size) + 4),
1881                         BPF_EXIT_INSN(),
1882                 },
1883                 .errstr = "invalid bpf_context access",
1884                 .result = REJECT,
1885                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1886         },
1887         {
1888                 "invalid read offset in SK_MSG",
1889                 .insns = {
1890                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1891                                     offsetof(struct sk_msg_md, family) + 1),
1892                         BPF_EXIT_INSN(),
1893                 },
1894                 .errstr = "invalid bpf_context access",
1895                 .result = REJECT,
1896                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1897                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
1898         },
1899         {
1900                 "direct packet read for SK_MSG",
1901                 .insns = {
1902                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1903                                     offsetof(struct sk_msg_md, data)),
1904                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1905                                     offsetof(struct sk_msg_md, data_end)),
1906                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1907                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1908                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1909                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1910                         BPF_MOV64_IMM(BPF_REG_0, 0),
1911                         BPF_EXIT_INSN(),
1912                 },
1913                 .result = ACCEPT,
1914                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1915         },
1916         {
1917                 "direct packet write for SK_MSG",
1918                 .insns = {
1919                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1920                                     offsetof(struct sk_msg_md, data)),
1921                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1922                                     offsetof(struct sk_msg_md, data_end)),
1923                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1924                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1925                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1926                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1927                         BPF_MOV64_IMM(BPF_REG_0, 0),
1928                         BPF_EXIT_INSN(),
1929                 },
1930                 .result = ACCEPT,
1931                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1932         },
1933         {
1934                 "overlapping checks for direct packet access SK_MSG",
1935                 .insns = {
1936                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1937                                     offsetof(struct sk_msg_md, data)),
1938                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1939                                     offsetof(struct sk_msg_md, data_end)),
1940                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1941                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1942                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1943                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1944                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1945                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1946                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1947                         BPF_MOV64_IMM(BPF_REG_0, 0),
1948                         BPF_EXIT_INSN(),
1949                 },
1950                 .result = ACCEPT,
1951                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1952         },
1953         {
1954                 "check skb->mark is not writeable by sockets",
1955                 .insns = {
1956                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1957                                     offsetof(struct __sk_buff, mark)),
1958                         BPF_EXIT_INSN(),
1959                 },
1960                 .errstr = "invalid bpf_context access",
1961                 .errstr_unpriv = "R1 leaks addr",
1962                 .result = REJECT,
1963         },
1964         {
1965                 "check skb->tc_index is not writeable by sockets",
1966                 .insns = {
1967                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1968                                     offsetof(struct __sk_buff, tc_index)),
1969                         BPF_EXIT_INSN(),
1970                 },
1971                 .errstr = "invalid bpf_context access",
1972                 .errstr_unpriv = "R1 leaks addr",
1973                 .result = REJECT,
1974         },
1975         {
1976                 "check cb access: byte",
1977                 .insns = {
1978                         BPF_MOV64_IMM(BPF_REG_0, 0),
1979                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1980                                     offsetof(struct __sk_buff, cb[0])),
1981                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1982                                     offsetof(struct __sk_buff, cb[0]) + 1),
1983                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1984                                     offsetof(struct __sk_buff, cb[0]) + 2),
1985                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1986                                     offsetof(struct __sk_buff, cb[0]) + 3),
1987                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1988                                     offsetof(struct __sk_buff, cb[1])),
1989                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1990                                     offsetof(struct __sk_buff, cb[1]) + 1),
1991                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1992                                     offsetof(struct __sk_buff, cb[1]) + 2),
1993                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1994                                     offsetof(struct __sk_buff, cb[1]) + 3),
1995                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1996                                     offsetof(struct __sk_buff, cb[2])),
1997                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1998                                     offsetof(struct __sk_buff, cb[2]) + 1),
1999                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2000                                     offsetof(struct __sk_buff, cb[2]) + 2),
2001                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2002                                     offsetof(struct __sk_buff, cb[2]) + 3),
2003                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2004                                     offsetof(struct __sk_buff, cb[3])),
2005                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2006                                     offsetof(struct __sk_buff, cb[3]) + 1),
2007                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2008                                     offsetof(struct __sk_buff, cb[3]) + 2),
2009                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2010                                     offsetof(struct __sk_buff, cb[3]) + 3),
2011                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2012                                     offsetof(struct __sk_buff, cb[4])),
2013                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2014                                     offsetof(struct __sk_buff, cb[4]) + 1),
2015                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2016                                     offsetof(struct __sk_buff, cb[4]) + 2),
2017                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2018                                     offsetof(struct __sk_buff, cb[4]) + 3),
2019                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2020                                     offsetof(struct __sk_buff, cb[0])),
2021                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2022                                     offsetof(struct __sk_buff, cb[0]) + 1),
2023                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2024                                     offsetof(struct __sk_buff, cb[0]) + 2),
2025                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2026                                     offsetof(struct __sk_buff, cb[0]) + 3),
2027                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2028                                     offsetof(struct __sk_buff, cb[1])),
2029                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2030                                     offsetof(struct __sk_buff, cb[1]) + 1),
2031                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2032                                     offsetof(struct __sk_buff, cb[1]) + 2),
2033                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2034                                     offsetof(struct __sk_buff, cb[1]) + 3),
2035                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2036                                     offsetof(struct __sk_buff, cb[2])),
2037                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2038                                     offsetof(struct __sk_buff, cb[2]) + 1),
2039                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2040                                     offsetof(struct __sk_buff, cb[2]) + 2),
2041                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2042                                     offsetof(struct __sk_buff, cb[2]) + 3),
2043                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2044                                     offsetof(struct __sk_buff, cb[3])),
2045                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2046                                     offsetof(struct __sk_buff, cb[3]) + 1),
2047                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2048                                     offsetof(struct __sk_buff, cb[3]) + 2),
2049                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2050                                     offsetof(struct __sk_buff, cb[3]) + 3),
2051                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2052                                     offsetof(struct __sk_buff, cb[4])),
2053                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2054                                     offsetof(struct __sk_buff, cb[4]) + 1),
2055                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2056                                     offsetof(struct __sk_buff, cb[4]) + 2),
2057                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2058                                     offsetof(struct __sk_buff, cb[4]) + 3),
2059                         BPF_EXIT_INSN(),
2060                 },
2061                 .result = ACCEPT,
2062         },
2063         {
2064                 "__sk_buff->hash, offset 0, byte store not permitted",
2065                 .insns = {
2066                         BPF_MOV64_IMM(BPF_REG_0, 0),
2067                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2068                                     offsetof(struct __sk_buff, hash)),
2069                         BPF_EXIT_INSN(),
2070                 },
2071                 .errstr = "invalid bpf_context access",
2072                 .result = REJECT,
2073         },
2074         {
2075                 "__sk_buff->tc_index, offset 3, byte store not permitted",
2076                 .insns = {
2077                         BPF_MOV64_IMM(BPF_REG_0, 0),
2078                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2079                                     offsetof(struct __sk_buff, tc_index) + 3),
2080                         BPF_EXIT_INSN(),
2081                 },
2082                 .errstr = "invalid bpf_context access",
2083                 .result = REJECT,
2084         },
2085         {
2086                 "check skb->hash byte load permitted",
2087                 .insns = {
2088                         BPF_MOV64_IMM(BPF_REG_0, 0),
2089 #if __BYTE_ORDER == __LITTLE_ENDIAN
2090                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2091                                     offsetof(struct __sk_buff, hash)),
2092 #else
2093                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2094                                     offsetof(struct __sk_buff, hash) + 3),
2095 #endif
2096                         BPF_EXIT_INSN(),
2097                 },
2098                 .result = ACCEPT,
2099         },
2100         {
2101                 "check skb->hash byte load permitted 1",
2102                 .insns = {
2103                         BPF_MOV64_IMM(BPF_REG_0, 0),
2104                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2105                                     offsetof(struct __sk_buff, hash) + 1),
2106                         BPF_EXIT_INSN(),
2107                 },
2108                 .result = ACCEPT,
2109         },
2110         {
2111                 "check skb->hash byte load permitted 2",
2112                 .insns = {
2113                         BPF_MOV64_IMM(BPF_REG_0, 0),
2114                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2115                                     offsetof(struct __sk_buff, hash) + 2),
2116                         BPF_EXIT_INSN(),
2117                 },
2118                 .result = ACCEPT,
2119         },
2120         {
2121                 "check skb->hash byte load permitted 3",
2122                 .insns = {
2123                         BPF_MOV64_IMM(BPF_REG_0, 0),
2124 #if __BYTE_ORDER == __LITTLE_ENDIAN
2125                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2126                                     offsetof(struct __sk_buff, hash) + 3),
2127 #else
2128                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2129                                     offsetof(struct __sk_buff, hash)),
2130 #endif
2131                         BPF_EXIT_INSN(),
2132                 },
2133                 .result = ACCEPT,
2134         },
2135         {
2136                 "check cb access: byte, wrong type",
2137                 .insns = {
2138                         BPF_MOV64_IMM(BPF_REG_0, 0),
2139                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2140                                     offsetof(struct __sk_buff, cb[0])),
2141                         BPF_EXIT_INSN(),
2142                 },
2143                 .errstr = "invalid bpf_context access",
2144                 .result = REJECT,
2145                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2146         },
2147         {
2148                 "check cb access: half",
2149                 .insns = {
2150                         BPF_MOV64_IMM(BPF_REG_0, 0),
2151                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2152                                     offsetof(struct __sk_buff, cb[0])),
2153                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2154                                     offsetof(struct __sk_buff, cb[0]) + 2),
2155                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2156                                     offsetof(struct __sk_buff, cb[1])),
2157                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2158                                     offsetof(struct __sk_buff, cb[1]) + 2),
2159                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2160                                     offsetof(struct __sk_buff, cb[2])),
2161                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2162                                     offsetof(struct __sk_buff, cb[2]) + 2),
2163                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2164                                     offsetof(struct __sk_buff, cb[3])),
2165                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2166                                     offsetof(struct __sk_buff, cb[3]) + 2),
2167                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2168                                     offsetof(struct __sk_buff, cb[4])),
2169                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2170                                     offsetof(struct __sk_buff, cb[4]) + 2),
2171                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2172                                     offsetof(struct __sk_buff, cb[0])),
2173                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2174                                     offsetof(struct __sk_buff, cb[0]) + 2),
2175                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2176                                     offsetof(struct __sk_buff, cb[1])),
2177                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2178                                     offsetof(struct __sk_buff, cb[1]) + 2),
2179                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2180                                     offsetof(struct __sk_buff, cb[2])),
2181                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2182                                     offsetof(struct __sk_buff, cb[2]) + 2),
2183                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2184                                     offsetof(struct __sk_buff, cb[3])),
2185                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2186                                     offsetof(struct __sk_buff, cb[3]) + 2),
2187                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2188                                     offsetof(struct __sk_buff, cb[4])),
2189                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2190                                     offsetof(struct __sk_buff, cb[4]) + 2),
2191                         BPF_EXIT_INSN(),
2192                 },
2193                 .result = ACCEPT,
2194         },
2195         {
2196                 "check cb access: half, unaligned",
2197                 .insns = {
2198                         BPF_MOV64_IMM(BPF_REG_0, 0),
2199                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2200                                     offsetof(struct __sk_buff, cb[0]) + 1),
2201                         BPF_EXIT_INSN(),
2202                 },
2203                 .errstr = "misaligned context access",
2204                 .result = REJECT,
2205                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2206         },
2207         {
2208                 "check __sk_buff->hash, offset 0, half store not permitted",
2209                 .insns = {
2210                         BPF_MOV64_IMM(BPF_REG_0, 0),
2211                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2212                                     offsetof(struct __sk_buff, hash)),
2213                         BPF_EXIT_INSN(),
2214                 },
2215                 .errstr = "invalid bpf_context access",
2216                 .result = REJECT,
2217         },
2218         {
2219                 "check __sk_buff->tc_index, offset 2, half store not permitted",
2220                 .insns = {
2221                         BPF_MOV64_IMM(BPF_REG_0, 0),
2222                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2223                                     offsetof(struct __sk_buff, tc_index) + 2),
2224                         BPF_EXIT_INSN(),
2225                 },
2226                 .errstr = "invalid bpf_context access",
2227                 .result = REJECT,
2228         },
2229         {
2230                 "check skb->hash half load permitted",
2231                 .insns = {
2232                         BPF_MOV64_IMM(BPF_REG_0, 0),
2233 #if __BYTE_ORDER == __LITTLE_ENDIAN
2234                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2235                                     offsetof(struct __sk_buff, hash)),
2236 #else
2237                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2238                                     offsetof(struct __sk_buff, hash) + 2),
2239 #endif
2240                         BPF_EXIT_INSN(),
2241                 },
2242                 .result = ACCEPT,
2243         },
2244         {
2245                 "check skb->hash half load permitted 2",
2246                 .insns = {
2247                         BPF_MOV64_IMM(BPF_REG_0, 0),
2248 #if __BYTE_ORDER == __LITTLE_ENDIAN
2249                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2250                                     offsetof(struct __sk_buff, hash) + 2),
2251 #else
2252                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2253                                     offsetof(struct __sk_buff, hash)),
2254 #endif
2255                         BPF_EXIT_INSN(),
2256                 },
2257                 .result = ACCEPT,
2258         },
2259         {
2260                 "check skb->hash half load not permitted, unaligned 1",
2261                 .insns = {
2262                         BPF_MOV64_IMM(BPF_REG_0, 0),
2263 #if __BYTE_ORDER == __LITTLE_ENDIAN
2264                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2265                                     offsetof(struct __sk_buff, hash) + 1),
2266 #else
2267                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2268                                     offsetof(struct __sk_buff, hash) + 3),
2269 #endif
2270                         BPF_EXIT_INSN(),
2271                 },
2272                 .errstr = "invalid bpf_context access",
2273                 .result = REJECT,
2274         },
2275         {
2276                 "check skb->hash half load not permitted, unaligned 3",
2277                 .insns = {
2278                         BPF_MOV64_IMM(BPF_REG_0, 0),
2279 #if __BYTE_ORDER == __LITTLE_ENDIAN
2280                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2281                                     offsetof(struct __sk_buff, hash) + 3),
2282 #else
2283                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2284                                     offsetof(struct __sk_buff, hash) + 1),
2285 #endif
2286                         BPF_EXIT_INSN(),
2287                 },
2288                 .errstr = "invalid bpf_context access",
2289                 .result = REJECT,
2290                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2291                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2292         },
2293         {
2294                 "check cb access: half, wrong type",
2295                 .insns = {
2296                         BPF_MOV64_IMM(BPF_REG_0, 0),
2297                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2298                                     offsetof(struct __sk_buff, cb[0])),
2299                         BPF_EXIT_INSN(),
2300                 },
2301                 .errstr = "invalid bpf_context access",
2302                 .result = REJECT,
2303                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2304         },
2305         {
2306                 "check cb access: word",
2307                 .insns = {
2308                         BPF_MOV64_IMM(BPF_REG_0, 0),
2309                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2310                                     offsetof(struct __sk_buff, cb[0])),
2311                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2312                                     offsetof(struct __sk_buff, cb[1])),
2313                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2314                                     offsetof(struct __sk_buff, cb[2])),
2315                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2316                                     offsetof(struct __sk_buff, cb[3])),
2317                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2318                                     offsetof(struct __sk_buff, cb[4])),
2319                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2320                                     offsetof(struct __sk_buff, cb[0])),
2321                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2322                                     offsetof(struct __sk_buff, cb[1])),
2323                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2324                                     offsetof(struct __sk_buff, cb[2])),
2325                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2326                                     offsetof(struct __sk_buff, cb[3])),
2327                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2328                                     offsetof(struct __sk_buff, cb[4])),
2329                         BPF_EXIT_INSN(),
2330                 },
2331                 .result = ACCEPT,
2332         },
2333         {
2334                 "check cb access: word, unaligned 1",
2335                 .insns = {
2336                         BPF_MOV64_IMM(BPF_REG_0, 0),
2337                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2338                                     offsetof(struct __sk_buff, cb[0]) + 2),
2339                         BPF_EXIT_INSN(),
2340                 },
2341                 .errstr = "misaligned context access",
2342                 .result = REJECT,
2343                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2344         },
2345         {
2346                 "check cb access: word, unaligned 2",
2347                 .insns = {
2348                         BPF_MOV64_IMM(BPF_REG_0, 0),
2349                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2350                                     offsetof(struct __sk_buff, cb[4]) + 1),
2351                         BPF_EXIT_INSN(),
2352                 },
2353                 .errstr = "misaligned context access",
2354                 .result = REJECT,
2355                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2356         },
2357         {
2358                 "check cb access: word, unaligned 3",
2359                 .insns = {
2360                         BPF_MOV64_IMM(BPF_REG_0, 0),
2361                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2362                                     offsetof(struct __sk_buff, cb[4]) + 2),
2363                         BPF_EXIT_INSN(),
2364                 },
2365                 .errstr = "misaligned context access",
2366                 .result = REJECT,
2367                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2368         },
2369         {
2370                 "check cb access: word, unaligned 4",
2371                 .insns = {
2372                         BPF_MOV64_IMM(BPF_REG_0, 0),
2373                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2374                                     offsetof(struct __sk_buff, cb[4]) + 3),
2375                         BPF_EXIT_INSN(),
2376                 },
2377                 .errstr = "misaligned context access",
2378                 .result = REJECT,
2379                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2380         },
2381         {
2382                 "check cb access: double",
2383                 .insns = {
2384                         BPF_MOV64_IMM(BPF_REG_0, 0),
2385                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2386                                     offsetof(struct __sk_buff, cb[0])),
2387                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2388                                     offsetof(struct __sk_buff, cb[2])),
2389                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2390                                     offsetof(struct __sk_buff, cb[0])),
2391                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2392                                     offsetof(struct __sk_buff, cb[2])),
2393                         BPF_EXIT_INSN(),
2394                 },
2395                 .result = ACCEPT,
2396         },
2397         {
2398                 "check cb access: double, unaligned 1",
2399                 .insns = {
2400                         BPF_MOV64_IMM(BPF_REG_0, 0),
2401                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2402                                     offsetof(struct __sk_buff, cb[1])),
2403                         BPF_EXIT_INSN(),
2404                 },
2405                 .errstr = "misaligned context access",
2406                 .result = REJECT,
2407                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2408         },
2409         {
2410                 "check cb access: double, unaligned 2",
2411                 .insns = {
2412                         BPF_MOV64_IMM(BPF_REG_0, 0),
2413                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2414                                     offsetof(struct __sk_buff, cb[3])),
2415                         BPF_EXIT_INSN(),
2416                 },
2417                 .errstr = "misaligned context access",
2418                 .result = REJECT,
2419                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2420         },
2421         {
2422                 "check cb access: double, oob 1",
2423                 .insns = {
2424                         BPF_MOV64_IMM(BPF_REG_0, 0),
2425                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2426                                     offsetof(struct __sk_buff, cb[4])),
2427                         BPF_EXIT_INSN(),
2428                 },
2429                 .errstr = "invalid bpf_context access",
2430                 .result = REJECT,
2431         },
2432         {
2433                 "check cb access: double, oob 2",
2434                 .insns = {
2435                         BPF_MOV64_IMM(BPF_REG_0, 0),
2436                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2437                                     offsetof(struct __sk_buff, cb[4])),
2438                         BPF_EXIT_INSN(),
2439                 },
2440                 .errstr = "invalid bpf_context access",
2441                 .result = REJECT,
2442         },
2443         {
2444                 "check __sk_buff->ifindex dw store not permitted",
2445                 .insns = {
2446                         BPF_MOV64_IMM(BPF_REG_0, 0),
2447                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2448                                     offsetof(struct __sk_buff, ifindex)),
2449                         BPF_EXIT_INSN(),
2450                 },
2451                 .errstr = "invalid bpf_context access",
2452                 .result = REJECT,
2453         },
2454         {
2455                 "check __sk_buff->ifindex dw load not permitted",
2456                 .insns = {
2457                         BPF_MOV64_IMM(BPF_REG_0, 0),
2458                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2459                                     offsetof(struct __sk_buff, ifindex)),
2460                         BPF_EXIT_INSN(),
2461                 },
2462                 .errstr = "invalid bpf_context access",
2463                 .result = REJECT,
2464         },
2465         {
2466                 "check cb access: double, wrong type",
2467                 .insns = {
2468                         BPF_MOV64_IMM(BPF_REG_0, 0),
2469                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2470                                     offsetof(struct __sk_buff, cb[0])),
2471                         BPF_EXIT_INSN(),
2472                 },
2473                 .errstr = "invalid bpf_context access",
2474                 .result = REJECT,
2475                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2476         },
2477         {
2478                 "check out of range skb->cb access",
2479                 .insns = {
2480                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2481                                     offsetof(struct __sk_buff, cb[0]) + 256),
2482                         BPF_EXIT_INSN(),
2483                 },
2484                 .errstr = "invalid bpf_context access",
2485                 .errstr_unpriv = "",
2486                 .result = REJECT,
2487                 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2488         },
2489         {
2490                 "write skb fields from socket prog",
2491                 .insns = {
2492                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2493                                     offsetof(struct __sk_buff, cb[4])),
2494                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2495                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2496                                     offsetof(struct __sk_buff, mark)),
2497                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2498                                     offsetof(struct __sk_buff, tc_index)),
2499                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2500                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2501                                     offsetof(struct __sk_buff, cb[0])),
2502                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2503                                     offsetof(struct __sk_buff, cb[2])),
2504                         BPF_EXIT_INSN(),
2505                 },
2506                 .result = ACCEPT,
2507                 .errstr_unpriv = "R1 leaks addr",
2508                 .result_unpriv = REJECT,
2509         },
2510         {
2511                 "write skb fields from tc_cls_act prog",
2512                 .insns = {
2513                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2514                                     offsetof(struct __sk_buff, cb[0])),
2515                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2516                                     offsetof(struct __sk_buff, mark)),
2517                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2518                                     offsetof(struct __sk_buff, tc_index)),
2519                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2520                                     offsetof(struct __sk_buff, tc_index)),
2521                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2522                                     offsetof(struct __sk_buff, cb[3])),
2523                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2524                                     offsetof(struct __sk_buff, tstamp)),
2525                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2526                                     offsetof(struct __sk_buff, tstamp)),
2527                         BPF_EXIT_INSN(),
2528                 },
2529                 .errstr_unpriv = "",
2530                 .result_unpriv = REJECT,
2531                 .result = ACCEPT,
2532                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2533         },
2534         {
2535                 "PTR_TO_STACK store/load",
2536                 .insns = {
2537                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2538                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2539                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2540                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2541                         BPF_EXIT_INSN(),
2542                 },
2543                 .result = ACCEPT,
2544                 .retval = 0xfaceb00c,
2545         },
2546         {
2547                 "PTR_TO_STACK store/load - bad alignment on off",
2548                 .insns = {
2549                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2550                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2551                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2552                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2553                         BPF_EXIT_INSN(),
2554                 },
2555                 .result = REJECT,
2556                 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2557         },
2558         {
2559                 "PTR_TO_STACK store/load - bad alignment on reg",
2560                 .insns = {
2561                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2562                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2563                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2564                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2565                         BPF_EXIT_INSN(),
2566                 },
2567                 .result = REJECT,
2568                 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2569         },
2570         {
2571                 "PTR_TO_STACK store/load - out of bounds low",
2572                 .insns = {
2573                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2574                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2575                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2576                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2577                         BPF_EXIT_INSN(),
2578                 },
2579                 .result = REJECT,
2580                 .errstr = "invalid stack off=-79992 size=8",
2581                 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
2582         },
2583         {
2584                 "PTR_TO_STACK store/load - out of bounds high",
2585                 .insns = {
2586                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2587                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2588                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2589                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2590                         BPF_EXIT_INSN(),
2591                 },
2592                 .result = REJECT,
2593                 .errstr = "invalid stack off=0 size=8",
2594         },
2595         {
2596                 "unpriv: return pointer",
2597                 .insns = {
2598                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2599                         BPF_EXIT_INSN(),
2600                 },
2601                 .result = ACCEPT,
2602                 .result_unpriv = REJECT,
2603                 .errstr_unpriv = "R0 leaks addr",
2604                 .retval = POINTER_VALUE,
2605         },
2606         {
2607                 "unpriv: add const to pointer",
2608                 .insns = {
2609                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2610                         BPF_MOV64_IMM(BPF_REG_0, 0),
2611                         BPF_EXIT_INSN(),
2612                 },
2613                 .result = ACCEPT,
2614         },
2615         {
2616                 "unpriv: add pointer to pointer",
2617                 .insns = {
2618                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2619                         BPF_MOV64_IMM(BPF_REG_0, 0),
2620                         BPF_EXIT_INSN(),
2621                 },
2622                 .result = REJECT,
2623                 .errstr = "R1 pointer += pointer",
2624         },
2625         {
2626                 "unpriv: neg pointer",
2627                 .insns = {
2628                         BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2629                         BPF_MOV64_IMM(BPF_REG_0, 0),
2630                         BPF_EXIT_INSN(),
2631                 },
2632                 .result = ACCEPT,
2633                 .result_unpriv = REJECT,
2634                 .errstr_unpriv = "R1 pointer arithmetic",
2635         },
2636         {
2637                 "unpriv: cmp pointer with const",
2638                 .insns = {
2639                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2640                         BPF_MOV64_IMM(BPF_REG_0, 0),
2641                         BPF_EXIT_INSN(),
2642                 },
2643                 .result = ACCEPT,
2644                 .result_unpriv = REJECT,
2645                 .errstr_unpriv = "R1 pointer comparison",
2646         },
2647         {
2648                 "unpriv: cmp pointer with pointer",
2649                 .insns = {
2650                         BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2651                         BPF_MOV64_IMM(BPF_REG_0, 0),
2652                         BPF_EXIT_INSN(),
2653                 },
2654                 .result = ACCEPT,
2655                 .result_unpriv = REJECT,
2656                 .errstr_unpriv = "R10 pointer comparison",
2657         },
2658         {
2659                 "unpriv: check that printk is disallowed",
2660                 .insns = {
2661                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2662                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2663                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2664                         BPF_MOV64_IMM(BPF_REG_2, 8),
2665                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2666                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2667                                      BPF_FUNC_trace_printk),
2668                         BPF_MOV64_IMM(BPF_REG_0, 0),
2669                         BPF_EXIT_INSN(),
2670                 },
2671                 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2672                 .result_unpriv = REJECT,
2673                 .result = ACCEPT,
2674         },
2675         {
2676                 "unpriv: pass pointer to helper function",
2677                 .insns = {
2678                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2679                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2680                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2681                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2682                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2683                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2684                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2685                                      BPF_FUNC_map_update_elem),
2686                         BPF_MOV64_IMM(BPF_REG_0, 0),
2687                         BPF_EXIT_INSN(),
2688                 },
2689                 .fixup_map_hash_8b = { 3 },
2690                 .errstr_unpriv = "R4 leaks addr",
2691                 .result_unpriv = REJECT,
2692                 .result = ACCEPT,
2693         },
2694         {
2695                 "unpriv: indirectly pass pointer on stack to helper function",
2696                 .insns = {
2697                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2698                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2699                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2700                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2701                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2702                                      BPF_FUNC_map_lookup_elem),
2703                         BPF_MOV64_IMM(BPF_REG_0, 0),
2704                         BPF_EXIT_INSN(),
2705                 },
2706                 .fixup_map_hash_8b = { 3 },
2707                 .errstr = "invalid indirect read from stack off -8+0 size 8",
2708                 .result = REJECT,
2709         },
2710         {
2711                 "unpriv: mangle pointer on stack 1",
2712                 .insns = {
2713                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2714                         BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2715                         BPF_MOV64_IMM(BPF_REG_0, 0),
2716                         BPF_EXIT_INSN(),
2717                 },
2718                 .errstr_unpriv = "attempt to corrupt spilled",
2719                 .result_unpriv = REJECT,
2720                 .result = ACCEPT,
2721         },
2722         {
2723                 "unpriv: mangle pointer on stack 2",
2724                 .insns = {
2725                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2726                         BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2727                         BPF_MOV64_IMM(BPF_REG_0, 0),
2728                         BPF_EXIT_INSN(),
2729                 },
2730                 .errstr_unpriv = "attempt to corrupt spilled",
2731                 .result_unpriv = REJECT,
2732                 .result = ACCEPT,
2733         },
2734         {
2735                 "unpriv: read pointer from stack in small chunks",
2736                 .insns = {
2737                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2738                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2739                         BPF_MOV64_IMM(BPF_REG_0, 0),
2740                         BPF_EXIT_INSN(),
2741                 },
2742                 .errstr = "invalid size",
2743                 .result = REJECT,
2744         },
2745         {
2746                 "unpriv: write pointer into ctx",
2747                 .insns = {
2748                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2749                         BPF_MOV64_IMM(BPF_REG_0, 0),
2750                         BPF_EXIT_INSN(),
2751                 },
2752                 .errstr_unpriv = "R1 leaks addr",
2753                 .result_unpriv = REJECT,
2754                 .errstr = "invalid bpf_context access",
2755                 .result = REJECT,
2756         },
2757         {
2758                 "unpriv: spill/fill of ctx",
2759                 .insns = {
2760                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2761                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2762                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2763                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2764                         BPF_MOV64_IMM(BPF_REG_0, 0),
2765                         BPF_EXIT_INSN(),
2766                 },
2767                 .result = ACCEPT,
2768         },
2769         {
2770                 "unpriv: spill/fill of ctx 2",
2771                 .insns = {
2772                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2773                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2774                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2775                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2776                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2777                                      BPF_FUNC_get_hash_recalc),
2778                         BPF_MOV64_IMM(BPF_REG_0, 0),
2779                         BPF_EXIT_INSN(),
2780                 },
2781                 .result = ACCEPT,
2782                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2783         },
2784         {
2785                 "unpriv: spill/fill of ctx 3",
2786                 .insns = {
2787                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2788                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2789                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2790                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2791                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2792                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2793                                      BPF_FUNC_get_hash_recalc),
2794                         BPF_EXIT_INSN(),
2795                 },
2796                 .result = REJECT,
2797                 .errstr = "R1 type=fp expected=ctx",
2798                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2799         },
2800         {
2801                 "unpriv: spill/fill of ctx 4",
2802                 .insns = {
2803                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2804                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2805                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2806                         BPF_MOV64_IMM(BPF_REG_0, 1),
2807                         BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2808                                      BPF_REG_0, -8, 0),
2809                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2810                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2811                                      BPF_FUNC_get_hash_recalc),
2812                         BPF_EXIT_INSN(),
2813                 },
2814                 .result = REJECT,
2815                 .errstr = "R1 type=inv expected=ctx",
2816                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2817         },
2818         {
2819                 "unpriv: spill/fill of different pointers stx",
2820                 .insns = {
2821                         BPF_MOV64_IMM(BPF_REG_3, 42),
2822                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2823                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2824                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2825                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2826                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2827                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2828                         BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2829                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2830                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2831                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2832                                     offsetof(struct __sk_buff, mark)),
2833                         BPF_MOV64_IMM(BPF_REG_0, 0),
2834                         BPF_EXIT_INSN(),
2835                 },
2836                 .result = REJECT,
2837                 .errstr = "same insn cannot be used with different pointers",
2838                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2839         },
2840         {
2841                 "unpriv: spill/fill of different pointers stx - ctx and sock",
2842                 .insns = {
2843                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2844                         /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2845                         BPF_SK_LOOKUP,
2846                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2847                         /* u64 foo; */
2848                         /* void *target = &foo; */
2849                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2850                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2851                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2852                         /* if (skb == NULL) *target = sock; */
2853                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2854                                 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2855                         /* else *target = skb; */
2856                         BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2857                                 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2858                         /* struct __sk_buff *skb = *target; */
2859                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2860                         /* skb->mark = 42; */
2861                         BPF_MOV64_IMM(BPF_REG_3, 42),
2862                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2863                                     offsetof(struct __sk_buff, mark)),
2864                         /* if (sk) bpf_sk_release(sk) */
2865                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2866                                 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2867                         BPF_MOV64_IMM(BPF_REG_0, 0),
2868                         BPF_EXIT_INSN(),
2869                 },
2870                 .result = REJECT,
2871                 .errstr = "type=ctx expected=sock",
2872                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2873         },
2874         {
2875                 "unpriv: spill/fill of different pointers stx - leak sock",
2876                 .insns = {
2877                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2878                         /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2879                         BPF_SK_LOOKUP,
2880                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2881                         /* u64 foo; */
2882                         /* void *target = &foo; */
2883                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2884                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2885                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2886                         /* if (skb == NULL) *target = sock; */
2887                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2888                                 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2889                         /* else *target = skb; */
2890                         BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2891                                 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2892                         /* struct __sk_buff *skb = *target; */
2893                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2894                         /* skb->mark = 42; */
2895                         BPF_MOV64_IMM(BPF_REG_3, 42),
2896                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2897                                     offsetof(struct __sk_buff, mark)),
2898                         BPF_EXIT_INSN(),
2899                 },
2900                 .result = REJECT,
2901                 //.errstr = "same insn cannot be used with different pointers",
2902                 .errstr = "Unreleased reference",
2903                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2904         },
2905         {
2906                 "unpriv: spill/fill of different pointers stx - sock and ctx (read)",
2907                 .insns = {
2908                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2909                         /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2910                         BPF_SK_LOOKUP,
2911                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2912                         /* u64 foo; */
2913                         /* void *target = &foo; */
2914                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2915                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2916                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2917                         /* if (skb) *target = skb */
2918                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2919                                 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2920                         /* else *target = sock */
2921                         BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2922                                 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2923                         /* struct bpf_sock *sk = *target; */
2924                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2925                         /* if (sk) u32 foo = sk->mark; bpf_sk_release(sk); */
2926                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
2927                                 BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2928                                             offsetof(struct bpf_sock, mark)),
2929                                 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2930                         BPF_MOV64_IMM(BPF_REG_0, 0),
2931                         BPF_EXIT_INSN(),
2932                 },
2933                 .result = REJECT,
2934                 .errstr = "same insn cannot be used with different pointers",
2935                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2936         },
2937         {
2938                 "unpriv: spill/fill of different pointers stx - sock and ctx (write)",
2939                 .insns = {
2940                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2941                         /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2942                         BPF_SK_LOOKUP,
2943                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2944                         /* u64 foo; */
2945                         /* void *target = &foo; */
2946                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2947                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2948                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2949                         /* if (skb) *target = skb */
2950                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2951                                 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2952                         /* else *target = sock */
2953                         BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2954                                 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2955                         /* struct bpf_sock *sk = *target; */
2956                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2957                         /* if (sk) sk->mark = 42; bpf_sk_release(sk); */
2958                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2959                                 BPF_MOV64_IMM(BPF_REG_3, 42),
2960                                 BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2961                                             offsetof(struct bpf_sock, mark)),
2962                                 BPF_EMIT_CALL(BPF_FUNC_sk_release),
2963                         BPF_MOV64_IMM(BPF_REG_0, 0),
2964                         BPF_EXIT_INSN(),
2965                 },
2966                 .result = REJECT,
2967                 //.errstr = "same insn cannot be used with different pointers",
2968                 .errstr = "cannot write into socket",
2969                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2970         },
2971         {
2972                 "unpriv: spill/fill of different pointers ldx",
2973                 .insns = {
2974                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2975                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2976                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2977                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2978                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2979                                       -(__s32)offsetof(struct bpf_perf_event_data,
2980                                                        sample_period) - 8),
2981                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2982                         BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2983                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2984                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2985                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2986                                     offsetof(struct bpf_perf_event_data,
2987                                              sample_period)),
2988                         BPF_MOV64_IMM(BPF_REG_0, 0),
2989                         BPF_EXIT_INSN(),
2990                 },
2991                 .result = REJECT,
2992                 .errstr = "same insn cannot be used with different pointers",
2993                 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2994         },
2995         {
2996                 "unpriv: write pointer into map elem value",
2997                 .insns = {
2998                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2999                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3000                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3001                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3002                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3003                                      BPF_FUNC_map_lookup_elem),
3004                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3005                         BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
3006                         BPF_EXIT_INSN(),
3007                 },
3008                 .fixup_map_hash_8b = { 3 },
3009                 .errstr_unpriv = "R0 leaks addr",
3010                 .result_unpriv = REJECT,
3011                 .result = ACCEPT,
3012         },
3013         {
3014                 "alu32: mov u32 const",
3015                 .insns = {
3016                         BPF_MOV32_IMM(BPF_REG_7, 0),
3017                         BPF_ALU32_IMM(BPF_AND, BPF_REG_7, 1),
3018                         BPF_MOV32_REG(BPF_REG_0, BPF_REG_7),
3019                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3020                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_7, 0),
3021                         BPF_EXIT_INSN(),
3022                 },
3023                 .result = ACCEPT,
3024                 .retval = 0,
3025         },
3026         {
3027                 "unpriv: partial copy of pointer",
3028                 .insns = {
3029                         BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
3030                         BPF_MOV64_IMM(BPF_REG_0, 0),
3031                         BPF_EXIT_INSN(),
3032                 },
3033                 .errstr_unpriv = "R10 partial copy",
3034                 .result_unpriv = REJECT,
3035                 .result = ACCEPT,
3036         },
3037         {
3038                 "unpriv: pass pointer to tail_call",
3039                 .insns = {
3040                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
3041                         BPF_LD_MAP_FD(BPF_REG_2, 0),
3042                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3043                                      BPF_FUNC_tail_call),
3044                         BPF_MOV64_IMM(BPF_REG_0, 0),
3045                         BPF_EXIT_INSN(),
3046                 },
3047                 .fixup_prog1 = { 1 },
3048                 .errstr_unpriv = "R3 leaks addr into helper",
3049                 .result_unpriv = REJECT,
3050                 .result = ACCEPT,
3051         },
3052         {
3053                 "unpriv: cmp map pointer with zero",
3054                 .insns = {
3055                         BPF_MOV64_IMM(BPF_REG_1, 0),
3056                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3057                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
3058                         BPF_MOV64_IMM(BPF_REG_0, 0),
3059                         BPF_EXIT_INSN(),
3060                 },
3061                 .fixup_map_hash_8b = { 1 },
3062                 .errstr_unpriv = "R1 pointer comparison",
3063                 .result_unpriv = REJECT,
3064                 .result = ACCEPT,
3065         },
3066         {
3067                 "unpriv: write into frame pointer",
3068                 .insns = {
3069                         BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
3070                         BPF_MOV64_IMM(BPF_REG_0, 0),
3071                         BPF_EXIT_INSN(),
3072                 },
3073                 .errstr = "frame pointer is read only",
3074                 .result = REJECT,
3075         },
3076         {
3077                 "unpriv: spill/fill frame pointer",
3078                 .insns = {
3079                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3080                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3081                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
3082                         BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
3083                         BPF_MOV64_IMM(BPF_REG_0, 0),
3084                         BPF_EXIT_INSN(),
3085                 },
3086                 .errstr = "frame pointer is read only",
3087                 .result = REJECT,
3088         },
3089         {
3090                 "unpriv: cmp of frame pointer",
3091                 .insns = {
3092                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
3093                         BPF_MOV64_IMM(BPF_REG_0, 0),
3094                         BPF_EXIT_INSN(),
3095                 },
3096                 .errstr_unpriv = "R10 pointer comparison",
3097                 .result_unpriv = REJECT,
3098                 .result = ACCEPT,
3099         },
3100         {
3101                 "unpriv: adding of fp",
3102                 .insns = {
3103                         BPF_MOV64_IMM(BPF_REG_0, 0),
3104                         BPF_MOV64_IMM(BPF_REG_1, 0),
3105                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
3106                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
3107                         BPF_EXIT_INSN(),
3108                 },
3109                 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3110                 .result_unpriv = REJECT,
3111                 .result = ACCEPT,
3112         },
3113         {
3114                 "unpriv: cmp of stack pointer",
3115                 .insns = {
3116                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3117                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3118                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
3119                         BPF_MOV64_IMM(BPF_REG_0, 0),
3120                         BPF_EXIT_INSN(),
3121                 },
3122                 .errstr_unpriv = "R2 pointer comparison",
3123                 .result_unpriv = REJECT,
3124                 .result = ACCEPT,
3125         },
3126         {
3127                 "runtime/jit: tail_call within bounds, prog once",
3128                 .insns = {
3129                         BPF_MOV64_IMM(BPF_REG_3, 0),
3130                         BPF_LD_MAP_FD(BPF_REG_2, 0),
3131                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3132                                      BPF_FUNC_tail_call),
3133                         BPF_MOV64_IMM(BPF_REG_0, 1),
3134                         BPF_EXIT_INSN(),
3135                 },
3136                 .fixup_prog1 = { 1 },
3137                 .result = ACCEPT,
3138                 .retval = 42,
3139         },
3140         {
3141                 "runtime/jit: tail_call within bounds, prog loop",
3142                 .insns = {
3143                         BPF_MOV64_IMM(BPF_REG_3, 1),
3144                         BPF_LD_MAP_FD(BPF_REG_2, 0),
3145                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3146                                      BPF_FUNC_tail_call),
3147                         BPF_MOV64_IMM(BPF_REG_0, 1),
3148                         BPF_EXIT_INSN(),
3149                 },
3150                 .fixup_prog1 = { 1 },
3151                 .result = ACCEPT,
3152                 .retval = 41,
3153         },
3154         {
3155                 "runtime/jit: tail_call within bounds, no prog",
3156                 .insns = {
3157                         BPF_MOV64_IMM(BPF_REG_3, 2),
3158                         BPF_LD_MAP_FD(BPF_REG_2, 0),
3159                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3160                                      BPF_FUNC_tail_call),
3161                         BPF_MOV64_IMM(BPF_REG_0, 1),
3162                         BPF_EXIT_INSN(),
3163                 },
3164                 .fixup_prog1 = { 1 },
3165                 .result = ACCEPT,
3166                 .retval = 1,
3167         },
3168         {
3169                 "runtime/jit: tail_call out of bounds",
3170                 .insns = {
3171                         BPF_MOV64_IMM(BPF_REG_3, 256),
3172                         BPF_LD_MAP_FD(BPF_REG_2, 0),
3173                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3174                                      BPF_FUNC_tail_call),
3175                         BPF_MOV64_IMM(BPF_REG_0, 2),
3176                         BPF_EXIT_INSN(),
3177                 },
3178                 .fixup_prog1 = { 1 },
3179                 .result = ACCEPT,
3180                 .retval = 2,
3181         },
3182         {
3183                 "runtime/jit: pass negative index to tail_call",
3184                 .insns = {
3185                         BPF_MOV64_IMM(BPF_REG_3, -1),
3186                         BPF_LD_MAP_FD(BPF_REG_2, 0),
3187                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3188                                      BPF_FUNC_tail_call),
3189                         BPF_MOV64_IMM(BPF_REG_0, 2),
3190                         BPF_EXIT_INSN(),
3191                 },
3192                 .fixup_prog1 = { 1 },
3193                 .result = ACCEPT,
3194                 .retval = 2,
3195         },
3196         {
3197                 "runtime/jit: pass > 32bit index to tail_call",
3198                 .insns = {
3199                         BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
3200                         BPF_LD_MAP_FD(BPF_REG_2, 0),
3201                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3202                                      BPF_FUNC_tail_call),
3203                         BPF_MOV64_IMM(BPF_REG_0, 2),
3204                         BPF_EXIT_INSN(),
3205                 },
3206                 .fixup_prog1 = { 2 },
3207                 .result = ACCEPT,
3208                 .retval = 42,
3209                 /* Verifier rewrite for unpriv skips tail call here. */
3210                 .retval_unpriv = 2,
3211         },
3212         {
3213                 "PTR_TO_STACK check high 1",
3214                 .insns = {
3215                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3216                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
3217                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3218                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3219                         BPF_EXIT_INSN(),
3220                 },
3221                 .result = ACCEPT,
3222                 .retval = 42,
3223         },
3224         {
3225                 "PTR_TO_STACK check high 2",
3226                 .insns = {
3227                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3228                         BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
3229                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
3230                         BPF_EXIT_INSN(),
3231                 },
3232                 .result = ACCEPT,
3233                 .retval = 42,
3234         },
3235         {
3236                 "PTR_TO_STACK check high 3",
3237                 .insns = {
3238                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3239                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
3240                         BPF_ST_MEM(BPF_B, BPF_REG_1, -1, 42),
3241                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, -1),
3242                         BPF_EXIT_INSN(),
3243                 },
3244                 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3245                 .result_unpriv = REJECT,
3246                 .result = ACCEPT,
3247                 .retval = 42,
3248         },
3249         {
3250                 "PTR_TO_STACK check high 4",
3251                 .insns = {
3252                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3253                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
3254                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3255                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3256                         BPF_EXIT_INSN(),
3257                 },
3258                 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3259                 .errstr = "invalid stack off=0 size=1",
3260                 .result = REJECT,
3261         },
3262         {
3263                 "PTR_TO_STACK check high 5",
3264                 .insns = {
3265                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3266                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
3267                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3268                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3269                         BPF_EXIT_INSN(),
3270                 },
3271                 .result = REJECT,
3272                 .errstr = "invalid stack off",
3273         },
3274         {
3275                 "PTR_TO_STACK check high 6",
3276                 .insns = {
3277                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3278                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
3279                         BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
3280                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
3281                         BPF_EXIT_INSN(),
3282                 },
3283                 .result = REJECT,
3284                 .errstr = "invalid stack off",
3285         },
3286         {
3287                 "PTR_TO_STACK check high 7",
3288                 .insns = {
3289                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3290                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
3291                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, (1 << 29) - 1),
3292                         BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MAX, 42),
3293                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MAX),
3294                         BPF_EXIT_INSN(),
3295                 },
3296                 .result = REJECT,
3297                 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3298                 .errstr = "fp pointer offset",
3299         },
3300         {
3301                 "PTR_TO_STACK check low 1",
3302                 .insns = {
3303                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3304                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -512),
3305                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3306                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3307                         BPF_EXIT_INSN(),
3308                 },
3309                 .result = ACCEPT,
3310                 .retval = 42,
3311         },
3312         {
3313                 "PTR_TO_STACK check low 2",
3314                 .insns = {
3315                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3316                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
3317                         BPF_ST_MEM(BPF_B, BPF_REG_1, 1, 42),
3318                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 1),
3319                         BPF_EXIT_INSN(),
3320                 },
3321                 .result_unpriv = REJECT,
3322                 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3323                 .result = ACCEPT,
3324                 .retval = 42,
3325         },
3326         {
3327                 "PTR_TO_STACK check low 3",
3328                 .insns = {
3329                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3330                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -513),
3331                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3332                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3333                         BPF_EXIT_INSN(),
3334                 },
3335                 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3336                 .errstr = "invalid stack off=-513 size=1",
3337                 .result = REJECT,
3338         },
3339         {
3340                 "PTR_TO_STACK check low 4",
3341                 .insns = {
3342                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3343                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, INT_MIN),
3344                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3345                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3346                         BPF_EXIT_INSN(),
3347                 },
3348                 .result = REJECT,
3349                 .errstr = "math between fp pointer",
3350         },
3351         {
3352                 "PTR_TO_STACK check low 5",
3353                 .insns = {
3354                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3355                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
3356                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3357                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3358                         BPF_EXIT_INSN(),
3359                 },
3360                 .result = REJECT,
3361                 .errstr = "invalid stack off",
3362         },
3363         {
3364                 "PTR_TO_STACK check low 6",
3365                 .insns = {
3366                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3367                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
3368                         BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
3369                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
3370                         BPF_EXIT_INSN(),
3371                 },
3372                 .result = REJECT,
3373                 .errstr = "invalid stack off",
3374         },
3375         {
3376                 "PTR_TO_STACK check low 7",
3377                 .insns = {
3378                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3379                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
3380                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -((1 << 29) - 1)),
3381                         BPF_ST_MEM(BPF_B, BPF_REG_1, SHRT_MIN, 42),
3382                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, SHRT_MIN),
3383                         BPF_EXIT_INSN(),
3384                 },
3385                 .result = REJECT,
3386                 .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
3387                 .errstr = "fp pointer offset",
3388         },
3389         {
3390                 "PTR_TO_STACK mixed reg/k, 1",
3391                 .insns = {
3392                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3393                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
3394                         BPF_MOV64_IMM(BPF_REG_2, -3),
3395                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
3396                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3397                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3398                         BPF_EXIT_INSN(),
3399                 },
3400                 .result = ACCEPT,
3401                 .retval = 42,
3402         },
3403         {
3404                 "PTR_TO_STACK mixed reg/k, 2",
3405                 .insns = {
3406                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3407                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -16, 0),
3408                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3409                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
3410                         BPF_MOV64_IMM(BPF_REG_2, -3),
3411                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
3412                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3413                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_10),
3414                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_5, -6),
3415                         BPF_EXIT_INSN(),
3416                 },
3417                 .result = ACCEPT,
3418                 .retval = 42,
3419         },
3420         {
3421                 "PTR_TO_STACK mixed reg/k, 3",
3422                 .insns = {
3423                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3424                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -3),
3425                         BPF_MOV64_IMM(BPF_REG_2, -3),
3426                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
3427                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3428                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3429                         BPF_EXIT_INSN(),
3430                 },
3431                 .result = ACCEPT,
3432                 .retval = -3,
3433         },
3434         {
3435                 "PTR_TO_STACK reg",
3436                 .insns = {
3437                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3438                         BPF_MOV64_IMM(BPF_REG_2, -3),
3439                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_2),
3440                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 42),
3441                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, 0),
3442                         BPF_EXIT_INSN(),
3443                 },
3444                 .result_unpriv = REJECT,
3445                 .errstr_unpriv = "invalid stack off=0 size=1",
3446                 .result = ACCEPT,
3447                 .retval = 42,
3448         },
3449         {
3450                 "stack pointer arithmetic",
3451                 .insns = {
3452                         BPF_MOV64_IMM(BPF_REG_1, 4),
3453                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
3454                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
3455                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3456                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
3457                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3458                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
3459                         BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3460                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3461                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3462                         BPF_ST_MEM(0, BPF_REG_2, 4, 0),
3463                         BPF_MOV64_IMM(BPF_REG_0, 0),
3464                         BPF_EXIT_INSN(),
3465                 },
3466                 .result = ACCEPT,
3467         },
3468         {
3469                 "raw_stack: no skb_load_bytes",
3470                 .insns = {
3471                         BPF_MOV64_IMM(BPF_REG_2, 4),
3472                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3473                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3474                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3475                         BPF_MOV64_IMM(BPF_REG_4, 8),
3476                         /* Call to skb_load_bytes() omitted. */
3477                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3478                         BPF_EXIT_INSN(),
3479                 },
3480                 .result = REJECT,
3481                 .errstr = "invalid read from stack off -8+0 size 8",
3482                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3483         },
3484         {
3485                 "raw_stack: skb_load_bytes, negative len",
3486                 .insns = {
3487                         BPF_MOV64_IMM(BPF_REG_2, 4),
3488                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3489                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3490                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3491                         BPF_MOV64_IMM(BPF_REG_4, -8),
3492                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3493                                      BPF_FUNC_skb_load_bytes),
3494                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3495                         BPF_EXIT_INSN(),
3496                 },
3497                 .result = REJECT,
3498                 .errstr = "R4 min value is negative",
3499                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3500         },
3501         {
3502                 "raw_stack: skb_load_bytes, negative len 2",
3503                 .insns = {
3504                         BPF_MOV64_IMM(BPF_REG_2, 4),
3505                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3506                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3507                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3508                         BPF_MOV64_IMM(BPF_REG_4, ~0),
3509                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3510                                      BPF_FUNC_skb_load_bytes),
3511                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3512                         BPF_EXIT_INSN(),
3513                 },
3514                 .result = REJECT,
3515                 .errstr = "R4 min value is negative",
3516                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3517         },
3518         {
3519                 "raw_stack: skb_load_bytes, zero len",
3520                 .insns = {
3521                         BPF_MOV64_IMM(BPF_REG_2, 4),
3522                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3523                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3524                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3525                         BPF_MOV64_IMM(BPF_REG_4, 0),
3526                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3527                                      BPF_FUNC_skb_load_bytes),
3528                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3529                         BPF_EXIT_INSN(),
3530                 },
3531                 .result = REJECT,
3532                 .errstr = "invalid stack type R3",
3533                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3534         },
3535         {
3536                 "raw_stack: skb_load_bytes, no init",
3537                 .insns = {
3538                         BPF_MOV64_IMM(BPF_REG_2, 4),
3539                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3540                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3541                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3542                         BPF_MOV64_IMM(BPF_REG_4, 8),
3543                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3544                                      BPF_FUNC_skb_load_bytes),
3545                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3546                         BPF_EXIT_INSN(),
3547                 },
3548                 .result = ACCEPT,
3549                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3550         },
3551         {
3552                 "raw_stack: skb_load_bytes, init",
3553                 .insns = {
3554                         BPF_MOV64_IMM(BPF_REG_2, 4),
3555                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3556                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3557                         BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
3558                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3559                         BPF_MOV64_IMM(BPF_REG_4, 8),
3560                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3561                                      BPF_FUNC_skb_load_bytes),
3562                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3563                         BPF_EXIT_INSN(),
3564                 },
3565                 .result = ACCEPT,
3566                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3567         },
3568         {
3569                 "raw_stack: skb_load_bytes, spilled regs around bounds",
3570                 .insns = {
3571                         BPF_MOV64_IMM(BPF_REG_2, 4),
3572                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3573                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3574                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3575                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3576                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3577                         BPF_MOV64_IMM(BPF_REG_4, 8),
3578                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3579                                      BPF_FUNC_skb_load_bytes),
3580                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3581                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3582                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3583                                     offsetof(struct __sk_buff, mark)),
3584                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3585                                     offsetof(struct __sk_buff, priority)),
3586                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3587                         BPF_EXIT_INSN(),
3588                 },
3589                 .result = ACCEPT,
3590                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3591         },
3592         {
3593                 "raw_stack: skb_load_bytes, spilled regs corruption",
3594                 .insns = {
3595                         BPF_MOV64_IMM(BPF_REG_2, 4),
3596                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3597                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
3598                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
3599                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3600                         BPF_MOV64_IMM(BPF_REG_4, 8),
3601                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3602                                      BPF_FUNC_skb_load_bytes),
3603                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3604                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3605                                     offsetof(struct __sk_buff, mark)),
3606                         BPF_EXIT_INSN(),
3607                 },
3608                 .result = REJECT,
3609                 .errstr = "R0 invalid mem access 'inv'",
3610                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3611                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3612         },
3613         {
3614                 "raw_stack: skb_load_bytes, spilled regs corruption 2",
3615                 .insns = {
3616                         BPF_MOV64_IMM(BPF_REG_2, 4),
3617                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3618                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3619                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3620                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
3621                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3622                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3623                         BPF_MOV64_IMM(BPF_REG_4, 8),
3624                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3625                                      BPF_FUNC_skb_load_bytes),
3626                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3627                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3628                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
3629                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3630                                     offsetof(struct __sk_buff, mark)),
3631                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3632                                     offsetof(struct __sk_buff, priority)),
3633                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3634                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
3635                                     offsetof(struct __sk_buff, pkt_type)),
3636                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3637                         BPF_EXIT_INSN(),
3638                 },
3639                 .result = REJECT,
3640                 .errstr = "R3 invalid mem access 'inv'",
3641                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3642                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3643         },
3644         {
3645                 "raw_stack: skb_load_bytes, spilled regs + data",
3646                 .insns = {
3647                         BPF_MOV64_IMM(BPF_REG_2, 4),
3648                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3649                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
3650                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
3651                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
3652                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
3653                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3654                         BPF_MOV64_IMM(BPF_REG_4, 8),
3655                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3656                                      BPF_FUNC_skb_load_bytes),
3657                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
3658                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
3659                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
3660                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3661                                     offsetof(struct __sk_buff, mark)),
3662                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
3663                                     offsetof(struct __sk_buff, priority)),
3664                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3665                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
3666                         BPF_EXIT_INSN(),
3667                 },
3668                 .result = ACCEPT,
3669                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3670         },
3671         {
3672                 "raw_stack: skb_load_bytes, invalid access 1",
3673                 .insns = {
3674                         BPF_MOV64_IMM(BPF_REG_2, 4),
3675                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3676                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
3677                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3678                         BPF_MOV64_IMM(BPF_REG_4, 8),
3679                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3680                                      BPF_FUNC_skb_load_bytes),
3681                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3682                         BPF_EXIT_INSN(),
3683                 },
3684                 .result = REJECT,
3685                 .errstr = "invalid stack type R3 off=-513 access_size=8",
3686                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3687         },
3688         {
3689                 "raw_stack: skb_load_bytes, invalid access 2",
3690                 .insns = {
3691                         BPF_MOV64_IMM(BPF_REG_2, 4),
3692                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3693                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3694                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3695                         BPF_MOV64_IMM(BPF_REG_4, 8),
3696                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3697                                      BPF_FUNC_skb_load_bytes),
3698                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3699                         BPF_EXIT_INSN(),
3700                 },
3701                 .result = REJECT,
3702                 .errstr = "invalid stack type R3 off=-1 access_size=8",
3703                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3704         },
3705         {
3706                 "raw_stack: skb_load_bytes, invalid access 3",
3707                 .insns = {
3708                         BPF_MOV64_IMM(BPF_REG_2, 4),
3709                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3710                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
3711                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3712                         BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3713                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3714                                      BPF_FUNC_skb_load_bytes),
3715                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3716                         BPF_EXIT_INSN(),
3717                 },
3718                 .result = REJECT,
3719                 .errstr = "R4 min value is negative",
3720                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3721         },
3722         {
3723                 "raw_stack: skb_load_bytes, invalid access 4",
3724                 .insns = {
3725                         BPF_MOV64_IMM(BPF_REG_2, 4),
3726                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3727                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
3728                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3729                         BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3730                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3731                                      BPF_FUNC_skb_load_bytes),
3732                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3733                         BPF_EXIT_INSN(),
3734                 },
3735                 .result = REJECT,
3736                 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3737                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3738         },
3739         {
3740                 "raw_stack: skb_load_bytes, invalid access 5",
3741                 .insns = {
3742                         BPF_MOV64_IMM(BPF_REG_2, 4),
3743                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3744                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3745                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3746                         BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
3747                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3748                                      BPF_FUNC_skb_load_bytes),
3749                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3750                         BPF_EXIT_INSN(),
3751                 },
3752                 .result = REJECT,
3753                 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
3754                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3755         },
3756         {
3757                 "raw_stack: skb_load_bytes, invalid access 6",
3758                 .insns = {
3759                         BPF_MOV64_IMM(BPF_REG_2, 4),
3760                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3761                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3762                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3763                         BPF_MOV64_IMM(BPF_REG_4, 0),
3764                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3765                                      BPF_FUNC_skb_load_bytes),
3766                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3767                         BPF_EXIT_INSN(),
3768                 },
3769                 .result = REJECT,
3770                 .errstr = "invalid stack type R3 off=-512 access_size=0",
3771                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3772         },
3773         {
3774                 "raw_stack: skb_load_bytes, large access",
3775                 .insns = {
3776                         BPF_MOV64_IMM(BPF_REG_2, 4),
3777                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
3778                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
3779                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3780                         BPF_MOV64_IMM(BPF_REG_4, 512),
3781                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3782                                      BPF_FUNC_skb_load_bytes),
3783                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3784                         BPF_EXIT_INSN(),
3785                 },
3786                 .result = ACCEPT,
3787                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3788         },
3789         {
3790                 "context stores via ST",
3791                 .insns = {
3792                         BPF_MOV64_IMM(BPF_REG_0, 0),
3793                         BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
3794                         BPF_EXIT_INSN(),
3795                 },
3796                 .errstr = "BPF_ST stores into R1 ctx is not allowed",
3797                 .result = REJECT,
3798                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3799         },
3800         {
3801                 "context stores via XADD",
3802                 .insns = {
3803                         BPF_MOV64_IMM(BPF_REG_0, 0),
3804                         BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
3805                                      BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
3806                         BPF_EXIT_INSN(),
3807                 },
3808                 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
3809                 .result = REJECT,
3810                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3811         },
3812         {
3813                 "direct packet access: test1",
3814                 .insns = {
3815                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3816                                     offsetof(struct __sk_buff, data)),
3817                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3818                                     offsetof(struct __sk_buff, data_end)),
3819                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3820                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3821                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3822                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3823                         BPF_MOV64_IMM(BPF_REG_0, 0),
3824                         BPF_EXIT_INSN(),
3825                 },
3826                 .result = ACCEPT,
3827                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3828         },
3829         {
3830                 "direct packet access: test2",
3831                 .insns = {
3832                         BPF_MOV64_IMM(BPF_REG_0, 1),
3833                         BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
3834                                     offsetof(struct __sk_buff, data_end)),
3835                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3836                                     offsetof(struct __sk_buff, data)),
3837                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3838                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3839                         BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3840                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3841                         BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3842                         BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3843                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3844                                     offsetof(struct __sk_buff, data)),
3845                         BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3846                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3847                                     offsetof(struct __sk_buff, len)),
3848                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3849                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3850                         BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3851                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3852                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3853                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3854                                     offsetof(struct __sk_buff, data_end)),
3855                         BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3856                         BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3857                         BPF_MOV64_IMM(BPF_REG_0, 0),
3858                         BPF_EXIT_INSN(),
3859                 },
3860                 .result = ACCEPT,
3861                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3862         },
3863         {
3864                 "direct packet access: test3",
3865                 .insns = {
3866                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3867                                     offsetof(struct __sk_buff, data)),
3868                         BPF_MOV64_IMM(BPF_REG_0, 0),
3869                         BPF_EXIT_INSN(),
3870                 },
3871                 .errstr = "invalid bpf_context access off=76",
3872                 .result = REJECT,
3873                 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3874         },
3875         {
3876                 "direct packet access: test4 (write)",
3877                 .insns = {
3878                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3879                                     offsetof(struct __sk_buff, data)),
3880                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3881                                     offsetof(struct __sk_buff, data_end)),
3882                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3883                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3884                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3885                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3886                         BPF_MOV64_IMM(BPF_REG_0, 0),
3887                         BPF_EXIT_INSN(),
3888                 },
3889                 .result = ACCEPT,
3890                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3891         },
3892         {
3893                 "direct packet access: test5 (pkt_end >= reg, good access)",
3894                 .insns = {
3895                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3896                                     offsetof(struct __sk_buff, data)),
3897                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3898                                     offsetof(struct __sk_buff, data_end)),
3899                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3900                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3901                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3902                         BPF_MOV64_IMM(BPF_REG_0, 1),
3903                         BPF_EXIT_INSN(),
3904                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3905                         BPF_MOV64_IMM(BPF_REG_0, 0),
3906                         BPF_EXIT_INSN(),
3907                 },
3908                 .result = ACCEPT,
3909                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3910         },
3911         {
3912                 "direct packet access: test6 (pkt_end >= reg, bad access)",
3913                 .insns = {
3914                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3915                                     offsetof(struct __sk_buff, data)),
3916                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3917                                     offsetof(struct __sk_buff, data_end)),
3918                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3919                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3920                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3921                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3922                         BPF_MOV64_IMM(BPF_REG_0, 1),
3923                         BPF_EXIT_INSN(),
3924                         BPF_MOV64_IMM(BPF_REG_0, 0),
3925                         BPF_EXIT_INSN(),
3926                 },
3927                 .errstr = "invalid access to packet",
3928                 .result = REJECT,
3929                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3930         },
3931         {
3932                 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3933                 .insns = {
3934                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3935                                     offsetof(struct __sk_buff, data)),
3936                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3937                                     offsetof(struct __sk_buff, data_end)),
3938                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3939                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3940                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3941                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3942                         BPF_MOV64_IMM(BPF_REG_0, 1),
3943                         BPF_EXIT_INSN(),
3944                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3945                         BPF_MOV64_IMM(BPF_REG_0, 0),
3946                         BPF_EXIT_INSN(),
3947                 },
3948                 .errstr = "invalid access to packet",
3949                 .result = REJECT,
3950                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3951         },
3952         {
3953                 "direct packet access: test8 (double test, variant 1)",
3954                 .insns = {
3955                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3956                                     offsetof(struct __sk_buff, data)),
3957                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3958                                     offsetof(struct __sk_buff, data_end)),
3959                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3960                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3961                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3962                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3963                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3964                         BPF_MOV64_IMM(BPF_REG_0, 1),
3965                         BPF_EXIT_INSN(),
3966                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3967                         BPF_MOV64_IMM(BPF_REG_0, 0),
3968                         BPF_EXIT_INSN(),
3969                 },
3970                 .result = ACCEPT,
3971                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3972         },
3973         {
3974                 "direct packet access: test9 (double test, variant 2)",
3975                 .insns = {
3976                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3977                                     offsetof(struct __sk_buff, data)),
3978                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3979                                     offsetof(struct __sk_buff, data_end)),
3980                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3981                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3982                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3983                         BPF_MOV64_IMM(BPF_REG_0, 1),
3984                         BPF_EXIT_INSN(),
3985                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3986                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3987                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3988                         BPF_MOV64_IMM(BPF_REG_0, 0),
3989                         BPF_EXIT_INSN(),
3990                 },
3991                 .result = ACCEPT,
3992                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3993         },
3994         {
3995                 "direct packet access: test10 (write invalid)",
3996                 .insns = {
3997                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3998                                     offsetof(struct __sk_buff, data)),
3999                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4000                                     offsetof(struct __sk_buff, data_end)),
4001                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4002                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4003                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
4004                         BPF_MOV64_IMM(BPF_REG_0, 0),
4005                         BPF_EXIT_INSN(),
4006                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4007                         BPF_MOV64_IMM(BPF_REG_0, 0),
4008                         BPF_EXIT_INSN(),
4009                 },
4010                 .errstr = "invalid access to packet",
4011                 .result = REJECT,
4012                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4013         },
4014         {
4015                 "direct packet access: test11 (shift, good access)",
4016                 .insns = {
4017                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4018                                     offsetof(struct __sk_buff, data)),
4019                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4020                                     offsetof(struct __sk_buff, data_end)),
4021                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4022                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
4023                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
4024                         BPF_MOV64_IMM(BPF_REG_3, 144),
4025                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
4026                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
4027                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
4028                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
4029                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
4030                         BPF_MOV64_IMM(BPF_REG_0, 1),
4031                         BPF_EXIT_INSN(),
4032                         BPF_MOV64_IMM(BPF_REG_0, 0),
4033                         BPF_EXIT_INSN(),
4034                 },
4035                 .result = ACCEPT,
4036                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4037                 .retval = 1,
4038         },
4039         {
4040                 "direct packet access: test12 (and, good access)",
4041                 .insns = {
4042                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4043                                     offsetof(struct __sk_buff, data)),
4044                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4045                                     offsetof(struct __sk_buff, data_end)),
4046                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4047                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
4048                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
4049                         BPF_MOV64_IMM(BPF_REG_3, 144),
4050                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
4051                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
4052                         BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
4053                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
4054                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
4055                         BPF_MOV64_IMM(BPF_REG_0, 1),
4056                         BPF_EXIT_INSN(),
4057                         BPF_MOV64_IMM(BPF_REG_0, 0),
4058                         BPF_EXIT_INSN(),
4059                 },
4060                 .result = ACCEPT,
4061                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4062                 .retval = 1,
4063         },
4064         {
4065                 "direct packet access: test13 (branches, good access)",
4066                 .insns = {
4067                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4068                                     offsetof(struct __sk_buff, data)),
4069                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4070                                     offsetof(struct __sk_buff, data_end)),
4071                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4072                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
4073                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
4074                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4075                                     offsetof(struct __sk_buff, mark)),
4076                         BPF_MOV64_IMM(BPF_REG_4, 1),
4077                         BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
4078                         BPF_MOV64_IMM(BPF_REG_3, 14),
4079                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
4080                         BPF_MOV64_IMM(BPF_REG_3, 24),
4081                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
4082                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
4083                         BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
4084                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
4085                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
4086                         BPF_MOV64_IMM(BPF_REG_0, 1),
4087                         BPF_EXIT_INSN(),
4088                         BPF_MOV64_IMM(BPF_REG_0, 0),
4089                         BPF_EXIT_INSN(),
4090                 },
4091                 .result = ACCEPT,
4092                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4093                 .retval = 1,
4094         },
4095         {
4096                 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
4097                 .insns = {
4098                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4099                                     offsetof(struct __sk_buff, data)),
4100                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4101                                     offsetof(struct __sk_buff, data_end)),
4102                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4103                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
4104                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
4105                         BPF_MOV64_IMM(BPF_REG_5, 12),
4106                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
4107                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
4108                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
4109                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
4110                         BPF_MOV64_IMM(BPF_REG_0, 1),
4111                         BPF_EXIT_INSN(),
4112                         BPF_MOV64_IMM(BPF_REG_0, 0),
4113                         BPF_EXIT_INSN(),
4114                 },
4115                 .result = ACCEPT,
4116                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4117                 .retval = 1,
4118         },
4119         {
4120                 "direct packet access: test15 (spill with xadd)",
4121                 .insns = {
4122                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4123                                     offsetof(struct __sk_buff, data)),
4124                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4125                                     offsetof(struct __sk_buff, data_end)),
4126                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4127                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4128                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
4129                         BPF_MOV64_IMM(BPF_REG_5, 4096),
4130                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
4131                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
4132                         BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
4133                         BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
4134                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
4135                         BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
4136                         BPF_MOV64_IMM(BPF_REG_0, 0),
4137                         BPF_EXIT_INSN(),
4138                 },
4139                 .errstr = "R2 invalid mem access 'inv'",
4140                 .result = REJECT,
4141                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4142                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4143         },
4144         {
4145                 "direct packet access: test16 (arith on data_end)",
4146                 .insns = {
4147                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4148                                     offsetof(struct __sk_buff, data)),
4149                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4150                                     offsetof(struct __sk_buff, data_end)),
4151                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4152                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4153                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
4154                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4155                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4156                         BPF_MOV64_IMM(BPF_REG_0, 0),
4157                         BPF_EXIT_INSN(),
4158                 },
4159                 .errstr = "R3 pointer arithmetic on pkt_end",
4160                 .result = REJECT,
4161                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4162         },
4163         {
4164                 "direct packet access: test17 (pruning, alignment)",
4165                 .insns = {
4166                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4167                                     offsetof(struct __sk_buff, data)),
4168                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4169                                     offsetof(struct __sk_buff, data_end)),
4170                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4171                                     offsetof(struct __sk_buff, mark)),
4172                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4173                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
4174                         BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
4175                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4176                         BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
4177                         BPF_MOV64_IMM(BPF_REG_0, 0),
4178                         BPF_EXIT_INSN(),
4179                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
4180                         BPF_JMP_A(-6),
4181                 },
4182                 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
4183                 .result = REJECT,
4184                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4185                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
4186         },
4187         {
4188                 "direct packet access: test18 (imm += pkt_ptr, 1)",
4189                 .insns = {
4190                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4191                                     offsetof(struct __sk_buff, data)),
4192                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4193                                     offsetof(struct __sk_buff, data_end)),
4194                         BPF_MOV64_IMM(BPF_REG_0, 8),
4195                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
4196                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4197                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4198                         BPF_MOV64_IMM(BPF_REG_0, 0),
4199                         BPF_EXIT_INSN(),
4200                 },
4201                 .result = ACCEPT,
4202                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4203         },
4204         {
4205                 "direct packet access: test19 (imm += pkt_ptr, 2)",
4206                 .insns = {
4207                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4208                                     offsetof(struct __sk_buff, data)),
4209                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4210                                     offsetof(struct __sk_buff, data_end)),
4211                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4212                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4213                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
4214                         BPF_MOV64_IMM(BPF_REG_4, 4),
4215                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4216                         BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
4217                         BPF_MOV64_IMM(BPF_REG_0, 0),
4218                         BPF_EXIT_INSN(),
4219                 },
4220                 .result = ACCEPT,
4221                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4222         },
4223         {
4224                 "direct packet access: test20 (x += pkt_ptr, 1)",
4225                 .insns = {
4226                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4227                                     offsetof(struct __sk_buff, data)),
4228                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4229                                     offsetof(struct __sk_buff, data_end)),
4230                         BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
4231                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4232                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
4233                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
4234                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4235                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4236                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4237                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
4238                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
4239                         BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
4240                         BPF_MOV64_IMM(BPF_REG_0, 0),
4241                         BPF_EXIT_INSN(),
4242                 },
4243                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4244                 .result = ACCEPT,
4245                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4246         },
4247         {
4248                 "direct packet access: test21 (x += pkt_ptr, 2)",
4249                 .insns = {
4250                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4251                                     offsetof(struct __sk_buff, data)),
4252                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4253                                     offsetof(struct __sk_buff, data_end)),
4254                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4255                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4256                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
4257                         BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
4258                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
4259                         BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
4260                         BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
4261                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4262                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4263                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
4264                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
4265                         BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
4266                         BPF_MOV64_IMM(BPF_REG_0, 0),
4267                         BPF_EXIT_INSN(),
4268                 },
4269                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4270                 .result = ACCEPT,
4271                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4272         },
4273         {
4274                 "direct packet access: test22 (x += pkt_ptr, 3)",
4275                 .insns = {
4276                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4277                                     offsetof(struct __sk_buff, data)),
4278                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4279                                     offsetof(struct __sk_buff, data_end)),
4280                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4281                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4282                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
4283                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
4284                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
4285                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
4286                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
4287                         BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
4288                         BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
4289                         BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
4290                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
4291                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
4292                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
4293                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
4294                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
4295                         BPF_MOV64_IMM(BPF_REG_2, 1),
4296                         BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
4297                         BPF_MOV64_IMM(BPF_REG_0, 0),
4298                         BPF_EXIT_INSN(),
4299                 },
4300                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4301                 .result = ACCEPT,
4302                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4303         },
4304         {
4305                 "direct packet access: test23 (x += pkt_ptr, 4)",
4306                 .insns = {
4307                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4308                                     offsetof(struct __sk_buff, data)),
4309                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4310                                     offsetof(struct __sk_buff, data_end)),
4311                         BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
4312                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4313                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
4314                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
4315                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4316                         BPF_MOV64_IMM(BPF_REG_0, 31),
4317                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
4318                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
4319                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
4320                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
4321                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4322                         BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
4323                         BPF_MOV64_IMM(BPF_REG_0, 0),
4324                         BPF_EXIT_INSN(),
4325                 },
4326                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4327                 .result = REJECT,
4328                 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
4329                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4330         },
4331         {
4332                 "direct packet access: test24 (x += pkt_ptr, 5)",
4333                 .insns = {
4334                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4335                                     offsetof(struct __sk_buff, data)),
4336                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4337                                     offsetof(struct __sk_buff, data_end)),
4338                         BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
4339                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4340                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
4341                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
4342                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4343                         BPF_MOV64_IMM(BPF_REG_0, 64),
4344                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
4345                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
4346                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
4347                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
4348                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4349                         BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
4350                         BPF_MOV64_IMM(BPF_REG_0, 0),
4351                         BPF_EXIT_INSN(),
4352                 },
4353                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4354                 .result = ACCEPT,
4355                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4356         },
4357         {
4358                 "direct packet access: test25 (marking on <, good access)",
4359                 .insns = {
4360                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4361                                     offsetof(struct __sk_buff, data)),
4362                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4363                                     offsetof(struct __sk_buff, data_end)),
4364                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4365                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4366                         BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
4367                         BPF_MOV64_IMM(BPF_REG_0, 0),
4368                         BPF_EXIT_INSN(),
4369                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4370                         BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4371                 },
4372                 .result = ACCEPT,
4373                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4374         },
4375         {
4376                 "direct packet access: test26 (marking on <, bad access)",
4377                 .insns = {
4378                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4379                                     offsetof(struct __sk_buff, data)),
4380                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4381                                     offsetof(struct __sk_buff, data_end)),
4382                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4383                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4384                         BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
4385                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4386                         BPF_MOV64_IMM(BPF_REG_0, 0),
4387                         BPF_EXIT_INSN(),
4388                         BPF_JMP_IMM(BPF_JA, 0, 0, -3),
4389                 },
4390                 .result = REJECT,
4391                 .errstr = "invalid access to packet",
4392                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4393         },
4394         {
4395                 "direct packet access: test27 (marking on <=, good access)",
4396                 .insns = {
4397                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4398                                     offsetof(struct __sk_buff, data)),
4399                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4400                                     offsetof(struct __sk_buff, data_end)),
4401                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4402                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4403                         BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
4404                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4405                         BPF_MOV64_IMM(BPF_REG_0, 1),
4406                         BPF_EXIT_INSN(),
4407                 },
4408                 .result = ACCEPT,
4409                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4410                 .retval = 1,
4411         },
4412         {
4413                 "direct packet access: test28 (marking on <=, bad access)",
4414                 .insns = {
4415                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4416                                     offsetof(struct __sk_buff, data)),
4417                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4418                                     offsetof(struct __sk_buff, data_end)),
4419                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4420                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4421                         BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
4422                         BPF_MOV64_IMM(BPF_REG_0, 1),
4423                         BPF_EXIT_INSN(),
4424                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4425                         BPF_JMP_IMM(BPF_JA, 0, 0, -4),
4426                 },
4427                 .result = REJECT,
4428                 .errstr = "invalid access to packet",
4429                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4430         },
4431         {
4432                 "helper access to packet: test1, valid packet_ptr range",
4433                 .insns = {
4434                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4435                                     offsetof(struct xdp_md, data)),
4436                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4437                                     offsetof(struct xdp_md, data_end)),
4438                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4439                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4440                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4441                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4442                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4443                         BPF_MOV64_IMM(BPF_REG_4, 0),
4444                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4445                                      BPF_FUNC_map_update_elem),
4446                         BPF_MOV64_IMM(BPF_REG_0, 0),
4447                         BPF_EXIT_INSN(),
4448                 },
4449                 .fixup_map_hash_8b = { 5 },
4450                 .result_unpriv = ACCEPT,
4451                 .result = ACCEPT,
4452                 .prog_type = BPF_PROG_TYPE_XDP,
4453         },
4454         {
4455                 "helper access to packet: test2, unchecked packet_ptr",
4456                 .insns = {
4457                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4458                                     offsetof(struct xdp_md, data)),
4459                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4460                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4461                                      BPF_FUNC_map_lookup_elem),
4462                         BPF_MOV64_IMM(BPF_REG_0, 0),
4463                         BPF_EXIT_INSN(),
4464                 },
4465                 .fixup_map_hash_8b = { 1 },
4466                 .result = REJECT,
4467                 .errstr = "invalid access to packet",
4468                 .prog_type = BPF_PROG_TYPE_XDP,
4469         },
4470         {
4471                 "helper access to packet: test3, variable add",
4472                 .insns = {
4473                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4474                                         offsetof(struct xdp_md, data)),
4475                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4476                                         offsetof(struct xdp_md, data_end)),
4477                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4478                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4479                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4480                         BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4481                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4482                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4483                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4484                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4485                         BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4486                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4487                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4488                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4489                                      BPF_FUNC_map_lookup_elem),
4490                         BPF_MOV64_IMM(BPF_REG_0, 0),
4491                         BPF_EXIT_INSN(),
4492                 },
4493                 .fixup_map_hash_8b = { 11 },
4494                 .result = ACCEPT,
4495                 .prog_type = BPF_PROG_TYPE_XDP,
4496         },
4497         {
4498                 "helper access to packet: test4, packet_ptr with bad range",
4499                 .insns = {
4500                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4501                                     offsetof(struct xdp_md, data)),
4502                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4503                                     offsetof(struct xdp_md, data_end)),
4504                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4505                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4506                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4507                         BPF_MOV64_IMM(BPF_REG_0, 0),
4508                         BPF_EXIT_INSN(),
4509                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4510                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4511                                      BPF_FUNC_map_lookup_elem),
4512                         BPF_MOV64_IMM(BPF_REG_0, 0),
4513                         BPF_EXIT_INSN(),
4514                 },
4515                 .fixup_map_hash_8b = { 7 },
4516                 .result = REJECT,
4517                 .errstr = "invalid access to packet",
4518                 .prog_type = BPF_PROG_TYPE_XDP,
4519         },
4520         {
4521                 "helper access to packet: test5, packet_ptr with too short range",
4522                 .insns = {
4523                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4524                                     offsetof(struct xdp_md, data)),
4525                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4526                                     offsetof(struct xdp_md, data_end)),
4527                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4528                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4529                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4530                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4531                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4532                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4533                                      BPF_FUNC_map_lookup_elem),
4534                         BPF_MOV64_IMM(BPF_REG_0, 0),
4535                         BPF_EXIT_INSN(),
4536                 },
4537                 .fixup_map_hash_8b = { 6 },
4538                 .result = REJECT,
4539                 .errstr = "invalid access to packet",
4540                 .prog_type = BPF_PROG_TYPE_XDP,
4541         },
4542         {
4543                 "helper access to packet: test6, cls valid packet_ptr range",
4544                 .insns = {
4545                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4546                                     offsetof(struct __sk_buff, data)),
4547                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4548                                     offsetof(struct __sk_buff, data_end)),
4549                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4550                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
4551                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
4552                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4553                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
4554                         BPF_MOV64_IMM(BPF_REG_4, 0),
4555                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4556                                      BPF_FUNC_map_update_elem),
4557                         BPF_MOV64_IMM(BPF_REG_0, 0),
4558                         BPF_EXIT_INSN(),
4559                 },
4560                 .fixup_map_hash_8b = { 5 },
4561                 .result = ACCEPT,
4562                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4563         },
4564         {
4565                 "helper access to packet: test7, cls unchecked packet_ptr",
4566                 .insns = {
4567                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4568                                     offsetof(struct __sk_buff, data)),
4569                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4570                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4571                                      BPF_FUNC_map_lookup_elem),
4572                         BPF_MOV64_IMM(BPF_REG_0, 0),
4573                         BPF_EXIT_INSN(),
4574                 },
4575                 .fixup_map_hash_8b = { 1 },
4576                 .result = REJECT,
4577                 .errstr = "invalid access to packet",
4578                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4579         },
4580         {
4581                 "helper access to packet: test8, cls variable add",
4582                 .insns = {
4583                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4584                                         offsetof(struct __sk_buff, data)),
4585                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4586                                         offsetof(struct __sk_buff, data_end)),
4587                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4588                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
4589                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
4590                         BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
4591                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4592                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
4593                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
4594                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
4595                         BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
4596                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4597                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
4598                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4599                                      BPF_FUNC_map_lookup_elem),
4600                         BPF_MOV64_IMM(BPF_REG_0, 0),
4601                         BPF_EXIT_INSN(),
4602                 },
4603                 .fixup_map_hash_8b = { 11 },
4604                 .result = ACCEPT,
4605                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4606         },
4607         {
4608                 "helper access to packet: test9, cls packet_ptr with bad range",
4609                 .insns = {
4610                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4611                                     offsetof(struct __sk_buff, data)),
4612                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4613                                     offsetof(struct __sk_buff, data_end)),
4614                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4615                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
4616                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
4617                         BPF_MOV64_IMM(BPF_REG_0, 0),
4618                         BPF_EXIT_INSN(),
4619                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4620                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4621                                      BPF_FUNC_map_lookup_elem),
4622                         BPF_MOV64_IMM(BPF_REG_0, 0),
4623                         BPF_EXIT_INSN(),
4624                 },
4625                 .fixup_map_hash_8b = { 7 },
4626                 .result = REJECT,
4627                 .errstr = "invalid access to packet",
4628                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4629         },
4630         {
4631                 "helper access to packet: test10, cls packet_ptr with too short range",
4632                 .insns = {
4633                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4634                                     offsetof(struct __sk_buff, data)),
4635                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4636                                     offsetof(struct __sk_buff, data_end)),
4637                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4638                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
4639                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
4640                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
4641                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4642                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4643                                      BPF_FUNC_map_lookup_elem),
4644                         BPF_MOV64_IMM(BPF_REG_0, 0),
4645                         BPF_EXIT_INSN(),
4646                 },
4647                 .fixup_map_hash_8b = { 6 },
4648                 .result = REJECT,
4649                 .errstr = "invalid access to packet",
4650                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4651         },
4652         {
4653                 "helper access to packet: test11, cls unsuitable helper 1",
4654                 .insns = {
4655                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4656                                     offsetof(struct __sk_buff, data)),
4657                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4658                                     offsetof(struct __sk_buff, data_end)),
4659                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4660                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4661                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
4662                         BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
4663                         BPF_MOV64_IMM(BPF_REG_2, 0),
4664                         BPF_MOV64_IMM(BPF_REG_4, 42),
4665                         BPF_MOV64_IMM(BPF_REG_5, 0),
4666                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4667                                      BPF_FUNC_skb_store_bytes),
4668                         BPF_MOV64_IMM(BPF_REG_0, 0),
4669                         BPF_EXIT_INSN(),
4670                 },
4671                 .result = REJECT,
4672                 .errstr = "helper access to the packet",
4673                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4674         },
4675         {
4676                 "helper access to packet: test12, cls unsuitable helper 2",
4677                 .insns = {
4678                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4679                                     offsetof(struct __sk_buff, data)),
4680                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4681                                     offsetof(struct __sk_buff, data_end)),
4682                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
4683                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
4684                         BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
4685                         BPF_MOV64_IMM(BPF_REG_2, 0),
4686                         BPF_MOV64_IMM(BPF_REG_4, 4),
4687                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4688                                      BPF_FUNC_skb_load_bytes),
4689                         BPF_MOV64_IMM(BPF_REG_0, 0),
4690                         BPF_EXIT_INSN(),
4691                 },
4692                 .result = REJECT,
4693                 .errstr = "helper access to the packet",
4694                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4695         },
4696         {
4697                 "helper access to packet: test13, cls helper ok",
4698                 .insns = {
4699                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4700                                     offsetof(struct __sk_buff, data)),
4701                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4702                                     offsetof(struct __sk_buff, data_end)),
4703                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4704                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4705                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4706                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4707                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4708                         BPF_MOV64_IMM(BPF_REG_2, 4),
4709                         BPF_MOV64_IMM(BPF_REG_3, 0),
4710                         BPF_MOV64_IMM(BPF_REG_4, 0),
4711                         BPF_MOV64_IMM(BPF_REG_5, 0),
4712                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4713                                      BPF_FUNC_csum_diff),
4714                         BPF_MOV64_IMM(BPF_REG_0, 0),
4715                         BPF_EXIT_INSN(),
4716                 },
4717                 .result = ACCEPT,
4718                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4719         },
4720         {
4721                 "helper access to packet: test14, cls helper ok sub",
4722                 .insns = {
4723                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4724                                     offsetof(struct __sk_buff, data)),
4725                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4726                                     offsetof(struct __sk_buff, data_end)),
4727                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4728                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4729                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4730                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4731                         BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
4732                         BPF_MOV64_IMM(BPF_REG_2, 4),
4733                         BPF_MOV64_IMM(BPF_REG_3, 0),
4734                         BPF_MOV64_IMM(BPF_REG_4, 0),
4735                         BPF_MOV64_IMM(BPF_REG_5, 0),
4736                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4737                                      BPF_FUNC_csum_diff),
4738                         BPF_MOV64_IMM(BPF_REG_0, 0),
4739                         BPF_EXIT_INSN(),
4740                 },
4741                 .result = ACCEPT,
4742                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4743         },
4744         {
4745                 "helper access to packet: test15, cls helper fail sub",
4746                 .insns = {
4747                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4748                                     offsetof(struct __sk_buff, data)),
4749                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4750                                     offsetof(struct __sk_buff, data_end)),
4751                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4752                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4753                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4754                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4755                         BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
4756                         BPF_MOV64_IMM(BPF_REG_2, 4),
4757                         BPF_MOV64_IMM(BPF_REG_3, 0),
4758                         BPF_MOV64_IMM(BPF_REG_4, 0),
4759                         BPF_MOV64_IMM(BPF_REG_5, 0),
4760                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4761                                      BPF_FUNC_csum_diff),
4762                         BPF_MOV64_IMM(BPF_REG_0, 0),
4763                         BPF_EXIT_INSN(),
4764                 },
4765                 .result = REJECT,
4766                 .errstr = "invalid access to packet",
4767                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4768         },
4769         {
4770                 "helper access to packet: test16, cls helper fail range 1",
4771                 .insns = {
4772                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4773                                     offsetof(struct __sk_buff, data)),
4774                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4775                                     offsetof(struct __sk_buff, data_end)),
4776                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4777                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4778                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4779                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4780                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4781                         BPF_MOV64_IMM(BPF_REG_2, 8),
4782                         BPF_MOV64_IMM(BPF_REG_3, 0),
4783                         BPF_MOV64_IMM(BPF_REG_4, 0),
4784                         BPF_MOV64_IMM(BPF_REG_5, 0),
4785                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4786                                      BPF_FUNC_csum_diff),
4787                         BPF_MOV64_IMM(BPF_REG_0, 0),
4788                         BPF_EXIT_INSN(),
4789                 },
4790                 .result = REJECT,
4791                 .errstr = "invalid access to packet",
4792                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4793         },
4794         {
4795                 "helper access to packet: test17, cls helper fail range 2",
4796                 .insns = {
4797                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4798                                     offsetof(struct __sk_buff, data)),
4799                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4800                                     offsetof(struct __sk_buff, data_end)),
4801                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4802                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4803                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4804                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4805                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4806                         BPF_MOV64_IMM(BPF_REG_2, -9),
4807                         BPF_MOV64_IMM(BPF_REG_3, 0),
4808                         BPF_MOV64_IMM(BPF_REG_4, 0),
4809                         BPF_MOV64_IMM(BPF_REG_5, 0),
4810                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4811                                      BPF_FUNC_csum_diff),
4812                         BPF_MOV64_IMM(BPF_REG_0, 0),
4813                         BPF_EXIT_INSN(),
4814                 },
4815                 .result = REJECT,
4816                 .errstr = "R2 min value is negative",
4817                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4818         },
4819         {
4820                 "helper access to packet: test18, cls helper fail range 3",
4821                 .insns = {
4822                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4823                                     offsetof(struct __sk_buff, data)),
4824                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4825                                     offsetof(struct __sk_buff, data_end)),
4826                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4827                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4828                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4829                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4830                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4831                         BPF_MOV64_IMM(BPF_REG_2, ~0),
4832                         BPF_MOV64_IMM(BPF_REG_3, 0),
4833                         BPF_MOV64_IMM(BPF_REG_4, 0),
4834                         BPF_MOV64_IMM(BPF_REG_5, 0),
4835                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4836                                      BPF_FUNC_csum_diff),
4837                         BPF_MOV64_IMM(BPF_REG_0, 0),
4838                         BPF_EXIT_INSN(),
4839                 },
4840                 .result = REJECT,
4841                 .errstr = "R2 min value is negative",
4842                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4843         },
4844         {
4845                 "helper access to packet: test19, cls helper range zero",
4846                 .insns = {
4847                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4848                                     offsetof(struct __sk_buff, data)),
4849                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4850                                     offsetof(struct __sk_buff, data_end)),
4851                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4852                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4853                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4854                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4855                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4856                         BPF_MOV64_IMM(BPF_REG_2, 0),
4857                         BPF_MOV64_IMM(BPF_REG_3, 0),
4858                         BPF_MOV64_IMM(BPF_REG_4, 0),
4859                         BPF_MOV64_IMM(BPF_REG_5, 0),
4860                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4861                                      BPF_FUNC_csum_diff),
4862                         BPF_MOV64_IMM(BPF_REG_0, 0),
4863                         BPF_EXIT_INSN(),
4864                 },
4865                 .result = ACCEPT,
4866                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4867         },
4868         {
4869                 "helper access to packet: test20, pkt end as input",
4870                 .insns = {
4871                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4872                                     offsetof(struct __sk_buff, data)),
4873                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4874                                     offsetof(struct __sk_buff, data_end)),
4875                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4876                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4877                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4878                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4879                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4880                         BPF_MOV64_IMM(BPF_REG_2, 4),
4881                         BPF_MOV64_IMM(BPF_REG_3, 0),
4882                         BPF_MOV64_IMM(BPF_REG_4, 0),
4883                         BPF_MOV64_IMM(BPF_REG_5, 0),
4884                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4885                                      BPF_FUNC_csum_diff),
4886                         BPF_MOV64_IMM(BPF_REG_0, 0),
4887                         BPF_EXIT_INSN(),
4888                 },
4889                 .result = REJECT,
4890                 .errstr = "R1 type=pkt_end expected=fp",
4891                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4892         },
4893         {
4894                 "helper access to packet: test21, wrong reg",
4895                 .insns = {
4896                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4897                                     offsetof(struct __sk_buff, data)),
4898                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4899                                     offsetof(struct __sk_buff, data_end)),
4900                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4901                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4902                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4903                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4904                         BPF_MOV64_IMM(BPF_REG_2, 4),
4905                         BPF_MOV64_IMM(BPF_REG_3, 0),
4906                         BPF_MOV64_IMM(BPF_REG_4, 0),
4907                         BPF_MOV64_IMM(BPF_REG_5, 0),
4908                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4909                                      BPF_FUNC_csum_diff),
4910                         BPF_MOV64_IMM(BPF_REG_0, 0),
4911                         BPF_EXIT_INSN(),
4912                 },
4913                 .result = REJECT,
4914                 .errstr = "invalid access to packet",
4915                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4916         },
4917         {
4918                 "prevent map lookup in sockmap",
4919                 .insns = {
4920                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4921                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4922                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4923                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4924                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4925                                      BPF_FUNC_map_lookup_elem),
4926                         BPF_EXIT_INSN(),
4927                 },
4928                 .fixup_map_sockmap = { 3 },
4929                 .result = REJECT,
4930                 .errstr = "cannot pass map_type 15 into func bpf_map_lookup_elem",
4931                 .prog_type = BPF_PROG_TYPE_SOCK_OPS,
4932         },
4933         {
4934                 "prevent map lookup in sockhash",
4935                 .insns = {
4936                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4937                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4938                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4939                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4940                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4941                                      BPF_FUNC_map_lookup_elem),
4942                         BPF_EXIT_INSN(),
4943                 },
4944                 .fixup_map_sockhash = { 3 },
4945                 .result = REJECT,
4946                 .errstr = "cannot pass map_type 18 into func bpf_map_lookup_elem",
4947                 .prog_type = BPF_PROG_TYPE_SOCK_OPS,
4948         },
4949         {
4950                 "prevent map lookup in xskmap",
4951                 .insns = {
4952                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4953                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4954                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4955                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4956                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4957                                      BPF_FUNC_map_lookup_elem),
4958                         BPF_EXIT_INSN(),
4959                 },
4960                 .fixup_map_xskmap = { 3 },
4961                 .result = REJECT,
4962                 .errstr = "cannot pass map_type 17 into func bpf_map_lookup_elem",
4963                 .prog_type = BPF_PROG_TYPE_XDP,
4964         },
4965         {
4966                 "prevent map lookup in stack trace",
4967                 .insns = {
4968                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4969                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4970                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4971                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4972                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4973                                      BPF_FUNC_map_lookup_elem),
4974                         BPF_EXIT_INSN(),
4975                 },
4976                 .fixup_map_stacktrace = { 3 },
4977                 .result = REJECT,
4978                 .errstr = "cannot pass map_type 7 into func bpf_map_lookup_elem",
4979                 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
4980         },
4981         {
4982                 "prevent map lookup in prog array",
4983                 .insns = {
4984                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4985                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4986                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4987                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4988                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4989                                      BPF_FUNC_map_lookup_elem),
4990                         BPF_EXIT_INSN(),
4991                 },
4992                 .fixup_prog2 = { 3 },
4993                 .result = REJECT,
4994                 .errstr = "cannot pass map_type 3 into func bpf_map_lookup_elem",
4995         },
4996         {
4997                 "valid map access into an array with a constant",
4998                 .insns = {
4999                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5000                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5001                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5002                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5003                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5004                                      BPF_FUNC_map_lookup_elem),
5005                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5006                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5007                                    offsetof(struct test_val, foo)),
5008                         BPF_EXIT_INSN(),
5009                 },
5010                 .fixup_map_hash_48b = { 3 },
5011                 .errstr_unpriv = "R0 leaks addr",
5012                 .result_unpriv = REJECT,
5013                 .result = ACCEPT,
5014         },
5015         {
5016                 "valid map access into an array with a register",
5017                 .insns = {
5018                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5019                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5020                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5021                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5022                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5023                                      BPF_FUNC_map_lookup_elem),
5024                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5025                         BPF_MOV64_IMM(BPF_REG_1, 4),
5026                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5027                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5028                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5029                                    offsetof(struct test_val, foo)),
5030                         BPF_EXIT_INSN(),
5031                 },
5032                 .fixup_map_hash_48b = { 3 },
5033                 .errstr_unpriv = "R0 leaks addr",
5034                 .result_unpriv = REJECT,
5035                 .result = ACCEPT,
5036                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5037         },
5038         {
5039                 "valid map access into an array with a variable",
5040                 .insns = {
5041                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5042                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5043                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5044                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5045                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5046                                      BPF_FUNC_map_lookup_elem),
5047                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5048                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5049                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
5050                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5051                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5052                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5053                                    offsetof(struct test_val, foo)),
5054                         BPF_EXIT_INSN(),
5055                 },
5056                 .fixup_map_hash_48b = { 3 },
5057                 .errstr_unpriv = "R0 leaks addr",
5058                 .result_unpriv = REJECT,
5059                 .result = ACCEPT,
5060                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5061         },
5062         {
5063                 "valid map access into an array with a signed variable",
5064                 .insns = {
5065                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5066                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5067                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5068                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5069                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5070                                      BPF_FUNC_map_lookup_elem),
5071                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
5072                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5073                         BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
5074                         BPF_MOV32_IMM(BPF_REG_1, 0),
5075                         BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
5076                         BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
5077                         BPF_MOV32_IMM(BPF_REG_1, 0),
5078                         BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
5079                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5080                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5081                                    offsetof(struct test_val, foo)),
5082                         BPF_EXIT_INSN(),
5083                 },
5084                 .fixup_map_hash_48b = { 3 },
5085                 .errstr_unpriv = "R0 leaks addr",
5086                 .result_unpriv = REJECT,
5087                 .result = ACCEPT,
5088                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5089         },
5090         {
5091                 "invalid map access into an array with a constant",
5092                 .insns = {
5093                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5094                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5095                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5096                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5097                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5098                                      BPF_FUNC_map_lookup_elem),
5099                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5100                         BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
5101                                    offsetof(struct test_val, foo)),
5102                         BPF_EXIT_INSN(),
5103                 },
5104                 .fixup_map_hash_48b = { 3 },
5105                 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
5106                 .result = REJECT,
5107         },
5108         {
5109                 "invalid map access into an array with a register",
5110                 .insns = {
5111                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5112                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5113                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5114                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5115                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5116                                      BPF_FUNC_map_lookup_elem),
5117                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5118                         BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
5119                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5120                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5121                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5122                                    offsetof(struct test_val, foo)),
5123                         BPF_EXIT_INSN(),
5124                 },
5125                 .fixup_map_hash_48b = { 3 },
5126                 .errstr = "R0 min value is outside of the array range",
5127                 .result = REJECT,
5128                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5129         },
5130         {
5131                 "invalid map access into an array with a variable",
5132                 .insns = {
5133                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5134                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5135                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5136                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5137                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5138                                      BPF_FUNC_map_lookup_elem),
5139                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5140                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5141                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5142                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5143                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5144                                    offsetof(struct test_val, foo)),
5145                         BPF_EXIT_INSN(),
5146                 },
5147                 .fixup_map_hash_48b = { 3 },
5148                 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
5149                 .result = REJECT,
5150                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5151         },
5152         {
5153                 "invalid map access into an array with no floor check",
5154                 .insns = {
5155                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5156                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5157                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5158                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5159                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5160                                      BPF_FUNC_map_lookup_elem),
5161                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5162                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
5163                         BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
5164                         BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
5165                         BPF_MOV32_IMM(BPF_REG_1, 0),
5166                         BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
5167                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5168                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5169                                    offsetof(struct test_val, foo)),
5170                         BPF_EXIT_INSN(),
5171                 },
5172                 .fixup_map_hash_48b = { 3 },
5173                 .errstr_unpriv = "R0 leaks addr",
5174                 .errstr = "R0 unbounded memory access",
5175                 .result_unpriv = REJECT,
5176                 .result = REJECT,
5177                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5178         },
5179         {
5180                 "invalid map access into an array with a invalid max check",
5181                 .insns = {
5182                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5183                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5184                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5185                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5186                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5187                                      BPF_FUNC_map_lookup_elem),
5188                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5189                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5190                         BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
5191                         BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
5192                         BPF_MOV32_IMM(BPF_REG_1, 0),
5193                         BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
5194                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5195                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
5196                                    offsetof(struct test_val, foo)),
5197                         BPF_EXIT_INSN(),
5198                 },
5199                 .fixup_map_hash_48b = { 3 },
5200                 .errstr_unpriv = "R0 leaks addr",
5201                 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
5202                 .result_unpriv = REJECT,
5203                 .result = REJECT,
5204                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5205         },
5206         {
5207                 "invalid map access into an array with a invalid max check",
5208                 .insns = {
5209                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5210                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5211                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5212                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5213                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5214                                      BPF_FUNC_map_lookup_elem),
5215                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
5216                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
5217                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5218                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5219                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5220                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5221                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5222                                      BPF_FUNC_map_lookup_elem),
5223                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
5224                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
5225                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
5226                                     offsetof(struct test_val, foo)),
5227                         BPF_EXIT_INSN(),
5228                 },
5229                 .fixup_map_hash_48b = { 3, 11 },
5230                 .errstr = "R0 pointer += pointer",
5231                 .result = REJECT,
5232                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5233         },
5234         {
5235                 "direct packet read test#1 for CGROUP_SKB",
5236                 .insns = {
5237                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5238                                     offsetof(struct __sk_buff, data)),
5239                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5240                                     offsetof(struct __sk_buff, data_end)),
5241                         BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5242                                     offsetof(struct __sk_buff, len)),
5243                         BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5244                                     offsetof(struct __sk_buff, pkt_type)),
5245                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5246                                     offsetof(struct __sk_buff, mark)),
5247                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
5248                                     offsetof(struct __sk_buff, mark)),
5249                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5250                                     offsetof(struct __sk_buff, queue_mapping)),
5251                         BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5252                                     offsetof(struct __sk_buff, protocol)),
5253                         BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5254                                     offsetof(struct __sk_buff, vlan_present)),
5255                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5256                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5257                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5258                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5259                         BPF_MOV64_IMM(BPF_REG_0, 0),
5260                         BPF_EXIT_INSN(),
5261                 },
5262                 .result = ACCEPT,
5263                 .result_unpriv = REJECT,
5264                 .errstr_unpriv = "invalid bpf_context access off=76 size=4",
5265                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5266         },
5267         {
5268                 "direct packet read test#2 for CGROUP_SKB",
5269                 .insns = {
5270                         BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5271                                     offsetof(struct __sk_buff, vlan_tci)),
5272                         BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5273                                     offsetof(struct __sk_buff, vlan_proto)),
5274                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5275                                     offsetof(struct __sk_buff, priority)),
5276                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
5277                                     offsetof(struct __sk_buff, priority)),
5278                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5279                                     offsetof(struct __sk_buff,
5280                                              ingress_ifindex)),
5281                         BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5282                                     offsetof(struct __sk_buff, tc_index)),
5283                         BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5284                                     offsetof(struct __sk_buff, hash)),
5285                         BPF_MOV64_IMM(BPF_REG_0, 0),
5286                         BPF_EXIT_INSN(),
5287                 },
5288                 .result = ACCEPT,
5289                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5290         },
5291         {
5292                 "direct packet read test#3 for CGROUP_SKB",
5293                 .insns = {
5294                         BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5295                                     offsetof(struct __sk_buff, cb[0])),
5296                         BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5297                                     offsetof(struct __sk_buff, cb[1])),
5298                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5299                                     offsetof(struct __sk_buff, cb[2])),
5300                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5301                                     offsetof(struct __sk_buff, cb[3])),
5302                         BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5303                                     offsetof(struct __sk_buff, cb[4])),
5304                         BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5305                                     offsetof(struct __sk_buff, napi_id)),
5306                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_4,
5307                                     offsetof(struct __sk_buff, cb[0])),
5308                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_5,
5309                                     offsetof(struct __sk_buff, cb[1])),
5310                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_6,
5311                                     offsetof(struct __sk_buff, cb[2])),
5312                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_7,
5313                                     offsetof(struct __sk_buff, cb[3])),
5314                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_8,
5315                                     offsetof(struct __sk_buff, cb[4])),
5316                         BPF_MOV64_IMM(BPF_REG_0, 0),
5317                         BPF_EXIT_INSN(),
5318                 },
5319                 .result = ACCEPT,
5320                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5321         },
5322         {
5323                 "direct packet read test#4 for CGROUP_SKB",
5324                 .insns = {
5325                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5326                                     offsetof(struct __sk_buff, family)),
5327                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5328                                     offsetof(struct __sk_buff, remote_ip4)),
5329                         BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
5330                                     offsetof(struct __sk_buff, local_ip4)),
5331                         BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5332                                     offsetof(struct __sk_buff, remote_ip6[0])),
5333                         BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5334                                     offsetof(struct __sk_buff, remote_ip6[1])),
5335                         BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5336                                     offsetof(struct __sk_buff, remote_ip6[2])),
5337                         BPF_LDX_MEM(BPF_W, BPF_REG_5, BPF_REG_1,
5338                                     offsetof(struct __sk_buff, remote_ip6[3])),
5339                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5340                                     offsetof(struct __sk_buff, local_ip6[0])),
5341                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5342                                     offsetof(struct __sk_buff, local_ip6[1])),
5343                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5344                                     offsetof(struct __sk_buff, local_ip6[2])),
5345                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
5346                                     offsetof(struct __sk_buff, local_ip6[3])),
5347                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
5348                                     offsetof(struct __sk_buff, remote_port)),
5349                         BPF_LDX_MEM(BPF_W, BPF_REG_8, BPF_REG_1,
5350                                     offsetof(struct __sk_buff, local_port)),
5351                         BPF_MOV64_IMM(BPF_REG_0, 0),
5352                         BPF_EXIT_INSN(),
5353                 },
5354                 .result = ACCEPT,
5355                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5356         },
5357         {
5358                 "invalid access of tc_classid for CGROUP_SKB",
5359                 .insns = {
5360                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5361                                     offsetof(struct __sk_buff, tc_classid)),
5362                         BPF_MOV64_IMM(BPF_REG_0, 0),
5363                         BPF_EXIT_INSN(),
5364                 },
5365                 .result = REJECT,
5366                 .errstr = "invalid bpf_context access",
5367                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5368         },
5369         {
5370                 "invalid access of data_meta for CGROUP_SKB",
5371                 .insns = {
5372                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5373                                     offsetof(struct __sk_buff, data_meta)),
5374                         BPF_MOV64_IMM(BPF_REG_0, 0),
5375                         BPF_EXIT_INSN(),
5376                 },
5377                 .result = REJECT,
5378                 .errstr = "invalid bpf_context access",
5379                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5380         },
5381         {
5382                 "invalid access of flow_keys for CGROUP_SKB",
5383                 .insns = {
5384                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5385                                     offsetof(struct __sk_buff, flow_keys)),
5386                         BPF_MOV64_IMM(BPF_REG_0, 0),
5387                         BPF_EXIT_INSN(),
5388                 },
5389                 .result = REJECT,
5390                 .errstr = "invalid bpf_context access",
5391                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5392         },
5393         {
5394                 "invalid write access to napi_id for CGROUP_SKB",
5395                 .insns = {
5396                         BPF_LDX_MEM(BPF_W, BPF_REG_9, BPF_REG_1,
5397                                     offsetof(struct __sk_buff, napi_id)),
5398                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_9,
5399                                     offsetof(struct __sk_buff, napi_id)),
5400                         BPF_MOV64_IMM(BPF_REG_0, 0),
5401                         BPF_EXIT_INSN(),
5402                 },
5403                 .result = REJECT,
5404                 .errstr = "invalid bpf_context access",
5405                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5406         },
5407         {
5408                 "valid cgroup storage access",
5409                 .insns = {
5410                         BPF_MOV64_IMM(BPF_REG_2, 0),
5411                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5412                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5413                                      BPF_FUNC_get_local_storage),
5414                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5415                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5416                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5417                         BPF_EXIT_INSN(),
5418                 },
5419                 .fixup_cgroup_storage = { 1 },
5420                 .result = ACCEPT,
5421                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5422         },
5423         {
5424                 "invalid cgroup storage access 1",
5425                 .insns = {
5426                         BPF_MOV64_IMM(BPF_REG_2, 0),
5427                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5428                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5429                                      BPF_FUNC_get_local_storage),
5430                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5431                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5432                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5433                         BPF_EXIT_INSN(),
5434                 },
5435                 .fixup_map_hash_8b = { 1 },
5436                 .result = REJECT,
5437                 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5438                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5439         },
5440         {
5441                 "invalid cgroup storage access 2",
5442                 .insns = {
5443                         BPF_MOV64_IMM(BPF_REG_2, 0),
5444                         BPF_LD_MAP_FD(BPF_REG_1, 1),
5445                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5446                                      BPF_FUNC_get_local_storage),
5447                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5448                         BPF_EXIT_INSN(),
5449                 },
5450                 .result = REJECT,
5451                 .errstr = "fd 1 is not pointing to valid bpf_map",
5452                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5453         },
5454         {
5455                 "invalid cgroup storage access 3",
5456                 .insns = {
5457                         BPF_MOV64_IMM(BPF_REG_2, 0),
5458                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5459                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5460                                      BPF_FUNC_get_local_storage),
5461                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5462                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5463                         BPF_MOV64_IMM(BPF_REG_0, 0),
5464                         BPF_EXIT_INSN(),
5465                 },
5466                 .fixup_cgroup_storage = { 1 },
5467                 .result = REJECT,
5468                 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
5469                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5470         },
5471         {
5472                 "invalid cgroup storage access 4",
5473                 .insns = {
5474                         BPF_MOV64_IMM(BPF_REG_2, 0),
5475                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5476                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5477                                      BPF_FUNC_get_local_storage),
5478                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5479                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5480                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5481                         BPF_EXIT_INSN(),
5482                 },
5483                 .fixup_cgroup_storage = { 1 },
5484                 .result = REJECT,
5485                 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5486                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5487                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5488         },
5489         {
5490                 "invalid cgroup storage access 5",
5491                 .insns = {
5492                         BPF_MOV64_IMM(BPF_REG_2, 7),
5493                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5494                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5495                                      BPF_FUNC_get_local_storage),
5496                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5497                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5498                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5499                         BPF_EXIT_INSN(),
5500                 },
5501                 .fixup_cgroup_storage = { 1 },
5502                 .result = REJECT,
5503                 .errstr = "get_local_storage() doesn't support non-zero flags",
5504                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5505         },
5506         {
5507                 "invalid cgroup storage access 6",
5508                 .insns = {
5509                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5510                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5511                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5512                                      BPF_FUNC_get_local_storage),
5513                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5514                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5515                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5516                         BPF_EXIT_INSN(),
5517                 },
5518                 .fixup_cgroup_storage = { 1 },
5519                 .result = REJECT,
5520                 .errstr = "get_local_storage() doesn't support non-zero flags",
5521                 .errstr_unpriv = "R2 leaks addr into helper function",
5522                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5523         },
5524         {
5525                 "valid per-cpu cgroup storage access",
5526                 .insns = {
5527                         BPF_MOV64_IMM(BPF_REG_2, 0),
5528                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5529                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5530                                      BPF_FUNC_get_local_storage),
5531                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5532                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5533                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5534                         BPF_EXIT_INSN(),
5535                 },
5536                 .fixup_percpu_cgroup_storage = { 1 },
5537                 .result = ACCEPT,
5538                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5539         },
5540         {
5541                 "invalid per-cpu cgroup storage access 1",
5542                 .insns = {
5543                         BPF_MOV64_IMM(BPF_REG_2, 0),
5544                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5545                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5546                                      BPF_FUNC_get_local_storage),
5547                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5548                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5549                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5550                         BPF_EXIT_INSN(),
5551                 },
5552                 .fixup_map_hash_8b = { 1 },
5553                 .result = REJECT,
5554                 .errstr = "cannot pass map_type 1 into func bpf_get_local_storage",
5555                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5556         },
5557         {
5558                 "invalid per-cpu cgroup storage access 2",
5559                 .insns = {
5560                         BPF_MOV64_IMM(BPF_REG_2, 0),
5561                         BPF_LD_MAP_FD(BPF_REG_1, 1),
5562                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5563                                      BPF_FUNC_get_local_storage),
5564                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5565                         BPF_EXIT_INSN(),
5566                 },
5567                 .result = REJECT,
5568                 .errstr = "fd 1 is not pointing to valid bpf_map",
5569                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5570         },
5571         {
5572                 "invalid per-cpu cgroup storage access 3",
5573                 .insns = {
5574                         BPF_MOV64_IMM(BPF_REG_2, 0),
5575                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5576                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5577                                      BPF_FUNC_get_local_storage),
5578                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 256),
5579                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5580                         BPF_MOV64_IMM(BPF_REG_0, 0),
5581                         BPF_EXIT_INSN(),
5582                 },
5583                 .fixup_percpu_cgroup_storage = { 1 },
5584                 .result = REJECT,
5585                 .errstr = "invalid access to map value, value_size=64 off=256 size=4",
5586                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5587         },
5588         {
5589                 "invalid per-cpu cgroup storage access 4",
5590                 .insns = {
5591                         BPF_MOV64_IMM(BPF_REG_2, 0),
5592                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5593                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5594                                      BPF_FUNC_get_local_storage),
5595                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, -2),
5596                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5597                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5598                         BPF_EXIT_INSN(),
5599                 },
5600                 .fixup_cgroup_storage = { 1 },
5601                 .result = REJECT,
5602                 .errstr = "invalid access to map value, value_size=64 off=-2 size=4",
5603                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5604                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5605         },
5606         {
5607                 "invalid per-cpu cgroup storage access 5",
5608                 .insns = {
5609                         BPF_MOV64_IMM(BPF_REG_2, 7),
5610                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5611                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5612                                      BPF_FUNC_get_local_storage),
5613                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5614                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5615                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5616                         BPF_EXIT_INSN(),
5617                 },
5618                 .fixup_percpu_cgroup_storage = { 1 },
5619                 .result = REJECT,
5620                 .errstr = "get_local_storage() doesn't support non-zero flags",
5621                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5622         },
5623         {
5624                 "invalid per-cpu cgroup storage access 6",
5625                 .insns = {
5626                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
5627                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5628                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5629                                      BPF_FUNC_get_local_storage),
5630                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5631                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
5632                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 1),
5633                         BPF_EXIT_INSN(),
5634                 },
5635                 .fixup_percpu_cgroup_storage = { 1 },
5636                 .result = REJECT,
5637                 .errstr = "get_local_storage() doesn't support non-zero flags",
5638                 .errstr_unpriv = "R2 leaks addr into helper function",
5639                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5640         },
5641         {
5642                 "write tstamp from CGROUP_SKB",
5643                 .insns = {
5644                         BPF_MOV64_IMM(BPF_REG_0, 0),
5645                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
5646                                     offsetof(struct __sk_buff, tstamp)),
5647                         BPF_MOV64_IMM(BPF_REG_0, 0),
5648                         BPF_EXIT_INSN(),
5649                 },
5650                 .result = ACCEPT,
5651                 .result_unpriv = REJECT,
5652                 .errstr_unpriv = "invalid bpf_context access off=152 size=8",
5653                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5654         },
5655         {
5656                 "read tstamp from CGROUP_SKB",
5657                 .insns = {
5658                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
5659                                     offsetof(struct __sk_buff, tstamp)),
5660                         BPF_MOV64_IMM(BPF_REG_0, 0),
5661                         BPF_EXIT_INSN(),
5662                 },
5663                 .result = ACCEPT,
5664                 .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
5665         },
5666         {
5667                 "multiple registers share map_lookup_elem result",
5668                 .insns = {
5669                         BPF_MOV64_IMM(BPF_REG_1, 10),
5670                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5671                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5672                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5673                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5674                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5675                                      BPF_FUNC_map_lookup_elem),
5676                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5677                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5678                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5679                         BPF_EXIT_INSN(),
5680                 },
5681                 .fixup_map_hash_8b = { 4 },
5682                 .result = ACCEPT,
5683                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5684         },
5685         {
5686                 "alu ops on ptr_to_map_value_or_null, 1",
5687                 .insns = {
5688                         BPF_MOV64_IMM(BPF_REG_1, 10),
5689                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5690                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5691                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5692                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5693                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5694                                      BPF_FUNC_map_lookup_elem),
5695                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5696                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
5697                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
5698                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5699                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5700                         BPF_EXIT_INSN(),
5701                 },
5702                 .fixup_map_hash_8b = { 4 },
5703                 .errstr = "R4 pointer arithmetic on map_value_or_null",
5704                 .result = REJECT,
5705                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5706         },
5707         {
5708                 "alu ops on ptr_to_map_value_or_null, 2",
5709                 .insns = {
5710                         BPF_MOV64_IMM(BPF_REG_1, 10),
5711                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5712                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5713                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5714                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5715                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5716                                      BPF_FUNC_map_lookup_elem),
5717                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5718                         BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
5719                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5720                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5721                         BPF_EXIT_INSN(),
5722                 },
5723                 .fixup_map_hash_8b = { 4 },
5724                 .errstr = "R4 pointer arithmetic on map_value_or_null",
5725                 .result = REJECT,
5726                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5727         },
5728         {
5729                 "alu ops on ptr_to_map_value_or_null, 3",
5730                 .insns = {
5731                         BPF_MOV64_IMM(BPF_REG_1, 10),
5732                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5733                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5734                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5735                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5736                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5737                                      BPF_FUNC_map_lookup_elem),
5738                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5739                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
5740                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5741                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5742                         BPF_EXIT_INSN(),
5743                 },
5744                 .fixup_map_hash_8b = { 4 },
5745                 .errstr = "R4 pointer arithmetic on map_value_or_null",
5746                 .result = REJECT,
5747                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5748         },
5749         {
5750                 "invalid memory access with multiple map_lookup_elem calls",
5751                 .insns = {
5752                         BPF_MOV64_IMM(BPF_REG_1, 10),
5753                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5754                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5755                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5756                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5757                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5758                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5759                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5760                                      BPF_FUNC_map_lookup_elem),
5761                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5762                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5763                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5764                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5765                                      BPF_FUNC_map_lookup_elem),
5766                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5767                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5768                         BPF_EXIT_INSN(),
5769                 },
5770                 .fixup_map_hash_8b = { 4 },
5771                 .result = REJECT,
5772                 .errstr = "R4 !read_ok",
5773                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5774         },
5775         {
5776                 "valid indirect map_lookup_elem access with 2nd lookup in branch",
5777                 .insns = {
5778                         BPF_MOV64_IMM(BPF_REG_1, 10),
5779                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
5780                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5781                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5782                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5783                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
5784                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
5785                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5786                                      BPF_FUNC_map_lookup_elem),
5787                         BPF_MOV64_IMM(BPF_REG_2, 10),
5788                         BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
5789                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
5790                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
5791                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
5792                                      BPF_FUNC_map_lookup_elem),
5793                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
5794                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
5795                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
5796                         BPF_EXIT_INSN(),
5797                 },
5798                 .fixup_map_hash_8b = { 4 },
5799                 .result = ACCEPT,
5800                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
5801         },
5802         {
5803                 "invalid map access from else condition",
5804                 .insns = {
5805                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
5806                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5807                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5808                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5809                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
5810                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5811                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
5812                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
5813                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
5814                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
5815                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
5816                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
5817                         BPF_EXIT_INSN(),
5818                 },
5819                 .fixup_map_hash_48b = { 3 },
5820                 .errstr = "R0 unbounded memory access",
5821                 .result = REJECT,
5822                 .errstr_unpriv = "R0 leaks addr",
5823                 .result_unpriv = REJECT,
5824                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
5825         },
5826         {
5827                 "constant register |= constant should keep constant type",
5828                 .insns = {
5829                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5830                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5831                         BPF_MOV64_IMM(BPF_REG_2, 34),
5832                         BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
5833                         BPF_MOV64_IMM(BPF_REG_3, 0),
5834                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5835                         BPF_EXIT_INSN(),
5836                 },
5837                 .result = ACCEPT,
5838                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5839         },
5840         {
5841                 "constant register |= constant should not bypass stack boundary checks",
5842                 .insns = {
5843                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5844                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5845                         BPF_MOV64_IMM(BPF_REG_2, 34),
5846                         BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
5847                         BPF_MOV64_IMM(BPF_REG_3, 0),
5848                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5849                         BPF_EXIT_INSN(),
5850                 },
5851                 .errstr = "invalid stack type R1 off=-48 access_size=58",
5852                 .result = REJECT,
5853                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5854         },
5855         {
5856                 "constant register |= constant register should keep constant type",
5857                 .insns = {
5858                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5859                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5860                         BPF_MOV64_IMM(BPF_REG_2, 34),
5861                         BPF_MOV64_IMM(BPF_REG_4, 13),
5862                         BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5863                         BPF_MOV64_IMM(BPF_REG_3, 0),
5864                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5865                         BPF_EXIT_INSN(),
5866                 },
5867                 .result = ACCEPT,
5868                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5869         },
5870         {
5871                 "constant register |= constant register should not bypass stack boundary checks",
5872                 .insns = {
5873                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
5874                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
5875                         BPF_MOV64_IMM(BPF_REG_2, 34),
5876                         BPF_MOV64_IMM(BPF_REG_4, 24),
5877                         BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
5878                         BPF_MOV64_IMM(BPF_REG_3, 0),
5879                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5880                         BPF_EXIT_INSN(),
5881                 },
5882                 .errstr = "invalid stack type R1 off=-48 access_size=58",
5883                 .result = REJECT,
5884                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5885         },
5886         {
5887                 "invalid direct packet write for LWT_IN",
5888                 .insns = {
5889                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5890                                     offsetof(struct __sk_buff, data)),
5891                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5892                                     offsetof(struct __sk_buff, data_end)),
5893                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5894                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5895                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5896                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5897                         BPF_MOV64_IMM(BPF_REG_0, 0),
5898                         BPF_EXIT_INSN(),
5899                 },
5900                 .errstr = "cannot write into packet",
5901                 .result = REJECT,
5902                 .prog_type = BPF_PROG_TYPE_LWT_IN,
5903         },
5904         {
5905                 "invalid direct packet write for LWT_OUT",
5906                 .insns = {
5907                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5908                                     offsetof(struct __sk_buff, data)),
5909                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5910                                     offsetof(struct __sk_buff, data_end)),
5911                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5912                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5913                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5914                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5915                         BPF_MOV64_IMM(BPF_REG_0, 0),
5916                         BPF_EXIT_INSN(),
5917                 },
5918                 .errstr = "cannot write into packet",
5919                 .result = REJECT,
5920                 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5921         },
5922         {
5923                 "direct packet write for LWT_XMIT",
5924                 .insns = {
5925                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5926                                     offsetof(struct __sk_buff, data)),
5927                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5928                                     offsetof(struct __sk_buff, data_end)),
5929                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5930                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5931                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5932                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
5933                         BPF_MOV64_IMM(BPF_REG_0, 0),
5934                         BPF_EXIT_INSN(),
5935                 },
5936                 .result = ACCEPT,
5937                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5938         },
5939         {
5940                 "direct packet read for LWT_IN",
5941                 .insns = {
5942                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5943                                     offsetof(struct __sk_buff, data)),
5944                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5945                                     offsetof(struct __sk_buff, data_end)),
5946                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5947                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5948                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5949                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5950                         BPF_MOV64_IMM(BPF_REG_0, 0),
5951                         BPF_EXIT_INSN(),
5952                 },
5953                 .result = ACCEPT,
5954                 .prog_type = BPF_PROG_TYPE_LWT_IN,
5955         },
5956         {
5957                 "direct packet read for LWT_OUT",
5958                 .insns = {
5959                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5960                                     offsetof(struct __sk_buff, data)),
5961                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5962                                     offsetof(struct __sk_buff, data_end)),
5963                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5964                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5965                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5966                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5967                         BPF_MOV64_IMM(BPF_REG_0, 0),
5968                         BPF_EXIT_INSN(),
5969                 },
5970                 .result = ACCEPT,
5971                 .prog_type = BPF_PROG_TYPE_LWT_OUT,
5972         },
5973         {
5974                 "direct packet read for LWT_XMIT",
5975                 .insns = {
5976                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5977                                     offsetof(struct __sk_buff, data)),
5978                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5979                                     offsetof(struct __sk_buff, data_end)),
5980                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5981                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5982                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
5983                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
5984                         BPF_MOV64_IMM(BPF_REG_0, 0),
5985                         BPF_EXIT_INSN(),
5986                 },
5987                 .result = ACCEPT,
5988                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
5989         },
5990         {
5991                 "overlapping checks for direct packet access",
5992                 .insns = {
5993                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
5994                                     offsetof(struct __sk_buff, data)),
5995                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
5996                                     offsetof(struct __sk_buff, data_end)),
5997                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
5998                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
5999                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
6000                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
6001                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
6002                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
6003                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
6004                         BPF_MOV64_IMM(BPF_REG_0, 0),
6005                         BPF_EXIT_INSN(),
6006                 },
6007                 .result = ACCEPT,
6008                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
6009         },
6010         {
6011                 "make headroom for LWT_XMIT",
6012                 .insns = {
6013                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6014                         BPF_MOV64_IMM(BPF_REG_2, 34),
6015                         BPF_MOV64_IMM(BPF_REG_3, 0),
6016                         BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
6017                         /* split for s390 to succeed */
6018                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
6019                         BPF_MOV64_IMM(BPF_REG_2, 42),
6020                         BPF_MOV64_IMM(BPF_REG_3, 0),
6021                         BPF_EMIT_CALL(BPF_FUNC_skb_change_head),
6022                         BPF_MOV64_IMM(BPF_REG_0, 0),
6023                         BPF_EXIT_INSN(),
6024                 },
6025                 .result = ACCEPT,
6026                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
6027         },
6028         {
6029                 "invalid access of tc_classid for LWT_IN",
6030                 .insns = {
6031                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6032                                     offsetof(struct __sk_buff, tc_classid)),
6033                         BPF_EXIT_INSN(),
6034                 },
6035                 .result = REJECT,
6036                 .errstr = "invalid bpf_context access",
6037         },
6038         {
6039                 "invalid access of tc_classid for LWT_OUT",
6040                 .insns = {
6041                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6042                                     offsetof(struct __sk_buff, tc_classid)),
6043                         BPF_EXIT_INSN(),
6044                 },
6045                 .result = REJECT,
6046                 .errstr = "invalid bpf_context access",
6047         },
6048         {
6049                 "invalid access of tc_classid for LWT_XMIT",
6050                 .insns = {
6051                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
6052                                     offsetof(struct __sk_buff, tc_classid)),
6053                         BPF_EXIT_INSN(),
6054                 },
6055                 .result = REJECT,
6056                 .errstr = "invalid bpf_context access",
6057         },
6058         {
6059                 "leak pointer into ctx 1",
6060                 .insns = {
6061                         BPF_MOV64_IMM(BPF_REG_0, 0),
6062                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
6063                                     offsetof(struct __sk_buff, cb[0])),
6064                         BPF_LD_MAP_FD(BPF_REG_2, 0),
6065                         BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
6066                                       offsetof(struct __sk_buff, cb[0])),
6067                         BPF_EXIT_INSN(),
6068                 },
6069                 .fixup_map_hash_8b = { 2 },
6070                 .errstr_unpriv = "R2 leaks addr into mem",
6071                 .result_unpriv = REJECT,
6072                 .result = REJECT,
6073                 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
6074         },
6075         {
6076                 "leak pointer into ctx 2",
6077                 .insns = {
6078                         BPF_MOV64_IMM(BPF_REG_0, 0),
6079                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
6080                                     offsetof(struct __sk_buff, cb[0])),
6081                         BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
6082                                       offsetof(struct __sk_buff, cb[0])),
6083                         BPF_EXIT_INSN(),
6084                 },
6085                 .errstr_unpriv = "R10 leaks addr into mem",
6086                 .result_unpriv = REJECT,
6087                 .result = REJECT,
6088                 .errstr = "BPF_XADD stores into R1 ctx is not allowed",
6089         },
6090         {
6091                 "leak pointer into ctx 3",
6092                 .insns = {
6093                         BPF_MOV64_IMM(BPF_REG_0, 0),
6094                         BPF_LD_MAP_FD(BPF_REG_2, 0),
6095                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
6096                                       offsetof(struct __sk_buff, cb[0])),
6097                         BPF_EXIT_INSN(),
6098                 },
6099                 .fixup_map_hash_8b = { 1 },
6100                 .errstr_unpriv = "R2 leaks addr into ctx",
6101                 .result_unpriv = REJECT,
6102                 .result = ACCEPT,
6103         },
6104         {
6105                 "leak pointer into map val",
6106                 .insns = {
6107                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
6108                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
6109                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6110                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6111                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6112                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
6113                                      BPF_FUNC_map_lookup_elem),
6114                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6115                         BPF_MOV64_IMM(BPF_REG_3, 0),
6116                         BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
6117                         BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
6118                         BPF_MOV64_IMM(BPF_REG_0, 0),
6119                         BPF_EXIT_INSN(),
6120                 },
6121                 .fixup_map_hash_8b = { 4 },
6122                 .errstr_unpriv = "R6 leaks addr into mem",
6123                 .result_unpriv = REJECT,
6124                 .result = ACCEPT,
6125         },
6126         {
6127                 "helper access to map: full range",
6128                 .insns = {
6129                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6130                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6131                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6132                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6133                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6134                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6135                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6136                         BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
6137                         BPF_MOV64_IMM(BPF_REG_3, 0),
6138                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
6139                         BPF_EXIT_INSN(),
6140                 },
6141                 .fixup_map_hash_48b = { 3 },
6142                 .result = ACCEPT,
6143                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6144         },
6145         {
6146                 "helper access to map: partial range",
6147                 .insns = {
6148                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6149                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6150                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6151                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6152                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6153                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6154                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6155                         BPF_MOV64_IMM(BPF_REG_2, 8),
6156                         BPF_MOV64_IMM(BPF_REG_3, 0),
6157                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
6158                         BPF_EXIT_INSN(),
6159                 },
6160                 .fixup_map_hash_48b = { 3 },
6161                 .result = ACCEPT,
6162                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6163         },
6164         {
6165                 "helper access to map: empty range",
6166                 .insns = {
6167                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6168                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6169                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6170                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6171                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6172                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
6173                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6174                         BPF_MOV64_IMM(BPF_REG_2, 0),
6175                         BPF_EMIT_CALL(BPF_FUNC_trace_printk),
6176                         BPF_EXIT_INSN(),
6177                 },
6178                 .fixup_map_hash_48b = { 3 },
6179                 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
6180                 .result = REJECT,
6181                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6182         },
6183         {
6184                 "helper access to map: out-of-bound range",
6185                 .insns = {
6186                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6187                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6188                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6189                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6190                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6191                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6192                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6193                         BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
6194                         BPF_MOV64_IMM(BPF_REG_3, 0),
6195                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
6196                         BPF_EXIT_INSN(),
6197                 },
6198                 .fixup_map_hash_48b = { 3 },
6199                 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
6200                 .result = REJECT,
6201                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6202         },
6203         {
6204                 "helper access to map: negative range",
6205                 .insns = {
6206                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6207                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6208                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6209                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6210                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6211                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6212                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6213                         BPF_MOV64_IMM(BPF_REG_2, -8),
6214                         BPF_MOV64_IMM(BPF_REG_3, 0),
6215                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
6216                         BPF_EXIT_INSN(),
6217                 },
6218                 .fixup_map_hash_48b = { 3 },
6219                 .errstr = "R2 min value is negative",
6220                 .result = REJECT,
6221                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6222         },
6223         {
6224                 "helper access to adjusted map (via const imm): full range",
6225                 .insns = {
6226                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6227                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6228                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6229                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6230                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6231                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6232                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6233                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6234                                 offsetof(struct test_val, foo)),
6235                         BPF_MOV64_IMM(BPF_REG_2,
6236                                 sizeof(struct test_val) -
6237                                 offsetof(struct test_val, foo)),
6238                         BPF_MOV64_IMM(BPF_REG_3, 0),
6239                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
6240                         BPF_EXIT_INSN(),
6241                 },
6242                 .fixup_map_hash_48b = { 3 },
6243                 .result = ACCEPT,
6244                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6245         },
6246         {
6247                 "helper access to adjusted map (via const imm): partial range",
6248                 .insns = {
6249                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6250                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6251                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6252                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6253                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6254                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
6255                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6256                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
6257                                 offsetof(struct test_val, foo)),
6258                         BPF_MOV64_IMM(BPF_REG_2, 8),
6259                         BPF_MOV64_IMM(BPF_REG_3, 0),
6260                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
6261                         BPF_EXIT_INSN(),
6262                 },
6263                 .fixup_map_hash_48b = { 3 },
6264                 .result = ACCEPT,
6265                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
6266         },
6267         {
6268                 "helper access to adjusted map (via const imm): empty range",
6269                 .insns = {
6270                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
6271                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6272                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
6273                         BPF_LD_MAP_FD(BPF_REG_1, 0),
6274                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
6275                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
6276                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
6277                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,