~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/tools/testing/selftests/bpf/test_verifier.c

Version: ~ [ linux-5.15-rc6 ] ~ [ linux-5.14.14 ] ~ [ linux-5.13.19 ] ~ [ linux-5.12.19 ] ~ [ linux-5.11.22 ] ~ [ linux-5.10.75 ] ~ [ linux-5.9.16 ] ~ [ linux-5.8.18 ] ~ [ linux-5.7.19 ] ~ [ linux-5.6.19 ] ~ [ linux-5.5.19 ] ~ [ linux-5.4.155 ] ~ [ linux-5.3.18 ] ~ [ linux-5.2.21 ] ~ [ linux-5.1.21 ] ~ [ linux-5.0.21 ] ~ [ linux-4.20.17 ] ~ [ linux-4.19.213 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.252 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.287 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.289 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.18.140 ] ~ [ linux-3.16.85 ] ~ [ linux-3.14.79 ] ~ [ linux-3.12.74 ] ~ [ linux-3.10.108 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * Testsuite for eBPF verifier
  3  *
  4  * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
  5  *
  6  * This program is free software; you can redistribute it and/or
  7  * modify it under the terms of version 2 of the GNU General Public
  8  * License as published by the Free Software Foundation.
  9  */
 10 
 11 #include <asm/types.h>
 12 #include <linux/types.h>
 13 #include <stdint.h>
 14 #include <stdio.h>
 15 #include <stdlib.h>
 16 #include <unistd.h>
 17 #include <errno.h>
 18 #include <string.h>
 19 #include <stddef.h>
 20 #include <stdbool.h>
 21 #include <sched.h>
 22 
 23 #include <sys/capability.h>
 24 #include <sys/resource.h>
 25 
 26 #include <linux/unistd.h>
 27 #include <linux/filter.h>
 28 #include <linux/bpf_perf_event.h>
 29 #include <linux/bpf.h>
 30 
 31 #include <bpf/bpf.h>
 32 
 33 #ifdef HAVE_GENHDR
 34 # include "autoconf.h"
 35 #else
 36 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
 37 #  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
 38 # endif
 39 #endif
 40 
 41 #include "../../../include/linux/filter.h"
 42 
 43 #ifndef ARRAY_SIZE
 44 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
 45 #endif
 46 
 47 #define MAX_INSNS       512
 48 #define MAX_FIXUPS      8
 49 
 50 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS      (1 << 0)
 51 
 52 struct bpf_test {
 53         const char *descr;
 54         struct bpf_insn insns[MAX_INSNS];
 55         int fixup_map1[MAX_FIXUPS];
 56         int fixup_map2[MAX_FIXUPS];
 57         int fixup_prog[MAX_FIXUPS];
 58         const char *errstr;
 59         const char *errstr_unpriv;
 60         enum {
 61                 UNDEF,
 62                 ACCEPT,
 63                 REJECT
 64         } result, result_unpriv;
 65         enum bpf_prog_type prog_type;
 66         uint8_t flags;
 67 };
 68 
 69 /* Note we want this to be 64 bit aligned so that the end of our array is
 70  * actually the end of the structure.
 71  */
 72 #define MAX_ENTRIES 11
 73 
 74 struct test_val {
 75         unsigned int index;
 76         int foo[MAX_ENTRIES];
 77 };
 78 
 79 static struct bpf_test tests[] = {
 80         {
 81                 "add+sub+mul",
 82                 .insns = {
 83                         BPF_MOV64_IMM(BPF_REG_1, 1),
 84                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
 85                         BPF_MOV64_IMM(BPF_REG_2, 3),
 86                         BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
 87                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
 88                         BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
 89                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
 90                         BPF_EXIT_INSN(),
 91                 },
 92                 .result = ACCEPT,
 93         },
 94         {
 95                 "unreachable",
 96                 .insns = {
 97                         BPF_EXIT_INSN(),
 98                         BPF_EXIT_INSN(),
 99                 },
100                 .errstr = "unreachable",
101                 .result = REJECT,
102         },
103         {
104                 "unreachable2",
105                 .insns = {
106                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
107                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
108                         BPF_EXIT_INSN(),
109                 },
110                 .errstr = "unreachable",
111                 .result = REJECT,
112         },
113         {
114                 "out of range jump",
115                 .insns = {
116                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
117                         BPF_EXIT_INSN(),
118                 },
119                 .errstr = "jump out of range",
120                 .result = REJECT,
121         },
122         {
123                 "out of range jump2",
124                 .insns = {
125                         BPF_JMP_IMM(BPF_JA, 0, 0, -2),
126                         BPF_EXIT_INSN(),
127                 },
128                 .errstr = "jump out of range",
129                 .result = REJECT,
130         },
131         {
132                 "test1 ld_imm64",
133                 .insns = {
134                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
135                         BPF_LD_IMM64(BPF_REG_0, 0),
136                         BPF_LD_IMM64(BPF_REG_0, 0),
137                         BPF_LD_IMM64(BPF_REG_0, 1),
138                         BPF_LD_IMM64(BPF_REG_0, 1),
139                         BPF_MOV64_IMM(BPF_REG_0, 2),
140                         BPF_EXIT_INSN(),
141                 },
142                 .errstr = "invalid BPF_LD_IMM insn",
143                 .errstr_unpriv = "R1 pointer comparison",
144                 .result = REJECT,
145         },
146         {
147                 "test2 ld_imm64",
148                 .insns = {
149                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
150                         BPF_LD_IMM64(BPF_REG_0, 0),
151                         BPF_LD_IMM64(BPF_REG_0, 0),
152                         BPF_LD_IMM64(BPF_REG_0, 1),
153                         BPF_LD_IMM64(BPF_REG_0, 1),
154                         BPF_EXIT_INSN(),
155                 },
156                 .errstr = "invalid BPF_LD_IMM insn",
157                 .errstr_unpriv = "R1 pointer comparison",
158                 .result = REJECT,
159         },
160         {
161                 "test3 ld_imm64",
162                 .insns = {
163                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
164                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
165                         BPF_LD_IMM64(BPF_REG_0, 0),
166                         BPF_LD_IMM64(BPF_REG_0, 0),
167                         BPF_LD_IMM64(BPF_REG_0, 1),
168                         BPF_LD_IMM64(BPF_REG_0, 1),
169                         BPF_EXIT_INSN(),
170                 },
171                 .errstr = "invalid bpf_ld_imm64 insn",
172                 .result = REJECT,
173         },
174         {
175                 "test4 ld_imm64",
176                 .insns = {
177                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
178                         BPF_EXIT_INSN(),
179                 },
180                 .errstr = "invalid bpf_ld_imm64 insn",
181                 .result = REJECT,
182         },
183         {
184                 "test5 ld_imm64",
185                 .insns = {
186                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
187                 },
188                 .errstr = "invalid bpf_ld_imm64 insn",
189                 .result = REJECT,
190         },
191         {
192                 "no bpf_exit",
193                 .insns = {
194                         BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
195                 },
196                 .errstr = "jump out of range",
197                 .result = REJECT,
198         },
199         {
200                 "loop (back-edge)",
201                 .insns = {
202                         BPF_JMP_IMM(BPF_JA, 0, 0, -1),
203                         BPF_EXIT_INSN(),
204                 },
205                 .errstr = "back-edge",
206                 .result = REJECT,
207         },
208         {
209                 "loop2 (back-edge)",
210                 .insns = {
211                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
212                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
213                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
214                         BPF_JMP_IMM(BPF_JA, 0, 0, -4),
215                         BPF_EXIT_INSN(),
216                 },
217                 .errstr = "back-edge",
218                 .result = REJECT,
219         },
220         {
221                 "conditional loop",
222                 .insns = {
223                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
224                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
225                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
226                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
227                         BPF_EXIT_INSN(),
228                 },
229                 .errstr = "back-edge",
230                 .result = REJECT,
231         },
232         {
233                 "read uninitialized register",
234                 .insns = {
235                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
236                         BPF_EXIT_INSN(),
237                 },
238                 .errstr = "R2 !read_ok",
239                 .result = REJECT,
240         },
241         {
242                 "read invalid register",
243                 .insns = {
244                         BPF_MOV64_REG(BPF_REG_0, -1),
245                         BPF_EXIT_INSN(),
246                 },
247                 .errstr = "R15 is invalid",
248                 .result = REJECT,
249         },
250         {
251                 "program doesn't init R0 before exit",
252                 .insns = {
253                         BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
254                         BPF_EXIT_INSN(),
255                 },
256                 .errstr = "R0 !read_ok",
257                 .result = REJECT,
258         },
259         {
260                 "program doesn't init R0 before exit in all branches",
261                 .insns = {
262                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
263                         BPF_MOV64_IMM(BPF_REG_0, 1),
264                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
265                         BPF_EXIT_INSN(),
266                 },
267                 .errstr = "R0 !read_ok",
268                 .errstr_unpriv = "R1 pointer comparison",
269                 .result = REJECT,
270         },
271         {
272                 "stack out of bounds",
273                 .insns = {
274                         BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
275                         BPF_EXIT_INSN(),
276                 },
277                 .errstr = "invalid stack",
278                 .result = REJECT,
279         },
280         {
281                 "invalid call insn1",
282                 .insns = {
283                         BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
284                         BPF_EXIT_INSN(),
285                 },
286                 .errstr = "BPF_CALL uses reserved",
287                 .result = REJECT,
288         },
289         {
290                 "invalid call insn2",
291                 .insns = {
292                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
293                         BPF_EXIT_INSN(),
294                 },
295                 .errstr = "BPF_CALL uses reserved",
296                 .result = REJECT,
297         },
298         {
299                 "invalid function call",
300                 .insns = {
301                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
302                         BPF_EXIT_INSN(),
303                 },
304                 .errstr = "invalid func unknown#1234567",
305                 .result = REJECT,
306         },
307         {
308                 "uninitialized stack1",
309                 .insns = {
310                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
311                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
312                         BPF_LD_MAP_FD(BPF_REG_1, 0),
313                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
314                                      BPF_FUNC_map_lookup_elem),
315                         BPF_EXIT_INSN(),
316                 },
317                 .fixup_map1 = { 2 },
318                 .errstr = "invalid indirect read from stack",
319                 .result = REJECT,
320         },
321         {
322                 "uninitialized stack2",
323                 .insns = {
324                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
325                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
326                         BPF_EXIT_INSN(),
327                 },
328                 .errstr = "invalid read from stack",
329                 .result = REJECT,
330         },
331         {
332                 "invalid argument register",
333                 .insns = {
334                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
335                                      BPF_FUNC_get_cgroup_classid),
336                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
337                                      BPF_FUNC_get_cgroup_classid),
338                         BPF_EXIT_INSN(),
339                 },
340                 .errstr = "R1 !read_ok",
341                 .result = REJECT,
342                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
343         },
344         {
345                 "non-invalid argument register",
346                 .insns = {
347                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
348                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
349                                      BPF_FUNC_get_cgroup_classid),
350                         BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
351                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
352                                      BPF_FUNC_get_cgroup_classid),
353                         BPF_EXIT_INSN(),
354                 },
355                 .result = ACCEPT,
356                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
357         },
358         {
359                 "check valid spill/fill",
360                 .insns = {
361                         /* spill R1(ctx) into stack */
362                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
363                         /* fill it back into R2 */
364                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
365                         /* should be able to access R0 = *(R2 + 8) */
366                         /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
367                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
368                         BPF_EXIT_INSN(),
369                 },
370                 .errstr_unpriv = "R0 leaks addr",
371                 .result = ACCEPT,
372                 .result_unpriv = REJECT,
373         },
374         {
375                 "check valid spill/fill, skb mark",
376                 .insns = {
377                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
378                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
379                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
380                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
381                                     offsetof(struct __sk_buff, mark)),
382                         BPF_EXIT_INSN(),
383                 },
384                 .result = ACCEPT,
385                 .result_unpriv = ACCEPT,
386         },
387         {
388                 "check corrupted spill/fill",
389                 .insns = {
390                         /* spill R1(ctx) into stack */
391                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
392                         /* mess up with R1 pointer on stack */
393                         BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
394                         /* fill back into R0 should fail */
395                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
396                         BPF_EXIT_INSN(),
397                 },
398                 .errstr_unpriv = "attempt to corrupt spilled",
399                 .errstr = "corrupted spill",
400                 .result = REJECT,
401         },
402         {
403                 "invalid src register in STX",
404                 .insns = {
405                         BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
406                         BPF_EXIT_INSN(),
407                 },
408                 .errstr = "R15 is invalid",
409                 .result = REJECT,
410         },
411         {
412                 "invalid dst register in STX",
413                 .insns = {
414                         BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
415                         BPF_EXIT_INSN(),
416                 },
417                 .errstr = "R14 is invalid",
418                 .result = REJECT,
419         },
420         {
421                 "invalid dst register in ST",
422                 .insns = {
423                         BPF_ST_MEM(BPF_B, 14, -1, -1),
424                         BPF_EXIT_INSN(),
425                 },
426                 .errstr = "R14 is invalid",
427                 .result = REJECT,
428         },
429         {
430                 "invalid src register in LDX",
431                 .insns = {
432                         BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
433                         BPF_EXIT_INSN(),
434                 },
435                 .errstr = "R12 is invalid",
436                 .result = REJECT,
437         },
438         {
439                 "invalid dst register in LDX",
440                 .insns = {
441                         BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
442                         BPF_EXIT_INSN(),
443                 },
444                 .errstr = "R11 is invalid",
445                 .result = REJECT,
446         },
447         {
448                 "junk insn",
449                 .insns = {
450                         BPF_RAW_INSN(0, 0, 0, 0, 0),
451                         BPF_EXIT_INSN(),
452                 },
453                 .errstr = "invalid BPF_LD_IMM",
454                 .result = REJECT,
455         },
456         {
457                 "junk insn2",
458                 .insns = {
459                         BPF_RAW_INSN(1, 0, 0, 0, 0),
460                         BPF_EXIT_INSN(),
461                 },
462                 .errstr = "BPF_LDX uses reserved fields",
463                 .result = REJECT,
464         },
465         {
466                 "junk insn3",
467                 .insns = {
468                         BPF_RAW_INSN(-1, 0, 0, 0, 0),
469                         BPF_EXIT_INSN(),
470                 },
471                 .errstr = "invalid BPF_ALU opcode f0",
472                 .result = REJECT,
473         },
474         {
475                 "junk insn4",
476                 .insns = {
477                         BPF_RAW_INSN(-1, -1, -1, -1, -1),
478                         BPF_EXIT_INSN(),
479                 },
480                 .errstr = "invalid BPF_ALU opcode f0",
481                 .result = REJECT,
482         },
483         {
484                 "junk insn5",
485                 .insns = {
486                         BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
487                         BPF_EXIT_INSN(),
488                 },
489                 .errstr = "BPF_ALU uses reserved fields",
490                 .result = REJECT,
491         },
492         {
493                 "misaligned read from stack",
494                 .insns = {
495                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
496                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
497                         BPF_EXIT_INSN(),
498                 },
499                 .errstr = "misaligned access",
500                 .result = REJECT,
501         },
502         {
503                 "invalid map_fd for function call",
504                 .insns = {
505                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
506                         BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
507                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
508                         BPF_LD_MAP_FD(BPF_REG_1, 0),
509                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
510                                      BPF_FUNC_map_delete_elem),
511                         BPF_EXIT_INSN(),
512                 },
513                 .errstr = "fd 0 is not pointing to valid bpf_map",
514                 .result = REJECT,
515         },
516         {
517                 "don't check return value before access",
518                 .insns = {
519                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
520                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
521                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
522                         BPF_LD_MAP_FD(BPF_REG_1, 0),
523                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
524                                      BPF_FUNC_map_lookup_elem),
525                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
526                         BPF_EXIT_INSN(),
527                 },
528                 .fixup_map1 = { 3 },
529                 .errstr = "R0 invalid mem access 'map_value_or_null'",
530                 .result = REJECT,
531         },
532         {
533                 "access memory with incorrect alignment",
534                 .insns = {
535                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
536                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
537                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
538                         BPF_LD_MAP_FD(BPF_REG_1, 0),
539                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
540                                      BPF_FUNC_map_lookup_elem),
541                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
542                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
543                         BPF_EXIT_INSN(),
544                 },
545                 .fixup_map1 = { 3 },
546                 .errstr = "misaligned access",
547                 .result = REJECT,
548         },
549         {
550                 "sometimes access memory with incorrect alignment",
551                 .insns = {
552                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
553                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
554                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
555                         BPF_LD_MAP_FD(BPF_REG_1, 0),
556                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
557                                      BPF_FUNC_map_lookup_elem),
558                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
559                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
560                         BPF_EXIT_INSN(),
561                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
562                         BPF_EXIT_INSN(),
563                 },
564                 .fixup_map1 = { 3 },
565                 .errstr = "R0 invalid mem access",
566                 .errstr_unpriv = "R0 leaks addr",
567                 .result = REJECT,
568         },
569         {
570                 "jump test 1",
571                 .insns = {
572                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
573                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
574                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
575                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
576                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
577                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
578                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
579                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
580                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
581                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
582                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
583                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
584                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
585                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
586                         BPF_MOV64_IMM(BPF_REG_0, 0),
587                         BPF_EXIT_INSN(),
588                 },
589                 .errstr_unpriv = "R1 pointer comparison",
590                 .result_unpriv = REJECT,
591                 .result = ACCEPT,
592         },
593         {
594                 "jump test 2",
595                 .insns = {
596                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
597                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
598                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
599                         BPF_JMP_IMM(BPF_JA, 0, 0, 14),
600                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
601                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
602                         BPF_JMP_IMM(BPF_JA, 0, 0, 11),
603                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
604                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
605                         BPF_JMP_IMM(BPF_JA, 0, 0, 8),
606                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
607                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
608                         BPF_JMP_IMM(BPF_JA, 0, 0, 5),
609                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
610                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
611                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
612                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
613                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
614                         BPF_MOV64_IMM(BPF_REG_0, 0),
615                         BPF_EXIT_INSN(),
616                 },
617                 .errstr_unpriv = "R1 pointer comparison",
618                 .result_unpriv = REJECT,
619                 .result = ACCEPT,
620         },
621         {
622                 "jump test 3",
623                 .insns = {
624                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
625                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
626                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
627                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
628                         BPF_JMP_IMM(BPF_JA, 0, 0, 19),
629                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
630                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
631                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
632                         BPF_JMP_IMM(BPF_JA, 0, 0, 15),
633                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
634                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
635                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
636                         BPF_JMP_IMM(BPF_JA, 0, 0, 11),
637                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
638                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
639                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
640                         BPF_JMP_IMM(BPF_JA, 0, 0, 7),
641                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
642                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
643                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
644                         BPF_JMP_IMM(BPF_JA, 0, 0, 3),
645                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
646                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
647                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
648                         BPF_LD_MAP_FD(BPF_REG_1, 0),
649                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
650                                      BPF_FUNC_map_delete_elem),
651                         BPF_EXIT_INSN(),
652                 },
653                 .fixup_map1 = { 24 },
654                 .errstr_unpriv = "R1 pointer comparison",
655                 .result_unpriv = REJECT,
656                 .result = ACCEPT,
657         },
658         {
659                 "jump test 4",
660                 .insns = {
661                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
662                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
663                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
664                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
665                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
666                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
667                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
668                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
669                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
670                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
671                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
672                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
673                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
674                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
675                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
676                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
677                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
678                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
679                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
680                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
681                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
682                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
683                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
684                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
685                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
686                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
687                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
688                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
689                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
690                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
691                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
692                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
693                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
694                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
695                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
696                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
697                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
698                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
699                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
700                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
701                         BPF_MOV64_IMM(BPF_REG_0, 0),
702                         BPF_EXIT_INSN(),
703                 },
704                 .errstr_unpriv = "R1 pointer comparison",
705                 .result_unpriv = REJECT,
706                 .result = ACCEPT,
707         },
708         {
709                 "jump test 5",
710                 .insns = {
711                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
712                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
713                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
714                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
715                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
716                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
717                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
718                         BPF_MOV64_IMM(BPF_REG_0, 0),
719                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
720                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
721                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
722                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
723                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
724                         BPF_MOV64_IMM(BPF_REG_0, 0),
725                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
726                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
727                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
728                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
729                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
730                         BPF_MOV64_IMM(BPF_REG_0, 0),
731                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
732                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
733                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
734                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
735                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
736                         BPF_MOV64_IMM(BPF_REG_0, 0),
737                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
738                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
739                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
740                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
741                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
742                         BPF_MOV64_IMM(BPF_REG_0, 0),
743                         BPF_EXIT_INSN(),
744                 },
745                 .errstr_unpriv = "R1 pointer comparison",
746                 .result_unpriv = REJECT,
747                 .result = ACCEPT,
748         },
749         {
750                 "access skb fields ok",
751                 .insns = {
752                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
753                                     offsetof(struct __sk_buff, len)),
754                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
755                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
756                                     offsetof(struct __sk_buff, mark)),
757                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
758                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
759                                     offsetof(struct __sk_buff, pkt_type)),
760                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
761                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
762                                     offsetof(struct __sk_buff, queue_mapping)),
763                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
764                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
765                                     offsetof(struct __sk_buff, protocol)),
766                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
767                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
768                                     offsetof(struct __sk_buff, vlan_present)),
769                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
770                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
771                                     offsetof(struct __sk_buff, vlan_tci)),
772                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
773                         BPF_EXIT_INSN(),
774                 },
775                 .result = ACCEPT,
776         },
777         {
778                 "access skb fields bad1",
779                 .insns = {
780                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
781                         BPF_EXIT_INSN(),
782                 },
783                 .errstr = "invalid bpf_context access",
784                 .result = REJECT,
785         },
786         {
787                 "access skb fields bad2",
788                 .insns = {
789                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
790                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
791                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
792                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
793                         BPF_LD_MAP_FD(BPF_REG_1, 0),
794                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
795                                      BPF_FUNC_map_lookup_elem),
796                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
797                         BPF_EXIT_INSN(),
798                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
799                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
800                                     offsetof(struct __sk_buff, pkt_type)),
801                         BPF_EXIT_INSN(),
802                 },
803                 .fixup_map1 = { 4 },
804                 .errstr = "different pointers",
805                 .errstr_unpriv = "R1 pointer comparison",
806                 .result = REJECT,
807         },
808         {
809                 "access skb fields bad3",
810                 .insns = {
811                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
812                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
813                                     offsetof(struct __sk_buff, pkt_type)),
814                         BPF_EXIT_INSN(),
815                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
816                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
817                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
818                         BPF_LD_MAP_FD(BPF_REG_1, 0),
819                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
820                                      BPF_FUNC_map_lookup_elem),
821                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
822                         BPF_EXIT_INSN(),
823                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
824                         BPF_JMP_IMM(BPF_JA, 0, 0, -12),
825                 },
826                 .fixup_map1 = { 6 },
827                 .errstr = "different pointers",
828                 .errstr_unpriv = "R1 pointer comparison",
829                 .result = REJECT,
830         },
831         {
832                 "access skb fields bad4",
833                 .insns = {
834                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
835                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
836                                     offsetof(struct __sk_buff, len)),
837                         BPF_MOV64_IMM(BPF_REG_0, 0),
838                         BPF_EXIT_INSN(),
839                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
840                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
841                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
842                         BPF_LD_MAP_FD(BPF_REG_1, 0),
843                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
844                                      BPF_FUNC_map_lookup_elem),
845                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
846                         BPF_EXIT_INSN(),
847                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
848                         BPF_JMP_IMM(BPF_JA, 0, 0, -13),
849                 },
850                 .fixup_map1 = { 7 },
851                 .errstr = "different pointers",
852                 .errstr_unpriv = "R1 pointer comparison",
853                 .result = REJECT,
854         },
855         {
856                 "check skb->mark is not writeable by sockets",
857                 .insns = {
858                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
859                                     offsetof(struct __sk_buff, mark)),
860                         BPF_EXIT_INSN(),
861                 },
862                 .errstr = "invalid bpf_context access",
863                 .errstr_unpriv = "R1 leaks addr",
864                 .result = REJECT,
865         },
866         {
867                 "check skb->tc_index is not writeable by sockets",
868                 .insns = {
869                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
870                                     offsetof(struct __sk_buff, tc_index)),
871                         BPF_EXIT_INSN(),
872                 },
873                 .errstr = "invalid bpf_context access",
874                 .errstr_unpriv = "R1 leaks addr",
875                 .result = REJECT,
876         },
877         {
878                 "check cb access: byte",
879                 .insns = {
880                         BPF_MOV64_IMM(BPF_REG_0, 0),
881                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
882                                     offsetof(struct __sk_buff, cb[0])),
883                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
884                                     offsetof(struct __sk_buff, cb[0]) + 1),
885                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
886                                     offsetof(struct __sk_buff, cb[0]) + 2),
887                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
888                                     offsetof(struct __sk_buff, cb[0]) + 3),
889                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
890                                     offsetof(struct __sk_buff, cb[1])),
891                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
892                                     offsetof(struct __sk_buff, cb[1]) + 1),
893                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
894                                     offsetof(struct __sk_buff, cb[1]) + 2),
895                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
896                                     offsetof(struct __sk_buff, cb[1]) + 3),
897                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
898                                     offsetof(struct __sk_buff, cb[2])),
899                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
900                                     offsetof(struct __sk_buff, cb[2]) + 1),
901                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
902                                     offsetof(struct __sk_buff, cb[2]) + 2),
903                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
904                                     offsetof(struct __sk_buff, cb[2]) + 3),
905                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
906                                     offsetof(struct __sk_buff, cb[3])),
907                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
908                                     offsetof(struct __sk_buff, cb[3]) + 1),
909                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
910                                     offsetof(struct __sk_buff, cb[3]) + 2),
911                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
912                                     offsetof(struct __sk_buff, cb[3]) + 3),
913                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
914                                     offsetof(struct __sk_buff, cb[4])),
915                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
916                                     offsetof(struct __sk_buff, cb[4]) + 1),
917                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
918                                     offsetof(struct __sk_buff, cb[4]) + 2),
919                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
920                                     offsetof(struct __sk_buff, cb[4]) + 3),
921                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
922                                     offsetof(struct __sk_buff, cb[0])),
923                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
924                                     offsetof(struct __sk_buff, cb[0]) + 1),
925                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
926                                     offsetof(struct __sk_buff, cb[0]) + 2),
927                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
928                                     offsetof(struct __sk_buff, cb[0]) + 3),
929                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
930                                     offsetof(struct __sk_buff, cb[1])),
931                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
932                                     offsetof(struct __sk_buff, cb[1]) + 1),
933                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
934                                     offsetof(struct __sk_buff, cb[1]) + 2),
935                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
936                                     offsetof(struct __sk_buff, cb[1]) + 3),
937                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
938                                     offsetof(struct __sk_buff, cb[2])),
939                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
940                                     offsetof(struct __sk_buff, cb[2]) + 1),
941                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
942                                     offsetof(struct __sk_buff, cb[2]) + 2),
943                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
944                                     offsetof(struct __sk_buff, cb[2]) + 3),
945                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
946                                     offsetof(struct __sk_buff, cb[3])),
947                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
948                                     offsetof(struct __sk_buff, cb[3]) + 1),
949                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
950                                     offsetof(struct __sk_buff, cb[3]) + 2),
951                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
952                                     offsetof(struct __sk_buff, cb[3]) + 3),
953                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
954                                     offsetof(struct __sk_buff, cb[4])),
955                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
956                                     offsetof(struct __sk_buff, cb[4]) + 1),
957                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
958                                     offsetof(struct __sk_buff, cb[4]) + 2),
959                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
960                                     offsetof(struct __sk_buff, cb[4]) + 3),
961                         BPF_EXIT_INSN(),
962                 },
963                 .result = ACCEPT,
964         },
965         {
966                 "check cb access: byte, oob 1",
967                 .insns = {
968                         BPF_MOV64_IMM(BPF_REG_0, 0),
969                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
970                                     offsetof(struct __sk_buff, cb[4]) + 4),
971                         BPF_EXIT_INSN(),
972                 },
973                 .errstr = "invalid bpf_context access",
974                 .result = REJECT,
975         },
976         {
977                 "check cb access: byte, oob 2",
978                 .insns = {
979                         BPF_MOV64_IMM(BPF_REG_0, 0),
980                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
981                                     offsetof(struct __sk_buff, cb[0]) - 1),
982                         BPF_EXIT_INSN(),
983                 },
984                 .errstr = "invalid bpf_context access",
985                 .result = REJECT,
986         },
987         {
988                 "check cb access: byte, oob 3",
989                 .insns = {
990                         BPF_MOV64_IMM(BPF_REG_0, 0),
991                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
992                                     offsetof(struct __sk_buff, cb[4]) + 4),
993                         BPF_EXIT_INSN(),
994                 },
995                 .errstr = "invalid bpf_context access",
996                 .result = REJECT,
997         },
998         {
999                 "check cb access: byte, oob 4",
1000                 .insns = {
1001                         BPF_MOV64_IMM(BPF_REG_0, 0),
1002                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1003                                     offsetof(struct __sk_buff, cb[0]) - 1),
1004                         BPF_EXIT_INSN(),
1005                 },
1006                 .errstr = "invalid bpf_context access",
1007                 .result = REJECT,
1008         },
1009         {
1010                 "check cb access: byte, wrong type",
1011                 .insns = {
1012                         BPF_MOV64_IMM(BPF_REG_0, 0),
1013                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1014                                     offsetof(struct __sk_buff, cb[0])),
1015                         BPF_EXIT_INSN(),
1016                 },
1017                 .errstr = "invalid bpf_context access",
1018                 .result = REJECT,
1019                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1020         },
1021         {
1022                 "check cb access: half",
1023                 .insns = {
1024                         BPF_MOV64_IMM(BPF_REG_0, 0),
1025                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1026                                     offsetof(struct __sk_buff, cb[0])),
1027                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1028                                     offsetof(struct __sk_buff, cb[0]) + 2),
1029                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1030                                     offsetof(struct __sk_buff, cb[1])),
1031                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1032                                     offsetof(struct __sk_buff, cb[1]) + 2),
1033                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1034                                     offsetof(struct __sk_buff, cb[2])),
1035                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1036                                     offsetof(struct __sk_buff, cb[2]) + 2),
1037                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1038                                     offsetof(struct __sk_buff, cb[3])),
1039                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1040                                     offsetof(struct __sk_buff, cb[3]) + 2),
1041                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1042                                     offsetof(struct __sk_buff, cb[4])),
1043                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1044                                     offsetof(struct __sk_buff, cb[4]) + 2),
1045                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1046                                     offsetof(struct __sk_buff, cb[0])),
1047                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1048                                     offsetof(struct __sk_buff, cb[0]) + 2),
1049                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1050                                     offsetof(struct __sk_buff, cb[1])),
1051                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1052                                     offsetof(struct __sk_buff, cb[1]) + 2),
1053                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1054                                     offsetof(struct __sk_buff, cb[2])),
1055                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1056                                     offsetof(struct __sk_buff, cb[2]) + 2),
1057                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1058                                     offsetof(struct __sk_buff, cb[3])),
1059                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1060                                     offsetof(struct __sk_buff, cb[3]) + 2),
1061                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1062                                     offsetof(struct __sk_buff, cb[4])),
1063                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1064                                     offsetof(struct __sk_buff, cb[4]) + 2),
1065                         BPF_EXIT_INSN(),
1066                 },
1067                 .result = ACCEPT,
1068         },
1069         {
1070                 "check cb access: half, unaligned",
1071                 .insns = {
1072                         BPF_MOV64_IMM(BPF_REG_0, 0),
1073                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1074                                     offsetof(struct __sk_buff, cb[0]) + 1),
1075                         BPF_EXIT_INSN(),
1076                 },
1077                 .errstr = "misaligned access",
1078                 .result = REJECT,
1079         },
1080         {
1081                 "check cb access: half, oob 1",
1082                 .insns = {
1083                         BPF_MOV64_IMM(BPF_REG_0, 0),
1084                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1085                                     offsetof(struct __sk_buff, cb[4]) + 4),
1086                         BPF_EXIT_INSN(),
1087                 },
1088                 .errstr = "invalid bpf_context access",
1089                 .result = REJECT,
1090         },
1091         {
1092                 "check cb access: half, oob 2",
1093                 .insns = {
1094                         BPF_MOV64_IMM(BPF_REG_0, 0),
1095                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1096                                     offsetof(struct __sk_buff, cb[0]) - 2),
1097                         BPF_EXIT_INSN(),
1098                 },
1099                 .errstr = "invalid bpf_context access",
1100                 .result = REJECT,
1101         },
1102         {
1103                 "check cb access: half, oob 3",
1104                 .insns = {
1105                         BPF_MOV64_IMM(BPF_REG_0, 0),
1106                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1107                                     offsetof(struct __sk_buff, cb[4]) + 4),
1108                         BPF_EXIT_INSN(),
1109                 },
1110                 .errstr = "invalid bpf_context access",
1111                 .result = REJECT,
1112         },
1113         {
1114                 "check cb access: half, oob 4",
1115                 .insns = {
1116                         BPF_MOV64_IMM(BPF_REG_0, 0),
1117                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1118                                     offsetof(struct __sk_buff, cb[0]) - 2),
1119                         BPF_EXIT_INSN(),
1120                 },
1121                 .errstr = "invalid bpf_context access",
1122                 .result = REJECT,
1123         },
1124         {
1125                 "check cb access: half, wrong type",
1126                 .insns = {
1127                         BPF_MOV64_IMM(BPF_REG_0, 0),
1128                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1129                                     offsetof(struct __sk_buff, cb[0])),
1130                         BPF_EXIT_INSN(),
1131                 },
1132                 .errstr = "invalid bpf_context access",
1133                 .result = REJECT,
1134                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1135         },
1136         {
1137                 "check cb access: word",
1138                 .insns = {
1139                         BPF_MOV64_IMM(BPF_REG_0, 0),
1140                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1141                                     offsetof(struct __sk_buff, cb[0])),
1142                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1143                                     offsetof(struct __sk_buff, cb[1])),
1144                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1145                                     offsetof(struct __sk_buff, cb[2])),
1146                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1147                                     offsetof(struct __sk_buff, cb[3])),
1148                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1149                                     offsetof(struct __sk_buff, cb[4])),
1150                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1151                                     offsetof(struct __sk_buff, cb[0])),
1152                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1153                                     offsetof(struct __sk_buff, cb[1])),
1154                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1155                                     offsetof(struct __sk_buff, cb[2])),
1156                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1157                                     offsetof(struct __sk_buff, cb[3])),
1158                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1159                                     offsetof(struct __sk_buff, cb[4])),
1160                         BPF_EXIT_INSN(),
1161                 },
1162                 .result = ACCEPT,
1163         },
1164         {
1165                 "check cb access: word, unaligned 1",
1166                 .insns = {
1167                         BPF_MOV64_IMM(BPF_REG_0, 0),
1168                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1169                                     offsetof(struct __sk_buff, cb[0]) + 2),
1170                         BPF_EXIT_INSN(),
1171                 },
1172                 .errstr = "misaligned access",
1173                 .result = REJECT,
1174         },
1175         {
1176                 "check cb access: word, unaligned 2",
1177                 .insns = {
1178                         BPF_MOV64_IMM(BPF_REG_0, 0),
1179                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1180                                     offsetof(struct __sk_buff, cb[4]) + 1),
1181                         BPF_EXIT_INSN(),
1182                 },
1183                 .errstr = "misaligned access",
1184                 .result = REJECT,
1185         },
1186         {
1187                 "check cb access: word, unaligned 3",
1188                 .insns = {
1189                         BPF_MOV64_IMM(BPF_REG_0, 0),
1190                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1191                                     offsetof(struct __sk_buff, cb[4]) + 2),
1192                         BPF_EXIT_INSN(),
1193                 },
1194                 .errstr = "misaligned access",
1195                 .result = REJECT,
1196         },
1197         {
1198                 "check cb access: word, unaligned 4",
1199                 .insns = {
1200                         BPF_MOV64_IMM(BPF_REG_0, 0),
1201                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1202                                     offsetof(struct __sk_buff, cb[4]) + 3),
1203                         BPF_EXIT_INSN(),
1204                 },
1205                 .errstr = "misaligned access",
1206                 .result = REJECT,
1207         },
1208         {
1209                 "check cb access: double",
1210                 .insns = {
1211                         BPF_MOV64_IMM(BPF_REG_0, 0),
1212                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1213                                     offsetof(struct __sk_buff, cb[0])),
1214                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1215                                     offsetof(struct __sk_buff, cb[2])),
1216                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1217                                     offsetof(struct __sk_buff, cb[0])),
1218                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1219                                     offsetof(struct __sk_buff, cb[2])),
1220                         BPF_EXIT_INSN(),
1221                 },
1222                 .result = ACCEPT,
1223         },
1224         {
1225                 "check cb access: double, unaligned 1",
1226                 .insns = {
1227                         BPF_MOV64_IMM(BPF_REG_0, 0),
1228                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1229                                     offsetof(struct __sk_buff, cb[1])),
1230                         BPF_EXIT_INSN(),
1231                 },
1232                 .errstr = "misaligned access",
1233                 .result = REJECT,
1234         },
1235         {
1236                 "check cb access: double, unaligned 2",
1237                 .insns = {
1238                         BPF_MOV64_IMM(BPF_REG_0, 0),
1239                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1240                                     offsetof(struct __sk_buff, cb[3])),
1241                         BPF_EXIT_INSN(),
1242                 },
1243                 .errstr = "misaligned access",
1244                 .result = REJECT,
1245         },
1246         {
1247                 "check cb access: double, oob 1",
1248                 .insns = {
1249                         BPF_MOV64_IMM(BPF_REG_0, 0),
1250                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1251                                     offsetof(struct __sk_buff, cb[4])),
1252                         BPF_EXIT_INSN(),
1253                 },
1254                 .errstr = "invalid bpf_context access",
1255                 .result = REJECT,
1256         },
1257         {
1258                 "check cb access: double, oob 2",
1259                 .insns = {
1260                         BPF_MOV64_IMM(BPF_REG_0, 0),
1261                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1262                                     offsetof(struct __sk_buff, cb[4]) + 8),
1263                         BPF_EXIT_INSN(),
1264                 },
1265                 .errstr = "invalid bpf_context access",
1266                 .result = REJECT,
1267         },
1268         {
1269                 "check cb access: double, oob 3",
1270                 .insns = {
1271                         BPF_MOV64_IMM(BPF_REG_0, 0),
1272                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1273                                     offsetof(struct __sk_buff, cb[0]) - 8),
1274                         BPF_EXIT_INSN(),
1275                 },
1276                 .errstr = "invalid bpf_context access",
1277                 .result = REJECT,
1278         },
1279         {
1280                 "check cb access: double, oob 4",
1281                 .insns = {
1282                         BPF_MOV64_IMM(BPF_REG_0, 0),
1283                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1284                                     offsetof(struct __sk_buff, cb[4])),
1285                         BPF_EXIT_INSN(),
1286                 },
1287                 .errstr = "invalid bpf_context access",
1288                 .result = REJECT,
1289         },
1290         {
1291                 "check cb access: double, oob 5",
1292                 .insns = {
1293                         BPF_MOV64_IMM(BPF_REG_0, 0),
1294                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1295                                     offsetof(struct __sk_buff, cb[4]) + 8),
1296                         BPF_EXIT_INSN(),
1297                 },
1298                 .errstr = "invalid bpf_context access",
1299                 .result = REJECT,
1300         },
1301         {
1302                 "check cb access: double, oob 6",
1303                 .insns = {
1304                         BPF_MOV64_IMM(BPF_REG_0, 0),
1305                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
1306                                     offsetof(struct __sk_buff, cb[0]) - 8),
1307                         BPF_EXIT_INSN(),
1308                 },
1309                 .errstr = "invalid bpf_context access",
1310                 .result = REJECT,
1311         },
1312         {
1313                 "check cb access: double, wrong type",
1314                 .insns = {
1315                         BPF_MOV64_IMM(BPF_REG_0, 0),
1316                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
1317                                     offsetof(struct __sk_buff, cb[0])),
1318                         BPF_EXIT_INSN(),
1319                 },
1320                 .errstr = "invalid bpf_context access",
1321                 .result = REJECT,
1322                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1323         },
1324         {
1325                 "check out of range skb->cb access",
1326                 .insns = {
1327                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1328                                     offsetof(struct __sk_buff, cb[0]) + 256),
1329                         BPF_EXIT_INSN(),
1330                 },
1331                 .errstr = "invalid bpf_context access",
1332                 .errstr_unpriv = "",
1333                 .result = REJECT,
1334                 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
1335         },
1336         {
1337                 "write skb fields from socket prog",
1338                 .insns = {
1339                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1340                                     offsetof(struct __sk_buff, cb[4])),
1341                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1342                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1343                                     offsetof(struct __sk_buff, mark)),
1344                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1345                                     offsetof(struct __sk_buff, tc_index)),
1346                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1347                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1348                                     offsetof(struct __sk_buff, cb[0])),
1349                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1350                                     offsetof(struct __sk_buff, cb[2])),
1351                         BPF_EXIT_INSN(),
1352                 },
1353                 .result = ACCEPT,
1354                 .errstr_unpriv = "R1 leaks addr",
1355                 .result_unpriv = REJECT,
1356         },
1357         {
1358                 "write skb fields from tc_cls_act prog",
1359                 .insns = {
1360                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1361                                     offsetof(struct __sk_buff, cb[0])),
1362                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1363                                     offsetof(struct __sk_buff, mark)),
1364                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1365                                     offsetof(struct __sk_buff, tc_index)),
1366                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1367                                     offsetof(struct __sk_buff, tc_index)),
1368                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1369                                     offsetof(struct __sk_buff, cb[3])),
1370                         BPF_EXIT_INSN(),
1371                 },
1372                 .errstr_unpriv = "",
1373                 .result_unpriv = REJECT,
1374                 .result = ACCEPT,
1375                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1376         },
1377         {
1378                 "PTR_TO_STACK store/load",
1379                 .insns = {
1380                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1381                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1382                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1383                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1384                         BPF_EXIT_INSN(),
1385                 },
1386                 .result = ACCEPT,
1387         },
1388         {
1389                 "PTR_TO_STACK store/load - bad alignment on off",
1390                 .insns = {
1391                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1392                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1393                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
1394                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
1395                         BPF_EXIT_INSN(),
1396                 },
1397                 .result = REJECT,
1398                 .errstr = "misaligned access off -6 size 8",
1399         },
1400         {
1401                 "PTR_TO_STACK store/load - bad alignment on reg",
1402                 .insns = {
1403                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1404                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
1405                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1406                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1407                         BPF_EXIT_INSN(),
1408                 },
1409                 .result = REJECT,
1410                 .errstr = "misaligned access off -2 size 8",
1411         },
1412         {
1413                 "PTR_TO_STACK store/load - out of bounds low",
1414                 .insns = {
1415                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1416                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
1417                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1418                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1419                         BPF_EXIT_INSN(),
1420                 },
1421                 .result = REJECT,
1422                 .errstr = "invalid stack off=-79992 size=8",
1423         },
1424         {
1425                 "PTR_TO_STACK store/load - out of bounds high",
1426                 .insns = {
1427                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1428                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1429                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
1430                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
1431                         BPF_EXIT_INSN(),
1432                 },
1433                 .result = REJECT,
1434                 .errstr = "invalid stack off=0 size=8",
1435         },
1436         {
1437                 "unpriv: return pointer",
1438                 .insns = {
1439                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
1440                         BPF_EXIT_INSN(),
1441                 },
1442                 .result = ACCEPT,
1443                 .result_unpriv = REJECT,
1444                 .errstr_unpriv = "R0 leaks addr",
1445         },
1446         {
1447                 "unpriv: add const to pointer",
1448                 .insns = {
1449                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
1450                         BPF_MOV64_IMM(BPF_REG_0, 0),
1451                         BPF_EXIT_INSN(),
1452                 },
1453                 .result = ACCEPT,
1454                 .result_unpriv = REJECT,
1455                 .errstr_unpriv = "R1 pointer arithmetic",
1456         },
1457         {
1458                 "unpriv: add pointer to pointer",
1459                 .insns = {
1460                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
1461                         BPF_MOV64_IMM(BPF_REG_0, 0),
1462                         BPF_EXIT_INSN(),
1463                 },
1464                 .result = ACCEPT,
1465                 .result_unpriv = REJECT,
1466                 .errstr_unpriv = "R1 pointer arithmetic",
1467         },
1468         {
1469                 "unpriv: neg pointer",
1470                 .insns = {
1471                         BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
1472                         BPF_MOV64_IMM(BPF_REG_0, 0),
1473                         BPF_EXIT_INSN(),
1474                 },
1475                 .result = ACCEPT,
1476                 .result_unpriv = REJECT,
1477                 .errstr_unpriv = "R1 pointer arithmetic",
1478         },
1479         {
1480                 "unpriv: cmp pointer with const",
1481                 .insns = {
1482                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1483                         BPF_MOV64_IMM(BPF_REG_0, 0),
1484                         BPF_EXIT_INSN(),
1485                 },
1486                 .result = ACCEPT,
1487                 .result_unpriv = REJECT,
1488                 .errstr_unpriv = "R1 pointer comparison",
1489         },
1490         {
1491                 "unpriv: cmp pointer with pointer",
1492                 .insns = {
1493                         BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1494                         BPF_MOV64_IMM(BPF_REG_0, 0),
1495                         BPF_EXIT_INSN(),
1496                 },
1497                 .result = ACCEPT,
1498                 .result_unpriv = REJECT,
1499                 .errstr_unpriv = "R10 pointer comparison",
1500         },
1501         {
1502                 "unpriv: check that printk is disallowed",
1503                 .insns = {
1504                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1505                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
1506                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
1507                         BPF_MOV64_IMM(BPF_REG_2, 8),
1508                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
1509                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1510                                      BPF_FUNC_trace_printk),
1511                         BPF_MOV64_IMM(BPF_REG_0, 0),
1512                         BPF_EXIT_INSN(),
1513                 },
1514                 .errstr_unpriv = "unknown func bpf_trace_printk#6",
1515                 .result_unpriv = REJECT,
1516                 .result = ACCEPT,
1517         },
1518         {
1519                 "unpriv: pass pointer to helper function",
1520                 .insns = {
1521                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1522                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1523                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1524                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1525                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1526                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
1527                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1528                                      BPF_FUNC_map_update_elem),
1529                         BPF_MOV64_IMM(BPF_REG_0, 0),
1530                         BPF_EXIT_INSN(),
1531                 },
1532                 .fixup_map1 = { 3 },
1533                 .errstr_unpriv = "R4 leaks addr",
1534                 .result_unpriv = REJECT,
1535                 .result = ACCEPT,
1536         },
1537         {
1538                 "unpriv: indirectly pass pointer on stack to helper function",
1539                 .insns = {
1540                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1541                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1542                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1543                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1544                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1545                                      BPF_FUNC_map_lookup_elem),
1546                         BPF_MOV64_IMM(BPF_REG_0, 0),
1547                         BPF_EXIT_INSN(),
1548                 },
1549                 .fixup_map1 = { 3 },
1550                 .errstr = "invalid indirect read from stack off -8+0 size 8",
1551                 .result = REJECT,
1552         },
1553         {
1554                 "unpriv: mangle pointer on stack 1",
1555                 .insns = {
1556                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1557                         BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
1558                         BPF_MOV64_IMM(BPF_REG_0, 0),
1559                         BPF_EXIT_INSN(),
1560                 },
1561                 .errstr_unpriv = "attempt to corrupt spilled",
1562                 .result_unpriv = REJECT,
1563                 .result = ACCEPT,
1564         },
1565         {
1566                 "unpriv: mangle pointer on stack 2",
1567                 .insns = {
1568                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1569                         BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
1570                         BPF_MOV64_IMM(BPF_REG_0, 0),
1571                         BPF_EXIT_INSN(),
1572                 },
1573                 .errstr_unpriv = "attempt to corrupt spilled",
1574                 .result_unpriv = REJECT,
1575                 .result = ACCEPT,
1576         },
1577         {
1578                 "unpriv: read pointer from stack in small chunks",
1579                 .insns = {
1580                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
1581                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
1582                         BPF_MOV64_IMM(BPF_REG_0, 0),
1583                         BPF_EXIT_INSN(),
1584                 },
1585                 .errstr = "invalid size",
1586                 .result = REJECT,
1587         },
1588         {
1589                 "unpriv: write pointer into ctx",
1590                 .insns = {
1591                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
1592                         BPF_MOV64_IMM(BPF_REG_0, 0),
1593                         BPF_EXIT_INSN(),
1594                 },
1595                 .errstr_unpriv = "R1 leaks addr",
1596                 .result_unpriv = REJECT,
1597                 .errstr = "invalid bpf_context access",
1598                 .result = REJECT,
1599         },
1600         {
1601                 "unpriv: spill/fill of ctx",
1602                 .insns = {
1603                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1604                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1605                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1606                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1607                         BPF_MOV64_IMM(BPF_REG_0, 0),
1608                         BPF_EXIT_INSN(),
1609                 },
1610                 .result = ACCEPT,
1611         },
1612         {
1613                 "unpriv: spill/fill of ctx 2",
1614                 .insns = {
1615                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1616                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1617                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1618                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1619                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1620                                      BPF_FUNC_get_hash_recalc),
1621                         BPF_EXIT_INSN(),
1622                 },
1623                 .result = ACCEPT,
1624                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1625         },
1626         {
1627                 "unpriv: spill/fill of ctx 3",
1628                 .insns = {
1629                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1630                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1631                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1632                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
1633                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1634                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1635                                      BPF_FUNC_get_hash_recalc),
1636                         BPF_EXIT_INSN(),
1637                 },
1638                 .result = REJECT,
1639                 .errstr = "R1 type=fp expected=ctx",
1640                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1641         },
1642         {
1643                 "unpriv: spill/fill of ctx 4",
1644                 .insns = {
1645                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1646                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1647                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1648                         BPF_MOV64_IMM(BPF_REG_0, 1),
1649                         BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
1650                                      BPF_REG_0, -8, 0),
1651                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1652                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1653                                      BPF_FUNC_get_hash_recalc),
1654                         BPF_EXIT_INSN(),
1655                 },
1656                 .result = REJECT,
1657                 .errstr = "R1 type=inv expected=ctx",
1658                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1659         },
1660         {
1661                 "unpriv: spill/fill of different pointers stx",
1662                 .insns = {
1663                         BPF_MOV64_IMM(BPF_REG_3, 42),
1664                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1665                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1666                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1667                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1668                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1669                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
1670                         BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
1671                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1672                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1673                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
1674                                     offsetof(struct __sk_buff, mark)),
1675                         BPF_MOV64_IMM(BPF_REG_0, 0),
1676                         BPF_EXIT_INSN(),
1677                 },
1678                 .result = REJECT,
1679                 .errstr = "same insn cannot be used with different pointers",
1680                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1681         },
1682         {
1683                 "unpriv: spill/fill of different pointers ldx",
1684                 .insns = {
1685                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1686                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1687                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1688                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1689                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
1690                                       -(__s32)offsetof(struct bpf_perf_event_data,
1691                                                        sample_period) - 8),
1692                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
1693                         BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
1694                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1695                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
1696                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
1697                                     offsetof(struct bpf_perf_event_data,
1698                                              sample_period)),
1699                         BPF_MOV64_IMM(BPF_REG_0, 0),
1700                         BPF_EXIT_INSN(),
1701                 },
1702                 .result = REJECT,
1703                 .errstr = "same insn cannot be used with different pointers",
1704                 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
1705         },
1706         {
1707                 "unpriv: write pointer into map elem value",
1708                 .insns = {
1709                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1710                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1711                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1712                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1713                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1714                                      BPF_FUNC_map_lookup_elem),
1715                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1716                         BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
1717                         BPF_EXIT_INSN(),
1718                 },
1719                 .fixup_map1 = { 3 },
1720                 .errstr_unpriv = "R0 leaks addr",
1721                 .result_unpriv = REJECT,
1722                 .result = ACCEPT,
1723         },
1724         {
1725                 "unpriv: partial copy of pointer",
1726                 .insns = {
1727                         BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
1728                         BPF_MOV64_IMM(BPF_REG_0, 0),
1729                         BPF_EXIT_INSN(),
1730                 },
1731                 .errstr_unpriv = "R10 partial copy",
1732                 .result_unpriv = REJECT,
1733                 .result = ACCEPT,
1734         },
1735         {
1736                 "unpriv: pass pointer to tail_call",
1737                 .insns = {
1738                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
1739                         BPF_LD_MAP_FD(BPF_REG_2, 0),
1740                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1741                                      BPF_FUNC_tail_call),
1742                         BPF_MOV64_IMM(BPF_REG_0, 0),
1743                         BPF_EXIT_INSN(),
1744                 },
1745                 .fixup_prog = { 1 },
1746                 .errstr_unpriv = "R3 leaks addr into helper",
1747                 .result_unpriv = REJECT,
1748                 .result = ACCEPT,
1749         },
1750         {
1751                 "unpriv: cmp map pointer with zero",
1752                 .insns = {
1753                         BPF_MOV64_IMM(BPF_REG_1, 0),
1754                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1755                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
1756                         BPF_MOV64_IMM(BPF_REG_0, 0),
1757                         BPF_EXIT_INSN(),
1758                 },
1759                 .fixup_map1 = { 1 },
1760                 .errstr_unpriv = "R1 pointer comparison",
1761                 .result_unpriv = REJECT,
1762                 .result = ACCEPT,
1763         },
1764         {
1765                 "unpriv: write into frame pointer",
1766                 .insns = {
1767                         BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
1768                         BPF_MOV64_IMM(BPF_REG_0, 0),
1769                         BPF_EXIT_INSN(),
1770                 },
1771                 .errstr = "frame pointer is read only",
1772                 .result = REJECT,
1773         },
1774         {
1775                 "unpriv: spill/fill frame pointer",
1776                 .insns = {
1777                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1778                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1779                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
1780                         BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
1781                         BPF_MOV64_IMM(BPF_REG_0, 0),
1782                         BPF_EXIT_INSN(),
1783                 },
1784                 .errstr = "frame pointer is read only",
1785                 .result = REJECT,
1786         },
1787         {
1788                 "unpriv: cmp of frame pointer",
1789                 .insns = {
1790                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
1791                         BPF_MOV64_IMM(BPF_REG_0, 0),
1792                         BPF_EXIT_INSN(),
1793                 },
1794                 .errstr_unpriv = "R10 pointer comparison",
1795                 .result_unpriv = REJECT,
1796                 .result = ACCEPT,
1797         },
1798         {
1799                 "unpriv: cmp of stack pointer",
1800                 .insns = {
1801                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1802                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1803                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
1804                         BPF_MOV64_IMM(BPF_REG_0, 0),
1805                         BPF_EXIT_INSN(),
1806                 },
1807                 .errstr_unpriv = "R2 pointer comparison",
1808                 .result_unpriv = REJECT,
1809                 .result = ACCEPT,
1810         },
1811         {
1812                 "stack pointer arithmetic",
1813                 .insns = {
1814                         BPF_MOV64_IMM(BPF_REG_1, 4),
1815                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1816                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
1817                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
1818                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
1819                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
1820                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
1821                         BPF_ST_MEM(0, BPF_REG_2, 4, 0),
1822                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
1823                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
1824                         BPF_ST_MEM(0, BPF_REG_2, 4, 0),
1825                         BPF_MOV64_IMM(BPF_REG_0, 0),
1826                         BPF_EXIT_INSN(),
1827                 },
1828                 .result = ACCEPT,
1829         },
1830         {
1831                 "raw_stack: no skb_load_bytes",
1832                 .insns = {
1833                         BPF_MOV64_IMM(BPF_REG_2, 4),
1834                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1835                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1836                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1837                         BPF_MOV64_IMM(BPF_REG_4, 8),
1838                         /* Call to skb_load_bytes() omitted. */
1839                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1840                         BPF_EXIT_INSN(),
1841                 },
1842                 .result = REJECT,
1843                 .errstr = "invalid read from stack off -8+0 size 8",
1844                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1845         },
1846         {
1847                 "raw_stack: skb_load_bytes, negative len",
1848                 .insns = {
1849                         BPF_MOV64_IMM(BPF_REG_2, 4),
1850                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1851                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1852                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1853                         BPF_MOV64_IMM(BPF_REG_4, -8),
1854                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1855                                      BPF_FUNC_skb_load_bytes),
1856                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1857                         BPF_EXIT_INSN(),
1858                 },
1859                 .result = REJECT,
1860                 .errstr = "invalid stack type R3",
1861                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1862         },
1863         {
1864                 "raw_stack: skb_load_bytes, negative len 2",
1865                 .insns = {
1866                         BPF_MOV64_IMM(BPF_REG_2, 4),
1867                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1868                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1869                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1870                         BPF_MOV64_IMM(BPF_REG_4, ~0),
1871                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1872                                      BPF_FUNC_skb_load_bytes),
1873                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1874                         BPF_EXIT_INSN(),
1875                 },
1876                 .result = REJECT,
1877                 .errstr = "invalid stack type R3",
1878                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1879         },
1880         {
1881                 "raw_stack: skb_load_bytes, zero len",
1882                 .insns = {
1883                         BPF_MOV64_IMM(BPF_REG_2, 4),
1884                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1885                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1886                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1887                         BPF_MOV64_IMM(BPF_REG_4, 0),
1888                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1889                                      BPF_FUNC_skb_load_bytes),
1890                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1891                         BPF_EXIT_INSN(),
1892                 },
1893                 .result = REJECT,
1894                 .errstr = "invalid stack type R3",
1895                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1896         },
1897         {
1898                 "raw_stack: skb_load_bytes, no init",
1899                 .insns = {
1900                         BPF_MOV64_IMM(BPF_REG_2, 4),
1901                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1902                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1903                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1904                         BPF_MOV64_IMM(BPF_REG_4, 8),
1905                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1906                                      BPF_FUNC_skb_load_bytes),
1907                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1908                         BPF_EXIT_INSN(),
1909                 },
1910                 .result = ACCEPT,
1911                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1912         },
1913         {
1914                 "raw_stack: skb_load_bytes, init",
1915                 .insns = {
1916                         BPF_MOV64_IMM(BPF_REG_2, 4),
1917                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1918                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1919                         BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
1920                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1921                         BPF_MOV64_IMM(BPF_REG_4, 8),
1922                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1923                                      BPF_FUNC_skb_load_bytes),
1924                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1925                         BPF_EXIT_INSN(),
1926                 },
1927                 .result = ACCEPT,
1928                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1929         },
1930         {
1931                 "raw_stack: skb_load_bytes, spilled regs around bounds",
1932                 .insns = {
1933                         BPF_MOV64_IMM(BPF_REG_2, 4),
1934                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1935                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
1936                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
1937                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
1938                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1939                         BPF_MOV64_IMM(BPF_REG_4, 8),
1940                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1941                                      BPF_FUNC_skb_load_bytes),
1942                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
1943                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
1944                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
1945                                     offsetof(struct __sk_buff, mark)),
1946                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
1947                                     offsetof(struct __sk_buff, priority)),
1948                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
1949                         BPF_EXIT_INSN(),
1950                 },
1951                 .result = ACCEPT,
1952                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1953         },
1954         {
1955                 "raw_stack: skb_load_bytes, spilled regs corruption",
1956                 .insns = {
1957                         BPF_MOV64_IMM(BPF_REG_2, 4),
1958                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1959                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
1960                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
1961                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1962                         BPF_MOV64_IMM(BPF_REG_4, 8),
1963                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1964                                      BPF_FUNC_skb_load_bytes),
1965                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
1966                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
1967                                     offsetof(struct __sk_buff, mark)),
1968                         BPF_EXIT_INSN(),
1969                 },
1970                 .result = REJECT,
1971                 .errstr = "R0 invalid mem access 'inv'",
1972                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
1973         },
1974         {
1975                 "raw_stack: skb_load_bytes, spilled regs corruption 2",
1976                 .insns = {
1977                         BPF_MOV64_IMM(BPF_REG_2, 4),
1978                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
1979                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
1980                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
1981                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
1982                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
1983                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
1984                         BPF_MOV64_IMM(BPF_REG_4, 8),
1985                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1986                                      BPF_FUNC_skb_load_bytes),
1987                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
1988                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
1989                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
1990                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
1991                                     offsetof(struct __sk_buff, mark)),
1992                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
1993                                     offsetof(struct __sk_buff, priority)),
1994                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
1995                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
1996                                     offsetof(struct __sk_buff, pkt_type)),
1997                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
1998                         BPF_EXIT_INSN(),
1999                 },
2000                 .result = REJECT,
2001                 .errstr = "R3 invalid mem access 'inv'",
2002                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2003         },
2004         {
2005                 "raw_stack: skb_load_bytes, spilled regs + data",
2006                 .insns = {
2007                         BPF_MOV64_IMM(BPF_REG_2, 4),
2008                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2009                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2010                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2011                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
2012                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2013                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2014                         BPF_MOV64_IMM(BPF_REG_4, 8),
2015                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2016                                      BPF_FUNC_skb_load_bytes),
2017                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2018                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2019                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
2020                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2021                                     offsetof(struct __sk_buff, mark)),
2022                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2023                                     offsetof(struct __sk_buff, priority)),
2024                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2025                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2026                         BPF_EXIT_INSN(),
2027                 },
2028                 .result = ACCEPT,
2029                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2030         },
2031         {
2032                 "raw_stack: skb_load_bytes, invalid access 1",
2033                 .insns = {
2034                         BPF_MOV64_IMM(BPF_REG_2, 4),
2035                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2036                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2037                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2038                         BPF_MOV64_IMM(BPF_REG_4, 8),
2039                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2040                                      BPF_FUNC_skb_load_bytes),
2041                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2042                         BPF_EXIT_INSN(),
2043                 },
2044                 .result = REJECT,
2045                 .errstr = "invalid stack type R3 off=-513 access_size=8",
2046                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2047         },
2048         {
2049                 "raw_stack: skb_load_bytes, invalid access 2",
2050                 .insns = {
2051                         BPF_MOV64_IMM(BPF_REG_2, 4),
2052                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2053                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2054                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2055                         BPF_MOV64_IMM(BPF_REG_4, 8),
2056                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2057                                      BPF_FUNC_skb_load_bytes),
2058                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2059                         BPF_EXIT_INSN(),
2060                 },
2061                 .result = REJECT,
2062                 .errstr = "invalid stack type R3 off=-1 access_size=8",
2063                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2064         },
2065         {
2066                 "raw_stack: skb_load_bytes, invalid access 3",
2067                 .insns = {
2068                         BPF_MOV64_IMM(BPF_REG_2, 4),
2069                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2070                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2071                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2072                         BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2073                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2074                                      BPF_FUNC_skb_load_bytes),
2075                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2076                         BPF_EXIT_INSN(),
2077                 },
2078                 .result = REJECT,
2079                 .errstr = "invalid stack type R3 off=-1 access_size=-1",
2080                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2081         },
2082         {
2083                 "raw_stack: skb_load_bytes, invalid access 4",
2084                 .insns = {
2085                         BPF_MOV64_IMM(BPF_REG_2, 4),
2086                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2087                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2088                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2089                         BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2090                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2091                                      BPF_FUNC_skb_load_bytes),
2092                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2093                         BPF_EXIT_INSN(),
2094                 },
2095                 .result = REJECT,
2096                 .errstr = "invalid stack type R3 off=-1 access_size=2147483647",
2097                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2098         },
2099         {
2100                 "raw_stack: skb_load_bytes, invalid access 5",
2101                 .insns = {
2102                         BPF_MOV64_IMM(BPF_REG_2, 4),
2103                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2104                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2105                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2106                         BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2107                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2108                                      BPF_FUNC_skb_load_bytes),
2109                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2110                         BPF_EXIT_INSN(),
2111                 },
2112                 .result = REJECT,
2113                 .errstr = "invalid stack type R3 off=-512 access_size=2147483647",
2114                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2115         },
2116         {
2117                 "raw_stack: skb_load_bytes, invalid access 6",
2118                 .insns = {
2119                         BPF_MOV64_IMM(BPF_REG_2, 4),
2120                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2121                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2122                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2123                         BPF_MOV64_IMM(BPF_REG_4, 0),
2124                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2125                                      BPF_FUNC_skb_load_bytes),
2126                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2127                         BPF_EXIT_INSN(),
2128                 },
2129                 .result = REJECT,
2130                 .errstr = "invalid stack type R3 off=-512 access_size=0",
2131                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2132         },
2133         {
2134                 "raw_stack: skb_load_bytes, large access",
2135                 .insns = {
2136                         BPF_MOV64_IMM(BPF_REG_2, 4),
2137                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2138                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2139                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2140                         BPF_MOV64_IMM(BPF_REG_4, 512),
2141                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2142                                      BPF_FUNC_skb_load_bytes),
2143                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2144                         BPF_EXIT_INSN(),
2145                 },
2146                 .result = ACCEPT,
2147                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2148         },
2149         {
2150                 "direct packet access: test1",
2151                 .insns = {
2152                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2153                                     offsetof(struct __sk_buff, data)),
2154                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2155                                     offsetof(struct __sk_buff, data_end)),
2156                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2157                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2158                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2159                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2160                         BPF_MOV64_IMM(BPF_REG_0, 0),
2161                         BPF_EXIT_INSN(),
2162                 },
2163                 .result = ACCEPT,
2164                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2165         },
2166         {
2167                 "direct packet access: test2",
2168                 .insns = {
2169                         BPF_MOV64_IMM(BPF_REG_0, 1),
2170                         BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
2171                                     offsetof(struct __sk_buff, data_end)),
2172                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2173                                     offsetof(struct __sk_buff, data)),
2174                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2175                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
2176                         BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
2177                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
2178                         BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
2179                         BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
2180                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2181                                     offsetof(struct __sk_buff, data)),
2182                         BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
2183                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_1),
2184                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 48),
2185                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 48),
2186                         BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
2187                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
2188                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2189                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2190                                     offsetof(struct __sk_buff, data_end)),
2191                         BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
2192                         BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
2193                         BPF_MOV64_IMM(BPF_REG_0, 0),
2194                         BPF_EXIT_INSN(),
2195                 },
2196                 .result = ACCEPT,
2197                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2198         },
2199         {
2200                 "direct packet access: test3",
2201                 .insns = {
2202                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2203                                     offsetof(struct __sk_buff, data)),
2204                         BPF_MOV64_IMM(BPF_REG_0, 0),
2205                         BPF_EXIT_INSN(),
2206                 },
2207                 .errstr = "invalid bpf_context access off=76",
2208                 .result = REJECT,
2209                 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
2210         },
2211         {
2212                 "direct packet access: test4 (write)",
2213                 .insns = {
2214                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2215                                     offsetof(struct __sk_buff, data)),
2216                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2217                                     offsetof(struct __sk_buff, data_end)),
2218                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2219                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2220                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2221                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2222                         BPF_MOV64_IMM(BPF_REG_0, 0),
2223                         BPF_EXIT_INSN(),
2224                 },
2225                 .result = ACCEPT,
2226                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2227         },
2228         {
2229                 "direct packet access: test5 (pkt_end >= reg, good access)",
2230                 .insns = {
2231                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2232                                     offsetof(struct __sk_buff, data)),
2233                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2234                                     offsetof(struct __sk_buff, data_end)),
2235                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2236                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2237                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2238                         BPF_MOV64_IMM(BPF_REG_0, 1),
2239                         BPF_EXIT_INSN(),
2240                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2241                         BPF_MOV64_IMM(BPF_REG_0, 0),
2242                         BPF_EXIT_INSN(),
2243                 },
2244                 .result = ACCEPT,
2245                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2246         },
2247         {
2248                 "direct packet access: test6 (pkt_end >= reg, bad access)",
2249                 .insns = {
2250                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2251                                     offsetof(struct __sk_buff, data)),
2252                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2253                                     offsetof(struct __sk_buff, data_end)),
2254                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2255                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2256                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2257                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2258                         BPF_MOV64_IMM(BPF_REG_0, 1),
2259                         BPF_EXIT_INSN(),
2260                         BPF_MOV64_IMM(BPF_REG_0, 0),
2261                         BPF_EXIT_INSN(),
2262                 },
2263                 .errstr = "invalid access to packet",
2264                 .result = REJECT,
2265                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2266         },
2267         {
2268                 "direct packet access: test7 (pkt_end >= reg, both accesses)",
2269                 .insns = {
2270                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2271                                     offsetof(struct __sk_buff, data)),
2272                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2273                                     offsetof(struct __sk_buff, data_end)),
2274                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2275                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2276                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
2277                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2278                         BPF_MOV64_IMM(BPF_REG_0, 1),
2279                         BPF_EXIT_INSN(),
2280                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2281                         BPF_MOV64_IMM(BPF_REG_0, 0),
2282                         BPF_EXIT_INSN(),
2283                 },
2284                 .errstr = "invalid access to packet",
2285                 .result = REJECT,
2286                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2287         },
2288         {
2289                 "direct packet access: test8 (double test, variant 1)",
2290                 .insns = {
2291                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2292                                     offsetof(struct __sk_buff, data)),
2293                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2294                                     offsetof(struct __sk_buff, data_end)),
2295                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2296                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2297                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
2298                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2299                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2300                         BPF_MOV64_IMM(BPF_REG_0, 1),
2301                         BPF_EXIT_INSN(),
2302                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2303                         BPF_MOV64_IMM(BPF_REG_0, 0),
2304                         BPF_EXIT_INSN(),
2305                 },
2306                 .result = ACCEPT,
2307                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2308         },
2309         {
2310                 "direct packet access: test9 (double test, variant 2)",
2311                 .insns = {
2312                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2313                                     offsetof(struct __sk_buff, data)),
2314                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2315                                     offsetof(struct __sk_buff, data_end)),
2316                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2317                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2318                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
2319                         BPF_MOV64_IMM(BPF_REG_0, 1),
2320                         BPF_EXIT_INSN(),
2321                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2322                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2323                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2324                         BPF_MOV64_IMM(BPF_REG_0, 0),
2325                         BPF_EXIT_INSN(),
2326                 },
2327                 .result = ACCEPT,
2328                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2329         },
2330         {
2331                 "direct packet access: test10 (write invalid)",
2332                 .insns = {
2333                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2334                                     offsetof(struct __sk_buff, data)),
2335                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2336                                     offsetof(struct __sk_buff, data_end)),
2337                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2338                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2339                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
2340                         BPF_MOV64_IMM(BPF_REG_0, 0),
2341                         BPF_EXIT_INSN(),
2342                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
2343                         BPF_MOV64_IMM(BPF_REG_0, 0),
2344                         BPF_EXIT_INSN(),
2345                 },
2346                 .errstr = "invalid access to packet",
2347                 .result = REJECT,
2348                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2349         },
2350         {
2351                 "direct packet access: test11 (shift, good access)",
2352                 .insns = {
2353                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2354                                     offsetof(struct __sk_buff, data)),
2355                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2356                                     offsetof(struct __sk_buff, data_end)),
2357                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2358                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2359                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2360                         BPF_MOV64_IMM(BPF_REG_3, 144),
2361                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2362                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2363                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
2364                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2365                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2366                         BPF_MOV64_IMM(BPF_REG_0, 1),
2367                         BPF_EXIT_INSN(),
2368                         BPF_MOV64_IMM(BPF_REG_0, 0),
2369                         BPF_EXIT_INSN(),
2370                 },
2371                 .result = ACCEPT,
2372                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2373         },
2374         {
2375                 "direct packet access: test12 (and, good access)",
2376                 .insns = {
2377                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2378                                     offsetof(struct __sk_buff, data)),
2379                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2380                                     offsetof(struct __sk_buff, data_end)),
2381                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2382                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2383                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2384                         BPF_MOV64_IMM(BPF_REG_3, 144),
2385                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2386                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2387                         BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2388                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2389                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2390                         BPF_MOV64_IMM(BPF_REG_0, 1),
2391                         BPF_EXIT_INSN(),
2392                         BPF_MOV64_IMM(BPF_REG_0, 0),
2393                         BPF_EXIT_INSN(),
2394                 },
2395                 .result = ACCEPT,
2396                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2397         },
2398         {
2399                 "direct packet access: test13 (branches, good access)",
2400                 .insns = {
2401                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2402                                     offsetof(struct __sk_buff, data)),
2403                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2404                                     offsetof(struct __sk_buff, data_end)),
2405                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2406                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2407                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
2408                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2409                                     offsetof(struct __sk_buff, mark)),
2410                         BPF_MOV64_IMM(BPF_REG_4, 1),
2411                         BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
2412                         BPF_MOV64_IMM(BPF_REG_3, 14),
2413                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
2414                         BPF_MOV64_IMM(BPF_REG_3, 24),
2415                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
2416                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
2417                         BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
2418                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2419                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2420                         BPF_MOV64_IMM(BPF_REG_0, 1),
2421                         BPF_EXIT_INSN(),
2422                         BPF_MOV64_IMM(BPF_REG_0, 0),
2423                         BPF_EXIT_INSN(),
2424                 },
2425                 .result = ACCEPT,
2426                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2427         },
2428         {
2429                 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
2430                 .insns = {
2431                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2432                                     offsetof(struct __sk_buff, data)),
2433                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2434                                     offsetof(struct __sk_buff, data_end)),
2435                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2436                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
2437                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
2438                         BPF_MOV64_IMM(BPF_REG_5, 12),
2439                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
2440                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
2441                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
2442                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
2443                         BPF_MOV64_IMM(BPF_REG_0, 1),
2444                         BPF_EXIT_INSN(),
2445                         BPF_MOV64_IMM(BPF_REG_0, 0),
2446                         BPF_EXIT_INSN(),
2447                 },
2448                 .result = ACCEPT,
2449                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2450         },
2451         {
2452                 "direct packet access: test15 (spill with xadd)",
2453                 .insns = {
2454                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2455                                     offsetof(struct __sk_buff, data)),
2456                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2457                                     offsetof(struct __sk_buff, data_end)),
2458                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2459                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2460                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
2461                         BPF_MOV64_IMM(BPF_REG_5, 4096),
2462                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
2463                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
2464                         BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
2465                         BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
2466                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
2467                         BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
2468                         BPF_MOV64_IMM(BPF_REG_0, 0),
2469                         BPF_EXIT_INSN(),
2470                 },
2471                 .errstr = "R2 invalid mem access 'inv'",
2472                 .result = REJECT,
2473                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2474         },
2475         {
2476                 "helper access to packet: test1, valid packet_ptr range",
2477                 .insns = {
2478                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2479                                     offsetof(struct xdp_md, data)),
2480                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2481                                     offsetof(struct xdp_md, data_end)),
2482                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
2483                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2484                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
2485                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2486                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2487                         BPF_MOV64_IMM(BPF_REG_4, 0),
2488                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2489                                      BPF_FUNC_map_update_elem),
2490                         BPF_MOV64_IMM(BPF_REG_0, 0),
2491                         BPF_EXIT_INSN(),
2492                 },
2493                 .fixup_map1 = { 5 },
2494                 .result_unpriv = ACCEPT,
2495                 .result = ACCEPT,
2496                 .prog_type = BPF_PROG_TYPE_XDP,
2497         },
2498         {
2499                 "helper access to packet: test2, unchecked packet_ptr",
2500                 .insns = {
2501                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2502                                     offsetof(struct xdp_md, data)),
2503                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2504                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2505                                      BPF_FUNC_map_lookup_elem),
2506                         BPF_MOV64_IMM(BPF_REG_0, 0),
2507                         BPF_EXIT_INSN(),
2508                 },
2509                 .fixup_map1 = { 1 },
2510                 .result = REJECT,
2511                 .errstr = "invalid access to packet",
2512                 .prog_type = BPF_PROG_TYPE_XDP,
2513         },
2514         {
2515                 "helper access to packet: test3, variable add",
2516                 .insns = {
2517                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2518                                         offsetof(struct xdp_md, data)),
2519                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2520                                         offsetof(struct xdp_md, data_end)),
2521                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2522                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
2523                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
2524                         BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
2525                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2526                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
2527                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2528                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
2529                         BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
2530                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2531                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
2532                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2533                                      BPF_FUNC_map_lookup_elem),
2534                         BPF_MOV64_IMM(BPF_REG_0, 0),
2535                         BPF_EXIT_INSN(),
2536                 },
2537                 .fixup_map1 = { 11 },
2538                 .result = ACCEPT,
2539                 .prog_type = BPF_PROG_TYPE_XDP,
2540         },
2541         {
2542                 "helper access to packet: test4, packet_ptr with bad range",
2543                 .insns = {
2544                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2545                                     offsetof(struct xdp_md, data)),
2546                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2547                                     offsetof(struct xdp_md, data_end)),
2548                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2549                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
2550                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
2551                         BPF_MOV64_IMM(BPF_REG_0, 0),
2552                         BPF_EXIT_INSN(),
2553                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2554                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2555                                      BPF_FUNC_map_lookup_elem),
2556                         BPF_MOV64_IMM(BPF_REG_0, 0),
2557                         BPF_EXIT_INSN(),
2558                 },
2559                 .fixup_map1 = { 7 },
2560                 .result = REJECT,
2561                 .errstr = "invalid access to packet",
2562                 .prog_type = BPF_PROG_TYPE_XDP,
2563         },
2564         {
2565                 "helper access to packet: test5, packet_ptr with too short range",
2566                 .insns = {
2567                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2568                                     offsetof(struct xdp_md, data)),
2569                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2570                                     offsetof(struct xdp_md, data_end)),
2571                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
2572                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2573                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
2574                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
2575                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2576                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2577                                      BPF_FUNC_map_lookup_elem),
2578                         BPF_MOV64_IMM(BPF_REG_0, 0),
2579                         BPF_EXIT_INSN(),
2580                 },
2581                 .fixup_map1 = { 6 },
2582                 .result = REJECT,
2583                 .errstr = "invalid access to packet",
2584                 .prog_type = BPF_PROG_TYPE_XDP,
2585         },
2586         {
2587                 "helper access to packet: test6, cls valid packet_ptr range",
2588                 .insns = {
2589                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2590                                     offsetof(struct __sk_buff, data)),
2591                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2592                                     offsetof(struct __sk_buff, data_end)),
2593                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
2594                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2595                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
2596                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2597                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2598                         BPF_MOV64_IMM(BPF_REG_4, 0),
2599                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2600                                      BPF_FUNC_map_update_elem),
2601                         BPF_MOV64_IMM(BPF_REG_0, 0),
2602                         BPF_EXIT_INSN(),
2603                 },
2604                 .fixup_map1 = { 5 },
2605                 .result = ACCEPT,
2606                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2607         },
2608         {
2609                 "helper access to packet: test7, cls unchecked packet_ptr",
2610                 .insns = {
2611                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2612                                     offsetof(struct __sk_buff, data)),
2613                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2614                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2615                                      BPF_FUNC_map_lookup_elem),
2616                         BPF_MOV64_IMM(BPF_REG_0, 0),
2617                         BPF_EXIT_INSN(),
2618                 },
2619                 .fixup_map1 = { 1 },
2620                 .result = REJECT,
2621                 .errstr = "invalid access to packet",
2622                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2623         },
2624         {
2625                 "helper access to packet: test8, cls variable add",
2626                 .insns = {
2627                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2628                                         offsetof(struct __sk_buff, data)),
2629                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2630                                         offsetof(struct __sk_buff, data_end)),
2631                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2632                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
2633                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
2634                         BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
2635                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2636                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
2637                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
2638                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
2639                         BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
2640                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2641                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
2642                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2643                                      BPF_FUNC_map_lookup_elem),
2644                         BPF_MOV64_IMM(BPF_REG_0, 0),
2645                         BPF_EXIT_INSN(),
2646                 },
2647                 .fixup_map1 = { 11 },
2648                 .result = ACCEPT,
2649                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2650         },
2651         {
2652                 "helper access to packet: test9, cls packet_ptr with bad range",
2653                 .insns = {
2654                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2655                                     offsetof(struct __sk_buff, data)),
2656                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2657                                     offsetof(struct __sk_buff, data_end)),
2658                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2659                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
2660                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
2661                         BPF_MOV64_IMM(BPF_REG_0, 0),
2662                         BPF_EXIT_INSN(),
2663                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2664                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2665                                      BPF_FUNC_map_lookup_elem),
2666                         BPF_MOV64_IMM(BPF_REG_0, 0),
2667                         BPF_EXIT_INSN(),
2668                 },
2669                 .fixup_map1 = { 7 },
2670                 .result = REJECT,
2671                 .errstr = "invalid access to packet",
2672                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2673         },
2674         {
2675                 "helper access to packet: test10, cls packet_ptr with too short range",
2676                 .insns = {
2677                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2678                                     offsetof(struct __sk_buff, data)),
2679                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2680                                     offsetof(struct __sk_buff, data_end)),
2681                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
2682                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2683                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
2684                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
2685                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2686                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2687                                      BPF_FUNC_map_lookup_elem),
2688                         BPF_MOV64_IMM(BPF_REG_0, 0),
2689                         BPF_EXIT_INSN(),
2690                 },
2691                 .fixup_map1 = { 6 },
2692                 .result = REJECT,
2693                 .errstr = "invalid access to packet",
2694                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2695         },
2696         {
2697                 "helper access to packet: test11, cls unsuitable helper 1",
2698                 .insns = {
2699                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2700                                     offsetof(struct __sk_buff, data)),
2701                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2702                                     offsetof(struct __sk_buff, data_end)),
2703                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2704                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2705                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
2706                         BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
2707                         BPF_MOV64_IMM(BPF_REG_2, 0),
2708                         BPF_MOV64_IMM(BPF_REG_4, 42),
2709                         BPF_MOV64_IMM(BPF_REG_5, 0),
2710                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2711                                      BPF_FUNC_skb_store_bytes),
2712                         BPF_MOV64_IMM(BPF_REG_0, 0),
2713                         BPF_EXIT_INSN(),
2714                 },
2715                 .result = REJECT,
2716                 .errstr = "helper access to the packet",
2717                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2718         },
2719         {
2720                 "helper access to packet: test12, cls unsuitable helper 2",
2721                 .insns = {
2722                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2723                                     offsetof(struct __sk_buff, data)),
2724                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2725                                     offsetof(struct __sk_buff, data_end)),
2726                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2727                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
2728                         BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
2729                         BPF_MOV64_IMM(BPF_REG_2, 0),
2730                         BPF_MOV64_IMM(BPF_REG_4, 4),
2731                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2732                                      BPF_FUNC_skb_load_bytes),
2733                         BPF_MOV64_IMM(BPF_REG_0, 0),
2734                         BPF_EXIT_INSN(),
2735                 },
2736                 .result = REJECT,
2737                 .errstr = "helper access to the packet",
2738                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2739         },
2740         {
2741                 "helper access to packet: test13, cls helper ok",
2742                 .insns = {
2743                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2744                                     offsetof(struct __sk_buff, data)),
2745                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2746                                     offsetof(struct __sk_buff, data_end)),
2747                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2748                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2749                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2750                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2751                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2752                         BPF_MOV64_IMM(BPF_REG_2, 4),
2753                         BPF_MOV64_IMM(BPF_REG_3, 0),
2754                         BPF_MOV64_IMM(BPF_REG_4, 0),
2755                         BPF_MOV64_IMM(BPF_REG_5, 0),
2756                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2757                                      BPF_FUNC_csum_diff),
2758                         BPF_MOV64_IMM(BPF_REG_0, 0),
2759                         BPF_EXIT_INSN(),
2760                 },
2761                 .result = ACCEPT,
2762                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2763         },
2764         {
2765                 "helper access to packet: test14, cls helper fail sub",
2766                 .insns = {
2767                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2768                                     offsetof(struct __sk_buff, data)),
2769                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2770                                     offsetof(struct __sk_buff, data_end)),
2771                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2772                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2773                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2774                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2775                         BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
2776                         BPF_MOV64_IMM(BPF_REG_2, 4),
2777                         BPF_MOV64_IMM(BPF_REG_3, 0),
2778                         BPF_MOV64_IMM(BPF_REG_4, 0),
2779                         BPF_MOV64_IMM(BPF_REG_5, 0),
2780                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2781                                      BPF_FUNC_csum_diff),
2782                         BPF_MOV64_IMM(BPF_REG_0, 0),
2783                         BPF_EXIT_INSN(),
2784                 },
2785                 .result = REJECT,
2786                 .errstr = "type=inv expected=fp",
2787                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2788         },
2789         {
2790                 "helper access to packet: test15, cls helper fail range 1",
2791                 .insns = {
2792                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2793                                     offsetof(struct __sk_buff, data)),
2794                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2795                                     offsetof(struct __sk_buff, data_end)),
2796                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2797                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2798                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2799                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2800                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2801                         BPF_MOV64_IMM(BPF_REG_2, 8),
2802                         BPF_MOV64_IMM(BPF_REG_3, 0),
2803                         BPF_MOV64_IMM(BPF_REG_4, 0),
2804                         BPF_MOV64_IMM(BPF_REG_5, 0),
2805                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2806                                      BPF_FUNC_csum_diff),
2807                         BPF_MOV64_IMM(BPF_REG_0, 0),
2808                         BPF_EXIT_INSN(),
2809                 },
2810                 .result = REJECT,
2811                 .errstr = "invalid access to packet",
2812                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2813         },
2814         {
2815                 "helper access to packet: test16, cls helper fail range 2",
2816                 .insns = {
2817                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2818                                     offsetof(struct __sk_buff, data)),
2819                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2820                                     offsetof(struct __sk_buff, data_end)),
2821                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2822                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2823                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2824                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2825                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2826                         BPF_MOV64_IMM(BPF_REG_2, -9),
2827                         BPF_MOV64_IMM(BPF_REG_3, 0),
2828                         BPF_MOV64_IMM(BPF_REG_4, 0),
2829                         BPF_MOV64_IMM(BPF_REG_5, 0),
2830                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2831                                      BPF_FUNC_csum_diff),
2832                         BPF_MOV64_IMM(BPF_REG_0, 0),
2833                         BPF_EXIT_INSN(),
2834                 },
2835                 .result = REJECT,
2836                 .errstr = "invalid access to packet",
2837                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2838         },
2839         {
2840                 "helper access to packet: test17, cls helper fail range 3",
2841                 .insns = {
2842                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2843                                     offsetof(struct __sk_buff, data)),
2844                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2845                                     offsetof(struct __sk_buff, data_end)),
2846                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2847                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2848                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2849                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2850                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2851                         BPF_MOV64_IMM(BPF_REG_2, ~0),
2852                         BPF_MOV64_IMM(BPF_REG_3, 0),
2853                         BPF_MOV64_IMM(BPF_REG_4, 0),
2854                         BPF_MOV64_IMM(BPF_REG_5, 0),
2855                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2856                                      BPF_FUNC_csum_diff),
2857                         BPF_MOV64_IMM(BPF_REG_0, 0),
2858                         BPF_EXIT_INSN(),
2859                 },
2860                 .result = REJECT,
2861                 .errstr = "invalid access to packet",
2862                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2863         },
2864         {
2865                 "helper access to packet: test18, cls helper fail range zero",
2866                 .insns = {
2867                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2868                                     offsetof(struct __sk_buff, data)),
2869                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2870                                     offsetof(struct __sk_buff, data_end)),
2871                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2872                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2873                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2874                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2875                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2876                         BPF_MOV64_IMM(BPF_REG_2, 0),
2877                         BPF_MOV64_IMM(BPF_REG_3, 0),
2878                         BPF_MOV64_IMM(BPF_REG_4, 0),
2879                         BPF_MOV64_IMM(BPF_REG_5, 0),
2880                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2881                                      BPF_FUNC_csum_diff),
2882                         BPF_MOV64_IMM(BPF_REG_0, 0),
2883                         BPF_EXIT_INSN(),
2884                 },
2885                 .result = REJECT,
2886                 .errstr = "invalid access to packet",
2887                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2888         },
2889         {
2890                 "helper access to packet: test19, pkt end as input",
2891                 .insns = {
2892                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2893                                     offsetof(struct __sk_buff, data)),
2894                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2895                                     offsetof(struct __sk_buff, data_end)),
2896                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2897                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2898                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2899                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2900                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
2901                         BPF_MOV64_IMM(BPF_REG_2, 4),
2902                         BPF_MOV64_IMM(BPF_REG_3, 0),
2903                         BPF_MOV64_IMM(BPF_REG_4, 0),
2904                         BPF_MOV64_IMM(BPF_REG_5, 0),
2905                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2906                                      BPF_FUNC_csum_diff),
2907                         BPF_MOV64_IMM(BPF_REG_0, 0),
2908                         BPF_EXIT_INSN(),
2909                 },
2910                 .result = REJECT,
2911                 .errstr = "R1 type=pkt_end expected=fp",
2912                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2913         },
2914         {
2915                 "helper access to packet: test20, wrong reg",
2916                 .insns = {
2917                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
2918                                     offsetof(struct __sk_buff, data)),
2919                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
2920                                     offsetof(struct __sk_buff, data_end)),
2921                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
2922                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
2923                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
2924                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
2925                         BPF_MOV64_IMM(BPF_REG_2, 4),
2926                         BPF_MOV64_IMM(BPF_REG_3, 0),
2927                         BPF_MOV64_IMM(BPF_REG_4, 0),
2928                         BPF_MOV64_IMM(BPF_REG_5, 0),
2929                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2930                                      BPF_FUNC_csum_diff),
2931                         BPF_MOV64_IMM(BPF_REG_0, 0),
2932                         BPF_EXIT_INSN(),
2933                 },
2934                 .result = REJECT,
2935                 .errstr = "invalid access to packet",
2936                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2937         },
2938         {
2939                 "valid map access into an array with a constant",
2940                 .insns = {
2941                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2942                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2943                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2944                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2945                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2946                                      BPF_FUNC_map_lookup_elem),
2947                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2948                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
2949                                    offsetof(struct test_val, foo)),
2950                         BPF_EXIT_INSN(),
2951                 },
2952                 .fixup_map2 = { 3 },
2953                 .errstr_unpriv = "R0 leaks addr",
2954                 .result_unpriv = REJECT,
2955                 .result = ACCEPT,
2956         },
2957         {
2958                 "valid map access into an array with a register",
2959                 .insns = {
2960                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2961                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2962                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2963                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2964                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2965                                      BPF_FUNC_map_lookup_elem),
2966                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
2967                         BPF_MOV64_IMM(BPF_REG_1, 4),
2968                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
2969                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
2970                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
2971                                    offsetof(struct test_val, foo)),
2972                         BPF_EXIT_INSN(),
2973                 },
2974                 .fixup_map2 = { 3 },
2975                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
2976                 .result_unpriv = REJECT,
2977                 .result = ACCEPT,
2978                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
2979         },
2980         {
2981                 "valid map access into an array with a variable",
2982                 .insns = {
2983                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2984                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2985                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2986                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2987                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2988                                      BPF_FUNC_map_lookup_elem),
2989                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
2990                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
2991                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
2992                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
2993                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
2994                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
2995                                    offsetof(struct test_val, foo)),
2996                         BPF_EXIT_INSN(),
2997                 },
2998                 .fixup_map2 = { 3 },
2999                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3000                 .result_unpriv = REJECT,
3001                 .result = ACCEPT,
3002                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3003         },
3004         {
3005                 "valid map access into an array with a signed variable",
3006                 .insns = {
3007                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3008                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3009                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3010                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3011                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3012                                      BPF_FUNC_map_lookup_elem),
3013                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
3014                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3015                         BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
3016                         BPF_MOV32_IMM(BPF_REG_1, 0),
3017                         BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3018                         BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3019                         BPF_MOV32_IMM(BPF_REG_1, 0),
3020                         BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3021                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3022                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3023                                    offsetof(struct test_val, foo)),
3024                         BPF_EXIT_INSN(),
3025                 },
3026                 .fixup_map2 = { 3 },
3027                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3028                 .result_unpriv = REJECT,
3029                 .result = ACCEPT,
3030                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3031         },
3032         {
3033                 "invalid map access into an array with a constant",
3034                 .insns = {
3035                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3036                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3037                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3038                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3039                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3040                                      BPF_FUNC_map_lookup_elem),
3041                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3042                         BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
3043                                    offsetof(struct test_val, foo)),
3044                         BPF_EXIT_INSN(),
3045                 },
3046                 .fixup_map2 = { 3 },
3047                 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
3048                 .result = REJECT,
3049         },
3050         {
3051                 "invalid map access into an array with a register",
3052                 .insns = {
3053                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3054                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3055                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3056                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3057                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3058                                      BPF_FUNC_map_lookup_elem),
3059                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3060                         BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
3061                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3062                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3063                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3064                                    offsetof(struct test_val, foo)),
3065                         BPF_EXIT_INSN(),
3066                 },
3067                 .fixup_map2 = { 3 },
3068                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3069                 .errstr = "R0 min value is outside of the array range",
3070                 .result_unpriv = REJECT,
3071                 .result = REJECT,
3072                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3073         },
3074         {
3075                 "invalid map access into an array with a variable",
3076                 .insns = {
3077                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3078                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3079                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3080                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3081                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3082                                      BPF_FUNC_map_lookup_elem),
3083                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3084                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3085                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3086                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3087                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3088                                    offsetof(struct test_val, foo)),
3089                         BPF_EXIT_INSN(),
3090                 },
3091                 .fixup_map2 = { 3 },
3092                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3093                 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
3094                 .result_unpriv = REJECT,
3095                 .result = REJECT,
3096                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3097         },
3098         {
3099                 "invalid map access into an array with no floor check",
3100                 .insns = {
3101                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3102                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3103                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3104                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3105                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3106                                      BPF_FUNC_map_lookup_elem),
3107                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3108                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3109                         BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
3110                         BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
3111                         BPF_MOV32_IMM(BPF_REG_1, 0),
3112                         BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3113                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3114                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3115                                    offsetof(struct test_val, foo)),
3116                         BPF_EXIT_INSN(),
3117                 },
3118                 .fixup_map2 = { 3 },
3119                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3120                 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
3121                 .result_unpriv = REJECT,
3122                 .result = REJECT,
3123                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3124         },
3125         {
3126                 "invalid map access into an array with a invalid max check",
3127                 .insns = {
3128                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3129                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3130                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3131                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3132                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3133                                      BPF_FUNC_map_lookup_elem),
3134                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3135                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3136                         BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
3137                         BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3138                         BPF_MOV32_IMM(BPF_REG_1, 0),
3139                         BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
3140                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3141                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
3142                                    offsetof(struct test_val, foo)),
3143                         BPF_EXIT_INSN(),
3144                 },
3145                 .fixup_map2 = { 3 },
3146                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3147                 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
3148                 .result_unpriv = REJECT,
3149                 .result = REJECT,
3150                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3151         },
3152         {
3153                 "invalid map access into an array with a invalid max check",
3154                 .insns = {
3155                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3156                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3157                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3158                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3159                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3160                                      BPF_FUNC_map_lookup_elem),
3161                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
3162                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
3163                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3164                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3165                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3166                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3167                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3168                                      BPF_FUNC_map_lookup_elem),
3169                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
3170                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
3171                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
3172                                     offsetof(struct test_val, foo)),
3173                         BPF_EXIT_INSN(),
3174                 },
3175                 .fixup_map2 = { 3, 11 },
3176                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3177                 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
3178                 .result_unpriv = REJECT,
3179                 .result = REJECT,
3180                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3181         },
3182         {
3183                 "multiple registers share map_lookup_elem result",
3184                 .insns = {
3185                         BPF_MOV64_IMM(BPF_REG_1, 10),
3186                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3187                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3188                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3189                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3190                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3191                                      BPF_FUNC_map_lookup_elem),
3192                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3193                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3194                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3195                         BPF_EXIT_INSN(),
3196                 },
3197                 .fixup_map1 = { 4 },
3198                 .result = ACCEPT,
3199                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3200         },
3201         {
3202                 "invalid memory access with multiple map_lookup_elem calls",
3203                 .insns = {
3204                         BPF_MOV64_IMM(BPF_REG_1, 10),
3205                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3206                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3207                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3208                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3209                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
3210                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
3211                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3212                                      BPF_FUNC_map_lookup_elem),
3213                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3214                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
3215                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3216                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3217                                      BPF_FUNC_map_lookup_elem),
3218                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3219                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3220                         BPF_EXIT_INSN(),
3221                 },
3222                 .fixup_map1 = { 4 },
3223                 .result = REJECT,
3224                 .errstr = "R4 !read_ok",
3225                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3226         },
3227         {
3228                 "valid indirect map_lookup_elem access with 2nd lookup in branch",
3229                 .insns = {
3230                         BPF_MOV64_IMM(BPF_REG_1, 10),
3231                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3232                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3233                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3234                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3235                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
3236                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
3237                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3238                                      BPF_FUNC_map_lookup_elem),
3239                         BPF_MOV64_IMM(BPF_REG_2, 10),
3240                         BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
3241                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
3242                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
3243                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3244                                      BPF_FUNC_map_lookup_elem),
3245                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3246                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3247                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
3248                         BPF_EXIT_INSN(),
3249                 },
3250                 .fixup_map1 = { 4 },
3251                 .result = ACCEPT,
3252                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3253         },
3254         {
3255                 "multiple registers share map_lookup_elem bad reg type",
3256                 .insns = {
3257                         BPF_MOV64_IMM(BPF_REG_1, 10),
3258                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
3259                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3260                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3261                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3262                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3263                                      BPF_FUNC_map_lookup_elem),
3264                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
3265                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
3266                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3267                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3268                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3269                         BPF_MOV64_IMM(BPF_REG_1, 1),
3270                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
3271                         BPF_MOV64_IMM(BPF_REG_1, 2),
3272                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_3, 0, 1),
3273                         BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 0),
3274                         BPF_MOV64_IMM(BPF_REG_1, 3),
3275                         BPF_EXIT_INSN(),
3276                 },
3277                 .fixup_map1 = { 4 },
3278                 .result = REJECT,
3279                 .errstr = "R3 invalid mem access 'inv'",
3280                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
3281         },
3282         {
3283                 "invalid map access from else condition",
3284                 .insns = {
3285                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3286                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3287                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3288                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3289                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
3290                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3291                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
3292                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
3293                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
3294                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
3295                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
3296                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
3297                         BPF_EXIT_INSN(),
3298                 },
3299                 .fixup_map2 = { 3 },
3300                 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
3301                 .result = REJECT,
3302                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
3303                 .result_unpriv = REJECT,
3304                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
3305         },
3306         {
3307                 "constant register |= constant should keep constant type",
3308                 .insns = {
3309                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3310                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3311                         BPF_MOV64_IMM(BPF_REG_2, 34),
3312                         BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
3313                         BPF_MOV64_IMM(BPF_REG_3, 0),
3314                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3315                         BPF_EXIT_INSN(),
3316                 },
3317                 .result = ACCEPT,
3318                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3319         },
3320         {
3321                 "constant register |= constant should not bypass stack boundary checks",
3322                 .insns = {
3323                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3324                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3325                         BPF_MOV64_IMM(BPF_REG_2, 34),
3326                         BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
3327                         BPF_MOV64_IMM(BPF_REG_3, 0),
3328                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3329                         BPF_EXIT_INSN(),
3330                 },
3331                 .errstr = "invalid stack type R1 off=-48 access_size=58",
3332                 .result = REJECT,
3333                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3334         },
3335         {
3336                 "constant register |= constant register should keep constant type",
3337                 .insns = {
3338                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3339                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3340                         BPF_MOV64_IMM(BPF_REG_2, 34),
3341                         BPF_MOV64_IMM(BPF_REG_4, 13),
3342                         BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
3343                         BPF_MOV64_IMM(BPF_REG_3, 0),
3344                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3345                         BPF_EXIT_INSN(),
3346                 },
3347                 .result = ACCEPT,
3348                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3349         },
3350         {
3351                 "constant register |= constant register should not bypass stack boundary checks",
3352                 .insns = {
3353                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
3354                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
3355                         BPF_MOV64_IMM(BPF_REG_2, 34),
3356                         BPF_MOV64_IMM(BPF_REG_4, 24),
3357                         BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
3358                         BPF_MOV64_IMM(BPF_REG_3, 0),
3359                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3360                         BPF_EXIT_INSN(),
3361                 },
3362                 .errstr = "invalid stack type R1 off=-48 access_size=58",
3363                 .result = REJECT,
3364                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3365         },
3366         {
3367                 "invalid direct packet write for LWT_IN",
3368                 .insns = {
3369                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3370                                     offsetof(struct __sk_buff, data)),
3371                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3372                                     offsetof(struct __sk_buff, data_end)),
3373                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3374                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3375                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3376                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3377                         BPF_MOV64_IMM(BPF_REG_0, 0),
3378                         BPF_EXIT_INSN(),
3379                 },
3380                 .errstr = "cannot write into packet",
3381                 .result = REJECT,
3382                 .prog_type = BPF_PROG_TYPE_LWT_IN,
3383         },
3384         {
3385                 "invalid direct packet write for LWT_OUT",
3386                 .insns = {
3387                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3388                                     offsetof(struct __sk_buff, data)),
3389                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3390                                     offsetof(struct __sk_buff, data_end)),
3391                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3392                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3393                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3394                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3395                         BPF_MOV64_IMM(BPF_REG_0, 0),
3396                         BPF_EXIT_INSN(),
3397                 },
3398                 .errstr = "cannot write into packet",
3399                 .result = REJECT,
3400                 .prog_type = BPF_PROG_TYPE_LWT_OUT,
3401         },
3402         {
3403                 "direct packet write for LWT_XMIT",
3404                 .insns = {
3405                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3406                                     offsetof(struct __sk_buff, data)),
3407                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3408                                     offsetof(struct __sk_buff, data_end)),
3409                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3410                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3411                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3412                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3413                         BPF_MOV64_IMM(BPF_REG_0, 0),
3414                         BPF_EXIT_INSN(),
3415                 },
3416                 .result = ACCEPT,
3417                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
3418         },
3419         {
3420                 "direct packet read for LWT_IN",
3421                 .insns = {
3422                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3423                                     offsetof(struct __sk_buff, data)),
3424                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3425                                     offsetof(struct __sk_buff, data_end)),
3426                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3427                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3428                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3429                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3430                         BPF_MOV64_IMM(BPF_REG_0, 0),
3431                         BPF_EXIT_INSN(),
3432                 },
3433                 .result = ACCEPT,
3434                 .prog_type = BPF_PROG_TYPE_LWT_IN,
3435         },
3436         {
3437                 "direct packet read for LWT_OUT",
3438                 .insns = {
3439                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3440                                     offsetof(struct __sk_buff, data)),
3441                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3442                                     offsetof(struct __sk_buff, data_end)),
3443                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3444                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3445                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3446                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3447                         BPF_MOV64_IMM(BPF_REG_0, 0),
3448                         BPF_EXIT_INSN(),
3449                 },
3450                 .result = ACCEPT,
3451                 .prog_type = BPF_PROG_TYPE_LWT_OUT,
3452         },
3453         {
3454                 "direct packet read for LWT_XMIT",
3455                 .insns = {
3456                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3457                                     offsetof(struct __sk_buff, data)),
3458                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3459                                     offsetof(struct __sk_buff, data_end)),
3460                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3461                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3462                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3463                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3464                         BPF_MOV64_IMM(BPF_REG_0, 0),
3465                         BPF_EXIT_INSN(),
3466                 },
3467                 .result = ACCEPT,
3468                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
3469         },
3470         {
3471                 "overlapping checks for direct packet access",
3472                 .insns = {
3473                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3474                                     offsetof(struct __sk_buff, data)),
3475                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3476                                     offsetof(struct __sk_buff, data_end)),
3477                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3478                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3479                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
3480                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3481                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
3482                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
3483                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
3484                         BPF_MOV64_IMM(BPF_REG_0, 0),
3485                         BPF_EXIT_INSN(),
3486                 },
3487                 .result = ACCEPT,
3488                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
3489         },
3490         {
3491                 "invalid access of tc_classid for LWT_IN",
3492                 .insns = {
3493                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
3494                                     offsetof(struct __sk_buff, tc_classid)),
3495                         BPF_EXIT_INSN(),
3496                 },
3497                 .result = REJECT,
3498                 .errstr = "invalid bpf_context access",
3499         },
3500         {
3501                 "invalid access of tc_classid for LWT_OUT",
3502                 .insns = {
3503                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
3504                                     offsetof(struct __sk_buff, tc_classid)),
3505                         BPF_EXIT_INSN(),
3506                 },
3507                 .result = REJECT,
3508                 .errstr = "invalid bpf_context access",
3509         },
3510         {
3511                 "invalid access of tc_classid for LWT_XMIT",
3512                 .insns = {
3513                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
3514                                     offsetof(struct __sk_buff, tc_classid)),
3515                         BPF_EXIT_INSN(),
3516                 },
3517                 .result = REJECT,
3518                 .errstr = "invalid bpf_context access",
3519         },
3520         {
3521                 "leak pointer into ctx 1",
3522                 .insns = {
3523                         BPF_MOV64_IMM(BPF_REG_0, 0),
3524                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
3525                                     offsetof(struct __sk_buff, cb[0])),
3526                         BPF_LD_MAP_FD(BPF_REG_2, 0),
3527                         BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
3528                                       offsetof(struct __sk_buff, cb[0])),
3529                         BPF_EXIT_INSN(),
3530                 },
3531                 .fixup_map1 = { 2 },
3532                 .errstr_unpriv = "R2 leaks addr into mem",
3533                 .result_unpriv = REJECT,
3534                 .result = ACCEPT,
3535         },
3536         {
3537                 "leak pointer into ctx 2",
3538                 .insns = {
3539                         BPF_MOV64_IMM(BPF_REG_0, 0),
3540                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
3541                                     offsetof(struct __sk_buff, cb[0])),
3542                         BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
3543                                       offsetof(struct __sk_buff, cb[0])),
3544                         BPF_EXIT_INSN(),
3545                 },
3546                 .errstr_unpriv = "R10 leaks addr into mem",
3547                 .result_unpriv = REJECT,
3548                 .result = ACCEPT,
3549         },
3550         {
3551                 "leak pointer into ctx 3",
3552                 .insns = {
3553                         BPF_MOV64_IMM(BPF_REG_0, 0),
3554                         BPF_LD_MAP_FD(BPF_REG_2, 0),
3555                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
3556                                       offsetof(struct __sk_buff, cb[0])),
3557                         BPF_EXIT_INSN(),
3558                 },
3559                 .fixup_map1 = { 1 },
3560                 .errstr_unpriv = "R2 leaks addr into ctx",
3561                 .result_unpriv = REJECT,
3562                 .result = ACCEPT,
3563         },
3564         {
3565                 "leak pointer into map val",
3566                 .insns = {
3567                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
3568                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
3569                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3570                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3571                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3572                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3573                                      BPF_FUNC_map_lookup_elem),
3574                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
3575                         BPF_MOV64_IMM(BPF_REG_3, 0),
3576                         BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
3577                         BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
3578                         BPF_MOV64_IMM(BPF_REG_0, 0),
3579                         BPF_EXIT_INSN(),
3580                 },
3581                 .fixup_map1 = { 4 },
3582                 .errstr_unpriv = "R6 leaks addr into mem",
3583                 .result_unpriv = REJECT,
3584                 .result = ACCEPT,
3585         },
3586         {
3587                 "helper access to map: full range",
3588                 .insns = {
3589                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3590                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3591                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3592                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3593                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3594                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3595                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3596                         BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
3597                         BPF_MOV64_IMM(BPF_REG_3, 0),
3598                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3599                         BPF_EXIT_INSN(),
3600                 },
3601                 .fixup_map2 = { 3 },
3602                 .result = ACCEPT,
3603                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3604         },
3605         {
3606                 "helper access to map: partial range",
3607                 .insns = {
3608                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3609                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3610                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3611                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3612                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3613                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3614                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3615                         BPF_MOV64_IMM(BPF_REG_2, 8),
3616                         BPF_MOV64_IMM(BPF_REG_3, 0),
3617                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3618                         BPF_EXIT_INSN(),
3619                 },
3620                 .fixup_map2 = { 3 },
3621                 .result = ACCEPT,
3622                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3623         },
3624         {
3625                 "helper access to map: empty range",
3626                 .insns = {
3627                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3628                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3629                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3630                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3631                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3632                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3633                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3634                         BPF_MOV64_IMM(BPF_REG_2, 0),
3635                         BPF_MOV64_IMM(BPF_REG_3, 0),
3636                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3637                         BPF_EXIT_INSN(),
3638                 },
3639                 .fixup_map2 = { 3 },
3640                 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
3641                 .result = REJECT,
3642                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3643         },
3644         {
3645                 "helper access to map: out-of-bound range",
3646                 .insns = {
3647                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3648                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3649                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3650                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3651                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3652                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3653                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3654                         BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
3655                         BPF_MOV64_IMM(BPF_REG_3, 0),
3656                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3657                         BPF_EXIT_INSN(),
3658                 },
3659                 .fixup_map2 = { 3 },
3660                 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
3661                 .result = REJECT,
3662                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3663         },
3664         {
3665                 "helper access to map: negative range",
3666                 .insns = {
3667                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3668                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3669                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3670                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3671                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3672                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
3673                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3674                         BPF_MOV64_IMM(BPF_REG_2, -8),
3675                         BPF_MOV64_IMM(BPF_REG_3, 0),
3676                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3677                         BPF_EXIT_INSN(),
3678                 },
3679                 .fixup_map2 = { 3 },
3680                 .errstr = "invalid access to map value, value_size=48 off=0 size=-8",
3681                 .result = REJECT,
3682                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3683         },
3684         {
3685                 "helper access to adjusted map (via const imm): full range",
3686                 .insns = {
3687                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3688                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3689                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3690                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3691                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3692                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3693                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3694                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3695                                 offsetof(struct test_val, foo)),
3696                         BPF_MOV64_IMM(BPF_REG_2,
3697                                 sizeof(struct test_val) -
3698                                 offsetof(struct test_val, foo)),
3699                         BPF_MOV64_IMM(BPF_REG_3, 0),
3700                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3701                         BPF_EXIT_INSN(),
3702                 },
3703                 .fixup_map2 = { 3 },
3704                 .result = ACCEPT,
3705                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3706         },
3707         {
3708                 "helper access to adjusted map (via const imm): partial range",
3709                 .insns = {
3710                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3711                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3712                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3713                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3714                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3715                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3716                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3717                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3718                                 offsetof(struct test_val, foo)),
3719                         BPF_MOV64_IMM(BPF_REG_2, 8),
3720                         BPF_MOV64_IMM(BPF_REG_3, 0),
3721                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3722                         BPF_EXIT_INSN(),
3723                 },
3724                 .fixup_map2 = { 3 },
3725                 .result = ACCEPT,
3726                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3727         },
3728         {
3729                 "helper access to adjusted map (via const imm): empty range",
3730                 .insns = {
3731                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3732                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3733                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3734                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3735                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3736                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3737                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3738                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3739                                 offsetof(struct test_val, foo)),
3740                         BPF_MOV64_IMM(BPF_REG_2, 0),
3741                         BPF_MOV64_IMM(BPF_REG_3, 0),
3742                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3743                         BPF_EXIT_INSN(),
3744                 },
3745                 .fixup_map2 = { 3 },
3746                 .errstr = "R1 min value is outside of the array range",
3747                 .result = REJECT,
3748                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3749         },
3750         {
3751                 "helper access to adjusted map (via const imm): out-of-bound range",
3752                 .insns = {
3753                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3754                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3755                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3756                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3757                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3758                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3759                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3760                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3761                                 offsetof(struct test_val, foo)),
3762                         BPF_MOV64_IMM(BPF_REG_2,
3763                                 sizeof(struct test_val) -
3764                                 offsetof(struct test_val, foo) + 8),
3765                         BPF_MOV64_IMM(BPF_REG_3, 0),
3766                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3767                         BPF_EXIT_INSN(),
3768                 },
3769                 .fixup_map2 = { 3 },
3770                 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
3771                 .result = REJECT,
3772                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3773         },
3774         {
3775                 "helper access to adjusted map (via const imm): negative range (> adjustment)",
3776                 .insns = {
3777                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3778                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3779                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3780                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3781                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3782                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3783                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3784                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3785                                 offsetof(struct test_val, foo)),
3786                         BPF_MOV64_IMM(BPF_REG_2, -8),
3787                         BPF_MOV64_IMM(BPF_REG_3, 0),
3788                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3789                         BPF_EXIT_INSN(),
3790                 },
3791                 .fixup_map2 = { 3 },
3792                 .errstr = "invalid access to map value, value_size=48 off=4 size=-8",
3793                 .result = REJECT,
3794                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3795         },
3796         {
3797                 "helper access to adjusted map (via const imm): negative range (< adjustment)",
3798                 .insns = {
3799                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3800                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3801                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3802                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3803                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3804                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
3805                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3806                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
3807                                 offsetof(struct test_val, foo)),
3808                         BPF_MOV64_IMM(BPF_REG_2, -1),
3809                         BPF_MOV64_IMM(BPF_REG_3, 0),
3810                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3811                         BPF_EXIT_INSN(),
3812                 },
3813                 .fixup_map2 = { 3 },
3814                 .errstr = "R1 min value is outside of the array range",
3815                 .result = REJECT,
3816                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3817         },
3818         {
3819                 "helper access to adjusted map (via const reg): full range",
3820                 .insns = {
3821                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3822                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3823                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3824                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3825                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3826                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3827                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3828                         BPF_MOV64_IMM(BPF_REG_3,
3829                                 offsetof(struct test_val, foo)),
3830                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3831                         BPF_MOV64_IMM(BPF_REG_2,
3832                                 sizeof(struct test_val) -
3833                                 offsetof(struct test_val, foo)),
3834                         BPF_MOV64_IMM(BPF_REG_3, 0),
3835                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3836                         BPF_EXIT_INSN(),
3837                 },
3838                 .fixup_map2 = { 3 },
3839                 .result = ACCEPT,
3840                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3841         },
3842         {
3843                 "helper access to adjusted map (via const reg): partial range",
3844                 .insns = {
3845                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3846                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3847                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3848                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3849                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3850                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3851                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3852                         BPF_MOV64_IMM(BPF_REG_3,
3853                                 offsetof(struct test_val, foo)),
3854                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3855                         BPF_MOV64_IMM(BPF_REG_2, 8),
3856                         BPF_MOV64_IMM(BPF_REG_3, 0),
3857                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3858                         BPF_EXIT_INSN(),
3859                 },
3860                 .fixup_map2 = { 3 },
3861                 .result = ACCEPT,
3862                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3863         },
3864         {
3865                 "helper access to adjusted map (via const reg): empty range",
3866                 .insns = {
3867                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3868                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3869                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3870                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3871                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3872                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3873                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3874                         BPF_MOV64_IMM(BPF_REG_3, 0),
3875                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3876                         BPF_MOV64_IMM(BPF_REG_2, 0),
3877                         BPF_MOV64_IMM(BPF_REG_3, 0),
3878                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3879                         BPF_EXIT_INSN(),
3880                 },
3881                 .fixup_map2 = { 3 },
3882                 .errstr = "R1 min value is outside of the array range",
3883                 .result = REJECT,
3884                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3885         },
3886         {
3887                 "helper access to adjusted map (via const reg): out-of-bound range",
3888                 .insns = {
3889                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3890                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3891                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3892                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3893                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3894                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3895                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3896                         BPF_MOV64_IMM(BPF_REG_3,
3897                                 offsetof(struct test_val, foo)),
3898                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3899                         BPF_MOV64_IMM(BPF_REG_2,
3900                                 sizeof(struct test_val) -
3901                                 offsetof(struct test_val, foo) + 8),
3902                         BPF_MOV64_IMM(BPF_REG_3, 0),
3903                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3904                         BPF_EXIT_INSN(),
3905                 },
3906                 .fixup_map2 = { 3 },
3907                 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
3908                 .result = REJECT,
3909                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3910         },
3911         {
3912                 "helper access to adjusted map (via const reg): negative range (> adjustment)",
3913                 .insns = {
3914                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3915                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3916                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3917                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3918                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3919                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3920                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3921                         BPF_MOV64_IMM(BPF_REG_3,
3922                                 offsetof(struct test_val, foo)),
3923                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3924                         BPF_MOV64_IMM(BPF_REG_2, -8),
3925                         BPF_MOV64_IMM(BPF_REG_3, 0),
3926                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3927                         BPF_EXIT_INSN(),
3928                 },
3929                 .fixup_map2 = { 3 },
3930                 .errstr = "invalid access to map value, value_size=48 off=4 size=-8",
3931                 .result = REJECT,
3932                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3933         },
3934         {
3935                 "helper access to adjusted map (via const reg): negative range (< adjustment)",
3936                 .insns = {
3937                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3938                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3939                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3940                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3941                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3942                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
3943                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3944                         BPF_MOV64_IMM(BPF_REG_3,
3945                                 offsetof(struct test_val, foo)),
3946                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3947                         BPF_MOV64_IMM(BPF_REG_2, -1),
3948                         BPF_MOV64_IMM(BPF_REG_3, 0),
3949                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3950                         BPF_EXIT_INSN(),
3951                 },
3952                 .fixup_map2 = { 3 },
3953                 .errstr = "R1 min value is outside of the array range",
3954                 .result = REJECT,
3955                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3956         },
3957         {
3958                 "helper access to adjusted map (via variable): full range",
3959                 .insns = {
3960                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3961                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3962                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3963                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3964                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3965                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3966                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3967                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
3968                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
3969                                 offsetof(struct test_val, foo), 4),
3970                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3971                         BPF_MOV64_IMM(BPF_REG_2,
3972                                 sizeof(struct test_val) -
3973                                 offsetof(struct test_val, foo)),
3974                         BPF_MOV64_IMM(BPF_REG_3, 0),
3975                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3976                         BPF_EXIT_INSN(),
3977                 },
3978                 .fixup_map2 = { 3 },
3979                 .result = ACCEPT,
3980                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
3981         },
3982         {
3983                 "helper access to adjusted map (via variable): partial range",
3984                 .insns = {
3985                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
3986                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
3987                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
3988                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3989                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
3990                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
3991                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
3992                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
3993                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
3994                                 offsetof(struct test_val, foo), 4),
3995                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
3996                         BPF_MOV64_IMM(BPF_REG_2, 8),
3997                         BPF_MOV64_IMM(BPF_REG_3, 0),
3998                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
3999                         BPF_EXIT_INSN(),
4000                 },
4001                 .fixup_map2 = { 3 },
4002                 .result = ACCEPT,
4003                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4004         },
4005         {
4006                 "helper access to adjusted map (via variable): empty range",
4007                 .insns = {
4008                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4009                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4010                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4011                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4012                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4013                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4014                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4015                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4016                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4017                                 offsetof(struct test_val, foo), 4),
4018                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4019                         BPF_MOV64_IMM(BPF_REG_2, 0),
4020                         BPF_MOV64_IMM(BPF_REG_3, 0),
4021                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4022                         BPF_EXIT_INSN(),
4023                 },
4024                 .fixup_map2 = { 3 },
4025                 .errstr = "R1 min value is outside of the array range",
4026                 .result = REJECT,
4027                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4028         },
4029         {
4030                 "helper access to adjusted map (via variable): no max check",
4031                 .insns = {
4032                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4033                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4034                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4035                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4036                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4037                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4038                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4039                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4040                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4041                         BPF_MOV64_IMM(BPF_REG_2, 0),
4042                         BPF_MOV64_IMM(BPF_REG_3, 0),
4043                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4044                         BPF_EXIT_INSN(),
4045                 },
4046                 .fixup_map2 = { 3 },
4047                 .errstr = "R1 min value is negative, either use unsigned index or do a if (index >=0) check",
4048                 .result = REJECT,
4049                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4050         },
4051         {
4052                 "helper access to adjusted map (via variable): wrong max check",
4053                 .insns = {
4054                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4055                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4056                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4057                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4058                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4059                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4060                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4061                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
4062                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
4063                                 offsetof(struct test_val, foo), 4),
4064                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4065                         BPF_MOV64_IMM(BPF_REG_2,
4066                                 sizeof(struct test_val) -
4067                                 offsetof(struct test_val, foo) + 1),
4068                         BPF_MOV64_IMM(BPF_REG_3, 0),
4069                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4070                         BPF_EXIT_INSN(),
4071                 },
4072                 .fixup_map2 = { 3 },
4073                 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
4074                 .result = REJECT,
4075                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4076         },
4077         {
4078                 "map element value is preserved across register spilling",
4079                 .insns = {
4080                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4081                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4082                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4083                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4084                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4085                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4086                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
4087                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4088                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
4089                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4090                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
4091                         BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
4092                         BPF_EXIT_INSN(),
4093                 },
4094                 .fixup_map2 = { 3 },
4095                 .errstr_unpriv = "R0 leaks addr",
4096                 .result = ACCEPT,
4097                 .result_unpriv = REJECT,
4098         },
4099         {
4100                 "map element value or null is marked on register spilling",
4101                 .insns = {
4102                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4103                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4104                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4105                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4106                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4107                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4108                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -152),
4109                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4110                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4111                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
4112                         BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
4113                         BPF_EXIT_INSN(),
4114                 },
4115                 .fixup_map2 = { 3 },
4116                 .errstr_unpriv = "R0 leaks addr",
4117                 .result = ACCEPT,
4118                 .result_unpriv = REJECT,
4119         },
4120         {
4121                 "map element value store of cleared call register",
4122                 .insns = {
4123                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4124                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4125                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4126                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4127                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4128                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4129                         BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 0),
4130                         BPF_EXIT_INSN(),
4131                 },
4132                 .fixup_map2 = { 3 },
4133                 .errstr_unpriv = "R1 !read_ok",
4134                 .errstr = "R1 !read_ok",
4135                 .result = REJECT,
4136                 .result_unpriv = REJECT,
4137         },
4138         {
4139                 "map element value with unaligned store",
4140                 .insns = {
4141                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4142                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4143                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4144                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4145                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4146                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 17),
4147                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
4148                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
4149                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 2, 43),
4150                         BPF_ST_MEM(BPF_DW, BPF_REG_0, -2, 44),
4151                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4152                         BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 32),
4153                         BPF_ST_MEM(BPF_DW, BPF_REG_8, 2, 33),
4154                         BPF_ST_MEM(BPF_DW, BPF_REG_8, -2, 34),
4155                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_8, 5),
4156                         BPF_ST_MEM(BPF_DW, BPF_REG_8, 0, 22),
4157                         BPF_ST_MEM(BPF_DW, BPF_REG_8, 4, 23),
4158                         BPF_ST_MEM(BPF_DW, BPF_REG_8, -7, 24),
4159                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_8),
4160                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, 3),
4161                         BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 22),
4162                         BPF_ST_MEM(BPF_DW, BPF_REG_7, 4, 23),
4163                         BPF_ST_MEM(BPF_DW, BPF_REG_7, -4, 24),
4164                         BPF_EXIT_INSN(),
4165                 },
4166                 .fixup_map2 = { 3 },
4167                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4168                 .result = ACCEPT,
4169                 .result_unpriv = REJECT,
4170                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4171         },
4172         {
4173                 "map element value with unaligned load",
4174                 .insns = {
4175                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4176                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4177                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4178                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4179                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4180                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
4181                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4182                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 9),
4183                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 3),
4184                         BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
4185                         BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 2),
4186                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4187                         BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0),
4188                         BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 2),
4189                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 5),
4190                         BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 0),
4191                         BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_0, 4),
4192                         BPF_EXIT_INSN(),
4193                 },
4194                 .fixup_map2 = { 3 },
4195                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4196                 .result = ACCEPT,
4197                 .result_unpriv = REJECT,
4198                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4199         },
4200         {
4201                 "map element value illegal alu op, 1",
4202                 .insns = {
4203                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4204                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4205                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4206                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4207                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4208                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4209                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 8),
4210                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4211                         BPF_EXIT_INSN(),
4212                 },
4213                 .fixup_map2 = { 3 },
4214                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4215                 .errstr = "invalid mem access 'inv'",
4216                 .result = REJECT,
4217                 .result_unpriv = REJECT,
4218         },
4219         {
4220                 "map element value illegal alu op, 2",
4221                 .insns = {
4222                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4223                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4224                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4225                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4226                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4227                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4228                         BPF_ALU32_IMM(BPF_ADD, BPF_REG_0, 0),
4229                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4230                         BPF_EXIT_INSN(),
4231                 },
4232                 .fixup_map2 = { 3 },
4233                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4234                 .errstr = "invalid mem access 'inv'",
4235                 .result = REJECT,
4236                 .result_unpriv = REJECT,
4237         },
4238         {
4239                 "map element value illegal alu op, 3",
4240                 .insns = {
4241                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4242                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4243                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4244                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4245                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4246                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4247                         BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 42),
4248                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4249                         BPF_EXIT_INSN(),
4250                 },
4251                 .fixup_map2 = { 3 },
4252                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4253                 .errstr = "invalid mem access 'inv'",
4254                 .result = REJECT,
4255                 .result_unpriv = REJECT,
4256         },
4257         {
4258                 "map element value illegal alu op, 4",
4259                 .insns = {
4260                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4261                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4262                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4263                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4264                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4265                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4266                         BPF_ENDIAN(BPF_FROM_BE, BPF_REG_0, 64),
4267                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4268                         BPF_EXIT_INSN(),
4269                 },
4270                 .fixup_map2 = { 3 },
4271                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4272                 .errstr = "invalid mem access 'inv'",
4273                 .result = REJECT,
4274                 .result_unpriv = REJECT,
4275         },
4276         {
4277                 "map element value illegal alu op, 5",
4278                 .insns = {
4279                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4280                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4281                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4282                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4283                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4284                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4285                         BPF_MOV64_IMM(BPF_REG_3, 4096),
4286                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4287                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4288                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_0, 0),
4289                         BPF_STX_XADD(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
4290                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 0),
4291                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 22),
4292                         BPF_EXIT_INSN(),
4293                 },
4294                 .fixup_map2 = { 3 },
4295                 .errstr_unpriv = "R0 invalid mem access 'inv'",
4296                 .errstr = "R0 invalid mem access 'inv'",
4297                 .result = REJECT,
4298                 .result_unpriv = REJECT,
4299         },
4300         {
4301                 "map element value is preserved across register spilling",
4302                 .insns = {
4303                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4304                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4305                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4306                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4307                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4308                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4309                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0,
4310                                 offsetof(struct test_val, foo)),
4311                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 42),
4312                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4313                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -184),
4314                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4315                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1, 0),
4316                         BPF_ST_MEM(BPF_DW, BPF_REG_3, 0, 42),
4317                         BPF_EXIT_INSN(),
4318                 },
4319                 .fixup_map2 = { 3 },
4320                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4321                 .result = ACCEPT,
4322                 .result_unpriv = REJECT,
4323                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4324         },
4325         {
4326                 "helper access to variable memory: stack, bitwise AND + JMP, correct bounds",
4327                 .insns = {
4328                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4329                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4330                         BPF_MOV64_IMM(BPF_REG_0, 0),
4331                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4332                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4333                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4334                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4335                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
4336                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4337                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4338                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4339                         BPF_MOV64_IMM(BPF_REG_2, 16),
4340                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4341                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4342                         BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
4343                         BPF_MOV64_IMM(BPF_REG_4, 0),
4344                         BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4345                         BPF_MOV64_IMM(BPF_REG_3, 0),
4346                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4347                         BPF_MOV64_IMM(BPF_REG_0, 0),
4348                         BPF_EXIT_INSN(),
4349                 },
4350                 .result = ACCEPT,
4351                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4352         },
4353         {
4354                 "helper access to variable memory: stack, bitwise AND, zero included",
4355                 .insns = {
4356                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4357                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4358                         BPF_MOV64_IMM(BPF_REG_2, 16),
4359                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4360                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4361                         BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
4362                         BPF_MOV64_IMM(BPF_REG_3, 0),
4363                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4364                         BPF_EXIT_INSN(),
4365                 },
4366                 .errstr = "invalid stack type R1 off=-64 access_size=0",
4367                 .result = REJECT,
4368                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4369         },
4370         {
4371                 "helper access to variable memory: stack, bitwise AND + JMP, wrong max",
4372                 .insns = {
4373                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4374                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4375                         BPF_MOV64_IMM(BPF_REG_2, 16),
4376                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4377                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4378                         BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 65),
4379                         BPF_MOV64_IMM(BPF_REG_4, 0),
4380                         BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4381                         BPF_MOV64_IMM(BPF_REG_3, 0),
4382                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4383                         BPF_MOV64_IMM(BPF_REG_0, 0),
4384                         BPF_EXIT_INSN(),
4385                 },
4386                 .errstr = "invalid stack type R1 off=-64 access_size=65",
4387                 .result = REJECT,
4388                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4389         },
4390         {
4391                 "helper access to variable memory: stack, JMP, correct bounds",
4392                 .insns = {
4393                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4394                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4395                         BPF_MOV64_IMM(BPF_REG_0, 0),
4396                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4397                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4398                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4399                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4400                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
4401                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4402                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4403                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4404                         BPF_MOV64_IMM(BPF_REG_2, 16),
4405                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4406                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4407                         BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 4),
4408                         BPF_MOV64_IMM(BPF_REG_4, 0),
4409                         BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4410                         BPF_MOV64_IMM(BPF_REG_3, 0),
4411                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4412                         BPF_MOV64_IMM(BPF_REG_0, 0),
4413                         BPF_EXIT_INSN(),
4414                 },
4415                 .result = ACCEPT,
4416                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4417         },
4418         {
4419                 "helper access to variable memory: stack, JMP (signed), correct bounds",
4420                 .insns = {
4421                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4422                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4423                         BPF_MOV64_IMM(BPF_REG_0, 0),
4424                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4425                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4426                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4427                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4428                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
4429                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4430                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4431                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4432                         BPF_MOV64_IMM(BPF_REG_2, 16),
4433                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4434                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4435                         BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 4),
4436                         BPF_MOV64_IMM(BPF_REG_4, 0),
4437                         BPF_JMP_REG(BPF_JSGE, BPF_REG_4, BPF_REG_2, 2),
4438                         BPF_MOV64_IMM(BPF_REG_3, 0),
4439                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4440                         BPF_MOV64_IMM(BPF_REG_0, 0),
4441                         BPF_EXIT_INSN(),
4442                 },
4443                 .result = ACCEPT,
4444                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4445         },
4446         {
4447                 "helper access to variable memory: stack, JMP, bounds + offset",
4448                 .insns = {
4449                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4450                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4451                         BPF_MOV64_IMM(BPF_REG_2, 16),
4452                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4453                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4454                         BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 5),
4455                         BPF_MOV64_IMM(BPF_REG_4, 0),
4456                         BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 3),
4457                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4458                         BPF_MOV64_IMM(BPF_REG_3, 0),
4459                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4460                         BPF_MOV64_IMM(BPF_REG_0, 0),
4461                         BPF_EXIT_INSN(),
4462                 },
4463                 .errstr = "invalid stack type R1 off=-64 access_size=65",
4464                 .result = REJECT,
4465                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4466         },
4467         {
4468                 "helper access to variable memory: stack, JMP, wrong max",
4469                 .insns = {
4470                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4471                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4472                         BPF_MOV64_IMM(BPF_REG_2, 16),
4473                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4474                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4475                         BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 65, 4),
4476                         BPF_MOV64_IMM(BPF_REG_4, 0),
4477                         BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4478                         BPF_MOV64_IMM(BPF_REG_3, 0),
4479                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4480                         BPF_MOV64_IMM(BPF_REG_0, 0),
4481                         BPF_EXIT_INSN(),
4482                 },
4483                 .errstr = "invalid stack type R1 off=-64 access_size=65",
4484                 .result = REJECT,
4485                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4486         },
4487         {
4488                 "helper access to variable memory: stack, JMP, no max check",
4489                 .insns = {
4490                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4491                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4492                         BPF_MOV64_IMM(BPF_REG_2, 16),
4493                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4494                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4495                         BPF_MOV64_IMM(BPF_REG_4, 0),
4496                         BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4497                         BPF_MOV64_IMM(BPF_REG_3, 0),
4498                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4499                         BPF_MOV64_IMM(BPF_REG_0, 0),
4500                         BPF_EXIT_INSN(),
4501                 },
4502                 .errstr = "R2 unbounded memory access",
4503                 .result = REJECT,
4504                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4505         },
4506         {
4507                 "helper access to variable memory: stack, JMP, no min check",
4508                 .insns = {
4509                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4510                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4511                         BPF_MOV64_IMM(BPF_REG_2, 16),
4512                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4513                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4514                         BPF_JMP_IMM(BPF_JGT, BPF_REG_2, 64, 3),
4515                         BPF_MOV64_IMM(BPF_REG_3, 0),
4516                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4517                         BPF_MOV64_IMM(BPF_REG_0, 0),
4518                         BPF_EXIT_INSN(),
4519                 },
4520                 .errstr = "invalid stack type R1 off=-64 access_size=0",
4521                 .result = REJECT,
4522                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4523         },
4524         {
4525                 "helper access to variable memory: stack, JMP (signed), no min check",
4526                 .insns = {
4527                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4528                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4529                         BPF_MOV64_IMM(BPF_REG_2, 16),
4530                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, -128),
4531                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -128),
4532                         BPF_JMP_IMM(BPF_JSGT, BPF_REG_2, 64, 3),
4533                         BPF_MOV64_IMM(BPF_REG_3, 0),
4534                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4535                         BPF_MOV64_IMM(BPF_REG_0, 0),
4536                         BPF_EXIT_INSN(),
4537                 },
4538                 .errstr = "R2 min value is negative",
4539                 .result = REJECT,
4540                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4541         },
4542         {
4543                 "helper access to variable memory: map, JMP, correct bounds",
4544                 .insns = {
4545                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4546                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4547                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4548                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4549                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4550                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4551                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4552                         BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4553                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4554                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4555                         BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
4556                                 sizeof(struct test_val), 4),
4557                         BPF_MOV64_IMM(BPF_REG_4, 0),
4558                         BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4559                         BPF_MOV64_IMM(BPF_REG_3, 0),
4560                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4561                         BPF_MOV64_IMM(BPF_REG_0, 0),
4562                         BPF_EXIT_INSN(),
4563                 },
4564                 .fixup_map2 = { 3 },
4565                 .result = ACCEPT,
4566                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4567         },
4568         {
4569                 "helper access to variable memory: map, JMP, wrong max",
4570                 .insns = {
4571                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4572                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4573                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4574                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4575                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4576                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4577                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4578                         BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4579                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4580                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4581                         BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
4582                                 sizeof(struct test_val) + 1, 4),
4583                         BPF_MOV64_IMM(BPF_REG_4, 0),
4584                         BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4585                         BPF_MOV64_IMM(BPF_REG_3, 0),
4586                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4587                         BPF_MOV64_IMM(BPF_REG_0, 0),
4588                         BPF_EXIT_INSN(),
4589                 },
4590                 .fixup_map2 = { 3 },
4591                 .errstr = "invalid access to map value, value_size=48 off=0 size=49",
4592                 .result = REJECT,
4593                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4594         },
4595         {
4596                 "helper access to variable memory: map adjusted, JMP, correct bounds",
4597                 .insns = {
4598                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4599                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4600                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4601                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4602                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4603                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
4604                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4605                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
4606                         BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4607                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4608                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4609                         BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
4610                                 sizeof(struct test_val) - 20, 4),
4611                         BPF_MOV64_IMM(BPF_REG_4, 0),
4612                         BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4613                         BPF_MOV64_IMM(BPF_REG_3, 0),
4614                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4615                         BPF_MOV64_IMM(BPF_REG_0, 0),
4616                         BPF_EXIT_INSN(),
4617                 },
4618                 .fixup_map2 = { 3 },
4619                 .result = ACCEPT,
4620                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4621         },
4622         {
4623                 "helper access to variable memory: map adjusted, JMP, wrong max",
4624                 .insns = {
4625                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4626                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4627                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4628                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4629                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4630                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 11),
4631                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4632                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 20),
4633                         BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4634                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4635                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4636                         BPF_JMP_IMM(BPF_JSGT, BPF_REG_2,
4637                                 sizeof(struct test_val) - 19, 4),
4638                         BPF_MOV64_IMM(BPF_REG_4, 0),
4639                         BPF_JMP_REG(BPF_JGE, BPF_REG_4, BPF_REG_2, 2),
4640                         BPF_MOV64_IMM(BPF_REG_3, 0),
4641                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4642                         BPF_MOV64_IMM(BPF_REG_0, 0),
4643                         BPF_EXIT_INSN(),
4644                 },
4645                 .fixup_map2 = { 3 },
4646                 .errstr = "R1 min value is outside of the array range",
4647                 .result = REJECT,
4648                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4649         },
4650         {
4651                 "helper access to variable memory: size > 0 not allowed on NULL",
4652                 .insns = {
4653                         BPF_MOV64_IMM(BPF_REG_1, 0),
4654                         BPF_MOV64_IMM(BPF_REG_2, 0),
4655                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4656                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4657                         BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 64),
4658                         BPF_MOV64_IMM(BPF_REG_3, 0),
4659                         BPF_MOV64_IMM(BPF_REG_4, 0),
4660                         BPF_MOV64_IMM(BPF_REG_5, 0),
4661                         BPF_EMIT_CALL(BPF_FUNC_csum_diff),
4662                         BPF_EXIT_INSN(),
4663                 },
4664                 .errstr = "R1 type=imm expected=fp",
4665                 .result = REJECT,
4666                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4667         },
4668         {
4669                 "helper access to variable memory: size = 0 not allowed on != NULL",
4670                 .insns = {
4671                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4672                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
4673                         BPF_MOV64_IMM(BPF_REG_2, 0),
4674                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2, 0),
4675                         BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 8),
4676                         BPF_MOV64_IMM(BPF_REG_3, 0),
4677                         BPF_MOV64_IMM(BPF_REG_4, 0),
4678                         BPF_MOV64_IMM(BPF_REG_5, 0),
4679                         BPF_EMIT_CALL(BPF_FUNC_csum_diff),
4680                         BPF_EXIT_INSN(),
4681                 },
4682                 .errstr = "invalid stack type R1 off=-8 access_size=0",
4683                 .result = REJECT,
4684                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4685         },
4686         {
4687                 "helper access to variable memory: 8 bytes leak",
4688                 .insns = {
4689                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4690                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4691                         BPF_MOV64_IMM(BPF_REG_0, 0),
4692                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4693                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4694                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4695                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4696                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4697                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4698                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4699                         BPF_MOV64_IMM(BPF_REG_2, 0),
4700                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -128),
4701                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -128),
4702                         BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 63),
4703                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
4704                         BPF_MOV64_IMM(BPF_REG_3, 0),
4705                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4706                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
4707                         BPF_EXIT_INSN(),
4708                 },
4709                 .errstr = "invalid indirect read from stack off -64+32 size 64",
4710                 .result = REJECT,
4711                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4712         },
4713         {
4714                 "helper access to variable memory: 8 bytes no leak (init memory)",
4715                 .insns = {
4716                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4717                         BPF_MOV64_IMM(BPF_REG_0, 0),
4718                         BPF_MOV64_IMM(BPF_REG_0, 0),
4719                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -64),
4720                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -56),
4721                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -48),
4722                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -40),
4723                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -32),
4724                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -24),
4725                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -16),
4726                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
4727                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -64),
4728                         BPF_MOV64_IMM(BPF_REG_2, 0),
4729                         BPF_ALU64_IMM(BPF_AND, BPF_REG_2, 32),
4730                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 32),
4731                         BPF_MOV64_IMM(BPF_REG_3, 0),
4732                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4733                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_10, -16),
4734                         BPF_EXIT_INSN(),
4735                 },
4736                 .result = ACCEPT,
4737                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4738         },
4739         {
4740                 "invalid and of negative number",
4741                 .insns = {
4742                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4743                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4744                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4745                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4746                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4747                                      BPF_FUNC_map_lookup_elem),
4748                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4749                         BPF_MOV64_IMM(BPF_REG_1, 6),
4750                         BPF_ALU64_IMM(BPF_AND, BPF_REG_1, -4),
4751                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4752                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4753                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4754                                    offsetof(struct test_val, foo)),
4755                         BPF_EXIT_INSN(),
4756                 },
4757                 .fixup_map2 = { 3 },
4758                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4759                 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
4760                 .result = REJECT,
4761                 .result_unpriv = REJECT,
4762                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4763         },
4764         {
4765                 "invalid range check",
4766                 .insns = {
4767                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4768                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4769                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4770                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4771                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4772                                      BPF_FUNC_map_lookup_elem),
4773                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 12),
4774                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4775                         BPF_MOV64_IMM(BPF_REG_9, 1),
4776                         BPF_ALU32_IMM(BPF_MOD, BPF_REG_1, 2),
4777                         BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
4778                         BPF_ALU32_REG(BPF_AND, BPF_REG_9, BPF_REG_1),
4779                         BPF_ALU32_IMM(BPF_ADD, BPF_REG_9, 1),
4780                         BPF_ALU32_IMM(BPF_RSH, BPF_REG_9, 1),
4781                         BPF_MOV32_IMM(BPF_REG_3, 1),
4782                         BPF_ALU32_REG(BPF_SUB, BPF_REG_3, BPF_REG_9),
4783                         BPF_ALU32_IMM(BPF_MUL, BPF_REG_3, 0x10000000),
4784                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
4785                         BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_3, 0),
4786                         BPF_MOV64_REG(BPF_REG_0, 0),
4787                         BPF_EXIT_INSN(),
4788                 },
4789                 .fixup_map2 = { 3 },
4790                 .errstr_unpriv = "R0 pointer arithmetic prohibited",
4791                 .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
4792                 .result = REJECT,
4793                 .result_unpriv = REJECT,
4794                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4795         }
4796 };
4797 
4798 static int probe_filter_length(const struct bpf_insn *fp)
4799 {
4800         int len;
4801 
4802         for (len = MAX_INSNS - 1; len > 0; --len)
4803                 if (fp[len].code != 0 || fp[len].imm != 0)
4804                         break;
4805         return len + 1;
4806 }
4807 
4808 static int create_map(uint32_t size_value, uint32_t max_elem)
4809 {
4810         int fd;
4811 
4812         fd = bpf_create_map(BPF_MAP_TYPE_HASH, sizeof(long long),
4813                             size_value, max_elem, BPF_F_NO_PREALLOC);
4814         if (fd < 0)
4815                 printf("Failed to create hash map '%s'!\n", strerror(errno));
4816 
4817         return fd;
4818 }
4819 
4820 static int create_prog_array(void)
4821 {
4822         int fd;
4823 
4824         fd = bpf_create_map(BPF_MAP_TYPE_PROG_ARRAY, sizeof(int),
4825                             sizeof(int), 4, 0);
4826         if (fd < 0)
4827                 printf("Failed to create prog array '%s'!\n", strerror(errno));
4828 
4829         return fd;
4830 }
4831 
4832 static char bpf_vlog[32768];
4833 
4834 static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
4835                           int *fd_f1, int *fd_f2, int *fd_f3)
4836 {
4837         int *fixup_map1 = test->fixup_map1;
4838         int *fixup_map2 = test->fixup_map2;
4839         int *fixup_prog = test->fixup_prog;
4840 
4841         /* Allocating HTs with 1 elem is fine here, since we only test
4842          * for verifier and not do a runtime lookup, so the only thing
4843          * that really matters is value size in this case.
4844          */
4845         if (*fixup_map1) {
4846                 *fd_f1 = create_map(sizeof(long long), 1);
4847                 do {
4848                         prog[*fixup_map1].imm = *fd_f1;
4849                         fixup_map1++;
4850                 } while (*fixup_map1);
4851         }
4852 
4853         if (*fixup_map2) {
4854                 *fd_f2 = create_map(sizeof(struct test_val), 1);
4855                 do {
4856                         prog[*fixup_map2].imm = *fd_f2;
4857                         fixup_map2++;
4858                 } while (*fixup_map2);
4859         }
4860 
4861         if (*fixup_prog) {
4862                 *fd_f3 = create_prog_array();
4863                 do {
4864                         prog[*fixup_prog].imm = *fd_f3;
4865                         fixup_prog++;
4866                 } while (*fixup_prog);
4867         }
4868 }
4869 
4870 static void do_test_single(struct bpf_test *test, bool unpriv,
4871                            int *passes, int *errors)
4872 {
4873         int fd_prog, expected_ret, reject_from_alignment;
4874         struct bpf_insn *prog = test->insns;
4875         int prog_len = probe_filter_length(prog);
4876         int prog_type = test->prog_type;
4877         int fd_f1 = -1, fd_f2 = -1, fd_f3 = -1;
4878         const char *expected_err;
4879 
4880         do_test_fixup(test, prog, &fd_f1, &fd_f2, &fd_f3);
4881 
4882         fd_prog = bpf_load_program(prog_type ? : BPF_PROG_TYPE_SOCKET_FILTER,
4883                                    prog, prog_len, "GPL", 0, bpf_vlog,
4884                                    sizeof(bpf_vlog));