~ [ source navigation ] ~ [ diff markup ] ~ [ identifier search ] ~

TOMOYO Linux Cross Reference
Linux/tools/testing/selftests/bpf/test_verifier.c

Version: ~ [ linux-4.20-rc6 ] ~ [ linux-4.19.8 ] ~ [ linux-4.18.20 ] ~ [ linux-4.17.19 ] ~ [ linux-4.16.18 ] ~ [ linux-4.15.18 ] ~ [ linux-4.14.87 ] ~ [ linux-4.13.16 ] ~ [ linux-4.12.14 ] ~ [ linux-4.11.12 ] ~ [ linux-4.10.17 ] ~ [ linux-4.9.144 ] ~ [ linux-4.8.17 ] ~ [ linux-4.7.10 ] ~ [ linux-4.6.7 ] ~ [ linux-4.5.7 ] ~ [ linux-4.4.166 ] ~ [ linux-4.3.6 ] ~ [ linux-4.2.8 ] ~ [ linux-4.1.52 ] ~ [ linux-4.0.9 ] ~ [ linux-3.19.8 ] ~ [ linux-3.18.128 ] ~ [ linux-3.17.8 ] ~ [ linux-3.16.61 ] ~ [ linux-3.15.10 ] ~ [ linux-3.14.79 ] ~ [ linux-3.13.11 ] ~ [ linux-3.12.74 ] ~ [ linux-3.11.10 ] ~ [ linux-3.10.108 ] ~ [ linux-3.9.11 ] ~ [ linux-3.8.13 ] ~ [ linux-3.7.10 ] ~ [ linux-3.6.11 ] ~ [ linux-3.5.7 ] ~ [ linux-3.4.113 ] ~ [ linux-3.3.8 ] ~ [ linux-3.2.102 ] ~ [ linux-3.1.10 ] ~ [ linux-3.0.101 ] ~ [ linux-2.6.39.4 ] ~ [ linux-2.6.38.8 ] ~ [ linux-2.6.37.6 ] ~ [ linux-2.6.36.4 ] ~ [ linux-2.6.35.14 ] ~ [ linux-2.6.34.15 ] ~ [ linux-2.6.33.20 ] ~ [ linux-2.6.32.71 ] ~ [ linux-2.6.31.14 ] ~ [ linux-2.6.30.10 ] ~ [ linux-2.6.29.6 ] ~ [ linux-2.6.28.10 ] ~ [ linux-2.6.27.62 ] ~ [ linux-2.6.0 ] ~ [ linux-2.4.37.11 ] ~ [ unix-v6-master ] ~ [ ccs-tools-1.8.5 ] ~ [ policy-sample ] ~
Architecture: ~ [ i386 ] ~ [ alpha ] ~ [ m68k ] ~ [ mips ] ~ [ ppc ] ~ [ sparc ] ~ [ sparc64 ] ~

  1 /*
  2  * Testsuite for eBPF verifier
  3  *
  4  * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
  5  * Copyright (c) 2017 Facebook
  6  *
  7  * This program is free software; you can redistribute it and/or
  8  * modify it under the terms of version 2 of the GNU General Public
  9  * License as published by the Free Software Foundation.
 10  */
 11 
 12 #include <endian.h>
 13 #include <asm/types.h>
 14 #include <linux/types.h>
 15 #include <stdint.h>
 16 #include <stdio.h>
 17 #include <stdlib.h>
 18 #include <unistd.h>
 19 #include <errno.h>
 20 #include <string.h>
 21 #include <stddef.h>
 22 #include <stdbool.h>
 23 #include <sched.h>
 24 #include <limits.h>
 25 
 26 #include <sys/capability.h>
 27 #include <sys/resource.h>
 28 
 29 #include <linux/unistd.h>
 30 #include <linux/filter.h>
 31 #include <linux/bpf_perf_event.h>
 32 #include <linux/bpf.h>
 33 #include <linux/if_ether.h>
 34 
 35 #include <bpf/bpf.h>
 36 
 37 #ifdef HAVE_GENHDR
 38 # include "autoconf.h"
 39 #else
 40 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
 41 #  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
 42 # endif
 43 #endif
 44 
 45 #include "../../../include/linux/filter.h"
 46 
 47 #ifndef ARRAY_SIZE
 48 # define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
 49 #endif
 50 
 51 #define MAX_INSNS       512
 52 #define MAX_FIXUPS      8
 53 #define MAX_NR_MAPS     4
 54 #define POINTER_VALUE   0xcafe4all
 55 #define TEST_DATA_LEN   64
 56 
 57 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS      (1 << 0)
 58 #define F_LOAD_WITH_STRICT_ALIGNMENT            (1 << 1)
 59 
 60 struct bpf_test {
 61         const char *descr;
 62         struct bpf_insn insns[MAX_INSNS];
 63         int fixup_map1[MAX_FIXUPS];
 64         int fixup_map2[MAX_FIXUPS];
 65         int fixup_prog[MAX_FIXUPS];
 66         int fixup_map_in_map[MAX_FIXUPS];
 67         const char *errstr;
 68         const char *errstr_unpriv;
 69         uint32_t retval;
 70         enum {
 71                 UNDEF,
 72                 ACCEPT,
 73                 REJECT
 74         } result, result_unpriv;
 75         enum bpf_prog_type prog_type;
 76         uint8_t flags;
 77 };
 78 
 79 /* Note we want this to be 64 bit aligned so that the end of our array is
 80  * actually the end of the structure.
 81  */
 82 #define MAX_ENTRIES 11
 83 
 84 struct test_val {
 85         unsigned int index;
 86         int foo[MAX_ENTRIES];
 87 };
 88 
 89 static struct bpf_test tests[] = {
 90         {
 91                 "add+sub+mul",
 92                 .insns = {
 93                         BPF_MOV64_IMM(BPF_REG_1, 1),
 94                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
 95                         BPF_MOV64_IMM(BPF_REG_2, 3),
 96                         BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
 97                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
 98                         BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
 99                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
100                         BPF_EXIT_INSN(),
101                 },
102                 .result = ACCEPT,
103                 .retval = -3,
104         },
105         {
106                 "DIV32 by 0, zero check 1",
107                 .insns = {
108                         BPF_MOV32_IMM(BPF_REG_0, 42),
109                         BPF_MOV32_IMM(BPF_REG_1, 0),
110                         BPF_MOV32_IMM(BPF_REG_2, 1),
111                         BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
112                         BPF_EXIT_INSN(),
113                 },
114                 .result = ACCEPT,
115                 .retval = 42,
116         },
117         {
118                 "DIV32 by 0, zero check 2",
119                 .insns = {
120                         BPF_MOV32_IMM(BPF_REG_0, 42),
121                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
122                         BPF_MOV32_IMM(BPF_REG_2, 1),
123                         BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
124                         BPF_EXIT_INSN(),
125                 },
126                 .result = ACCEPT,
127                 .retval = 42,
128         },
129         {
130                 "DIV64 by 0, zero check",
131                 .insns = {
132                         BPF_MOV32_IMM(BPF_REG_0, 42),
133                         BPF_MOV32_IMM(BPF_REG_1, 0),
134                         BPF_MOV32_IMM(BPF_REG_2, 1),
135                         BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
136                         BPF_EXIT_INSN(),
137                 },
138                 .result = ACCEPT,
139                 .retval = 42,
140         },
141         {
142                 "MOD32 by 0, zero check 1",
143                 .insns = {
144                         BPF_MOV32_IMM(BPF_REG_0, 42),
145                         BPF_MOV32_IMM(BPF_REG_1, 0),
146                         BPF_MOV32_IMM(BPF_REG_2, 1),
147                         BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
148                         BPF_EXIT_INSN(),
149                 },
150                 .result = ACCEPT,
151                 .retval = 42,
152         },
153         {
154                 "MOD32 by 0, zero check 2",
155                 .insns = {
156                         BPF_MOV32_IMM(BPF_REG_0, 42),
157                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
158                         BPF_MOV32_IMM(BPF_REG_2, 1),
159                         BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
160                         BPF_EXIT_INSN(),
161                 },
162                 .result = ACCEPT,
163                 .retval = 42,
164         },
165         {
166                 "MOD64 by 0, zero check",
167                 .insns = {
168                         BPF_MOV32_IMM(BPF_REG_0, 42),
169                         BPF_MOV32_IMM(BPF_REG_1, 0),
170                         BPF_MOV32_IMM(BPF_REG_2, 1),
171                         BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
172                         BPF_EXIT_INSN(),
173                 },
174                 .result = ACCEPT,
175                 .retval = 42,
176         },
177         {
178                 "DIV32 by 0, zero check ok, cls",
179                 .insns = {
180                         BPF_MOV32_IMM(BPF_REG_0, 42),
181                         BPF_MOV32_IMM(BPF_REG_1, 2),
182                         BPF_MOV32_IMM(BPF_REG_2, 16),
183                         BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
184                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
185                         BPF_EXIT_INSN(),
186                 },
187                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
188                 .result = ACCEPT,
189                 .retval = 8,
190         },
191         {
192                 "DIV32 by 0, zero check 1, cls",
193                 .insns = {
194                         BPF_MOV32_IMM(BPF_REG_1, 0),
195                         BPF_MOV32_IMM(BPF_REG_0, 1),
196                         BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
197                         BPF_EXIT_INSN(),
198                 },
199                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
200                 .result = ACCEPT,
201                 .retval = 0,
202         },
203         {
204                 "DIV32 by 0, zero check 2, cls",
205                 .insns = {
206                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
207                         BPF_MOV32_IMM(BPF_REG_0, 1),
208                         BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
209                         BPF_EXIT_INSN(),
210                 },
211                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
212                 .result = ACCEPT,
213                 .retval = 0,
214         },
215         {
216                 "DIV64 by 0, zero check, cls",
217                 .insns = {
218                         BPF_MOV32_IMM(BPF_REG_1, 0),
219                         BPF_MOV32_IMM(BPF_REG_0, 1),
220                         BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
221                         BPF_EXIT_INSN(),
222                 },
223                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
224                 .result = ACCEPT,
225                 .retval = 0,
226         },
227         {
228                 "MOD32 by 0, zero check ok, cls",
229                 .insns = {
230                         BPF_MOV32_IMM(BPF_REG_0, 42),
231                         BPF_MOV32_IMM(BPF_REG_1, 3),
232                         BPF_MOV32_IMM(BPF_REG_2, 5),
233                         BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
234                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
235                         BPF_EXIT_INSN(),
236                 },
237                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
238                 .result = ACCEPT,
239                 .retval = 2,
240         },
241         {
242                 "MOD32 by 0, zero check 1, cls",
243                 .insns = {
244                         BPF_MOV32_IMM(BPF_REG_1, 0),
245                         BPF_MOV32_IMM(BPF_REG_0, 1),
246                         BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
247                         BPF_EXIT_INSN(),
248                 },
249                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
250                 .result = ACCEPT,
251                 .retval = 1,
252         },
253         {
254                 "MOD32 by 0, zero check 2, cls",
255                 .insns = {
256                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
257                         BPF_MOV32_IMM(BPF_REG_0, 1),
258                         BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
259                         BPF_EXIT_INSN(),
260                 },
261                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
262                 .result = ACCEPT,
263                 .retval = 1,
264         },
265         {
266                 "MOD64 by 0, zero check 1, cls",
267                 .insns = {
268                         BPF_MOV32_IMM(BPF_REG_1, 0),
269                         BPF_MOV32_IMM(BPF_REG_0, 2),
270                         BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
271                         BPF_EXIT_INSN(),
272                 },
273                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
274                 .result = ACCEPT,
275                 .retval = 2,
276         },
277         {
278                 "MOD64 by 0, zero check 2, cls",
279                 .insns = {
280                         BPF_MOV32_IMM(BPF_REG_1, 0),
281                         BPF_MOV32_IMM(BPF_REG_0, -1),
282                         BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
283                         BPF_EXIT_INSN(),
284                 },
285                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
286                 .result = ACCEPT,
287                 .retval = -1,
288         },
289         /* Just make sure that JITs used udiv/umod as otherwise we get
290          * an exception from INT_MIN/-1 overflow similarly as with div
291          * by zero.
292          */
293         {
294                 "DIV32 overflow, check 1",
295                 .insns = {
296                         BPF_MOV32_IMM(BPF_REG_1, -1),
297                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
298                         BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
299                         BPF_EXIT_INSN(),
300                 },
301                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
302                 .result = ACCEPT,
303                 .retval = 0,
304         },
305         {
306                 "DIV32 overflow, check 2",
307                 .insns = {
308                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
309                         BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
310                         BPF_EXIT_INSN(),
311                 },
312                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
313                 .result = ACCEPT,
314                 .retval = 0,
315         },
316         {
317                 "DIV64 overflow, check 1",
318                 .insns = {
319                         BPF_MOV64_IMM(BPF_REG_1, -1),
320                         BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
321                         BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
322                         BPF_EXIT_INSN(),
323                 },
324                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
325                 .result = ACCEPT,
326                 .retval = 0,
327         },
328         {
329                 "DIV64 overflow, check 2",
330                 .insns = {
331                         BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
332                         BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
333                         BPF_EXIT_INSN(),
334                 },
335                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
336                 .result = ACCEPT,
337                 .retval = 0,
338         },
339         {
340                 "MOD32 overflow, check 1",
341                 .insns = {
342                         BPF_MOV32_IMM(BPF_REG_1, -1),
343                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
344                         BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
345                         BPF_EXIT_INSN(),
346                 },
347                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
348                 .result = ACCEPT,
349                 .retval = INT_MIN,
350         },
351         {
352                 "MOD32 overflow, check 2",
353                 .insns = {
354                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
355                         BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
356                         BPF_EXIT_INSN(),
357                 },
358                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
359                 .result = ACCEPT,
360                 .retval = INT_MIN,
361         },
362         {
363                 "MOD64 overflow, check 1",
364                 .insns = {
365                         BPF_MOV64_IMM(BPF_REG_1, -1),
366                         BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
367                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
368                         BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
369                         BPF_MOV32_IMM(BPF_REG_0, 0),
370                         BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
371                         BPF_MOV32_IMM(BPF_REG_0, 1),
372                         BPF_EXIT_INSN(),
373                 },
374                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
375                 .result = ACCEPT,
376                 .retval = 1,
377         },
378         {
379                 "MOD64 overflow, check 2",
380                 .insns = {
381                         BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
382                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
383                         BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
384                         BPF_MOV32_IMM(BPF_REG_0, 0),
385                         BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
386                         BPF_MOV32_IMM(BPF_REG_0, 1),
387                         BPF_EXIT_INSN(),
388                 },
389                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
390                 .result = ACCEPT,
391                 .retval = 1,
392         },
393         {
394                 "xor32 zero extend check",
395                 .insns = {
396                         BPF_MOV32_IMM(BPF_REG_2, -1),
397                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
398                         BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
399                         BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
400                         BPF_MOV32_IMM(BPF_REG_0, 2),
401                         BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
402                         BPF_MOV32_IMM(BPF_REG_0, 1),
403                         BPF_EXIT_INSN(),
404                 },
405                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
406                 .result = ACCEPT,
407                 .retval = 1,
408         },
409         {
410                 "empty prog",
411                 .insns = {
412                 },
413                 .errstr = "unknown opcode 00",
414                 .result = REJECT,
415         },
416         {
417                 "only exit insn",
418                 .insns = {
419                         BPF_EXIT_INSN(),
420                 },
421                 .errstr = "R0 !read_ok",
422                 .result = REJECT,
423         },
424         {
425                 "unreachable",
426                 .insns = {
427                         BPF_EXIT_INSN(),
428                         BPF_EXIT_INSN(),
429                 },
430                 .errstr = "unreachable",
431                 .result = REJECT,
432         },
433         {
434                 "unreachable2",
435                 .insns = {
436                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
437                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
438                         BPF_EXIT_INSN(),
439                 },
440                 .errstr = "unreachable",
441                 .result = REJECT,
442         },
443         {
444                 "out of range jump",
445                 .insns = {
446                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
447                         BPF_EXIT_INSN(),
448                 },
449                 .errstr = "jump out of range",
450                 .result = REJECT,
451         },
452         {
453                 "out of range jump2",
454                 .insns = {
455                         BPF_JMP_IMM(BPF_JA, 0, 0, -2),
456                         BPF_EXIT_INSN(),
457                 },
458                 .errstr = "jump out of range",
459                 .result = REJECT,
460         },
461         {
462                 "test1 ld_imm64",
463                 .insns = {
464                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
465                         BPF_LD_IMM64(BPF_REG_0, 0),
466                         BPF_LD_IMM64(BPF_REG_0, 0),
467                         BPF_LD_IMM64(BPF_REG_0, 1),
468                         BPF_LD_IMM64(BPF_REG_0, 1),
469                         BPF_MOV64_IMM(BPF_REG_0, 2),
470                         BPF_EXIT_INSN(),
471                 },
472                 .errstr = "invalid BPF_LD_IMM insn",
473                 .errstr_unpriv = "R1 pointer comparison",
474                 .result = REJECT,
475         },
476         {
477                 "test2 ld_imm64",
478                 .insns = {
479                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
480                         BPF_LD_IMM64(BPF_REG_0, 0),
481                         BPF_LD_IMM64(BPF_REG_0, 0),
482                         BPF_LD_IMM64(BPF_REG_0, 1),
483                         BPF_LD_IMM64(BPF_REG_0, 1),
484                         BPF_EXIT_INSN(),
485                 },
486                 .errstr = "invalid BPF_LD_IMM insn",
487                 .errstr_unpriv = "R1 pointer comparison",
488                 .result = REJECT,
489         },
490         {
491                 "test3 ld_imm64",
492                 .insns = {
493                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
494                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
495                         BPF_LD_IMM64(BPF_REG_0, 0),
496                         BPF_LD_IMM64(BPF_REG_0, 0),
497                         BPF_LD_IMM64(BPF_REG_0, 1),
498                         BPF_LD_IMM64(BPF_REG_0, 1),
499                         BPF_EXIT_INSN(),
500                 },
501                 .errstr = "invalid bpf_ld_imm64 insn",
502                 .result = REJECT,
503         },
504         {
505                 "test4 ld_imm64",
506                 .insns = {
507                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
508                         BPF_EXIT_INSN(),
509                 },
510                 .errstr = "invalid bpf_ld_imm64 insn",
511                 .result = REJECT,
512         },
513         {
514                 "test5 ld_imm64",
515                 .insns = {
516                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
517                 },
518                 .errstr = "invalid bpf_ld_imm64 insn",
519                 .result = REJECT,
520         },
521         {
522                 "test6 ld_imm64",
523                 .insns = {
524                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
525                         BPF_RAW_INSN(0, 0, 0, 0, 0),
526                         BPF_EXIT_INSN(),
527                 },
528                 .result = ACCEPT,
529         },
530         {
531                 "test7 ld_imm64",
532                 .insns = {
533                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
534                         BPF_RAW_INSN(0, 0, 0, 0, 1),
535                         BPF_EXIT_INSN(),
536                 },
537                 .result = ACCEPT,
538                 .retval = 1,
539         },
540         {
541                 "test8 ld_imm64",
542                 .insns = {
543                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
544                         BPF_RAW_INSN(0, 0, 0, 0, 1),
545                         BPF_EXIT_INSN(),
546                 },
547                 .errstr = "uses reserved fields",
548                 .result = REJECT,
549         },
550         {
551                 "test9 ld_imm64",
552                 .insns = {
553                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
554                         BPF_RAW_INSN(0, 0, 0, 1, 1),
555                         BPF_EXIT_INSN(),
556                 },
557                 .errstr = "invalid bpf_ld_imm64 insn",
558                 .result = REJECT,
559         },
560         {
561                 "test10 ld_imm64",
562                 .insns = {
563                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
564                         BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
565                         BPF_EXIT_INSN(),
566                 },
567                 .errstr = "invalid bpf_ld_imm64 insn",
568                 .result = REJECT,
569         },
570         {
571                 "test11 ld_imm64",
572                 .insns = {
573                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
574                         BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
575                         BPF_EXIT_INSN(),
576                 },
577                 .errstr = "invalid bpf_ld_imm64 insn",
578                 .result = REJECT,
579         },
580         {
581                 "test12 ld_imm64",
582                 .insns = {
583                         BPF_MOV64_IMM(BPF_REG_1, 0),
584                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
585                         BPF_RAW_INSN(0, 0, 0, 0, 1),
586                         BPF_EXIT_INSN(),
587                 },
588                 .errstr = "not pointing to valid bpf_map",
589                 .result = REJECT,
590         },
591         {
592                 "test13 ld_imm64",
593                 .insns = {
594                         BPF_MOV64_IMM(BPF_REG_1, 0),
595                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
596                         BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
597                         BPF_EXIT_INSN(),
598                 },
599                 .errstr = "invalid bpf_ld_imm64 insn",
600                 .result = REJECT,
601         },
602         {
603                 "arsh32 on imm",
604                 .insns = {
605                         BPF_MOV64_IMM(BPF_REG_0, 1),
606                         BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
607                         BPF_EXIT_INSN(),
608                 },
609                 .result = REJECT,
610                 .errstr = "unknown opcode c4",
611         },
612         {
613                 "arsh32 on reg",
614                 .insns = {
615                         BPF_MOV64_IMM(BPF_REG_0, 1),
616                         BPF_MOV64_IMM(BPF_REG_1, 5),
617                         BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
618                         BPF_EXIT_INSN(),
619                 },
620                 .result = REJECT,
621                 .errstr = "unknown opcode cc",
622         },
623         {
624                 "arsh64 on imm",
625                 .insns = {
626                         BPF_MOV64_IMM(BPF_REG_0, 1),
627                         BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
628                         BPF_EXIT_INSN(),
629                 },
630                 .result = ACCEPT,
631         },
632         {
633                 "arsh64 on reg",
634                 .insns = {
635                         BPF_MOV64_IMM(BPF_REG_0, 1),
636                         BPF_MOV64_IMM(BPF_REG_1, 5),
637                         BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
638                         BPF_EXIT_INSN(),
639                 },
640                 .result = ACCEPT,
641         },
642         {
643                 "no bpf_exit",
644                 .insns = {
645                         BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
646                 },
647                 .errstr = "not an exit",
648                 .result = REJECT,
649         },
650         {
651                 "loop (back-edge)",
652                 .insns = {
653                         BPF_JMP_IMM(BPF_JA, 0, 0, -1),
654                         BPF_EXIT_INSN(),
655                 },
656                 .errstr = "back-edge",
657                 .result = REJECT,
658         },
659         {
660                 "loop2 (back-edge)",
661                 .insns = {
662                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
663                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
664                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
665                         BPF_JMP_IMM(BPF_JA, 0, 0, -4),
666                         BPF_EXIT_INSN(),
667                 },
668                 .errstr = "back-edge",
669                 .result = REJECT,
670         },
671         {
672                 "conditional loop",
673                 .insns = {
674                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
675                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
676                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
677                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
678                         BPF_EXIT_INSN(),
679                 },
680                 .errstr = "back-edge",
681                 .result = REJECT,
682         },
683         {
684                 "read uninitialized register",
685                 .insns = {
686                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
687                         BPF_EXIT_INSN(),
688                 },
689                 .errstr = "R2 !read_ok",
690                 .result = REJECT,
691         },
692         {
693                 "read invalid register",
694                 .insns = {
695                         BPF_MOV64_REG(BPF_REG_0, -1),
696                         BPF_EXIT_INSN(),
697                 },
698                 .errstr = "R15 is invalid",
699                 .result = REJECT,
700         },
701         {
702                 "program doesn't init R0 before exit",
703                 .insns = {
704                         BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
705                         BPF_EXIT_INSN(),
706                 },
707                 .errstr = "R0 !read_ok",
708                 .result = REJECT,
709         },
710         {
711                 "program doesn't init R0 before exit in all branches",
712                 .insns = {
713                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
714                         BPF_MOV64_IMM(BPF_REG_0, 1),
715                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
716                         BPF_EXIT_INSN(),
717                 },
718                 .errstr = "R0 !read_ok",
719                 .errstr_unpriv = "R1 pointer comparison",
720                 .result = REJECT,
721         },
722         {
723                 "stack out of bounds",
724                 .insns = {
725                         BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
726                         BPF_EXIT_INSN(),
727                 },
728                 .errstr = "invalid stack",
729                 .result = REJECT,
730         },
731         {
732                 "invalid call insn1",
733                 .insns = {
734                         BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
735                         BPF_EXIT_INSN(),
736                 },
737                 .errstr = "unknown opcode 8d",
738                 .result = REJECT,
739         },
740         {
741                 "invalid call insn2",
742                 .insns = {
743                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
744                         BPF_EXIT_INSN(),
745                 },
746                 .errstr = "BPF_CALL uses reserved",
747                 .result = REJECT,
748         },
749         {
750                 "invalid function call",
751                 .insns = {
752                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
753                         BPF_EXIT_INSN(),
754                 },
755                 .errstr = "invalid func unknown#1234567",
756                 .result = REJECT,
757         },
758         {
759                 "uninitialized stack1",
760                 .insns = {
761                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
762                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
763                         BPF_LD_MAP_FD(BPF_REG_1, 0),
764                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
765                                      BPF_FUNC_map_lookup_elem),
766                         BPF_EXIT_INSN(),
767                 },
768                 .fixup_map1 = { 2 },
769                 .errstr = "invalid indirect read from stack",
770                 .result = REJECT,
771         },
772         {
773                 "uninitialized stack2",
774                 .insns = {
775                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
776                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
777                         BPF_EXIT_INSN(),
778                 },
779                 .errstr = "invalid read from stack",
780                 .result = REJECT,
781         },
782         {
783                 "invalid fp arithmetic",
784                 /* If this gets ever changed, make sure JITs can deal with it. */
785                 .insns = {
786                         BPF_MOV64_IMM(BPF_REG_0, 0),
787                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
788                         BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
789                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
790                         BPF_EXIT_INSN(),
791                 },
792                 .errstr = "R1 subtraction from stack pointer",
793                 .result = REJECT,
794         },
795         {
796                 "non-invalid fp arithmetic",
797                 .insns = {
798                         BPF_MOV64_IMM(BPF_REG_0, 0),
799                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
800                         BPF_EXIT_INSN(),
801                 },
802                 .result = ACCEPT,
803         },
804         {
805                 "invalid argument register",
806                 .insns = {
807                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
808                                      BPF_FUNC_get_cgroup_classid),
809                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
810                                      BPF_FUNC_get_cgroup_classid),
811                         BPF_EXIT_INSN(),
812                 },
813                 .errstr = "R1 !read_ok",
814                 .result = REJECT,
815                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
816         },
817         {
818                 "non-invalid argument register",
819                 .insns = {
820                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
821                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
822                                      BPF_FUNC_get_cgroup_classid),
823                         BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
824                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
825                                      BPF_FUNC_get_cgroup_classid),
826                         BPF_EXIT_INSN(),
827                 },
828                 .result = ACCEPT,
829                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
830         },
831         {
832                 "check valid spill/fill",
833                 .insns = {
834                         /* spill R1(ctx) into stack */
835                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
836                         /* fill it back into R2 */
837                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
838                         /* should be able to access R0 = *(R2 + 8) */
839                         /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
840                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
841                         BPF_EXIT_INSN(),
842                 },
843                 .errstr_unpriv = "R0 leaks addr",
844                 .result = ACCEPT,
845                 .result_unpriv = REJECT,
846                 .retval = POINTER_VALUE,
847         },
848         {
849                 "check valid spill/fill, skb mark",
850                 .insns = {
851                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
852                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
853                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
854                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
855                                     offsetof(struct __sk_buff, mark)),
856                         BPF_EXIT_INSN(),
857                 },
858                 .result = ACCEPT,
859                 .result_unpriv = ACCEPT,
860         },
861         {
862                 "check corrupted spill/fill",
863                 .insns = {
864                         /* spill R1(ctx) into stack */
865                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
866                         /* mess up with R1 pointer on stack */
867                         BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
868                         /* fill back into R0 should fail */
869                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
870                         BPF_EXIT_INSN(),
871                 },
872                 .errstr_unpriv = "attempt to corrupt spilled",
873                 .errstr = "corrupted spill",
874                 .result = REJECT,
875         },
876         {
877                 "invalid src register in STX",
878                 .insns = {
879                         BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
880                         BPF_EXIT_INSN(),
881                 },
882                 .errstr = "R15 is invalid",
883                 .result = REJECT,
884         },
885         {
886                 "invalid dst register in STX",
887                 .insns = {
888                         BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
889                         BPF_EXIT_INSN(),
890                 },
891                 .errstr = "R14 is invalid",
892                 .result = REJECT,
893         },
894         {
895                 "invalid dst register in ST",
896                 .insns = {
897                         BPF_ST_MEM(BPF_B, 14, -1, -1),
898                         BPF_EXIT_INSN(),
899                 },
900                 .errstr = "R14 is invalid",
901                 .result = REJECT,
902         },
903         {
904                 "invalid src register in LDX",
905                 .insns = {
906                         BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
907                         BPF_EXIT_INSN(),
908                 },
909                 .errstr = "R12 is invalid",
910                 .result = REJECT,
911         },
912         {
913                 "invalid dst register in LDX",
914                 .insns = {
915                         BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
916                         BPF_EXIT_INSN(),
917                 },
918                 .errstr = "R11 is invalid",
919                 .result = REJECT,
920         },
921         {
922                 "junk insn",
923                 .insns = {
924                         BPF_RAW_INSN(0, 0, 0, 0, 0),
925                         BPF_EXIT_INSN(),
926                 },
927                 .errstr = "unknown opcode 00",
928                 .result = REJECT,
929         },
930         {
931                 "junk insn2",
932                 .insns = {
933                         BPF_RAW_INSN(1, 0, 0, 0, 0),
934                         BPF_EXIT_INSN(),
935                 },
936                 .errstr = "BPF_LDX uses reserved fields",
937                 .result = REJECT,
938         },
939         {
940                 "junk insn3",
941                 .insns = {
942                         BPF_RAW_INSN(-1, 0, 0, 0, 0),
943                         BPF_EXIT_INSN(),
944                 },
945                 .errstr = "unknown opcode ff",
946                 .result = REJECT,
947         },
948         {
949                 "junk insn4",
950                 .insns = {
951                         BPF_RAW_INSN(-1, -1, -1, -1, -1),
952                         BPF_EXIT_INSN(),
953                 },
954                 .errstr = "unknown opcode ff",
955                 .result = REJECT,
956         },
957         {
958                 "junk insn5",
959                 .insns = {
960                         BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
961                         BPF_EXIT_INSN(),
962                 },
963                 .errstr = "BPF_ALU uses reserved fields",
964                 .result = REJECT,
965         },
966         {
967                 "misaligned read from stack",
968                 .insns = {
969                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
970                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
971                         BPF_EXIT_INSN(),
972                 },
973                 .errstr = "misaligned stack access",
974                 .result = REJECT,
975         },
976         {
977                 "invalid map_fd for function call",
978                 .insns = {
979                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
980                         BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
981                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
982                         BPF_LD_MAP_FD(BPF_REG_1, 0),
983                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
984                                      BPF_FUNC_map_delete_elem),
985                         BPF_EXIT_INSN(),
986                 },
987                 .errstr = "fd 0 is not pointing to valid bpf_map",
988                 .result = REJECT,
989         },
990         {
991                 "don't check return value before access",
992                 .insns = {
993                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
994                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
995                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
996                         BPF_LD_MAP_FD(BPF_REG_1, 0),
997                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
998                                      BPF_FUNC_map_lookup_elem),
999                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1000                         BPF_EXIT_INSN(),
1001                 },
1002                 .fixup_map1 = { 3 },
1003                 .errstr = "R0 invalid mem access 'map_value_or_null'",
1004                 .result = REJECT,
1005         },
1006         {
1007                 "access memory with incorrect alignment",
1008                 .insns = {
1009                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1010                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1011                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1012                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1013                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1014                                      BPF_FUNC_map_lookup_elem),
1015                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1016                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1017                         BPF_EXIT_INSN(),
1018                 },
1019                 .fixup_map1 = { 3 },
1020                 .errstr = "misaligned value access",
1021                 .result = REJECT,
1022                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1023         },
1024         {
1025                 "sometimes access memory with incorrect alignment",
1026                 .insns = {
1027                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1028                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1029                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1030                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1031                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1032                                      BPF_FUNC_map_lookup_elem),
1033                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1034                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1035                         BPF_EXIT_INSN(),
1036                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1037                         BPF_EXIT_INSN(),
1038                 },
1039                 .fixup_map1 = { 3 },
1040                 .errstr = "R0 invalid mem access",
1041                 .errstr_unpriv = "R0 leaks addr",
1042                 .result = REJECT,
1043                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1044         },
1045         {
1046                 "jump test 1",
1047                 .insns = {
1048                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1049                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1050                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1051                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1052                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1053                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1054                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1055                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1056                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1057                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1058                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1059                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1060                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1061                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1062                         BPF_MOV64_IMM(BPF_REG_0, 0),
1063                         BPF_EXIT_INSN(),
1064                 },
1065                 .errstr_unpriv = "R1 pointer comparison",
1066                 .result_unpriv = REJECT,
1067                 .result = ACCEPT,
1068         },
1069         {
1070                 "jump test 2",
1071                 .insns = {
1072                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1073                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1074                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1075                         BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1076                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1077                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1078                         BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1079                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1080                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1081                         BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1082                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1083                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1084                         BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1085                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1086                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1087                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1088                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1089                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1090                         BPF_MOV64_IMM(BPF_REG_0, 0),
1091                         BPF_EXIT_INSN(),
1092                 },
1093                 .errstr_unpriv = "R1 pointer comparison",
1094                 .result_unpriv = REJECT,
1095                 .result = ACCEPT,
1096         },
1097         {
1098                 "jump test 3",
1099                 .insns = {
1100                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1101                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1102                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1103                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1104                         BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1105                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1106                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1107                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1108                         BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1109                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1110                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1111                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1112                         BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1113                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1114                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1115                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1116                         BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1117                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1118                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1119                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1120                         BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1121                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1122                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1123                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1124                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1125                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1126                                      BPF_FUNC_map_delete_elem),
1127                         BPF_EXIT_INSN(),
1128                 },
1129                 .fixup_map1 = { 24 },
1130                 .errstr_unpriv = "R1 pointer comparison",
1131                 .result_unpriv = REJECT,
1132                 .result = ACCEPT,
1133                 .retval = -ENOENT,
1134         },
1135         {
1136                 "jump test 4",
1137                 .insns = {
1138                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1139                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1140                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1141                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1142                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1143                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1144                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1145                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1146                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1147                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1148                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1149                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1150                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1151                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1152                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1153                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1154                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1155                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1156                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1157                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1158                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1159                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1160                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1161                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1162                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1163                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1164                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1165                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1166                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1167                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1168                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1169                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1170                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1171                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1172                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1173                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1174                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1175                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1176                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1177                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1178                         BPF_MOV64_IMM(BPF_REG_0, 0),
1179                         BPF_EXIT_INSN(),
1180                 },
1181                 .errstr_unpriv = "R1 pointer comparison",
1182                 .result_unpriv = REJECT,
1183                 .result = ACCEPT,
1184         },
1185         {
1186                 "jump test 5",
1187                 .insns = {
1188                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1189                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1190                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1191                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1192                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1193                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1194                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1195                         BPF_MOV64_IMM(BPF_REG_0, 0),
1196                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1197                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1198                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1199                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1200                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1201                         BPF_MOV64_IMM(BPF_REG_0, 0),
1202                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1203                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1204                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1205                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1206                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1207                         BPF_MOV64_IMM(BPF_REG_0, 0),
1208                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1209                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1210                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1211                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1212                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1213                         BPF_MOV64_IMM(BPF_REG_0, 0),
1214                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1215                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1216                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1217                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1218                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1219                         BPF_MOV64_IMM(BPF_REG_0, 0),
1220                         BPF_EXIT_INSN(),
1221                 },
1222                 .errstr_unpriv = "R1 pointer comparison",
1223                 .result_unpriv = REJECT,
1224                 .result = ACCEPT,
1225         },
1226         {
1227                 "access skb fields ok",
1228                 .insns = {
1229                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1230                                     offsetof(struct __sk_buff, len)),
1231                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1232                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1233                                     offsetof(struct __sk_buff, mark)),
1234                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1235                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1236                                     offsetof(struct __sk_buff, pkt_type)),
1237                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1238                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1239                                     offsetof(struct __sk_buff, queue_mapping)),
1240                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1241                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1242                                     offsetof(struct __sk_buff, protocol)),
1243                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1244                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1245                                     offsetof(struct __sk_buff, vlan_present)),
1246                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1247                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1248                                     offsetof(struct __sk_buff, vlan_tci)),
1249                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1250                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1251                                     offsetof(struct __sk_buff, napi_id)),
1252                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1253                         BPF_EXIT_INSN(),
1254                 },
1255                 .result = ACCEPT,
1256         },
1257         {
1258                 "access skb fields bad1",
1259                 .insns = {
1260                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1261                         BPF_EXIT_INSN(),
1262                 },
1263                 .errstr = "invalid bpf_context access",
1264                 .result = REJECT,
1265         },
1266         {
1267                 "access skb fields bad2",
1268                 .insns = {
1269                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1270                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1271                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1272                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1273                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1274                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1275                                      BPF_FUNC_map_lookup_elem),
1276                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1277                         BPF_EXIT_INSN(),
1278                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1279                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1280                                     offsetof(struct __sk_buff, pkt_type)),
1281                         BPF_EXIT_INSN(),
1282                 },
1283                 .fixup_map1 = { 4 },
1284                 .errstr = "different pointers",
1285                 .errstr_unpriv = "R1 pointer comparison",
1286                 .result = REJECT,
1287         },
1288         {
1289                 "access skb fields bad3",
1290                 .insns = {
1291                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1292                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1293                                     offsetof(struct __sk_buff, pkt_type)),
1294                         BPF_EXIT_INSN(),
1295                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1296                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1297                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1298                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1299                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1300                                      BPF_FUNC_map_lookup_elem),
1301                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1302                         BPF_EXIT_INSN(),
1303                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1304                         BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1305                 },
1306                 .fixup_map1 = { 6 },
1307                 .errstr = "different pointers",
1308                 .errstr_unpriv = "R1 pointer comparison",
1309                 .result = REJECT,
1310         },
1311         {
1312                 "access skb fields bad4",
1313                 .insns = {
1314                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1315                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1316                                     offsetof(struct __sk_buff, len)),
1317                         BPF_MOV64_IMM(BPF_REG_0, 0),
1318                         BPF_EXIT_INSN(),
1319                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1320                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1321                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1322                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1323                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1324                                      BPF_FUNC_map_lookup_elem),
1325                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1326                         BPF_EXIT_INSN(),
1327                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1328                         BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1329                 },
1330                 .fixup_map1 = { 7 },
1331                 .errstr = "different pointers",
1332                 .errstr_unpriv = "R1 pointer comparison",
1333                 .result = REJECT,
1334         },
1335         {
1336                 "invalid access __sk_buff family",
1337                 .insns = {
1338                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1339                                     offsetof(struct __sk_buff, family)),
1340                         BPF_EXIT_INSN(),
1341                 },
1342                 .errstr = "invalid bpf_context access",
1343                 .result = REJECT,
1344         },
1345         {
1346                 "invalid access __sk_buff remote_ip4",
1347                 .insns = {
1348                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1349                                     offsetof(struct __sk_buff, remote_ip4)),
1350                         BPF_EXIT_INSN(),
1351                 },
1352                 .errstr = "invalid bpf_context access",
1353                 .result = REJECT,
1354         },
1355         {
1356                 "invalid access __sk_buff local_ip4",
1357                 .insns = {
1358                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1359                                     offsetof(struct __sk_buff, local_ip4)),
1360                         BPF_EXIT_INSN(),
1361                 },
1362                 .errstr = "invalid bpf_context access",
1363                 .result = REJECT,
1364         },
1365         {
1366                 "invalid access __sk_buff remote_ip6",
1367                 .insns = {
1368                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1369                                     offsetof(struct __sk_buff, remote_ip6)),
1370                         BPF_EXIT_INSN(),
1371                 },
1372                 .errstr = "invalid bpf_context access",
1373                 .result = REJECT,
1374         },
1375         {
1376                 "invalid access __sk_buff local_ip6",
1377                 .insns = {
1378                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1379                                     offsetof(struct __sk_buff, local_ip6)),
1380                         BPF_EXIT_INSN(),
1381                 },
1382                 .errstr = "invalid bpf_context access",
1383                 .result = REJECT,
1384         },
1385         {
1386                 "invalid access __sk_buff remote_port",
1387                 .insns = {
1388                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1389                                     offsetof(struct __sk_buff, remote_port)),
1390                         BPF_EXIT_INSN(),
1391                 },
1392                 .errstr = "invalid bpf_context access",
1393                 .result = REJECT,
1394         },
1395         {
1396                 "invalid access __sk_buff remote_port",
1397                 .insns = {
1398                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1399                                     offsetof(struct __sk_buff, local_port)),
1400                         BPF_EXIT_INSN(),
1401                 },
1402                 .errstr = "invalid bpf_context access",
1403                 .result = REJECT,
1404         },
1405         {
1406                 "valid access __sk_buff family",
1407                 .insns = {
1408                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1409                                     offsetof(struct __sk_buff, family)),
1410                         BPF_EXIT_INSN(),
1411                 },
1412                 .result = ACCEPT,
1413                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1414         },
1415         {
1416                 "valid access __sk_buff remote_ip4",
1417                 .insns = {
1418                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1419                                     offsetof(struct __sk_buff, remote_ip4)),
1420                         BPF_EXIT_INSN(),
1421                 },
1422                 .result = ACCEPT,
1423                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1424         },
1425         {
1426                 "valid access __sk_buff local_ip4",
1427                 .insns = {
1428                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1429                                     offsetof(struct __sk_buff, local_ip4)),
1430                         BPF_EXIT_INSN(),
1431                 },
1432                 .result = ACCEPT,
1433                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1434         },
1435         {
1436                 "valid access __sk_buff remote_ip6",
1437                 .insns = {
1438                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1439                                     offsetof(struct __sk_buff, remote_ip6[0])),
1440                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1441                                     offsetof(struct __sk_buff, remote_ip6[1])),
1442                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1443                                     offsetof(struct __sk_buff, remote_ip6[2])),
1444                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1445                                     offsetof(struct __sk_buff, remote_ip6[3])),
1446                         BPF_EXIT_INSN(),
1447                 },
1448                 .result = ACCEPT,
1449                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1450         },
1451         {
1452                 "valid access __sk_buff local_ip6",
1453                 .insns = {
1454                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1455                                     offsetof(struct __sk_buff, local_ip6[0])),
1456                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1457                                     offsetof(struct __sk_buff, local_ip6[1])),
1458                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1459                                     offsetof(struct __sk_buff, local_ip6[2])),
1460                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1461                                     offsetof(struct __sk_buff, local_ip6[3])),
1462                         BPF_EXIT_INSN(),
1463                 },
1464                 .result = ACCEPT,
1465                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1466         },
1467         {
1468                 "valid access __sk_buff remote_port",
1469                 .insns = {
1470                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1471                                     offsetof(struct __sk_buff, remote_port)),
1472                         BPF_EXIT_INSN(),
1473                 },
1474                 .result = ACCEPT,
1475                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1476         },
1477         {
1478                 "valid access __sk_buff remote_port",
1479                 .insns = {
1480                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1481                                     offsetof(struct __sk_buff, local_port)),
1482                         BPF_EXIT_INSN(),
1483                 },
1484                 .result = ACCEPT,
1485                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1486         },
1487         {
1488                 "invalid access of tc_classid for SK_SKB",
1489                 .insns = {
1490                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1491                                     offsetof(struct __sk_buff, tc_classid)),
1492                         BPF_EXIT_INSN(),
1493                 },
1494                 .result = REJECT,
1495                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1496                 .errstr = "invalid bpf_context access",
1497         },
1498         {
1499                 "invalid access of skb->mark for SK_SKB",
1500                 .insns = {
1501                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1502                                     offsetof(struct __sk_buff, mark)),
1503                         BPF_EXIT_INSN(),
1504                 },
1505                 .result =  REJECT,
1506                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1507                 .errstr = "invalid bpf_context access",
1508         },
1509         {
1510                 "check skb->mark is not writeable by SK_SKB",
1511                 .insns = {
1512                         BPF_MOV64_IMM(BPF_REG_0, 0),
1513                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1514                                     offsetof(struct __sk_buff, mark)),
1515                         BPF_EXIT_INSN(),
1516                 },
1517                 .result =  REJECT,
1518                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1519                 .errstr = "invalid bpf_context access",
1520         },
1521         {
1522                 "check skb->tc_index is writeable by SK_SKB",
1523                 .insns = {
1524                         BPF_MOV64_IMM(BPF_REG_0, 0),
1525                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1526                                     offsetof(struct __sk_buff, tc_index)),
1527                         BPF_EXIT_INSN(),
1528                 },
1529                 .result = ACCEPT,
1530                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1531         },
1532         {
1533                 "check skb->priority is writeable by SK_SKB",
1534                 .insns = {
1535                         BPF_MOV64_IMM(BPF_REG_0, 0),
1536                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1537                                     offsetof(struct __sk_buff, priority)),
1538                         BPF_EXIT_INSN(),
1539                 },
1540                 .result = ACCEPT,
1541                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1542         },
1543         {
1544                 "direct packet read for SK_SKB",
1545                 .insns = {
1546                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1547                                     offsetof(struct __sk_buff, data)),
1548                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1549                                     offsetof(struct __sk_buff, data_end)),
1550                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1551                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1552                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1553                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1554                         BPF_MOV64_IMM(BPF_REG_0, 0),
1555                         BPF_EXIT_INSN(),
1556                 },
1557                 .result = ACCEPT,
1558                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1559         },
1560         {
1561                 "direct packet write for SK_SKB",
1562                 .insns = {
1563                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1564                                     offsetof(struct __sk_buff, data)),
1565                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1566                                     offsetof(struct __sk_buff, data_end)),
1567                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1568                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1569                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1570                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1571                         BPF_MOV64_IMM(BPF_REG_0, 0),
1572                         BPF_EXIT_INSN(),
1573                 },
1574                 .result = ACCEPT,
1575                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1576         },
1577         {
1578                 "overlapping checks for direct packet access SK_SKB",
1579                 .insns = {
1580                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1581                                     offsetof(struct __sk_buff, data)),
1582                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1583                                     offsetof(struct __sk_buff, data_end)),
1584                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1585                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1586                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1587                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1588                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1589                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1590                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1591                         BPF_MOV64_IMM(BPF_REG_0, 0),
1592                         BPF_EXIT_INSN(),
1593                 },
1594                 .result = ACCEPT,
1595                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1596         },
1597         {
1598                 "check skb->mark is not writeable by sockets",
1599                 .insns = {
1600                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1601                                     offsetof(struct __sk_buff, mark)),
1602                         BPF_EXIT_INSN(),
1603                 },
1604                 .errstr = "invalid bpf_context access",
1605                 .errstr_unpriv = "R1 leaks addr",
1606                 .result = REJECT,
1607         },
1608         {
1609                 "check skb->tc_index is not writeable by sockets",
1610                 .insns = {
1611                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1612                                     offsetof(struct __sk_buff, tc_index)),
1613                         BPF_EXIT_INSN(),
1614                 },
1615                 .errstr = "invalid bpf_context access",
1616                 .errstr_unpriv = "R1 leaks addr",
1617                 .result = REJECT,
1618         },
1619         {
1620                 "check cb access: byte",
1621                 .insns = {
1622                         BPF_MOV64_IMM(BPF_REG_0, 0),
1623                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1624                                     offsetof(struct __sk_buff, cb[0])),
1625                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1626                                     offsetof(struct __sk_buff, cb[0]) + 1),
1627                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1628                                     offsetof(struct __sk_buff, cb[0]) + 2),
1629                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1630                                     offsetof(struct __sk_buff, cb[0]) + 3),
1631                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1632                                     offsetof(struct __sk_buff, cb[1])),
1633                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1634                                     offsetof(struct __sk_buff, cb[1]) + 1),
1635                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1636                                     offsetof(struct __sk_buff, cb[1]) + 2),
1637                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1638                                     offsetof(struct __sk_buff, cb[1]) + 3),
1639                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1640                                     offsetof(struct __sk_buff, cb[2])),
1641                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1642                                     offsetof(struct __sk_buff, cb[2]) + 1),
1643                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1644                                     offsetof(struct __sk_buff, cb[2]) + 2),
1645                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1646                                     offsetof(struct __sk_buff, cb[2]) + 3),
1647                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1648                                     offsetof(struct __sk_buff, cb[3])),
1649                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1650                                     offsetof(struct __sk_buff, cb[3]) + 1),
1651                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1652                                     offsetof(struct __sk_buff, cb[3]) + 2),
1653                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1654                                     offsetof(struct __sk_buff, cb[3]) + 3),
1655                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1656                                     offsetof(struct __sk_buff, cb[4])),
1657                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1658                                     offsetof(struct __sk_buff, cb[4]) + 1),
1659                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1660                                     offsetof(struct __sk_buff, cb[4]) + 2),
1661                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1662                                     offsetof(struct __sk_buff, cb[4]) + 3),
1663                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1664                                     offsetof(struct __sk_buff, cb[0])),
1665                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1666                                     offsetof(struct __sk_buff, cb[0]) + 1),
1667                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1668                                     offsetof(struct __sk_buff, cb[0]) + 2),
1669                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1670                                     offsetof(struct __sk_buff, cb[0]) + 3),
1671                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1672                                     offsetof(struct __sk_buff, cb[1])),
1673                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1674                                     offsetof(struct __sk_buff, cb[1]) + 1),
1675                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1676                                     offsetof(struct __sk_buff, cb[1]) + 2),
1677                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1678                                     offsetof(struct __sk_buff, cb[1]) + 3),
1679                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1680                                     offsetof(struct __sk_buff, cb[2])),
1681                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1682                                     offsetof(struct __sk_buff, cb[2]) + 1),
1683                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1684                                     offsetof(struct __sk_buff, cb[2]) + 2),
1685                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1686                                     offsetof(struct __sk_buff, cb[2]) + 3),
1687                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1688                                     offsetof(struct __sk_buff, cb[3])),
1689                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1690                                     offsetof(struct __sk_buff, cb[3]) + 1),
1691                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1692                                     offsetof(struct __sk_buff, cb[3]) + 2),
1693                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1694                                     offsetof(struct __sk_buff, cb[3]) + 3),
1695                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1696                                     offsetof(struct __sk_buff, cb[4])),
1697                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1698                                     offsetof(struct __sk_buff, cb[4]) + 1),
1699                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1700                                     offsetof(struct __sk_buff, cb[4]) + 2),
1701                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1702                                     offsetof(struct __sk_buff, cb[4]) + 3),
1703                         BPF_EXIT_INSN(),
1704                 },
1705                 .result = ACCEPT,
1706         },
1707         {
1708                 "__sk_buff->hash, offset 0, byte store not permitted",
1709                 .insns = {
1710                         BPF_MOV64_IMM(BPF_REG_0, 0),
1711                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1712                                     offsetof(struct __sk_buff, hash)),
1713                         BPF_EXIT_INSN(),
1714                 },
1715                 .errstr = "invalid bpf_context access",
1716                 .result = REJECT,
1717         },
1718         {
1719                 "__sk_buff->tc_index, offset 3, byte store not permitted",
1720                 .insns = {
1721                         BPF_MOV64_IMM(BPF_REG_0, 0),
1722                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1723                                     offsetof(struct __sk_buff, tc_index) + 3),
1724                         BPF_EXIT_INSN(),
1725                 },
1726                 .errstr = "invalid bpf_context access",
1727                 .result = REJECT,
1728         },
1729         {
1730                 "check skb->hash byte load permitted",
1731                 .insns = {
1732                         BPF_MOV64_IMM(BPF_REG_0, 0),
1733 #if __BYTE_ORDER == __LITTLE_ENDIAN
1734                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1735                                     offsetof(struct __sk_buff, hash)),
1736 #else
1737                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1738                                     offsetof(struct __sk_buff, hash) + 3),
1739 #endif
1740                         BPF_EXIT_INSN(),
1741                 },
1742                 .result = ACCEPT,
1743         },
1744         {
1745                 "check skb->hash byte load not permitted 1",
1746                 .insns = {
1747                         BPF_MOV64_IMM(BPF_REG_0, 0),
1748                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1749                                     offsetof(struct __sk_buff, hash) + 1),
1750                         BPF_EXIT_INSN(),
1751                 },
1752                 .errstr = "invalid bpf_context access",
1753                 .result = REJECT,
1754         },
1755         {
1756                 "check skb->hash byte load not permitted 2",
1757                 .insns = {
1758                         BPF_MOV64_IMM(BPF_REG_0, 0),
1759                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1760                                     offsetof(struct __sk_buff, hash) + 2),
1761                         BPF_EXIT_INSN(),
1762                 },
1763                 .errstr = "invalid bpf_context access",
1764                 .result = REJECT,
1765         },
1766         {
1767                 "check skb->hash byte load not permitted 3",
1768                 .insns = {
1769                         BPF_MOV64_IMM(BPF_REG_0, 0),
1770 #if __BYTE_ORDER == __LITTLE_ENDIAN
1771                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1772                                     offsetof(struct __sk_buff, hash) + 3),
1773 #else
1774                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1775                                     offsetof(struct __sk_buff, hash)),
1776 #endif
1777                         BPF_EXIT_INSN(),
1778                 },
1779                 .errstr = "invalid bpf_context access",
1780                 .result = REJECT,
1781         },
1782         {
1783                 "check cb access: byte, wrong type",
1784                 .insns = {
1785                         BPF_MOV64_IMM(BPF_REG_0, 0),
1786                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1787                                     offsetof(struct __sk_buff, cb[0])),
1788                         BPF_EXIT_INSN(),
1789                 },
1790                 .errstr = "invalid bpf_context access",
1791                 .result = REJECT,
1792                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1793         },
1794         {
1795                 "check cb access: half",
1796                 .insns = {
1797                         BPF_MOV64_IMM(BPF_REG_0, 0),
1798                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1799                                     offsetof(struct __sk_buff, cb[0])),
1800                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1801                                     offsetof(struct __sk_buff, cb[0]) + 2),
1802                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1803                                     offsetof(struct __sk_buff, cb[1])),
1804                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1805                                     offsetof(struct __sk_buff, cb[1]) + 2),
1806                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1807                                     offsetof(struct __sk_buff, cb[2])),
1808                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1809                                     offsetof(struct __sk_buff, cb[2]) + 2),
1810                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1811                                     offsetof(struct __sk_buff, cb[3])),
1812                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1813                                     offsetof(struct __sk_buff, cb[3]) + 2),
1814                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1815                                     offsetof(struct __sk_buff, cb[4])),
1816                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1817                                     offsetof(struct __sk_buff, cb[4]) + 2),
1818                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1819                                     offsetof(struct __sk_buff, cb[0])),
1820                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1821                                     offsetof(struct __sk_buff, cb[0]) + 2),
1822                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1823                                     offsetof(struct __sk_buff, cb[1])),
1824                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1825                                     offsetof(struct __sk_buff, cb[1]) + 2),
1826                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1827                                     offsetof(struct __sk_buff, cb[2])),
1828                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1829                                     offsetof(struct __sk_buff, cb[2]) + 2),
1830                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1831                                     offsetof(struct __sk_buff, cb[3])),
1832                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1833                                     offsetof(struct __sk_buff, cb[3]) + 2),
1834                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1835                                     offsetof(struct __sk_buff, cb[4])),
1836                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1837                                     offsetof(struct __sk_buff, cb[4]) + 2),
1838                         BPF_EXIT_INSN(),
1839                 },
1840                 .result = ACCEPT,
1841         },
1842         {
1843                 "check cb access: half, unaligned",
1844                 .insns = {
1845                         BPF_MOV64_IMM(BPF_REG_0, 0),
1846                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1847                                     offsetof(struct __sk_buff, cb[0]) + 1),
1848                         BPF_EXIT_INSN(),
1849                 },
1850                 .errstr = "misaligned context access",
1851                 .result = REJECT,
1852                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1853         },
1854         {
1855                 "check __sk_buff->hash, offset 0, half store not permitted",
1856                 .insns = {
1857                         BPF_MOV64_IMM(BPF_REG_0, 0),
1858                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1859                                     offsetof(struct __sk_buff, hash)),
1860                         BPF_EXIT_INSN(),
1861                 },
1862                 .errstr = "invalid bpf_context access",
1863                 .result = REJECT,
1864         },
1865         {
1866                 "check __sk_buff->tc_index, offset 2, half store not permitted",
1867                 .insns = {
1868                         BPF_MOV64_IMM(BPF_REG_0, 0),
1869                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1870                                     offsetof(struct __sk_buff, tc_index) + 2),
1871                         BPF_EXIT_INSN(),
1872                 },
1873                 .errstr = "invalid bpf_context access",
1874                 .result = REJECT,
1875         },
1876         {
1877                 "check skb->hash half load permitted",
1878                 .insns = {
1879                         BPF_MOV64_IMM(BPF_REG_0, 0),
1880 #if __BYTE_ORDER == __LITTLE_ENDIAN
1881                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1882                                     offsetof(struct __sk_buff, hash)),
1883 #else
1884                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1885                                     offsetof(struct __sk_buff, hash) + 2),
1886 #endif
1887                         BPF_EXIT_INSN(),
1888                 },
1889                 .result = ACCEPT,
1890         },
1891         {
1892                 "check skb->hash half load not permitted",
1893                 .insns = {
1894                         BPF_MOV64_IMM(BPF_REG_0, 0),
1895 #if __BYTE_ORDER == __LITTLE_ENDIAN
1896                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1897                                     offsetof(struct __sk_buff, hash) + 2),
1898 #else
1899                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
1900                                     offsetof(struct __sk_buff, hash)),
1901 #endif
1902                         BPF_EXIT_INSN(),
1903                 },
1904                 .errstr = "invalid bpf_context access",
1905                 .result = REJECT,
1906         },
1907         {
1908                 "check cb access: half, wrong type",
1909                 .insns = {
1910                         BPF_MOV64_IMM(BPF_REG_0, 0),
1911                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
1912                                     offsetof(struct __sk_buff, cb[0])),
1913                         BPF_EXIT_INSN(),
1914                 },
1915                 .errstr = "invalid bpf_context access",
1916                 .result = REJECT,
1917                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
1918         },
1919         {
1920                 "check cb access: word",
1921                 .insns = {
1922                         BPF_MOV64_IMM(BPF_REG_0, 0),
1923                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1924                                     offsetof(struct __sk_buff, cb[0])),
1925                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1926                                     offsetof(struct __sk_buff, cb[1])),
1927                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1928                                     offsetof(struct __sk_buff, cb[2])),
1929                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1930                                     offsetof(struct __sk_buff, cb[3])),
1931                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1932                                     offsetof(struct __sk_buff, cb[4])),
1933                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1934                                     offsetof(struct __sk_buff, cb[0])),
1935                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1936                                     offsetof(struct __sk_buff, cb[1])),
1937                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1938                                     offsetof(struct __sk_buff, cb[2])),
1939                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1940                                     offsetof(struct __sk_buff, cb[3])),
1941                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1942                                     offsetof(struct __sk_buff, cb[4])),
1943                         BPF_EXIT_INSN(),
1944                 },
1945                 .result = ACCEPT,
1946         },
1947         {
1948                 "check cb access: word, unaligned 1",
1949                 .insns = {
1950                         BPF_MOV64_IMM(BPF_REG_0, 0),
1951                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1952                                     offsetof(struct __sk_buff, cb[0]) + 2),
1953                         BPF_EXIT_INSN(),
1954                 },
1955                 .errstr = "misaligned context access",
1956                 .result = REJECT,
1957                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1958         },
1959         {
1960                 "check cb access: word, unaligned 2",
1961                 .insns = {
1962                         BPF_MOV64_IMM(BPF_REG_0, 0),
1963                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1964                                     offsetof(struct __sk_buff, cb[4]) + 1),
1965                         BPF_EXIT_INSN(),
1966                 },
1967                 .errstr = "misaligned context access",
1968                 .result = REJECT,
1969                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1970         },
1971         {
1972                 "check cb access: word, unaligned 3",
1973                 .insns = {
1974                         BPF_MOV64_IMM(BPF_REG_0, 0),
1975                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1976                                     offsetof(struct __sk_buff, cb[4]) + 2),
1977                         BPF_EXIT_INSN(),
1978                 },
1979                 .errstr = "misaligned context access",
1980                 .result = REJECT,
1981                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1982         },
1983         {
1984                 "check cb access: word, unaligned 4",
1985                 .insns = {
1986                         BPF_MOV64_IMM(BPF_REG_0, 0),
1987                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1988                                     offsetof(struct __sk_buff, cb[4]) + 3),
1989                         BPF_EXIT_INSN(),
1990                 },
1991                 .errstr = "misaligned context access",
1992                 .result = REJECT,
1993                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1994         },
1995         {
1996                 "check cb access: double",
1997                 .insns = {
1998                         BPF_MOV64_IMM(BPF_REG_0, 0),
1999                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2000                                     offsetof(struct __sk_buff, cb[0])),
2001                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2002                                     offsetof(struct __sk_buff, cb[2])),
2003                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2004                                     offsetof(struct __sk_buff, cb[0])),
2005                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2006                                     offsetof(struct __sk_buff, cb[2])),
2007                         BPF_EXIT_INSN(),
2008                 },
2009                 .result = ACCEPT,
2010         },
2011         {
2012                 "check cb access: double, unaligned 1",
2013                 .insns = {
2014                         BPF_MOV64_IMM(BPF_REG_0, 0),
2015                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2016                                     offsetof(struct __sk_buff, cb[1])),
2017                         BPF_EXIT_INSN(),
2018                 },
2019                 .errstr = "misaligned context access",
2020                 .result = REJECT,
2021                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2022         },
2023         {
2024                 "check cb access: double, unaligned 2",
2025                 .insns = {
2026                         BPF_MOV64_IMM(BPF_REG_0, 0),
2027                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2028                                     offsetof(struct __sk_buff, cb[3])),
2029                         BPF_EXIT_INSN(),
2030                 },
2031                 .errstr = "misaligned context access",
2032                 .result = REJECT,
2033                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2034         },
2035         {
2036                 "check cb access: double, oob 1",
2037                 .insns = {
2038                         BPF_MOV64_IMM(BPF_REG_0, 0),
2039                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2040                                     offsetof(struct __sk_buff, cb[4])),
2041                         BPF_EXIT_INSN(),
2042                 },
2043                 .errstr = "invalid bpf_context access",
2044                 .result = REJECT,
2045         },
2046         {
2047                 "check cb access: double, oob 2",
2048                 .insns = {
2049                         BPF_MOV64_IMM(BPF_REG_0, 0),
2050                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2051                                     offsetof(struct __sk_buff, cb[4])),
2052                         BPF_EXIT_INSN(),
2053                 },
2054                 .errstr = "invalid bpf_context access",
2055                 .result = REJECT,
2056         },
2057         {
2058                 "check __sk_buff->ifindex dw store not permitted",
2059                 .insns = {
2060                         BPF_MOV64_IMM(BPF_REG_0, 0),
2061                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2062                                     offsetof(struct __sk_buff, ifindex)),
2063                         BPF_EXIT_INSN(),
2064                 },
2065                 .errstr = "invalid bpf_context access",
2066                 .result = REJECT,
2067         },
2068         {
2069                 "check __sk_buff->ifindex dw load not permitted",
2070                 .insns = {
2071                         BPF_MOV64_IMM(BPF_REG_0, 0),
2072                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2073                                     offsetof(struct __sk_buff, ifindex)),
2074                         BPF_EXIT_INSN(),
2075                 },
2076                 .errstr = "invalid bpf_context access",
2077                 .result = REJECT,
2078         },
2079         {
2080                 "check cb access: double, wrong type",
2081                 .insns = {
2082                         BPF_MOV64_IMM(BPF_REG_0, 0),
2083                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2084                                     offsetof(struct __sk_buff, cb[0])),
2085                         BPF_EXIT_INSN(),
2086                 },
2087                 .errstr = "invalid bpf_context access",
2088                 .result = REJECT,
2089                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2090         },
2091         {
2092                 "check out of range skb->cb access",
2093                 .insns = {
2094                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2095                                     offsetof(struct __sk_buff, cb[0]) + 256),
2096                         BPF_EXIT_INSN(),
2097                 },
2098                 .errstr = "invalid bpf_context access",
2099                 .errstr_unpriv = "",
2100                 .result = REJECT,
2101                 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2102         },
2103         {
2104                 "write skb fields from socket prog",
2105                 .insns = {
2106                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2107                                     offsetof(struct __sk_buff, cb[4])),
2108                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2109                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2110                                     offsetof(struct __sk_buff, mark)),
2111                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2112                                     offsetof(struct __sk_buff, tc_index)),
2113                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2114                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2115                                     offsetof(struct __sk_buff, cb[0])),
2116                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2117                                     offsetof(struct __sk_buff, cb[2])),
2118                         BPF_EXIT_INSN(),
2119                 },
2120                 .result = ACCEPT,
2121                 .errstr_unpriv = "R1 leaks addr",
2122                 .result_unpriv = REJECT,
2123         },
2124         {
2125                 "write skb fields from tc_cls_act prog",
2126                 .insns = {
2127                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2128                                     offsetof(struct __sk_buff, cb[0])),
2129                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2130                                     offsetof(struct __sk_buff, mark)),
2131                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2132                                     offsetof(struct __sk_buff, tc_index)),
2133                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2134                                     offsetof(struct __sk_buff, tc_index)),
2135                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2136                                     offsetof(struct __sk_buff, cb[3])),
2137                         BPF_EXIT_INSN(),
2138                 },
2139                 .errstr_unpriv = "",
2140                 .result_unpriv = REJECT,
2141                 .result = ACCEPT,
2142                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2143         },
2144         {
2145                 "PTR_TO_STACK store/load",
2146                 .insns = {
2147                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2148                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2149                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2150                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2151                         BPF_EXIT_INSN(),
2152                 },
2153                 .result = ACCEPT,
2154                 .retval = 0xfaceb00c,
2155         },
2156         {
2157                 "PTR_TO_STACK store/load - bad alignment on off",
2158                 .insns = {
2159                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2160                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2161                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2162                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2163                         BPF_EXIT_INSN(),
2164                 },
2165                 .result = REJECT,
2166                 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2167         },
2168         {
2169                 "PTR_TO_STACK store/load - bad alignment on reg",
2170                 .insns = {
2171                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2172                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2173                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2174                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2175                         BPF_EXIT_INSN(),
2176                 },
2177                 .result = REJECT,
2178                 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2179         },
2180         {
2181                 "PTR_TO_STACK store/load - out of bounds low",
2182                 .insns = {
2183                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2184                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2185                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2186                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2187                         BPF_EXIT_INSN(),
2188                 },
2189                 .result = REJECT,
2190                 .errstr = "invalid stack off=-79992 size=8",
2191         },
2192         {
2193                 "PTR_TO_STACK store/load - out of bounds high",
2194                 .insns = {
2195                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2196                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2197                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2198                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2199                         BPF_EXIT_INSN(),
2200                 },
2201                 .result = REJECT,
2202                 .errstr = "invalid stack off=0 size=8",
2203         },
2204         {
2205                 "unpriv: return pointer",
2206                 .insns = {
2207                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2208                         BPF_EXIT_INSN(),
2209                 },
2210                 .result = ACCEPT,
2211                 .result_unpriv = REJECT,
2212                 .errstr_unpriv = "R0 leaks addr",
2213                 .retval = POINTER_VALUE,
2214         },
2215         {
2216                 "unpriv: add const to pointer",
2217                 .insns = {
2218                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2219                         BPF_MOV64_IMM(BPF_REG_0, 0),
2220                         BPF_EXIT_INSN(),
2221                 },
2222                 .result = ACCEPT,
2223         },
2224         {
2225                 "unpriv: add pointer to pointer",
2226                 .insns = {
2227                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2228                         BPF_MOV64_IMM(BPF_REG_0, 0),
2229                         BPF_EXIT_INSN(),
2230                 },
2231                 .result = REJECT,
2232                 .errstr = "R1 pointer += pointer",
2233         },
2234         {
2235                 "unpriv: neg pointer",
2236                 .insns = {
2237                         BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2238                         BPF_MOV64_IMM(BPF_REG_0, 0),
2239                         BPF_EXIT_INSN(),
2240                 },
2241                 .result = ACCEPT,
2242                 .result_unpriv = REJECT,
2243                 .errstr_unpriv = "R1 pointer arithmetic",
2244         },
2245         {
2246                 "unpriv: cmp pointer with const",
2247                 .insns = {
2248                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2249                         BPF_MOV64_IMM(BPF_REG_0, 0),
2250                         BPF_EXIT_INSN(),
2251                 },
2252                 .result = ACCEPT,
2253                 .result_unpriv = REJECT,
2254                 .errstr_unpriv = "R1 pointer comparison",
2255         },
2256         {
2257                 "unpriv: cmp pointer with pointer",
2258                 .insns = {
2259                         BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2260                         BPF_MOV64_IMM(BPF_REG_0, 0),
2261                         BPF_EXIT_INSN(),
2262                 },
2263                 .result = ACCEPT,
2264                 .result_unpriv = REJECT,
2265                 .errstr_unpriv = "R10 pointer comparison",
2266         },
2267         {
2268                 "unpriv: check that printk is disallowed",
2269                 .insns = {
2270                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2271                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2272                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2273                         BPF_MOV64_IMM(BPF_REG_2, 8),
2274                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2275                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2276                                      BPF_FUNC_trace_printk),
2277                         BPF_MOV64_IMM(BPF_REG_0, 0),
2278                         BPF_EXIT_INSN(),
2279                 },
2280                 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2281                 .result_unpriv = REJECT,
2282                 .result = ACCEPT,
2283         },
2284         {
2285                 "unpriv: pass pointer to helper function",
2286                 .insns = {
2287                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2288                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2289                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2290                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2291                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2292                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2293                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2294                                      BPF_FUNC_map_update_elem),
2295                         BPF_MOV64_IMM(BPF_REG_0, 0),
2296                         BPF_EXIT_INSN(),
2297                 },
2298                 .fixup_map1 = { 3 },
2299                 .errstr_unpriv = "R4 leaks addr",
2300                 .result_unpriv = REJECT,
2301                 .result = ACCEPT,
2302         },
2303         {
2304                 "unpriv: indirectly pass pointer on stack to helper function",
2305                 .insns = {
2306                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2307                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2308                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2309                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2310                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2311                                      BPF_FUNC_map_lookup_elem),
2312                         BPF_MOV64_IMM(BPF_REG_0, 0),
2313                         BPF_EXIT_INSN(),
2314                 },
2315                 .fixup_map1 = { 3 },
2316                 .errstr = "invalid indirect read from stack off -8+0 size 8",
2317                 .result = REJECT,
2318         },
2319         {
2320                 "unpriv: mangle pointer on stack 1",
2321                 .insns = {
2322                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2323                         BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2324                         BPF_MOV64_IMM(BPF_REG_0, 0),
2325                         BPF_EXIT_INSN(),
2326                 },
2327                 .errstr_unpriv = "attempt to corrupt spilled",
2328                 .result_unpriv = REJECT,
2329                 .result = ACCEPT,
2330         },
2331         {
2332                 "unpriv: mangle pointer on stack 2",
2333                 .insns = {
2334                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2335                         BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2336                         BPF_MOV64_IMM(BPF_REG_0, 0),
2337                         BPF_EXIT_INSN(),
2338                 },
2339                 .errstr_unpriv = "attempt to corrupt spilled",
2340                 .result_unpriv = REJECT,
2341                 .result = ACCEPT,
2342         },
2343         {
2344                 "unpriv: read pointer from stack in small chunks",
2345                 .insns = {
2346                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2347                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2348                         BPF_MOV64_IMM(BPF_REG_0, 0),
2349                         BPF_EXIT_INSN(),
2350                 },
2351                 .errstr = "invalid size",
2352                 .result = REJECT,
2353         },
2354         {
2355                 "unpriv: write pointer into ctx",
2356                 .insns = {
2357                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2358                         BPF_MOV64_IMM(BPF_REG_0, 0),
2359                         BPF_EXIT_INSN(),
2360                 },
2361                 .errstr_unpriv = "R1 leaks addr",
2362                 .result_unpriv = REJECT,
2363                 .errstr = "invalid bpf_context access",
2364                 .result = REJECT,
2365         },
2366         {
2367                 "unpriv: spill/fill of ctx",
2368                 .insns = {
2369                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2370                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2371                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2372                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2373                         BPF_MOV64_IMM(BPF_REG_0, 0),
2374                         BPF_EXIT_INSN(),
2375                 },
2376                 .result = ACCEPT,
2377         },
2378         {
2379                 "unpriv: spill/fill of ctx 2",
2380                 .insns = {
2381                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2382                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2383                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2384                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2385                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2386                                      BPF_FUNC_get_hash_recalc),
2387                         BPF_MOV64_IMM(BPF_REG_0, 0),
2388                         BPF_EXIT_INSN(),
2389                 },
2390                 .result = ACCEPT,
2391                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2392         },
2393         {
2394                 "unpriv: spill/fill of ctx 3",
2395                 .insns = {
2396                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2397                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2398                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2399                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2400                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2401                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2402                                      BPF_FUNC_get_hash_recalc),
2403                         BPF_EXIT_INSN(),
2404                 },
2405                 .result = REJECT,
2406                 .errstr = "R1 type=fp expected=ctx",
2407                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2408         },
2409         {
2410                 "unpriv: spill/fill of ctx 4",
2411                 .insns = {
2412                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2413                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2414                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2415                         BPF_MOV64_IMM(BPF_REG_0, 1),
2416                         BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2417                                      BPF_REG_0, -8, 0),
2418                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2419                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2420                                      BPF_FUNC_get_hash_recalc),
2421                         BPF_EXIT_INSN(),
2422                 },
2423                 .result = REJECT,
2424                 .errstr = "R1 type=inv expected=ctx",
2425                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2426         },
2427         {
2428                 "unpriv: spill/fill of different pointers stx",
2429                 .insns = {
2430                         BPF_MOV64_IMM(BPF_REG_3, 42),
2431                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2432                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2433                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2434                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2435                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2436                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2437                         BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2438                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2439                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2440                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2441                                     offsetof(struct __sk_buff, mark)),
2442                         BPF_MOV64_IMM(BPF_REG_0, 0),
2443                         BPF_EXIT_INSN(),
2444                 },
2445                 .result = REJECT,
2446                 .errstr = "same insn cannot be used with different pointers",
2447                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2448         },
2449         {
2450                 "unpriv: spill/fill of different pointers ldx",
2451                 .insns = {
2452                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2453                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2454                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2455                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2456                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2,
2457                                       -(__s32)offsetof(struct bpf_perf_event_data,
2458                                                        sample_period) - 8),
2459                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2460                         BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2461                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2462                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2463                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1,
2464                                     offsetof(struct bpf_perf_event_data,
2465                                              sample_period)),
2466                         BPF_MOV64_IMM(BPF_REG_0, 0),
2467                         BPF_EXIT_INSN(),
2468                 },
2469                 .result = REJECT,
2470                 .errstr = "same insn cannot be used with different pointers",
2471                 .prog_type = BPF_PROG_TYPE_PERF_EVENT,
2472         },
2473         {
2474                 "unpriv: write pointer into map elem value",
2475                 .insns = {
2476                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2477                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2478                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2479                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2480                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2481                                      BPF_FUNC_map_lookup_elem),
2482                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
2483                         BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 0),
2484                         BPF_EXIT_INSN(),
2485                 },
2486                 .fixup_map1 = { 3 },
2487                 .errstr_unpriv = "R0 leaks addr",
2488                 .result_unpriv = REJECT,
2489                 .result = ACCEPT,
2490         },
2491         {
2492                 "unpriv: partial copy of pointer",
2493                 .insns = {
2494                         BPF_MOV32_REG(BPF_REG_1, BPF_REG_10),
2495                         BPF_MOV64_IMM(BPF_REG_0, 0),
2496                         BPF_EXIT_INSN(),
2497                 },
2498                 .errstr_unpriv = "R10 partial copy",
2499                 .result_unpriv = REJECT,
2500                 .result = ACCEPT,
2501         },
2502         {
2503                 "unpriv: pass pointer to tail_call",
2504                 .insns = {
2505                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2506                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2507                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2508                                      BPF_FUNC_tail_call),
2509                         BPF_MOV64_IMM(BPF_REG_0, 0),
2510                         BPF_EXIT_INSN(),
2511                 },
2512                 .fixup_prog = { 1 },
2513                 .errstr_unpriv = "R3 leaks addr into helper",
2514                 .result_unpriv = REJECT,
2515                 .result = ACCEPT,
2516         },
2517         {
2518                 "unpriv: cmp map pointer with zero",
2519                 .insns = {
2520                         BPF_MOV64_IMM(BPF_REG_1, 0),
2521                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2522                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2523                         BPF_MOV64_IMM(BPF_REG_0, 0),
2524                         BPF_EXIT_INSN(),
2525                 },
2526                 .fixup_map1 = { 1 },
2527                 .errstr_unpriv = "R1 pointer comparison",
2528                 .result_unpriv = REJECT,
2529                 .result = ACCEPT,
2530         },
2531         {
2532                 "unpriv: write into frame pointer",
2533                 .insns = {
2534                         BPF_MOV64_REG(BPF_REG_10, BPF_REG_1),
2535                         BPF_MOV64_IMM(BPF_REG_0, 0),
2536                         BPF_EXIT_INSN(),
2537                 },
2538                 .errstr = "frame pointer is read only",
2539                 .result = REJECT,
2540         },
2541         {
2542                 "unpriv: spill/fill frame pointer",
2543                 .insns = {
2544                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2545                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2546                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2547                         BPF_LDX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, 0),
2548                         BPF_MOV64_IMM(BPF_REG_0, 0),
2549                         BPF_EXIT_INSN(),
2550                 },
2551                 .errstr = "frame pointer is read only",
2552                 .result = REJECT,
2553         },
2554         {
2555                 "unpriv: cmp of frame pointer",
2556                 .insns = {
2557                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_10, 0, 0),
2558                         BPF_MOV64_IMM(BPF_REG_0, 0),
2559                         BPF_EXIT_INSN(),
2560                 },
2561                 .errstr_unpriv = "R10 pointer comparison",
2562                 .result_unpriv = REJECT,
2563                 .result = ACCEPT,
2564         },
2565         {
2566                 "unpriv: adding of fp",
2567                 .insns = {
2568                         BPF_MOV64_IMM(BPF_REG_0, 0),
2569                         BPF_MOV64_IMM(BPF_REG_1, 0),
2570                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2571                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
2572                         BPF_EXIT_INSN(),
2573                 },
2574                 .result = ACCEPT,
2575         },
2576         {
2577                 "unpriv: cmp of stack pointer",
2578                 .insns = {
2579                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2580                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2581                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_2, 0, 0),
2582                         BPF_MOV64_IMM(BPF_REG_0, 0),
2583                         BPF_EXIT_INSN(),
2584                 },
2585                 .errstr_unpriv = "R2 pointer comparison",
2586                 .result_unpriv = REJECT,
2587                 .result = ACCEPT,
2588         },
2589         {
2590                 "runtime/jit: pass negative index to tail_call",
2591                 .insns = {
2592                         BPF_MOV64_IMM(BPF_REG_3, -1),
2593                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2594                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2595                                      BPF_FUNC_tail_call),
2596                         BPF_MOV64_IMM(BPF_REG_0, 0),
2597                         BPF_EXIT_INSN(),
2598                 },
2599                 .fixup_prog = { 1 },
2600                 .result = ACCEPT,
2601         },
2602         {
2603                 "runtime/jit: pass > 32bit index to tail_call",
2604                 .insns = {
2605                         BPF_LD_IMM64(BPF_REG_3, 0x100000000ULL),
2606                         BPF_LD_MAP_FD(BPF_REG_2, 0),
2607                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2608                                      BPF_FUNC_tail_call),
2609                         BPF_MOV64_IMM(BPF_REG_0, 0),
2610                         BPF_EXIT_INSN(),
2611                 },
2612                 .fixup_prog = { 2 },
2613                 .result = ACCEPT,
2614         },
2615         {
2616                 "stack pointer arithmetic",
2617                 .insns = {
2618                         BPF_MOV64_IMM(BPF_REG_1, 4),
2619                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
2620                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
2621                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2622                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
2623                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2624                         BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
2625                         BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2626                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
2627                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
2628                         BPF_ST_MEM(0, BPF_REG_2, 4, 0),
2629                         BPF_MOV64_IMM(BPF_REG_0, 0),
2630                         BPF_EXIT_INSN(),
2631                 },
2632                 .result = ACCEPT,
2633         },
2634         {
2635                 "raw_stack: no skb_load_bytes",
2636                 .insns = {
2637                         BPF_MOV64_IMM(BPF_REG_2, 4),
2638                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2639                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2640                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2641                         BPF_MOV64_IMM(BPF_REG_4, 8),
2642                         /* Call to skb_load_bytes() omitted. */
2643                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2644                         BPF_EXIT_INSN(),
2645                 },
2646                 .result = REJECT,
2647                 .errstr = "invalid read from stack off -8+0 size 8",
2648                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2649         },
2650         {
2651                 "raw_stack: skb_load_bytes, negative len",
2652                 .insns = {
2653                         BPF_MOV64_IMM(BPF_REG_2, 4),
2654                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2655                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2656                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2657                         BPF_MOV64_IMM(BPF_REG_4, -8),
2658                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2659                                      BPF_FUNC_skb_load_bytes),
2660                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2661                         BPF_EXIT_INSN(),
2662                 },
2663                 .result = REJECT,
2664                 .errstr = "R4 min value is negative",
2665                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2666         },
2667         {
2668                 "raw_stack: skb_load_bytes, negative len 2",
2669                 .insns = {
2670                         BPF_MOV64_IMM(BPF_REG_2, 4),
2671                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2672                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2673                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2674                         BPF_MOV64_IMM(BPF_REG_4, ~0),
2675                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2676                                      BPF_FUNC_skb_load_bytes),
2677                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2678                         BPF_EXIT_INSN(),
2679                 },
2680                 .result = REJECT,
2681                 .errstr = "R4 min value is negative",
2682                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2683         },
2684         {
2685                 "raw_stack: skb_load_bytes, zero len",
2686                 .insns = {
2687                         BPF_MOV64_IMM(BPF_REG_2, 4),
2688                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2689                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2690                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2691                         BPF_MOV64_IMM(BPF_REG_4, 0),
2692                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2693                                      BPF_FUNC_skb_load_bytes),
2694                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2695                         BPF_EXIT_INSN(),
2696                 },
2697                 .result = REJECT,
2698                 .errstr = "invalid stack type R3",
2699                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2700         },
2701         {
2702                 "raw_stack: skb_load_bytes, no init",
2703                 .insns = {
2704                         BPF_MOV64_IMM(BPF_REG_2, 4),
2705                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2706                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2707                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2708                         BPF_MOV64_IMM(BPF_REG_4, 8),
2709                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2710                                      BPF_FUNC_skb_load_bytes),
2711                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2712                         BPF_EXIT_INSN(),
2713                 },
2714                 .result = ACCEPT,
2715                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2716         },
2717         {
2718                 "raw_stack: skb_load_bytes, init",
2719                 .insns = {
2720                         BPF_MOV64_IMM(BPF_REG_2, 4),
2721                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2722                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2723                         BPF_ST_MEM(BPF_DW, BPF_REG_6, 0, 0xcafe),
2724                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2725                         BPF_MOV64_IMM(BPF_REG_4, 8),
2726                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2727                                      BPF_FUNC_skb_load_bytes),
2728                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2729                         BPF_EXIT_INSN(),
2730                 },
2731                 .result = ACCEPT,
2732                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2733         },
2734         {
2735                 "raw_stack: skb_load_bytes, spilled regs around bounds",
2736                 .insns = {
2737                         BPF_MOV64_IMM(BPF_REG_2, 4),
2738                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2739                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2740                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2741                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2742                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2743                         BPF_MOV64_IMM(BPF_REG_4, 8),
2744                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2745                                      BPF_FUNC_skb_load_bytes),
2746                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2747                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2748                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2749                                     offsetof(struct __sk_buff, mark)),
2750                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2751                                     offsetof(struct __sk_buff, priority)),
2752                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2753                         BPF_EXIT_INSN(),
2754                 },
2755                 .result = ACCEPT,
2756                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2757         },
2758         {
2759                 "raw_stack: skb_load_bytes, spilled regs corruption",
2760                 .insns = {
2761                         BPF_MOV64_IMM(BPF_REG_2, 4),
2762                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2763                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2764                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2765                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2766                         BPF_MOV64_IMM(BPF_REG_4, 8),
2767                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2768                                      BPF_FUNC_skb_load_bytes),
2769                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2770                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2771                                     offsetof(struct __sk_buff, mark)),
2772                         BPF_EXIT_INSN(),
2773                 },
2774                 .result = REJECT,
2775                 .errstr = "R0 invalid mem access 'inv'",
2776                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2777         },
2778         {
2779                 "raw_stack: skb_load_bytes, spilled regs corruption 2",
2780                 .insns = {
2781                         BPF_MOV64_IMM(BPF_REG_2, 4),
2782                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2783                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2784                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2785                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
2786                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2787                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2788                         BPF_MOV64_IMM(BPF_REG_4, 8),
2789                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2790                                      BPF_FUNC_skb_load_bytes),
2791                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2792                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2793                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
2794                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2795                                     offsetof(struct __sk_buff, mark)),
2796                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2797                                     offsetof(struct __sk_buff, priority)),
2798                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2799                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_3,
2800                                     offsetof(struct __sk_buff, pkt_type)),
2801                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2802                         BPF_EXIT_INSN(),
2803                 },
2804                 .result = REJECT,
2805                 .errstr = "R3 invalid mem access 'inv'",
2806                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2807         },
2808         {
2809                 "raw_stack: skb_load_bytes, spilled regs + data",
2810                 .insns = {
2811                         BPF_MOV64_IMM(BPF_REG_2, 4),
2812                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2813                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -16),
2814                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, -8),
2815                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  0),
2816                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1,  8),
2817                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2818                         BPF_MOV64_IMM(BPF_REG_4, 8),
2819                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2820                                      BPF_FUNC_skb_load_bytes),
2821                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, -8),
2822                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_6,  8),
2823                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_6,  0),
2824                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
2825                                     offsetof(struct __sk_buff, mark)),
2826                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_2,
2827                                     offsetof(struct __sk_buff, priority)),
2828                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
2829                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_3),
2830                         BPF_EXIT_INSN(),
2831                 },
2832                 .result = ACCEPT,
2833                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2834         },
2835         {
2836                 "raw_stack: skb_load_bytes, invalid access 1",
2837                 .insns = {
2838                         BPF_MOV64_IMM(BPF_REG_2, 4),
2839                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2840                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -513),
2841                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2842                         BPF_MOV64_IMM(BPF_REG_4, 8),
2843                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2844                                      BPF_FUNC_skb_load_bytes),
2845                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2846                         BPF_EXIT_INSN(),
2847                 },
2848                 .result = REJECT,
2849                 .errstr = "invalid stack type R3 off=-513 access_size=8",
2850                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2851         },
2852         {
2853                 "raw_stack: skb_load_bytes, invalid access 2",
2854                 .insns = {
2855                         BPF_MOV64_IMM(BPF_REG_2, 4),
2856                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2857                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2858                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2859                         BPF_MOV64_IMM(BPF_REG_4, 8),
2860                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2861                                      BPF_FUNC_skb_load_bytes),
2862                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2863                         BPF_EXIT_INSN(),
2864                 },
2865                 .result = REJECT,
2866                 .errstr = "invalid stack type R3 off=-1 access_size=8",
2867                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2868         },
2869         {
2870                 "raw_stack: skb_load_bytes, invalid access 3",
2871                 .insns = {
2872                         BPF_MOV64_IMM(BPF_REG_2, 4),
2873                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2874                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 0xffffffff),
2875                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2876                         BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
2877                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2878                                      BPF_FUNC_skb_load_bytes),
2879                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2880                         BPF_EXIT_INSN(),
2881                 },
2882                 .result = REJECT,
2883                 .errstr = "R4 min value is negative",
2884                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2885         },
2886         {
2887                 "raw_stack: skb_load_bytes, invalid access 4",
2888                 .insns = {
2889                         BPF_MOV64_IMM(BPF_REG_2, 4),
2890                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2891                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -1),
2892                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2893                         BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2894                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2895                                      BPF_FUNC_skb_load_bytes),
2896                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2897                         BPF_EXIT_INSN(),
2898                 },
2899                 .result = REJECT,
2900                 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
2901                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2902         },
2903         {
2904                 "raw_stack: skb_load_bytes, invalid access 5",
2905                 .insns = {
2906                         BPF_MOV64_IMM(BPF_REG_2, 4),
2907                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2908                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2909                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2910                         BPF_MOV64_IMM(BPF_REG_4, 0x7fffffff),
2911                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2912                                      BPF_FUNC_skb_load_bytes),
2913                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2914                         BPF_EXIT_INSN(),
2915                 },
2916                 .result = REJECT,
2917                 .errstr = "R4 unbounded memory access, use 'var &= const' or 'if (var < const)'",
2918                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2919         },
2920         {
2921                 "raw_stack: skb_load_bytes, invalid access 6",
2922                 .insns = {
2923                         BPF_MOV64_IMM(BPF_REG_2, 4),
2924                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2925                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2926                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2927                         BPF_MOV64_IMM(BPF_REG_4, 0),
2928                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2929                                      BPF_FUNC_skb_load_bytes),
2930                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2931                         BPF_EXIT_INSN(),
2932                 },
2933                 .result = REJECT,
2934                 .errstr = "invalid stack type R3 off=-512 access_size=0",
2935                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2936         },
2937         {
2938                 "raw_stack: skb_load_bytes, large access",
2939                 .insns = {
2940                         BPF_MOV64_IMM(BPF_REG_2, 4),
2941                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2942                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -512),
2943                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
2944                         BPF_MOV64_IMM(BPF_REG_4, 512),
2945                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2946                                      BPF_FUNC_skb_load_bytes),
2947                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
2948                         BPF_EXIT_INSN(),
2949                 },
2950                 .result = ACCEPT,
2951                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2952         },
2953         {
2954                 "context stores via ST",
2955                 .insns = {
2956                         BPF_MOV64_IMM(BPF_REG_0, 0),
2957                         BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
2958                         BPF_EXIT_INSN(),
2959                 },
2960                 .errstr = "BPF_ST stores into R1 context is not allowed",
2961                 .result = REJECT,
2962                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2963         },
2964         {
2965                 "context stores via XADD",
2966                 .insns = {
2967                         BPF_MOV64_IMM(BPF_REG_0, 0),
2968                         BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_W, BPF_REG_1,
2969                                      BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
2970                         BPF_EXIT_INSN(),
2971                 },
2972                 .errstr = "BPF_XADD stores into R1 context is not allowed",
2973                 .result = REJECT,
2974                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2975         },
2976         {
2977                 "direct packet access: test1",
2978                 .insns = {
2979                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
2980                                     offsetof(struct __sk_buff, data)),
2981                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
2982                                     offsetof(struct __sk_buff, data_end)),
2983                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
2984                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
2985                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
2986                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
2987                         BPF_MOV64_IMM(BPF_REG_0, 0),
2988                         BPF_EXIT_INSN(),
2989                 },
2990                 .result = ACCEPT,
2991                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2992         },
2993         {
2994                 "direct packet access: test2",
2995                 .insns = {
2996                         BPF_MOV64_IMM(BPF_REG_0, 1),
2997                         BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
2998                                     offsetof(struct __sk_buff, data_end)),
2999                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3000                                     offsetof(struct __sk_buff, data)),
3001                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3002                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
3003                         BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
3004                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
3005                         BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
3006                         BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
3007                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3008                                     offsetof(struct __sk_buff, data)),
3009                         BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
3010                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3011                                     offsetof(struct __sk_buff, len)),
3012                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
3013                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
3014                         BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
3015                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
3016                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
3017                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
3018                                     offsetof(struct __sk_buff, data_end)),
3019                         BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
3020                         BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
3021                         BPF_MOV64_IMM(BPF_REG_0, 0),
3022                         BPF_EXIT_INSN(),
3023                 },
3024                 .result = ACCEPT,
3025                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3026         },
3027         {
3028                 "direct packet access: test3",
3029                 .insns = {
3030                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3031                                     offsetof(struct __sk_buff, data)),
3032                         BPF_MOV64_IMM(BPF_REG_0, 0),
3033                         BPF_EXIT_INSN(),
3034                 },
3035                 .errstr = "invalid bpf_context access off=76",
3036                 .result = REJECT,
3037                 .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
3038         },
3039         {
3040                 "direct packet access: test4 (write)",
3041                 .insns = {
3042                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3043                                     offsetof(struct __sk_buff, data)),
3044                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3045                                     offsetof(struct __sk_buff, data_end)),
3046                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3047                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3048                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3049                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3050                         BPF_MOV64_IMM(BPF_REG_0, 0),
3051                         BPF_EXIT_INSN(),
3052                 },
3053                 .result = ACCEPT,
3054                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3055         },
3056         {
3057                 "direct packet access: test5 (pkt_end >= reg, good access)",
3058                 .insns = {
3059                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3060                                     offsetof(struct __sk_buff, data)),
3061                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3062                                     offsetof(struct __sk_buff, data_end)),
3063                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3064                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3065                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3066                         BPF_MOV64_IMM(BPF_REG_0, 1),
3067                         BPF_EXIT_INSN(),
3068                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3069                         BPF_MOV64_IMM(BPF_REG_0, 0),
3070                         BPF_EXIT_INSN(),
3071                 },
3072                 .result = ACCEPT,
3073                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3074         },
3075         {
3076                 "direct packet access: test6 (pkt_end >= reg, bad access)",
3077                 .insns = {
3078                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3079                                     offsetof(struct __sk_buff, data)),
3080                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3081                                     offsetof(struct __sk_buff, data_end)),
3082                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3083                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3084                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3085                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3086                         BPF_MOV64_IMM(BPF_REG_0, 1),
3087                         BPF_EXIT_INSN(),
3088                         BPF_MOV64_IMM(BPF_REG_0, 0),
3089                         BPF_EXIT_INSN(),
3090                 },
3091                 .errstr = "invalid access to packet",
3092                 .result = REJECT,
3093                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3094         },
3095         {
3096                 "direct packet access: test7 (pkt_end >= reg, both accesses)",
3097                 .insns = {
3098                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3099                                     offsetof(struct __sk_buff, data)),
3100                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3101                                     offsetof(struct __sk_buff, data_end)),
3102                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3103                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3104                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
3105                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3106                         BPF_MOV64_IMM(BPF_REG_0, 1),
3107                         BPF_EXIT_INSN(),
3108                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3109                         BPF_MOV64_IMM(BPF_REG_0, 0),
3110                         BPF_EXIT_INSN(),
3111                 },
3112                 .errstr = "invalid access to packet",
3113                 .result = REJECT,
3114                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3115         },
3116         {
3117                 "direct packet access: test8 (double test, variant 1)",
3118                 .insns = {
3119                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3120                                     offsetof(struct __sk_buff, data)),
3121                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3122                                     offsetof(struct __sk_buff, data_end)),
3123                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3124                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3125                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
3126                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3127                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3128                         BPF_MOV64_IMM(BPF_REG_0, 1),
3129                         BPF_EXIT_INSN(),
3130                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3131                         BPF_MOV64_IMM(BPF_REG_0, 0),
3132                         BPF_EXIT_INSN(),
3133                 },
3134                 .result = ACCEPT,
3135                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3136         },
3137         {
3138                 "direct packet access: test9 (double test, variant 2)",
3139                 .insns = {
3140                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3141                                     offsetof(struct __sk_buff, data)),
3142                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3143                                     offsetof(struct __sk_buff, data_end)),
3144                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3145                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3146                         BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
3147                         BPF_MOV64_IMM(BPF_REG_0, 1),
3148                         BPF_EXIT_INSN(),
3149                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3150                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3151                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3152                         BPF_MOV64_IMM(BPF_REG_0, 0),
3153                         BPF_EXIT_INSN(),
3154                 },
3155                 .result = ACCEPT,
3156                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3157         },
3158         {
3159                 "direct packet access: test10 (write invalid)",
3160                 .insns = {
3161                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3162                                     offsetof(struct __sk_buff, data)),
3163                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3164                                     offsetof(struct __sk_buff, data_end)),
3165                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3166                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3167                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3168                         BPF_MOV64_IMM(BPF_REG_0, 0),
3169                         BPF_EXIT_INSN(),
3170                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3171                         BPF_MOV64_IMM(BPF_REG_0, 0),
3172                         BPF_EXIT_INSN(),
3173                 },
3174                 .errstr = "invalid access to packet",
3175                 .result = REJECT,
3176                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3177         },
3178         {
3179                 "direct packet access: test11 (shift, good access)",
3180                 .insns = {
3181                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3182                                     offsetof(struct __sk_buff, data)),
3183                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3184                                     offsetof(struct __sk_buff, data_end)),
3185                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3186                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3187                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3188                         BPF_MOV64_IMM(BPF_REG_3, 144),
3189                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3190                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3191                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
3192                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3193                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3194                         BPF_MOV64_IMM(BPF_REG_0, 1),
3195                         BPF_EXIT_INSN(),
3196                         BPF_MOV64_IMM(BPF_REG_0, 0),
3197                         BPF_EXIT_INSN(),
3198                 },
3199                 .result = ACCEPT,
3200                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3201                 .retval = 1,
3202         },
3203         {
3204                 "direct packet access: test12 (and, good access)",
3205                 .insns = {
3206                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3207                                     offsetof(struct __sk_buff, data)),
3208                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3209                                     offsetof(struct __sk_buff, data_end)),
3210                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3211                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3212                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3213                         BPF_MOV64_IMM(BPF_REG_3, 144),
3214                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3215                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3216                         BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3217                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3218                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3219                         BPF_MOV64_IMM(BPF_REG_0, 1),
3220                         BPF_EXIT_INSN(),
3221                         BPF_MOV64_IMM(BPF_REG_0, 0),
3222                         BPF_EXIT_INSN(),
3223                 },
3224                 .result = ACCEPT,
3225                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3226                 .retval = 1,
3227         },
3228         {
3229                 "direct packet access: test13 (branches, good access)",
3230                 .insns = {
3231                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3232                                     offsetof(struct __sk_buff, data)),
3233                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3234                                     offsetof(struct __sk_buff, data_end)),
3235                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3236                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3237                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
3238                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3239                                     offsetof(struct __sk_buff, mark)),
3240                         BPF_MOV64_IMM(BPF_REG_4, 1),
3241                         BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
3242                         BPF_MOV64_IMM(BPF_REG_3, 14),
3243                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
3244                         BPF_MOV64_IMM(BPF_REG_3, 24),
3245                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
3246                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
3247                         BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
3248                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3249                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3250                         BPF_MOV64_IMM(BPF_REG_0, 1),
3251                         BPF_EXIT_INSN(),
3252                         BPF_MOV64_IMM(BPF_REG_0, 0),
3253                         BPF_EXIT_INSN(),
3254                 },
3255                 .result = ACCEPT,
3256                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3257                 .retval = 1,
3258         },
3259         {
3260                 "direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
3261                 .insns = {
3262                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3263                                     offsetof(struct __sk_buff, data)),
3264                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3265                                     offsetof(struct __sk_buff, data_end)),
3266                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3267                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
3268                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
3269                         BPF_MOV64_IMM(BPF_REG_5, 12),
3270                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
3271                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
3272                         BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
3273                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
3274                         BPF_MOV64_IMM(BPF_REG_0, 1),
3275                         BPF_EXIT_INSN(),
3276                         BPF_MOV64_IMM(BPF_REG_0, 0),
3277                         BPF_EXIT_INSN(),
3278                 },
3279                 .result = ACCEPT,
3280                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3281                 .retval = 1,
3282         },
3283         {
3284                 "direct packet access: test15 (spill with xadd)",
3285                 .insns = {
3286                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3287                                     offsetof(struct __sk_buff, data)),
3288                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3289                                     offsetof(struct __sk_buff, data_end)),
3290                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3291                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3292                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
3293                         BPF_MOV64_IMM(BPF_REG_5, 4096),
3294                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
3295                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
3296                         BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
3297                         BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
3298                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
3299                         BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
3300                         BPF_MOV64_IMM(BPF_REG_0, 0),
3301                         BPF_EXIT_INSN(),
3302                 },
3303                 .errstr = "R2 invalid mem access 'inv'",
3304                 .result = REJECT,
3305                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3306         },
3307         {
3308                 "direct packet access: test16 (arith on data_end)",
3309                 .insns = {
3310                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3311                                     offsetof(struct __sk_buff, data)),
3312                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3313                                     offsetof(struct __sk_buff, data_end)),
3314                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3315                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3316                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
3317                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3318                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3319                         BPF_MOV64_IMM(BPF_REG_0, 0),
3320                         BPF_EXIT_INSN(),
3321                 },
3322                 .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END",
3323                 .result = REJECT,
3324                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3325         },
3326         {
3327                 "direct packet access: test17 (pruning, alignment)",
3328                 .insns = {
3329                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3330                                     offsetof(struct __sk_buff, data)),
3331                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3332                                     offsetof(struct __sk_buff, data_end)),
3333                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3334                                     offsetof(struct __sk_buff, mark)),
3335                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3336                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
3337                         BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
3338                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3339                         BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
3340                         BPF_MOV64_IMM(BPF_REG_0, 0),
3341                         BPF_EXIT_INSN(),
3342                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
3343                         BPF_JMP_A(-6),
3344                 },
3345                 .errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
3346                 .result = REJECT,
3347                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3348                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
3349         },
3350         {
3351                 "direct packet access: test18 (imm += pkt_ptr, 1)",
3352                 .insns = {
3353                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3354                                     offsetof(struct __sk_buff, data)),
3355                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3356                                     offsetof(struct __sk_buff, data_end)),
3357                         BPF_MOV64_IMM(BPF_REG_0, 8),
3358                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3359                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3360                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
3361                         BPF_MOV64_IMM(BPF_REG_0, 0),
3362                         BPF_EXIT_INSN(),
3363                 },
3364                 .result = ACCEPT,
3365                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3366         },
3367         {
3368                 "direct packet access: test19 (imm += pkt_ptr, 2)",
3369                 .insns = {
3370                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3371                                     offsetof(struct __sk_buff, data)),
3372                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3373                                     offsetof(struct __sk_buff, data_end)),
3374                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3375                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3376                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
3377                         BPF_MOV64_IMM(BPF_REG_4, 4),
3378                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3379                         BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
3380                         BPF_MOV64_IMM(BPF_REG_0, 0),
3381                         BPF_EXIT_INSN(),
3382                 },
3383                 .result = ACCEPT,
3384                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3385         },
3386         {
3387                 "direct packet access: test20 (x += pkt_ptr, 1)",
3388                 .insns = {
3389                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3390                                     offsetof(struct __sk_buff, data)),
3391                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3392                                     offsetof(struct __sk_buff, data_end)),
3393                         BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3394                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3395                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3396                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
3397                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3398                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3399                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3400                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3401                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3402                         BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3403                         BPF_MOV64_IMM(BPF_REG_0, 0),
3404                         BPF_EXIT_INSN(),
3405                 },
3406                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3407                 .result = ACCEPT,
3408         },
3409         {
3410                 "direct packet access: test21 (x += pkt_ptr, 2)",
3411                 .insns = {
3412                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3413                                     offsetof(struct __sk_buff, data)),
3414                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3415                                     offsetof(struct __sk_buff, data_end)),
3416                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3417                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3418                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
3419                         BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3420                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3421                         BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3422                         BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
3423                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3424                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3425                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
3426                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
3427                         BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
3428                         BPF_MOV64_IMM(BPF_REG_0, 0),
3429                         BPF_EXIT_INSN(),
3430                 },
3431                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3432                 .result = ACCEPT,
3433         },
3434         {
3435                 "direct packet access: test22 (x += pkt_ptr, 3)",
3436                 .insns = {
3437                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3438                                     offsetof(struct __sk_buff, data)),
3439                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3440                                     offsetof(struct __sk_buff, data_end)),
3441                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3442                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3443                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
3444                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
3445                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
3446                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
3447                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
3448                         BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
3449                         BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
3450                         BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
3451                         BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
3452                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
3453                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
3454                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
3455                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
3456                         BPF_MOV64_IMM(BPF_REG_2, 1),
3457                         BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
3458                         BPF_MOV64_IMM(BPF_REG_0, 0),
3459                         BPF_EXIT_INSN(),
3460                 },
3461                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3462                 .result = ACCEPT,
3463         },
3464         {
3465                 "direct packet access: test23 (x += pkt_ptr, 4)",
3466                 .insns = {
3467                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3468                                     offsetof(struct __sk_buff, data)),
3469                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3470                                     offsetof(struct __sk_buff, data_end)),
3471                         BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3472                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3473                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3474                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
3475                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3476                         BPF_MOV64_IMM(BPF_REG_0, 31),
3477                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3478                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3479                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3480                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
3481                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3482                         BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3483                         BPF_MOV64_IMM(BPF_REG_0, 0),
3484                         BPF_EXIT_INSN(),
3485                 },
3486                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3487                 .result = REJECT,
3488                 .errstr = "invalid access to packet, off=0 size=8, R5(id=1,off=0,r=0)",
3489         },
3490         {
3491                 "direct packet access: test24 (x += pkt_ptr, 5)",
3492                 .insns = {
3493                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3494                                     offsetof(struct __sk_buff, data)),
3495                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3496                                     offsetof(struct __sk_buff, data_end)),
3497                         BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
3498                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
3499                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
3500                         BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
3501                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
3502                         BPF_MOV64_IMM(BPF_REG_0, 64),
3503                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
3504                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
3505                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
3506                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
3507                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
3508                         BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
3509                         BPF_MOV64_IMM(BPF_REG_0, 0),
3510                         BPF_EXIT_INSN(),
3511                 },
3512                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3513                 .result = ACCEPT,
3514         },
3515         {
3516                 "direct packet access: test25 (marking on <, good access)",
3517                 .insns = {
3518                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3519                                     offsetof(struct __sk_buff, data)),
3520                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3521                                     offsetof(struct __sk_buff, data_end)),
3522                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3523                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3524                         BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
3525                         BPF_MOV64_IMM(BPF_REG_0, 0),
3526                         BPF_EXIT_INSN(),
3527                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3528                         BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3529                 },
3530                 .result = ACCEPT,
3531                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3532         },
3533         {
3534                 "direct packet access: test26 (marking on <, bad access)",
3535                 .insns = {
3536                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3537                                     offsetof(struct __sk_buff, data)),
3538                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3539                                     offsetof(struct __sk_buff, data_end)),
3540                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3541                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3542                         BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
3543                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3544                         BPF_MOV64_IMM(BPF_REG_0, 0),
3545                         BPF_EXIT_INSN(),
3546                         BPF_JMP_IMM(BPF_JA, 0, 0, -3),
3547                 },
3548                 .result = REJECT,
3549                 .errstr = "invalid access to packet",
3550                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3551         },
3552         {
3553                 "direct packet access: test27 (marking on <=, good access)",
3554                 .insns = {
3555                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3556                                     offsetof(struct __sk_buff, data)),
3557                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3558                                     offsetof(struct __sk_buff, data_end)),
3559                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3560                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3561                         BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
3562                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3563                         BPF_MOV64_IMM(BPF_REG_0, 1),
3564                         BPF_EXIT_INSN(),
3565                 },
3566                 .result = ACCEPT,
3567                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3568                 .retval = 1,
3569         },
3570         {
3571                 "direct packet access: test28 (marking on <=, bad access)",
3572                 .insns = {
3573                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3574                                     offsetof(struct __sk_buff, data)),
3575                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3576                                     offsetof(struct __sk_buff, data_end)),
3577                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
3578                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
3579                         BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
3580                         BPF_MOV64_IMM(BPF_REG_0, 1),
3581                         BPF_EXIT_INSN(),
3582                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
3583                         BPF_JMP_IMM(BPF_JA, 0, 0, -4),
3584                 },
3585                 .result = REJECT,
3586                 .errstr = "invalid access to packet",
3587                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3588         },
3589         {
3590                 "helper access to packet: test1, valid packet_ptr range",
3591                 .insns = {
3592                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3593                                     offsetof(struct xdp_md, data)),
3594                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3595                                     offsetof(struct xdp_md, data_end)),
3596                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3597                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3598                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3599                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3600                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3601                         BPF_MOV64_IMM(BPF_REG_4, 0),
3602                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3603                                      BPF_FUNC_map_update_elem),
3604                         BPF_MOV64_IMM(BPF_REG_0, 0),
3605                         BPF_EXIT_INSN(),
3606                 },
3607                 .fixup_map1 = { 5 },
3608                 .result_unpriv = ACCEPT,
3609                 .result = ACCEPT,
3610                 .prog_type = BPF_PROG_TYPE_XDP,
3611         },
3612         {
3613                 "helper access to packet: test2, unchecked packet_ptr",
3614                 .insns = {
3615                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3616                                     offsetof(struct xdp_md, data)),
3617                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3618                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3619                                      BPF_FUNC_map_lookup_elem),
3620                         BPF_MOV64_IMM(BPF_REG_0, 0),
3621                         BPF_EXIT_INSN(),
3622                 },
3623                 .fixup_map1 = { 1 },
3624                 .result = REJECT,
3625                 .errstr = "invalid access to packet",
3626                 .prog_type = BPF_PROG_TYPE_XDP,
3627         },
3628         {
3629                 "helper access to packet: test3, variable add",
3630                 .insns = {
3631                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3632                                         offsetof(struct xdp_md, data)),
3633                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3634                                         offsetof(struct xdp_md, data_end)),
3635                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3636                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3637                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3638                         BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3639                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3640                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3641                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3642                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3643                         BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3644                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3645                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3646                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3647                                      BPF_FUNC_map_lookup_elem),
3648                         BPF_MOV64_IMM(BPF_REG_0, 0),
3649                         BPF_EXIT_INSN(),
3650                 },
3651                 .fixup_map1 = { 11 },
3652                 .result = ACCEPT,
3653                 .prog_type = BPF_PROG_TYPE_XDP,
3654         },
3655         {
3656                 "helper access to packet: test4, packet_ptr with bad range",
3657                 .insns = {
3658                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3659                                     offsetof(struct xdp_md, data)),
3660                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3661                                     offsetof(struct xdp_md, data_end)),
3662                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3663                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3664                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3665                         BPF_MOV64_IMM(BPF_REG_0, 0),
3666                         BPF_EXIT_INSN(),
3667                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3668                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3669                                      BPF_FUNC_map_lookup_elem),
3670                         BPF_MOV64_IMM(BPF_REG_0, 0),
3671                         BPF_EXIT_INSN(),
3672                 },
3673                 .fixup_map1 = { 7 },
3674                 .result = REJECT,
3675                 .errstr = "invalid access to packet",
3676                 .prog_type = BPF_PROG_TYPE_XDP,
3677         },
3678         {
3679                 "helper access to packet: test5, packet_ptr with too short range",
3680                 .insns = {
3681                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3682                                     offsetof(struct xdp_md, data)),
3683                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3684                                     offsetof(struct xdp_md, data_end)),
3685                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3686                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3687                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3688                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3689                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3690                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3691                                      BPF_FUNC_map_lookup_elem),
3692                         BPF_MOV64_IMM(BPF_REG_0, 0),
3693                         BPF_EXIT_INSN(),
3694                 },
3695                 .fixup_map1 = { 6 },
3696                 .result = REJECT,
3697                 .errstr = "invalid access to packet",
3698                 .prog_type = BPF_PROG_TYPE_XDP,
3699         },
3700         {
3701                 "helper access to packet: test6, cls valid packet_ptr range",
3702                 .insns = {
3703                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3704                                     offsetof(struct __sk_buff, data)),
3705                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3706                                     offsetof(struct __sk_buff, data_end)),
3707                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
3708                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
3709                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 5),
3710                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3711                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
3712                         BPF_MOV64_IMM(BPF_REG_4, 0),
3713                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3714                                      BPF_FUNC_map_update_elem),
3715                         BPF_MOV64_IMM(BPF_REG_0, 0),
3716                         BPF_EXIT_INSN(),
3717                 },
3718                 .fixup_map1 = { 5 },
3719                 .result = ACCEPT,
3720                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3721         },
3722         {
3723                 "helper access to packet: test7, cls unchecked packet_ptr",
3724                 .insns = {
3725                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3726                                     offsetof(struct __sk_buff, data)),
3727                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3728                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3729                                      BPF_FUNC_map_lookup_elem),
3730                         BPF_MOV64_IMM(BPF_REG_0, 0),
3731                         BPF_EXIT_INSN(),
3732                 },
3733                 .fixup_map1 = { 1 },
3734                 .result = REJECT,
3735                 .errstr = "invalid access to packet",
3736                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3737         },
3738         {
3739                 "helper access to packet: test8, cls variable add",
3740                 .insns = {
3741                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3742                                         offsetof(struct __sk_buff, data)),
3743                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3744                                         offsetof(struct __sk_buff, data_end)),
3745                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3746                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 8),
3747                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 10),
3748                         BPF_LDX_MEM(BPF_B, BPF_REG_5, BPF_REG_2, 0),
3749                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3750                         BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_5),
3751                         BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
3752                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 8),
3753                         BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_3, 4),
3754                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3755                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_4),
3756                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3757                                      BPF_FUNC_map_lookup_elem),
3758                         BPF_MOV64_IMM(BPF_REG_0, 0),
3759                         BPF_EXIT_INSN(),
3760                 },
3761                 .fixup_map1 = { 11 },
3762                 .result = ACCEPT,
3763                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3764         },
3765         {
3766                 "helper access to packet: test9, cls packet_ptr with bad range",
3767                 .insns = {
3768                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3769                                     offsetof(struct __sk_buff, data)),
3770                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3771                                     offsetof(struct __sk_buff, data_end)),
3772                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3773                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 4),
3774                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 2),
3775                         BPF_MOV64_IMM(BPF_REG_0, 0),
3776                         BPF_EXIT_INSN(),
3777                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3778                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3779                                      BPF_FUNC_map_lookup_elem),
3780                         BPF_MOV64_IMM(BPF_REG_0, 0),
3781                         BPF_EXIT_INSN(),
3782                 },
3783                 .fixup_map1 = { 7 },
3784                 .result = REJECT,
3785                 .errstr = "invalid access to packet",
3786                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3787         },
3788         {
3789                 "helper access to packet: test10, cls packet_ptr with too short range",
3790                 .insns = {
3791                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
3792                                     offsetof(struct __sk_buff, data)),
3793                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
3794                                     offsetof(struct __sk_buff, data_end)),
3795                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 1),
3796                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
3797                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 7),
3798                         BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 3),
3799                         BPF_LD_MAP_FD(BPF_REG_1, 0),
3800                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3801                                      BPF_FUNC_map_lookup_elem),
3802                         BPF_MOV64_IMM(BPF_REG_0, 0),
3803                         BPF_EXIT_INSN(),
3804                 },
3805                 .fixup_map1 = { 6 },
3806                 .result = REJECT,
3807                 .errstr = "invalid access to packet",
3808                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3809         },
3810         {
3811                 "helper access to packet: test11, cls unsuitable helper 1",
3812                 .insns = {
3813                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3814                                     offsetof(struct __sk_buff, data)),
3815                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3816                                     offsetof(struct __sk_buff, data_end)),
3817                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3818                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3819                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 7),
3820                         BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_7, 4),
3821                         BPF_MOV64_IMM(BPF_REG_2, 0),
3822                         BPF_MOV64_IMM(BPF_REG_4, 42),
3823                         BPF_MOV64_IMM(BPF_REG_5, 0),
3824                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3825                                      BPF_FUNC_skb_store_bytes),
3826                         BPF_MOV64_IMM(BPF_REG_0, 0),
3827                         BPF_EXIT_INSN(),
3828                 },
3829                 .result = REJECT,
3830                 .errstr = "helper access to the packet",
3831                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3832         },
3833         {
3834                 "helper access to packet: test12, cls unsuitable helper 2",
3835                 .insns = {
3836                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3837                                     offsetof(struct __sk_buff, data)),
3838                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3839                                     offsetof(struct __sk_buff, data_end)),
3840                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
3841                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 8),
3842                         BPF_JMP_REG(BPF_JGT, BPF_REG_6, BPF_REG_7, 3),
3843                         BPF_MOV64_IMM(BPF_REG_2, 0),
3844                         BPF_MOV64_IMM(BPF_REG_4, 4),
3845                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3846                                      BPF_FUNC_skb_load_bytes),
3847                         BPF_MOV64_IMM(BPF_REG_0, 0),
3848                         BPF_EXIT_INSN(),
3849                 },
3850                 .result = REJECT,
3851                 .errstr = "helper access to the packet",
3852                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3853         },
3854         {
3855                 "helper access to packet: test13, cls helper ok",
3856                 .insns = {
3857                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3858                                     offsetof(struct __sk_buff, data)),
3859                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3860                                     offsetof(struct __sk_buff, data_end)),
3861                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3862                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3863                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3864                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3865                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3866                         BPF_MOV64_IMM(BPF_REG_2, 4),
3867                         BPF_MOV64_IMM(BPF_REG_3, 0),
3868                         BPF_MOV64_IMM(BPF_REG_4, 0),
3869                         BPF_MOV64_IMM(BPF_REG_5, 0),
3870                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3871                                      BPF_FUNC_csum_diff),
3872                         BPF_MOV64_IMM(BPF_REG_0, 0),
3873                         BPF_EXIT_INSN(),
3874                 },
3875                 .result = ACCEPT,
3876                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3877         },
3878         {
3879                 "helper access to packet: test14, cls helper ok sub",
3880                 .insns = {
3881                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3882                                     offsetof(struct __sk_buff, data)),
3883                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3884                                     offsetof(struct __sk_buff, data_end)),
3885                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3886                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3887                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3888                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3889                         BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 4),
3890                         BPF_MOV64_IMM(BPF_REG_2, 4),
3891                         BPF_MOV64_IMM(BPF_REG_3, 0),
3892                         BPF_MOV64_IMM(BPF_REG_4, 0),
3893                         BPF_MOV64_IMM(BPF_REG_5, 0),
3894                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3895                                      BPF_FUNC_csum_diff),
3896                         BPF_MOV64_IMM(BPF_REG_0, 0),
3897                         BPF_EXIT_INSN(),
3898                 },
3899                 .result = ACCEPT,
3900                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3901         },
3902         {
3903                 "helper access to packet: test15, cls helper fail sub",
3904                 .insns = {
3905                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3906                                     offsetof(struct __sk_buff, data)),
3907                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3908                                     offsetof(struct __sk_buff, data_end)),
3909                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3910                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3911                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3912                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3913                         BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 12),
3914                         BPF_MOV64_IMM(BPF_REG_2, 4),
3915                         BPF_MOV64_IMM(BPF_REG_3, 0),
3916                         BPF_MOV64_IMM(BPF_REG_4, 0),
3917                         BPF_MOV64_IMM(BPF_REG_5, 0),
3918                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3919                                      BPF_FUNC_csum_diff),
3920                         BPF_MOV64_IMM(BPF_REG_0, 0),
3921                         BPF_EXIT_INSN(),
3922                 },
3923                 .result = REJECT,
3924                 .errstr = "invalid access to packet",
3925                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3926         },
3927         {
3928                 "helper access to packet: test16, cls helper fail range 1",
3929                 .insns = {
3930                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3931                                     offsetof(struct __sk_buff, data)),
3932                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3933                                     offsetof(struct __sk_buff, data_end)),
3934                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3935                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3936                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3937                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3938                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3939                         BPF_MOV64_IMM(BPF_REG_2, 8),
3940                         BPF_MOV64_IMM(BPF_REG_3, 0),
3941                         BPF_MOV64_IMM(BPF_REG_4, 0),
3942                         BPF_MOV64_IMM(BPF_REG_5, 0),
3943                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3944                                      BPF_FUNC_csum_diff),
3945                         BPF_MOV64_IMM(BPF_REG_0, 0),
3946                         BPF_EXIT_INSN(),
3947                 },
3948                 .result = REJECT,
3949                 .errstr = "invalid access to packet",
3950                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3951         },
3952         {
3953                 "helper access to packet: test17, cls helper fail range 2",
3954                 .insns = {
3955                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3956                                     offsetof(struct __sk_buff, data)),
3957                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3958                                     offsetof(struct __sk_buff, data_end)),
3959                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3960                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3961                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3962                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3963                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3964                         BPF_MOV64_IMM(BPF_REG_2, -9),
3965                         BPF_MOV64_IMM(BPF_REG_3, 0),
3966                         BPF_MOV64_IMM(BPF_REG_4, 0),
3967                         BPF_MOV64_IMM(BPF_REG_5, 0),
3968                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3969                                      BPF_FUNC_csum_diff),
3970                         BPF_MOV64_IMM(BPF_REG_0, 0),
3971                         BPF_EXIT_INSN(),
3972                 },
3973                 .result = REJECT,
3974                 .errstr = "R2 min value is negative",
3975                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
3976         },
3977         {
3978                 "helper access to packet: test18, cls helper fail range 3",
3979                 .insns = {
3980                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
3981                                     offsetof(struct __sk_buff, data)),
3982                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
3983                                     offsetof(struct __sk_buff, data_end)),
3984                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
3985                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3986                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
3987                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
3988                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
3989                         BPF_MOV64_IMM(BPF_REG_2, ~0),
3990                         BPF_MOV64_IMM(BPF_REG_3, 0),
3991                         BPF_MOV64_IMM(BPF_REG_4, 0),
3992                         BPF_MOV64_IMM(BPF_REG_5, 0),
3993                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
3994                                      BPF_FUNC_csum_diff),
3995                         BPF_MOV64_IMM(BPF_REG_0, 0),
3996                         BPF_EXIT_INSN(),
3997                 },
3998                 .result = REJECT,
3999                 .errstr = "R2 min value is negative",
4000                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4001         },
4002         {
4003                 "helper access to packet: test19, cls helper range zero",
4004                 .insns = {
4005                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4006                                     offsetof(struct __sk_buff, data)),
4007                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4008                                     offsetof(struct __sk_buff, data_end)),
4009                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4010                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4011                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4012                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4013                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4014                         BPF_MOV64_IMM(BPF_REG_2, 0),
4015                         BPF_MOV64_IMM(BPF_REG_3, 0),
4016                         BPF_MOV64_IMM(BPF_REG_4, 0),
4017                         BPF_MOV64_IMM(BPF_REG_5, 0),
4018                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4019                                      BPF_FUNC_csum_diff),
4020                         BPF_MOV64_IMM(BPF_REG_0, 0),
4021                         BPF_EXIT_INSN(),
4022                 },
4023                 .result = ACCEPT,
4024                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4025         },
4026         {
4027                 "helper access to packet: test20, pkt end as input",
4028                 .insns = {
4029                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4030                                     offsetof(struct __sk_buff, data)),
4031                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4032                                     offsetof(struct __sk_buff, data_end)),
4033                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4034                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4035                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4036                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4037                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
4038                         BPF_MOV64_IMM(BPF_REG_2, 4),
4039                         BPF_MOV64_IMM(BPF_REG_3, 0),
4040                         BPF_MOV64_IMM(BPF_REG_4, 0),
4041                         BPF_MOV64_IMM(BPF_REG_5, 0),
4042                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4043                                      BPF_FUNC_csum_diff),
4044                         BPF_MOV64_IMM(BPF_REG_0, 0),
4045                         BPF_EXIT_INSN(),
4046                 },
4047                 .result = REJECT,
4048                 .errstr = "R1 type=pkt_end expected=fp",
4049                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4050         },
4051         {
4052                 "helper access to packet: test21, wrong reg",
4053                 .insns = {
4054                         BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
4055                                     offsetof(struct __sk_buff, data)),
4056                         BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
4057                                     offsetof(struct __sk_buff, data_end)),
4058                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, 1),
4059                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
4060                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 7),
4061                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_7, 6),
4062                         BPF_MOV64_IMM(BPF_REG_2, 4),
4063                         BPF_MOV64_IMM(BPF_REG_3, 0),
4064                         BPF_MOV64_IMM(BPF_REG_4, 0),
4065                         BPF_MOV64_IMM(BPF_REG_5, 0),
4066                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4067                                      BPF_FUNC_csum_diff),
4068                         BPF_MOV64_IMM(BPF_REG_0, 0),
4069                         BPF_EXIT_INSN(),
4070                 },
4071                 .result = REJECT,
4072                 .errstr = "invalid access to packet",
4073                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
4074         },
4075         {
4076                 "valid map access into an array with a constant",
4077                 .insns = {
4078                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4079                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4080                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4081                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4082                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4083                                      BPF_FUNC_map_lookup_elem),
4084                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4085                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4086                                    offsetof(struct test_val, foo)),
4087                         BPF_EXIT_INSN(),
4088                 },
4089                 .fixup_map2 = { 3 },
4090                 .errstr_unpriv = "R0 leaks addr",
4091                 .result_unpriv = REJECT,
4092                 .result = ACCEPT,
4093         },
4094         {
4095                 "valid map access into an array with a register",
4096                 .insns = {
4097                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4098                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4099                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4100                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4101                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4102                                      BPF_FUNC_map_lookup_elem),
4103                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4104                         BPF_MOV64_IMM(BPF_REG_1, 4),
4105                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4106                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4107                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4108                                    offsetof(struct test_val, foo)),
4109                         BPF_EXIT_INSN(),
4110                 },
4111                 .fixup_map2 = { 3 },
4112                 .errstr_unpriv = "R0 leaks addr",
4113                 .result_unpriv = REJECT,
4114                 .result = ACCEPT,
4115                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4116         },
4117         {
4118                 "valid map access into an array with a variable",
4119                 .insns = {
4120                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4121                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4122                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4123                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4124                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4125                                      BPF_FUNC_map_lookup_elem),
4126                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4127                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4128                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES, 3),
4129                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4130                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4131                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4132                                    offsetof(struct test_val, foo)),
4133                         BPF_EXIT_INSN(),
4134                 },
4135                 .fixup_map2 = { 3 },
4136                 .errstr_unpriv = "R0 leaks addr",
4137                 .result_unpriv = REJECT,
4138                 .result = ACCEPT,
4139                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4140         },
4141         {
4142                 "valid map access into an array with a signed variable",
4143                 .insns = {
4144                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4145                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4146                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4147                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4148                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4149                                      BPF_FUNC_map_lookup_elem),
4150                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 9),
4151                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4152                         BPF_JMP_IMM(BPF_JSGT, BPF_REG_1, 0xffffffff, 1),
4153                         BPF_MOV32_IMM(BPF_REG_1, 0),
4154                         BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4155                         BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4156                         BPF_MOV32_IMM(BPF_REG_1, 0),
4157                         BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4158                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4159                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4160                                    offsetof(struct test_val, foo)),
4161                         BPF_EXIT_INSN(),
4162                 },
4163                 .fixup_map2 = { 3 },
4164                 .errstr_unpriv = "R0 leaks addr",
4165                 .result_unpriv = REJECT,
4166                 .result = ACCEPT,
4167                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4168         },
4169         {
4170                 "invalid map access into an array with a constant",
4171                 .insns = {
4172                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4173                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4174                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4175                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4176                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4177                                      BPF_FUNC_map_lookup_elem),
4178                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4179                         BPF_ST_MEM(BPF_DW, BPF_REG_0, (MAX_ENTRIES + 1) << 2,
4180                                    offsetof(struct test_val, foo)),
4181                         BPF_EXIT_INSN(),
4182                 },
4183                 .fixup_map2 = { 3 },
4184                 .errstr = "invalid access to map value, value_size=48 off=48 size=8",
4185                 .result = REJECT,
4186         },
4187         {
4188                 "invalid map access into an array with a register",
4189                 .insns = {
4190                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4191                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4192                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4193                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4194                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4195                                      BPF_FUNC_map_lookup_elem),
4196                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4197                         BPF_MOV64_IMM(BPF_REG_1, MAX_ENTRIES + 1),
4198                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4199                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4200                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4201                                    offsetof(struct test_val, foo)),
4202                         BPF_EXIT_INSN(),
4203                 },
4204                 .fixup_map2 = { 3 },
4205                 .errstr = "R0 min value is outside of the array range",
4206                 .result = REJECT,
4207                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4208         },
4209         {
4210                 "invalid map access into an array with a variable",
4211                 .insns = {
4212                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4213                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4214                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4215                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4216                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4217                                      BPF_FUNC_map_lookup_elem),
4218                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4219                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4220                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4221                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4222                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4223                                    offsetof(struct test_val, foo)),
4224                         BPF_EXIT_INSN(),
4225                 },
4226                 .fixup_map2 = { 3 },
4227                 .errstr = "R0 unbounded memory access, make sure to bounds check any array access into a map",
4228                 .result = REJECT,
4229                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4230         },
4231         {
4232                 "invalid map access into an array with no floor check",
4233                 .insns = {
4234                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4235                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4236                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4237                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4238                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4239                                      BPF_FUNC_map_lookup_elem),
4240                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4241                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
4242                         BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES),
4243                         BPF_JMP_REG(BPF_JSGT, BPF_REG_2, BPF_REG_1, 1),
4244                         BPF_MOV32_IMM(BPF_REG_1, 0),
4245                         BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4246                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4247                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4248                                    offsetof(struct test_val, foo)),
4249                         BPF_EXIT_INSN(),
4250                 },
4251                 .fixup_map2 = { 3 },
4252                 .errstr_unpriv = "R0 leaks addr",
4253                 .errstr = "R0 unbounded memory access",
4254                 .result_unpriv = REJECT,
4255                 .result = REJECT,
4256                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4257         },
4258         {
4259                 "invalid map access into an array with a invalid max check",
4260                 .insns = {
4261                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4262                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4263                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4264                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4265                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4266                                      BPF_FUNC_map_lookup_elem),
4267                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
4268                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4269                         BPF_MOV32_IMM(BPF_REG_2, MAX_ENTRIES + 1),
4270                         BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
4271                         BPF_MOV32_IMM(BPF_REG_1, 0),
4272                         BPF_ALU32_IMM(BPF_LSH, BPF_REG_1, 2),
4273                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4274                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0,
4275                                    offsetof(struct test_val, foo)),
4276                         BPF_EXIT_INSN(),
4277                 },
4278                 .fixup_map2 = { 3 },
4279                 .errstr_unpriv = "R0 leaks addr",
4280                 .errstr = "invalid access to map value, value_size=48 off=44 size=8",
4281                 .result_unpriv = REJECT,
4282                 .result = REJECT,
4283                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4284         },
4285         {
4286                 "invalid map access into an array with a invalid max check",
4287                 .insns = {
4288                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4289                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4290                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4291                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4292                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4293                                      BPF_FUNC_map_lookup_elem),
4294                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 10),
4295                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
4296                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4297                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4298                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4299                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4300                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4301                                      BPF_FUNC_map_lookup_elem),
4302                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
4303                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_8),
4304                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
4305                                     offsetof(struct test_val, foo)),
4306                         BPF_EXIT_INSN(),
4307                 },
4308                 .fixup_map2 = { 3, 11 },
4309                 .errstr = "R0 pointer += pointer",
4310                 .result = REJECT,
4311                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4312         },
4313         {
4314                 "multiple registers share map_lookup_elem result",
4315                 .insns = {
4316                         BPF_MOV64_IMM(BPF_REG_1, 10),
4317                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4318                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4319                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4320                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4321                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4322                                      BPF_FUNC_map_lookup_elem),
4323                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4324                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4325                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4326                         BPF_EXIT_INSN(),
4327                 },
4328                 .fixup_map1 = { 4 },
4329                 .result = ACCEPT,
4330                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4331         },
4332         {
4333                 "alu ops on ptr_to_map_value_or_null, 1",
4334                 .insns = {
4335                         BPF_MOV64_IMM(BPF_REG_1, 10),
4336                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4337                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4338                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4339                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4340                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4341                                      BPF_FUNC_map_lookup_elem),
4342                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4343                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -2),
4344                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 2),
4345                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4346                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4347                         BPF_EXIT_INSN(),
4348                 },
4349                 .fixup_map1 = { 4 },
4350                 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4351                 .result = REJECT,
4352                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4353         },
4354         {
4355                 "alu ops on ptr_to_map_value_or_null, 2",
4356                 .insns = {
4357                         BPF_MOV64_IMM(BPF_REG_1, 10),
4358                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4359                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4360                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4361                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4362                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4363                                      BPF_FUNC_map_lookup_elem),
4364                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4365                         BPF_ALU64_IMM(BPF_AND, BPF_REG_4, -1),
4366                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4367                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4368                         BPF_EXIT_INSN(),
4369                 },
4370                 .fixup_map1 = { 4 },
4371                 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4372                 .result = REJECT,
4373                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4374         },
4375         {
4376                 "alu ops on ptr_to_map_value_or_null, 3",
4377                 .insns = {
4378                         BPF_MOV64_IMM(BPF_REG_1, 10),
4379                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4380                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4381                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4382                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4383                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4384                                      BPF_FUNC_map_lookup_elem),
4385                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4386                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_4, 1),
4387                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4388                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4389                         BPF_EXIT_INSN(),
4390                 },
4391                 .fixup_map1 = { 4 },
4392                 .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL",
4393                 .result = REJECT,
4394                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4395         },
4396         {
4397                 "invalid memory access with multiple map_lookup_elem calls",
4398                 .insns = {
4399                         BPF_MOV64_IMM(BPF_REG_1, 10),
4400                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4401                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4402                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4403                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4404                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4405                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4406                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4407                                      BPF_FUNC_map_lookup_elem),
4408                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4409                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4410                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4411                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4412                                      BPF_FUNC_map_lookup_elem),
4413                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4414                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4415                         BPF_EXIT_INSN(),
4416                 },
4417                 .fixup_map1 = { 4 },
4418                 .result = REJECT,
4419                 .errstr = "R4 !read_ok",
4420                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4421         },
4422         {
4423                 "valid indirect map_lookup_elem access with 2nd lookup in branch",
4424                 .insns = {
4425                         BPF_MOV64_IMM(BPF_REG_1, 10),
4426                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
4427                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4428                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4429                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4430                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
4431                         BPF_MOV64_REG(BPF_REG_7, BPF_REG_2),
4432                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4433                                      BPF_FUNC_map_lookup_elem),
4434                         BPF_MOV64_IMM(BPF_REG_2, 10),
4435                         BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 3),
4436                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
4437                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
4438                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4439                                      BPF_FUNC_map_lookup_elem),
4440                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
4441                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
4442                         BPF_ST_MEM(BPF_DW, BPF_REG_4, 0, 0),
4443                         BPF_EXIT_INSN(),
4444                 },
4445                 .fixup_map1 = { 4 },
4446                 .result = ACCEPT,
4447                 .prog_type = BPF_PROG_TYPE_SCHED_CLS
4448         },
4449         {
4450                 "invalid map access from else condition",
4451                 .insns = {
4452                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4453                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4454                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4455                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4456                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
4457                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4458                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_0, 0),
4459                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, MAX_ENTRIES-1, 1),
4460                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
4461                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 2),
4462                         BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
4463                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, offsetof(struct test_val, foo)),
4464                         BPF_EXIT_INSN(),
4465                 },
4466                 .fixup_map2 = { 3 },
4467                 .errstr = "R0 unbounded memory access",
4468                 .result = REJECT,
4469                 .errstr_unpriv = "R0 leaks addr",
4470                 .result_unpriv = REJECT,
4471                 .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
4472         },
4473         {
4474                 "constant register |= constant should keep constant type",
4475                 .insns = {
4476                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4477                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4478                         BPF_MOV64_IMM(BPF_REG_2, 34),
4479                         BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 13),
4480                         BPF_MOV64_IMM(BPF_REG_3, 0),
4481                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4482                         BPF_EXIT_INSN(),
4483                 },
4484                 .result = ACCEPT,
4485                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4486         },
4487         {
4488                 "constant register |= constant should not bypass stack boundary checks",
4489                 .insns = {
4490                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4491                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4492                         BPF_MOV64_IMM(BPF_REG_2, 34),
4493                         BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 24),
4494                         BPF_MOV64_IMM(BPF_REG_3, 0),
4495                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4496                         BPF_EXIT_INSN(),
4497                 },
4498                 .errstr = "invalid stack type R1 off=-48 access_size=58",
4499                 .result = REJECT,
4500                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4501         },
4502         {
4503                 "constant register |= constant register should keep constant type",
4504                 .insns = {
4505                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4506                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4507                         BPF_MOV64_IMM(BPF_REG_2, 34),
4508                         BPF_MOV64_IMM(BPF_REG_4, 13),
4509                         BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4510                         BPF_MOV64_IMM(BPF_REG_3, 0),
4511                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4512                         BPF_EXIT_INSN(),
4513                 },
4514                 .result = ACCEPT,
4515                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4516         },
4517         {
4518                 "constant register |= constant register should not bypass stack boundary checks",
4519                 .insns = {
4520                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
4521                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -48),
4522                         BPF_MOV64_IMM(BPF_REG_2, 34),
4523                         BPF_MOV64_IMM(BPF_REG_4, 24),
4524                         BPF_ALU64_REG(BPF_OR, BPF_REG_2, BPF_REG_4),
4525                         BPF_MOV64_IMM(BPF_REG_3, 0),
4526                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4527                         BPF_EXIT_INSN(),
4528                 },
4529                 .errstr = "invalid stack type R1 off=-48 access_size=58",
4530                 .result = REJECT,
4531                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4532         },
4533         {
4534                 "invalid direct packet write for LWT_IN",
4535                 .insns = {
4536                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4537                                     offsetof(struct __sk_buff, data)),
4538                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4539                                     offsetof(struct __sk_buff, data_end)),
4540                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4541                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4542                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4543                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4544                         BPF_MOV64_IMM(BPF_REG_0, 0),
4545                         BPF_EXIT_INSN(),
4546                 },
4547                 .errstr = "cannot write into packet",
4548                 .result = REJECT,
4549                 .prog_type = BPF_PROG_TYPE_LWT_IN,
4550         },
4551         {
4552                 "invalid direct packet write for LWT_OUT",
4553                 .insns = {
4554                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4555                                     offsetof(struct __sk_buff, data)),
4556                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4557                                     offsetof(struct __sk_buff, data_end)),
4558                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4559                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4560                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4561                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4562                         BPF_MOV64_IMM(BPF_REG_0, 0),
4563                         BPF_EXIT_INSN(),
4564                 },
4565                 .errstr = "cannot write into packet",
4566                 .result = REJECT,
4567                 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4568         },
4569         {
4570                 "direct packet write for LWT_XMIT",
4571                 .insns = {
4572                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4573                                     offsetof(struct __sk_buff, data)),
4574                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4575                                     offsetof(struct __sk_buff, data_end)),
4576                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4577                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4578                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4579                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
4580                         BPF_MOV64_IMM(BPF_REG_0, 0),
4581                         BPF_EXIT_INSN(),
4582                 },
4583                 .result = ACCEPT,
4584                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4585         },
4586         {
4587                 "direct packet read for LWT_IN",
4588                 .insns = {
4589                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4590                                     offsetof(struct __sk_buff, data)),
4591                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4592                                     offsetof(struct __sk_buff, data_end)),
4593                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4594                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4595                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4596                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4597                         BPF_MOV64_IMM(BPF_REG_0, 0),
4598                         BPF_EXIT_INSN(),
4599                 },
4600                 .result = ACCEPT,
4601                 .prog_type = BPF_PROG_TYPE_LWT_IN,
4602         },
4603         {
4604                 "direct packet read for LWT_OUT",
4605                 .insns = {
4606                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4607                                     offsetof(struct __sk_buff, data)),
4608                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4609                                     offsetof(struct __sk_buff, data_end)),
4610                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4611                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4612                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4613                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4614                         BPF_MOV64_IMM(BPF_REG_0, 0),
4615                         BPF_EXIT_INSN(),
4616                 },
4617                 .result = ACCEPT,
4618                 .prog_type = BPF_PROG_TYPE_LWT_OUT,
4619         },
4620         {
4621                 "direct packet read for LWT_XMIT",
4622                 .insns = {
4623                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4624                                     offsetof(struct __sk_buff, data)),
4625                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4626                                     offsetof(struct __sk_buff, data_end)),
4627                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4628                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4629                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
4630                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
4631                         BPF_MOV64_IMM(BPF_REG_0, 0),
4632                         BPF_EXIT_INSN(),
4633                 },
4634                 .result = ACCEPT,
4635                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4636         },
4637         {
4638                 "overlapping checks for direct packet access",
4639                 .insns = {
4640                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
4641                                     offsetof(struct __sk_buff, data)),
4642                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
4643                                     offsetof(struct __sk_buff, data_end)),
4644                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
4645                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
4646                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
4647                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
4648                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
4649                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
4650                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
4651                         BPF_MOV64_IMM(BPF_REG_0, 0),
4652                         BPF_EXIT_INSN(),
4653                 },
4654                 .result = ACCEPT,
4655                 .prog_type = BPF_PROG_TYPE_LWT_XMIT,
4656         },
4657         {
4658                 "invalid access of tc_classid for LWT_IN",
4659                 .insns = {
4660                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4661                                     offsetof(struct __sk_buff, tc_classid)),
4662                         BPF_EXIT_INSN(),
4663                 },
4664                 .result = REJECT,
4665                 .errstr = "invalid bpf_context access",
4666         },
4667         {
4668                 "invalid access of tc_classid for LWT_OUT",
4669                 .insns = {
4670                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4671                                     offsetof(struct __sk_buff, tc_classid)),
4672                         BPF_EXIT_INSN(),
4673                 },
4674                 .result = REJECT,
4675                 .errstr = "invalid bpf_context access",
4676         },
4677         {
4678                 "invalid access of tc_classid for LWT_XMIT",
4679                 .insns = {
4680                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
4681                                     offsetof(struct __sk_buff, tc_classid)),
4682                         BPF_EXIT_INSN(),
4683                 },
4684                 .result = REJECT,
4685                 .errstr = "invalid bpf_context access",
4686         },
4687         {
4688                 "leak pointer into ctx 1",
4689                 .insns = {
4690                         BPF_MOV64_IMM(BPF_REG_0, 0),
4691                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4692                                     offsetof(struct __sk_buff, cb[0])),
4693                         BPF_LD_MAP_FD(BPF_REG_2, 0),
4694                         BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_2,
4695                                       offsetof(struct __sk_buff, cb[0])),
4696                         BPF_EXIT_INSN(),
4697                 },
4698                 .fixup_map1 = { 2 },
4699                 .errstr_unpriv = "R2 leaks addr into mem",
4700                 .result_unpriv = REJECT,
4701                 .result = REJECT,
4702                 .errstr = "BPF_XADD stores into R1 context is not allowed",
4703         },
4704         {
4705                 "leak pointer into ctx 2",
4706                 .insns = {
4707                         BPF_MOV64_IMM(BPF_REG_0, 0),
4708                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
4709                                     offsetof(struct __sk_buff, cb[0])),
4710                         BPF_STX_XADD(BPF_DW, BPF_REG_1, BPF_REG_10,
4711                                       offsetof(struct __sk_buff, cb[0])),
4712                         BPF_EXIT_INSN(),
4713                 },
4714                 .errstr_unpriv = "R10 leaks addr into mem",
4715                 .result_unpriv = REJECT,
4716                 .result = REJECT,
4717                 .errstr = "BPF_XADD stores into R1 context is not allowed",
4718         },
4719         {
4720                 "leak pointer into ctx 3",
4721                 .insns = {
4722                         BPF_MOV64_IMM(BPF_REG_0, 0),
4723                         BPF_LD_MAP_FD(BPF_REG_2, 0),
4724                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_2,
4725                                       offsetof(struct __sk_buff, cb[0])),
4726                         BPF_EXIT_INSN(),
4727                 },
4728                 .fixup_map1 = { 1 },
4729                 .errstr_unpriv = "R2 leaks addr into ctx",
4730                 .result_unpriv = REJECT,
4731                 .result = ACCEPT,
4732         },
4733         {
4734                 "leak pointer into map val",
4735                 .insns = {
4736                         BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
4737                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
4738                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4739                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4740                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4741                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
4742                                      BPF_FUNC_map_lookup_elem),
4743                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4744                         BPF_MOV64_IMM(BPF_REG_3, 0),
4745                         BPF_STX_MEM(BPF_DW, BPF_REG_0, BPF_REG_3, 0),
4746                         BPF_STX_XADD(BPF_DW, BPF_REG_0, BPF_REG_6, 0),
4747                         BPF_MOV64_IMM(BPF_REG_0, 0),
4748                         BPF_EXIT_INSN(),
4749                 },
4750                 .fixup_map1 = { 4 },
4751                 .errstr_unpriv = "R6 leaks addr into mem",
4752                 .result_unpriv = REJECT,
4753                 .result = ACCEPT,
4754         },
4755         {
4756                 "helper access to map: full range",
4757                 .insns = {
4758                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4759                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4760                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4761                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4762                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4763                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4764                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4765                         BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
4766                         BPF_MOV64_IMM(BPF_REG_3, 0),
4767                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4768                         BPF_EXIT_INSN(),
4769                 },
4770                 .fixup_map2 = { 3 },
4771                 .result = ACCEPT,
4772                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4773         },
4774         {
4775                 "helper access to map: partial range",
4776                 .insns = {
4777                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4778                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4779                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4780                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4781                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4782                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4783                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4784                         BPF_MOV64_IMM(BPF_REG_2, 8),
4785                         BPF_MOV64_IMM(BPF_REG_3, 0),
4786                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4787                         BPF_EXIT_INSN(),
4788                 },
4789                 .fixup_map2 = { 3 },
4790                 .result = ACCEPT,
4791                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4792         },
4793         {
4794                 "helper access to map: empty range",
4795                 .insns = {
4796                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4797                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4798                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4799                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4800                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4801                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
4802                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4803                         BPF_MOV64_IMM(BPF_REG_2, 0),
4804                         BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4805                         BPF_EXIT_INSN(),
4806                 },
4807                 .fixup_map2 = { 3 },
4808                 .errstr = "invalid access to map value, value_size=48 off=0 size=0",
4809                 .result = REJECT,
4810                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4811         },
4812         {
4813                 "helper access to map: out-of-bound range",
4814                 .insns = {
4815                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4816                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4817                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4818                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4819                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4820                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4821                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4822                         BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
4823                         BPF_MOV64_IMM(BPF_REG_3, 0),
4824                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4825                         BPF_EXIT_INSN(),
4826                 },
4827                 .fixup_map2 = { 3 },
4828                 .errstr = "invalid access to map value, value_size=48 off=0 size=56",
4829                 .result = REJECT,
4830                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4831         },
4832         {
4833                 "helper access to map: negative range",
4834                 .insns = {
4835                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4836                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4837                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4838                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4839                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4840                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4841                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4842                         BPF_MOV64_IMM(BPF_REG_2, -8),
4843                         BPF_MOV64_IMM(BPF_REG_3, 0),
4844                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4845                         BPF_EXIT_INSN(),
4846                 },
4847                 .fixup_map2 = { 3 },
4848                 .errstr = "R2 min value is negative",
4849                 .result = REJECT,
4850                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4851         },
4852         {
4853                 "helper access to adjusted map (via const imm): full range",
4854                 .insns = {
4855                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4856                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4857                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4858                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4859                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4860                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4861                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4862                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4863                                 offsetof(struct test_val, foo)),
4864                         BPF_MOV64_IMM(BPF_REG_2,
4865                                 sizeof(struct test_val) -
4866                                 offsetof(struct test_val, foo)),
4867                         BPF_MOV64_IMM(BPF_REG_3, 0),
4868                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4869                         BPF_EXIT_INSN(),
4870                 },
4871                 .fixup_map2 = { 3 },
4872                 .result = ACCEPT,
4873                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4874         },
4875         {
4876                 "helper access to adjusted map (via const imm): partial range",
4877                 .insns = {
4878                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4879                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4880                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4881                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4882                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4883                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4884                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4885                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4886                                 offsetof(struct test_val, foo)),
4887                         BPF_MOV64_IMM(BPF_REG_2, 8),
4888                         BPF_MOV64_IMM(BPF_REG_3, 0),
4889                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4890                         BPF_EXIT_INSN(),
4891                 },
4892                 .fixup_map2 = { 3 },
4893                 .result = ACCEPT,
4894                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4895         },
4896         {
4897                 "helper access to adjusted map (via const imm): empty range",
4898                 .insns = {
4899                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4900                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4901                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4902                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4903                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4904                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
4905                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4906                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4907                                 offsetof(struct test_val, foo)),
4908                         BPF_MOV64_IMM(BPF_REG_2, 0),
4909                         BPF_EMIT_CALL(BPF_FUNC_trace_printk),
4910                         BPF_EXIT_INSN(),
4911                 },
4912                 .fixup_map2 = { 3 },
4913                 .errstr = "invalid access to map value, value_size=48 off=4 size=0",
4914                 .result = REJECT,
4915                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4916         },
4917         {
4918                 "helper access to adjusted map (via const imm): out-of-bound range",
4919                 .insns = {
4920                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4921                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4922                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4923                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4924                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4925                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4926                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4927                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4928                                 offsetof(struct test_val, foo)),
4929                         BPF_MOV64_IMM(BPF_REG_2,
4930                                 sizeof(struct test_val) -
4931                                 offsetof(struct test_val, foo) + 8),
4932                         BPF_MOV64_IMM(BPF_REG_3, 0),
4933                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4934                         BPF_EXIT_INSN(),
4935                 },
4936                 .fixup_map2 = { 3 },
4937                 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
4938                 .result = REJECT,
4939                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4940         },
4941         {
4942                 "helper access to adjusted map (via const imm): negative range (> adjustment)",
4943                 .insns = {
4944                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4945                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4946                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4947                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4948                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4949                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4950                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4951                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4952                                 offsetof(struct test_val, foo)),
4953                         BPF_MOV64_IMM(BPF_REG_2, -8),
4954                         BPF_MOV64_IMM(BPF_REG_3, 0),
4955                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4956                         BPF_EXIT_INSN(),
4957                 },
4958                 .fixup_map2 = { 3 },
4959                 .errstr = "R2 min value is negative",
4960                 .result = REJECT,
4961                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4962         },
4963         {
4964                 "helper access to adjusted map (via const imm): negative range (< adjustment)",
4965                 .insns = {
4966                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4967                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4968                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4969                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4970                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4971                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
4972                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4973                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1,
4974                                 offsetof(struct test_val, foo)),
4975                         BPF_MOV64_IMM(BPF_REG_2, -1),
4976                         BPF_MOV64_IMM(BPF_REG_3, 0),
4977                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
4978                         BPF_EXIT_INSN(),
4979                 },
4980                 .fixup_map2 = { 3 },
4981                 .errstr = "R2 min value is negative",
4982                 .result = REJECT,
4983                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
4984         },
4985         {
4986                 "helper access to adjusted map (via const reg): full range",
4987                 .insns = {
4988                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
4989                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
4990                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
4991                         BPF_LD_MAP_FD(BPF_REG_1, 0),
4992                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
4993                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
4994                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
4995                         BPF_MOV64_IMM(BPF_REG_3,
4996                                 offsetof(struct test_val, foo)),
4997                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
4998                         BPF_MOV64_IMM(BPF_REG_2,
4999                                 sizeof(struct test_val) -
5000                                 offsetof(struct test_val, foo)),
5001                         BPF_MOV64_IMM(BPF_REG_3, 0),
5002                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5003                         BPF_EXIT_INSN(),
5004                 },
5005                 .fixup_map2 = { 3 },
5006                 .result = ACCEPT,
5007                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5008         },
5009         {
5010                 "helper access to adjusted map (via const reg): partial range",
5011                 .insns = {
5012                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5013                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5014                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5015                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5016                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5017                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5018                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5019                         BPF_MOV64_IMM(BPF_REG_3,
5020                                 offsetof(struct test_val, foo)),
5021                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5022                         BPF_MOV64_IMM(BPF_REG_2, 8),
5023                         BPF_MOV64_IMM(BPF_REG_3, 0),
5024                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5025                         BPF_EXIT_INSN(),
5026                 },
5027                 .fixup_map2 = { 3 },
5028                 .result = ACCEPT,
5029                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5030         },
5031         {
5032                 "helper access to adjusted map (via const reg): empty range",
5033                 .insns = {
5034                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5035                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5036                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5037                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5038                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5039                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
5040                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5041                         BPF_MOV64_IMM(BPF_REG_3, 0),
5042                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5043                         BPF_MOV64_IMM(BPF_REG_2, 0),
5044                         BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5045                         BPF_EXIT_INSN(),
5046                 },
5047                 .fixup_map2 = { 3 },
5048                 .errstr = "R1 min value is outside of the array range",
5049                 .result = REJECT,
5050                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5051         },
5052         {
5053                 "helper access to adjusted map (via const reg): out-of-bound range",
5054                 .insns = {
5055                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5056                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5057                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5058                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5059                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5060                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5061                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5062                         BPF_MOV64_IMM(BPF_REG_3,
5063                                 offsetof(struct test_val, foo)),
5064                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5065                         BPF_MOV64_IMM(BPF_REG_2,
5066                                 sizeof(struct test_val) -
5067                                 offsetof(struct test_val, foo) + 8),
5068                         BPF_MOV64_IMM(BPF_REG_3, 0),
5069                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5070                         BPF_EXIT_INSN(),
5071                 },
5072                 .fixup_map2 = { 3 },
5073                 .errstr = "invalid access to map value, value_size=48 off=4 size=52",
5074                 .result = REJECT,
5075                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5076         },
5077         {
5078                 "helper access to adjusted map (via const reg): negative range (> adjustment)",
5079                 .insns = {
5080                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5081                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5082                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5083                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5084                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5085                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5086                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5087                         BPF_MOV64_IMM(BPF_REG_3,
5088                                 offsetof(struct test_val, foo)),
5089                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5090                         BPF_MOV64_IMM(BPF_REG_2, -8),
5091                         BPF_MOV64_IMM(BPF_REG_3, 0),
5092                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5093                         BPF_EXIT_INSN(),
5094                 },
5095                 .fixup_map2 = { 3 },
5096                 .errstr = "R2 min value is negative",
5097                 .result = REJECT,
5098                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5099         },
5100         {
5101                 "helper access to adjusted map (via const reg): negative range (< adjustment)",
5102                 .insns = {
5103                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5104                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5105                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5106                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5107                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5108                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5109                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5110                         BPF_MOV64_IMM(BPF_REG_3,
5111                                 offsetof(struct test_val, foo)),
5112                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5113                         BPF_MOV64_IMM(BPF_REG_2, -1),
5114                         BPF_MOV64_IMM(BPF_REG_3, 0),
5115                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5116                         BPF_EXIT_INSN(),
5117                 },
5118                 .fixup_map2 = { 3 },
5119                 .errstr = "R2 min value is negative",
5120                 .result = REJECT,
5121                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5122         },
5123         {
5124                 "helper access to adjusted map (via variable): full range",
5125                 .insns = {
5126                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5127                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5128                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5129                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5130                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5131                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5132                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5133                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5134                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5135                                 offsetof(struct test_val, foo), 4),
5136                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5137                         BPF_MOV64_IMM(BPF_REG_2,
5138                                 sizeof(struct test_val) -
5139                                 offsetof(struct test_val, foo)),
5140                         BPF_MOV64_IMM(BPF_REG_3, 0),
5141                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5142                         BPF_EXIT_INSN(),
5143                 },
5144                 .fixup_map2 = { 3 },
5145                 .result = ACCEPT,
5146                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5147         },
5148         {
5149                 "helper access to adjusted map (via variable): partial range",
5150                 .insns = {
5151                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5152                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5153                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5154                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5155                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5156                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5157                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5158                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5159                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5160                                 offsetof(struct test_val, foo), 4),
5161                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5162                         BPF_MOV64_IMM(BPF_REG_2, 8),
5163                         BPF_MOV64_IMM(BPF_REG_3, 0),
5164                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5165                         BPF_EXIT_INSN(),
5166                 },
5167                 .fixup_map2 = { 3 },
5168                 .result = ACCEPT,
5169                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5170         },
5171         {
5172                 "helper access to adjusted map (via variable): empty range",
5173                 .insns = {
5174                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5175                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5176                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5177                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5178                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5179                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5180                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5181                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5182                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5183                                 offsetof(struct test_val, foo), 3),
5184                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5185                         BPF_MOV64_IMM(BPF_REG_2, 0),
5186                         BPF_EMIT_CALL(BPF_FUNC_trace_printk),
5187                         BPF_EXIT_INSN(),
5188                 },
5189                 .fixup_map2 = { 3 },
5190                 .errstr = "R1 min value is outside of the array range",
5191                 .result = REJECT,
5192                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5193         },
5194         {
5195                 "helper access to adjusted map (via variable): no max check",
5196                 .insns = {
5197                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5198                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5199                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5200                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5201                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5202                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
5203                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5204                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5205                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5206                         BPF_MOV64_IMM(BPF_REG_2, 1),
5207                         BPF_MOV64_IMM(BPF_REG_3, 0),
5208                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5209                         BPF_EXIT_INSN(),
5210                 },
5211                 .fixup_map2 = { 3 },
5212                 .errstr = "R1 unbounded memory access",
5213                 .result = REJECT,
5214                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5215         },
5216         {
5217                 "helper access to adjusted map (via variable): wrong max check",
5218                 .insns = {
5219                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5220                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5221                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5222                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5223                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5224                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
5225                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5226                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5227                         BPF_JMP_IMM(BPF_JGT, BPF_REG_3,
5228                                 offsetof(struct test_val, foo), 4),
5229                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5230                         BPF_MOV64_IMM(BPF_REG_2,
5231                                 sizeof(struct test_val) -
5232                                 offsetof(struct test_val, foo) + 1),
5233                         BPF_MOV64_IMM(BPF_REG_3, 0),
5234                         BPF_EMIT_CALL(BPF_FUNC_probe_read),
5235                         BPF_EXIT_INSN(),
5236                 },
5237                 .fixup_map2 = { 3 },
5238                 .errstr = "invalid access to map value, value_size=48 off=4 size=45",
5239                 .result = REJECT,
5240                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5241         },
5242         {
5243                 "helper access to map: bounds check using <, good access",
5244                 .insns = {
5245                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5246                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5247                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5248                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5249                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5250                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5251                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5252                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5253                         BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
5254                         BPF_MOV64_IMM(BPF_REG_0, 0),
5255                         BPF_EXIT_INSN(),
5256                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5257                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5258                         BPF_MOV64_IMM(BPF_REG_0, 0),
5259                         BPF_EXIT_INSN(),
5260                 },
5261                 .fixup_map2 = { 3 },
5262                 .result = ACCEPT,
5263                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5264         },
5265         {
5266                 "helper access to map: bounds check using <, bad access",
5267                 .insns = {
5268                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5269                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5270                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5271                         BPF_LD_MAP_FD(BPF_REG_1, 0),
5272                         BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
5273                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
5274                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
5275                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
5276                         BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
5277                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
5278                         BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
5279                         BPF_MOV64_IMM(BPF_REG_0, 0),
5280                         BPF_EXIT_INSN(),
5281                         BPF_MOV64_IMM(BPF_REG_0, 0),
5282                         BPF_EXIT_INSN(),
5283                 },
5284                 .fixup_map2 = { 3 },
5285                 .result = REJECT,
5286                 .errstr = "R1 unbounded memory access",
5287                 .prog_type = BPF_PROG_TYPE_TRACEPOINT,
5288         },
5289         {
5290                 "helper access to map: bounds check using <=, good access",
5291                 .insns = {
5292                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5293                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
5294                         BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
5295                         BPF_LD_MAP_FD(BPF_REG_1, 0),