Merge branch '10GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net...
[muen/linux.git] / tools / testing / selftests / bpf / test_verifier.c
1 /*
2  * Testsuite for eBPF verifier
3  *
4  * Copyright (c) 2014 PLUMgrid, http://plumgrid.com
5  * Copyright (c) 2017 Facebook
6  * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
7  *
8  * This program is free software; you can redistribute it and/or
9  * modify it under the terms of version 2 of the GNU General Public
10  * License as published by the Free Software Foundation.
11  */
12
13 #include <endian.h>
14 #include <asm/types.h>
15 #include <linux/types.h>
16 #include <stdint.h>
17 #include <stdio.h>
18 #include <stdlib.h>
19 #include <unistd.h>
20 #include <errno.h>
21 #include <string.h>
22 #include <stddef.h>
23 #include <stdbool.h>
24 #include <sched.h>
25 #include <limits.h>
26
27 #include <sys/capability.h>
28
29 #include <linux/unistd.h>
30 #include <linux/filter.h>
31 #include <linux/bpf_perf_event.h>
32 #include <linux/bpf.h>
33 #include <linux/if_ether.h>
34
35 #include <bpf/bpf.h>
36
37 #ifdef HAVE_GENHDR
38 # include "autoconf.h"
39 #else
40 # if defined(__i386) || defined(__x86_64) || defined(__s390x__) || defined(__aarch64__)
41 #  define CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS 1
42 # endif
43 #endif
44 #include "bpf_rlimit.h"
45 #include "bpf_rand.h"
46 #include "bpf_util.h"
47 #include "../../../include/linux/filter.h"
48
49 #define MAX_INSNS       BPF_MAXINSNS
50 #define MAX_FIXUPS      8
51 #define MAX_NR_MAPS     13
52 #define POINTER_VALUE   0xcafe4all
53 #define TEST_DATA_LEN   64
54
55 #define F_NEEDS_EFFICIENT_UNALIGNED_ACCESS      (1 << 0)
56 #define F_LOAD_WITH_STRICT_ALIGNMENT            (1 << 1)
57
58 #define UNPRIV_SYSCTL "kernel/unprivileged_bpf_disabled"
59 static bool unpriv_disabled = false;
60
61 struct bpf_test {
62         const char *descr;
63         struct bpf_insn insns[MAX_INSNS];
64         int fixup_map_hash_8b[MAX_FIXUPS];
65         int fixup_map_hash_48b[MAX_FIXUPS];
66         int fixup_map_hash_16b[MAX_FIXUPS];
67         int fixup_map_array_48b[MAX_FIXUPS];
68         int fixup_map_sockmap[MAX_FIXUPS];
69         int fixup_map_sockhash[MAX_FIXUPS];
70         int fixup_map_xskmap[MAX_FIXUPS];
71         int fixup_map_stacktrace[MAX_FIXUPS];
72         int fixup_prog1[MAX_FIXUPS];
73         int fixup_prog2[MAX_FIXUPS];
74         int fixup_map_in_map[MAX_FIXUPS];
75         int fixup_cgroup_storage[MAX_FIXUPS];
76         int fixup_percpu_cgroup_storage[MAX_FIXUPS];
77         const char *errstr;
78         const char *errstr_unpriv;
79         uint32_t retval, retval_unpriv;
80         enum {
81                 UNDEF,
82                 ACCEPT,
83                 REJECT
84         } result, result_unpriv;
85         enum bpf_prog_type prog_type;
86         uint8_t flags;
87         __u8 data[TEST_DATA_LEN];
88         void (*fill_helper)(struct bpf_test *self);
89 };
90
91 /* Note we want this to be 64 bit aligned so that the end of our array is
92  * actually the end of the structure.
93  */
94 #define MAX_ENTRIES 11
95
96 struct test_val {
97         unsigned int index;
98         int foo[MAX_ENTRIES];
99 };
100
101 struct other_val {
102         long long foo;
103         long long bar;
104 };
105
106 static void bpf_fill_ld_abs_vlan_push_pop(struct bpf_test *self)
107 {
108         /* test: {skb->data[0], vlan_push} x 68 + {skb->data[0], vlan_pop} x 68 */
109 #define PUSH_CNT 51
110         unsigned int len = BPF_MAXINSNS;
111         struct bpf_insn *insn = self->insns;
112         int i = 0, j, k = 0;
113
114         insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
115 loop:
116         for (j = 0; j < PUSH_CNT; j++) {
117                 insn[i++] = BPF_LD_ABS(BPF_B, 0);
118                 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
119                 i++;
120                 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
121                 insn[i++] = BPF_MOV64_IMM(BPF_REG_2, 1);
122                 insn[i++] = BPF_MOV64_IMM(BPF_REG_3, 2);
123                 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
124                                          BPF_FUNC_skb_vlan_push),
125                 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
126                 i++;
127         }
128
129         for (j = 0; j < PUSH_CNT; j++) {
130                 insn[i++] = BPF_LD_ABS(BPF_B, 0);
131                 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0x34, len - i - 2);
132                 i++;
133                 insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_6);
134                 insn[i++] = BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
135                                          BPF_FUNC_skb_vlan_pop),
136                 insn[i] = BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, len - i - 2);
137                 i++;
138         }
139         if (++k < 5)
140                 goto loop;
141
142         for (; i < len - 1; i++)
143                 insn[i] = BPF_ALU32_IMM(BPF_MOV, BPF_REG_0, 0xbef);
144         insn[len - 1] = BPF_EXIT_INSN();
145 }
146
147 static void bpf_fill_jump_around_ld_abs(struct bpf_test *self)
148 {
149         struct bpf_insn *insn = self->insns;
150         unsigned int len = BPF_MAXINSNS;
151         int i = 0;
152
153         insn[i++] = BPF_MOV64_REG(BPF_REG_6, BPF_REG_1);
154         insn[i++] = BPF_LD_ABS(BPF_B, 0);
155         insn[i] = BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 10, len - i - 2);
156         i++;
157         while (i < len - 1)
158                 insn[i++] = BPF_LD_ABS(BPF_B, 1);
159         insn[i] = BPF_EXIT_INSN();
160 }
161
162 static void bpf_fill_rand_ld_dw(struct bpf_test *self)
163 {
164         struct bpf_insn *insn = self->insns;
165         uint64_t res = 0;
166         int i = 0;
167
168         insn[i++] = BPF_MOV32_IMM(BPF_REG_0, 0);
169         while (i < self->retval) {
170                 uint64_t val = bpf_semi_rand_get();
171                 struct bpf_insn tmp[2] = { BPF_LD_IMM64(BPF_REG_1, val) };
172
173                 res ^= val;
174                 insn[i++] = tmp[0];
175                 insn[i++] = tmp[1];
176                 insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
177         }
178         insn[i++] = BPF_MOV64_REG(BPF_REG_1, BPF_REG_0);
179         insn[i++] = BPF_ALU64_IMM(BPF_RSH, BPF_REG_1, 32);
180         insn[i++] = BPF_ALU64_REG(BPF_XOR, BPF_REG_0, BPF_REG_1);
181         insn[i] = BPF_EXIT_INSN();
182         res ^= (res >> 32);
183         self->retval = (uint32_t)res;
184 }
185
186 /* BPF_SK_LOOKUP contains 13 instructions, if you need to fix up maps */
187 #define BPF_SK_LOOKUP                                                   \
188         /* struct bpf_sock_tuple tuple = {} */                          \
189         BPF_MOV64_IMM(BPF_REG_2, 0),                                    \
190         BPF_STX_MEM(BPF_W, BPF_REG_10, BPF_REG_2, -8),                  \
191         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -16),                \
192         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -24),                \
193         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -32),                \
194         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -40),                \
195         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -48),                \
196         /* sk = sk_lookup_tcp(ctx, &tuple, sizeof tuple, 0, 0) */       \
197         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),                           \
198         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),                         \
199         BPF_MOV64_IMM(BPF_REG_3, sizeof(struct bpf_sock_tuple)),        \
200         BPF_MOV64_IMM(BPF_REG_4, 0),                                    \
201         BPF_MOV64_IMM(BPF_REG_5, 0),                                    \
202         BPF_EMIT_CALL(BPF_FUNC_sk_lookup_tcp)
203
204 static struct bpf_test tests[] = {
205         {
206                 "add+sub+mul",
207                 .insns = {
208                         BPF_MOV64_IMM(BPF_REG_1, 1),
209                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 2),
210                         BPF_MOV64_IMM(BPF_REG_2, 3),
211                         BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_2),
212                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -1),
213                         BPF_ALU64_IMM(BPF_MUL, BPF_REG_1, 3),
214                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_1),
215                         BPF_EXIT_INSN(),
216                 },
217                 .result = ACCEPT,
218                 .retval = -3,
219         },
220         {
221                 "DIV32 by 0, zero check 1",
222                 .insns = {
223                         BPF_MOV32_IMM(BPF_REG_0, 42),
224                         BPF_MOV32_IMM(BPF_REG_1, 0),
225                         BPF_MOV32_IMM(BPF_REG_2, 1),
226                         BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
227                         BPF_EXIT_INSN(),
228                 },
229                 .result = ACCEPT,
230                 .retval = 42,
231         },
232         {
233                 "DIV32 by 0, zero check 2",
234                 .insns = {
235                         BPF_MOV32_IMM(BPF_REG_0, 42),
236                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
237                         BPF_MOV32_IMM(BPF_REG_2, 1),
238                         BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
239                         BPF_EXIT_INSN(),
240                 },
241                 .result = ACCEPT,
242                 .retval = 42,
243         },
244         {
245                 "DIV64 by 0, zero check",
246                 .insns = {
247                         BPF_MOV32_IMM(BPF_REG_0, 42),
248                         BPF_MOV32_IMM(BPF_REG_1, 0),
249                         BPF_MOV32_IMM(BPF_REG_2, 1),
250                         BPF_ALU64_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
251                         BPF_EXIT_INSN(),
252                 },
253                 .result = ACCEPT,
254                 .retval = 42,
255         },
256         {
257                 "MOD32 by 0, zero check 1",
258                 .insns = {
259                         BPF_MOV32_IMM(BPF_REG_0, 42),
260                         BPF_MOV32_IMM(BPF_REG_1, 0),
261                         BPF_MOV32_IMM(BPF_REG_2, 1),
262                         BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
263                         BPF_EXIT_INSN(),
264                 },
265                 .result = ACCEPT,
266                 .retval = 42,
267         },
268         {
269                 "MOD32 by 0, zero check 2",
270                 .insns = {
271                         BPF_MOV32_IMM(BPF_REG_0, 42),
272                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
273                         BPF_MOV32_IMM(BPF_REG_2, 1),
274                         BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
275                         BPF_EXIT_INSN(),
276                 },
277                 .result = ACCEPT,
278                 .retval = 42,
279         },
280         {
281                 "MOD64 by 0, zero check",
282                 .insns = {
283                         BPF_MOV32_IMM(BPF_REG_0, 42),
284                         BPF_MOV32_IMM(BPF_REG_1, 0),
285                         BPF_MOV32_IMM(BPF_REG_2, 1),
286                         BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
287                         BPF_EXIT_INSN(),
288                 },
289                 .result = ACCEPT,
290                 .retval = 42,
291         },
292         {
293                 "DIV32 by 0, zero check ok, cls",
294                 .insns = {
295                         BPF_MOV32_IMM(BPF_REG_0, 42),
296                         BPF_MOV32_IMM(BPF_REG_1, 2),
297                         BPF_MOV32_IMM(BPF_REG_2, 16),
298                         BPF_ALU32_REG(BPF_DIV, BPF_REG_2, BPF_REG_1),
299                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
300                         BPF_EXIT_INSN(),
301                 },
302                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
303                 .result = ACCEPT,
304                 .retval = 8,
305         },
306         {
307                 "DIV32 by 0, zero check 1, cls",
308                 .insns = {
309                         BPF_MOV32_IMM(BPF_REG_1, 0),
310                         BPF_MOV32_IMM(BPF_REG_0, 1),
311                         BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
312                         BPF_EXIT_INSN(),
313                 },
314                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
315                 .result = ACCEPT,
316                 .retval = 0,
317         },
318         {
319                 "DIV32 by 0, zero check 2, cls",
320                 .insns = {
321                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
322                         BPF_MOV32_IMM(BPF_REG_0, 1),
323                         BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
324                         BPF_EXIT_INSN(),
325                 },
326                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
327                 .result = ACCEPT,
328                 .retval = 0,
329         },
330         {
331                 "DIV64 by 0, zero check, cls",
332                 .insns = {
333                         BPF_MOV32_IMM(BPF_REG_1, 0),
334                         BPF_MOV32_IMM(BPF_REG_0, 1),
335                         BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
336                         BPF_EXIT_INSN(),
337                 },
338                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
339                 .result = ACCEPT,
340                 .retval = 0,
341         },
342         {
343                 "MOD32 by 0, zero check ok, cls",
344                 .insns = {
345                         BPF_MOV32_IMM(BPF_REG_0, 42),
346                         BPF_MOV32_IMM(BPF_REG_1, 3),
347                         BPF_MOV32_IMM(BPF_REG_2, 5),
348                         BPF_ALU32_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
349                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
350                         BPF_EXIT_INSN(),
351                 },
352                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
353                 .result = ACCEPT,
354                 .retval = 2,
355         },
356         {
357                 "MOD32 by 0, zero check 1, cls",
358                 .insns = {
359                         BPF_MOV32_IMM(BPF_REG_1, 0),
360                         BPF_MOV32_IMM(BPF_REG_0, 1),
361                         BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
362                         BPF_EXIT_INSN(),
363                 },
364                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
365                 .result = ACCEPT,
366                 .retval = 1,
367         },
368         {
369                 "MOD32 by 0, zero check 2, cls",
370                 .insns = {
371                         BPF_LD_IMM64(BPF_REG_1, 0xffffffff00000000LL),
372                         BPF_MOV32_IMM(BPF_REG_0, 1),
373                         BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
374                         BPF_EXIT_INSN(),
375                 },
376                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
377                 .result = ACCEPT,
378                 .retval = 1,
379         },
380         {
381                 "MOD64 by 0, zero check 1, cls",
382                 .insns = {
383                         BPF_MOV32_IMM(BPF_REG_1, 0),
384                         BPF_MOV32_IMM(BPF_REG_0, 2),
385                         BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
386                         BPF_EXIT_INSN(),
387                 },
388                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
389                 .result = ACCEPT,
390                 .retval = 2,
391         },
392         {
393                 "MOD64 by 0, zero check 2, cls",
394                 .insns = {
395                         BPF_MOV32_IMM(BPF_REG_1, 0),
396                         BPF_MOV32_IMM(BPF_REG_0, -1),
397                         BPF_ALU64_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
398                         BPF_EXIT_INSN(),
399                 },
400                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
401                 .result = ACCEPT,
402                 .retval = -1,
403         },
404         /* Just make sure that JITs used udiv/umod as otherwise we get
405          * an exception from INT_MIN/-1 overflow similarly as with div
406          * by zero.
407          */
408         {
409                 "DIV32 overflow, check 1",
410                 .insns = {
411                         BPF_MOV32_IMM(BPF_REG_1, -1),
412                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
413                         BPF_ALU32_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
414                         BPF_EXIT_INSN(),
415                 },
416                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
417                 .result = ACCEPT,
418                 .retval = 0,
419         },
420         {
421                 "DIV32 overflow, check 2",
422                 .insns = {
423                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
424                         BPF_ALU32_IMM(BPF_DIV, BPF_REG_0, -1),
425                         BPF_EXIT_INSN(),
426                 },
427                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
428                 .result = ACCEPT,
429                 .retval = 0,
430         },
431         {
432                 "DIV64 overflow, check 1",
433                 .insns = {
434                         BPF_MOV64_IMM(BPF_REG_1, -1),
435                         BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
436                         BPF_ALU64_REG(BPF_DIV, BPF_REG_0, BPF_REG_1),
437                         BPF_EXIT_INSN(),
438                 },
439                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
440                 .result = ACCEPT,
441                 .retval = 0,
442         },
443         {
444                 "DIV64 overflow, check 2",
445                 .insns = {
446                         BPF_LD_IMM64(BPF_REG_0, LLONG_MIN),
447                         BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, -1),
448                         BPF_EXIT_INSN(),
449                 },
450                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
451                 .result = ACCEPT,
452                 .retval = 0,
453         },
454         {
455                 "MOD32 overflow, check 1",
456                 .insns = {
457                         BPF_MOV32_IMM(BPF_REG_1, -1),
458                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
459                         BPF_ALU32_REG(BPF_MOD, BPF_REG_0, BPF_REG_1),
460                         BPF_EXIT_INSN(),
461                 },
462                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
463                 .result = ACCEPT,
464                 .retval = INT_MIN,
465         },
466         {
467                 "MOD32 overflow, check 2",
468                 .insns = {
469                         BPF_MOV32_IMM(BPF_REG_0, INT_MIN),
470                         BPF_ALU32_IMM(BPF_MOD, BPF_REG_0, -1),
471                         BPF_EXIT_INSN(),
472                 },
473                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
474                 .result = ACCEPT,
475                 .retval = INT_MIN,
476         },
477         {
478                 "MOD64 overflow, check 1",
479                 .insns = {
480                         BPF_MOV64_IMM(BPF_REG_1, -1),
481                         BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
482                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
483                         BPF_ALU64_REG(BPF_MOD, BPF_REG_2, BPF_REG_1),
484                         BPF_MOV32_IMM(BPF_REG_0, 0),
485                         BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
486                         BPF_MOV32_IMM(BPF_REG_0, 1),
487                         BPF_EXIT_INSN(),
488                 },
489                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
490                 .result = ACCEPT,
491                 .retval = 1,
492         },
493         {
494                 "MOD64 overflow, check 2",
495                 .insns = {
496                         BPF_LD_IMM64(BPF_REG_2, LLONG_MIN),
497                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
498                         BPF_ALU64_IMM(BPF_MOD, BPF_REG_2, -1),
499                         BPF_MOV32_IMM(BPF_REG_0, 0),
500                         BPF_JMP_REG(BPF_JNE, BPF_REG_3, BPF_REG_2, 1),
501                         BPF_MOV32_IMM(BPF_REG_0, 1),
502                         BPF_EXIT_INSN(),
503                 },
504                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
505                 .result = ACCEPT,
506                 .retval = 1,
507         },
508         {
509                 "xor32 zero extend check",
510                 .insns = {
511                         BPF_MOV32_IMM(BPF_REG_2, -1),
512                         BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 32),
513                         BPF_ALU64_IMM(BPF_OR, BPF_REG_2, 0xffff),
514                         BPF_ALU32_REG(BPF_XOR, BPF_REG_2, BPF_REG_2),
515                         BPF_MOV32_IMM(BPF_REG_0, 2),
516                         BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0, 1),
517                         BPF_MOV32_IMM(BPF_REG_0, 1),
518                         BPF_EXIT_INSN(),
519                 },
520                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
521                 .result = ACCEPT,
522                 .retval = 1,
523         },
524         {
525                 "empty prog",
526                 .insns = {
527                 },
528                 .errstr = "unknown opcode 00",
529                 .result = REJECT,
530         },
531         {
532                 "only exit insn",
533                 .insns = {
534                         BPF_EXIT_INSN(),
535                 },
536                 .errstr = "R0 !read_ok",
537                 .result = REJECT,
538         },
539         {
540                 "unreachable",
541                 .insns = {
542                         BPF_EXIT_INSN(),
543                         BPF_EXIT_INSN(),
544                 },
545                 .errstr = "unreachable",
546                 .result = REJECT,
547         },
548         {
549                 "unreachable2",
550                 .insns = {
551                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
552                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
553                         BPF_EXIT_INSN(),
554                 },
555                 .errstr = "unreachable",
556                 .result = REJECT,
557         },
558         {
559                 "out of range jump",
560                 .insns = {
561                         BPF_JMP_IMM(BPF_JA, 0, 0, 1),
562                         BPF_EXIT_INSN(),
563                 },
564                 .errstr = "jump out of range",
565                 .result = REJECT,
566         },
567         {
568                 "out of range jump2",
569                 .insns = {
570                         BPF_JMP_IMM(BPF_JA, 0, 0, -2),
571                         BPF_EXIT_INSN(),
572                 },
573                 .errstr = "jump out of range",
574                 .result = REJECT,
575         },
576         {
577                 "test1 ld_imm64",
578                 .insns = {
579                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
580                         BPF_LD_IMM64(BPF_REG_0, 0),
581                         BPF_LD_IMM64(BPF_REG_0, 0),
582                         BPF_LD_IMM64(BPF_REG_0, 1),
583                         BPF_LD_IMM64(BPF_REG_0, 1),
584                         BPF_MOV64_IMM(BPF_REG_0, 2),
585                         BPF_EXIT_INSN(),
586                 },
587                 .errstr = "invalid BPF_LD_IMM insn",
588                 .errstr_unpriv = "R1 pointer comparison",
589                 .result = REJECT,
590         },
591         {
592                 "test2 ld_imm64",
593                 .insns = {
594                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
595                         BPF_LD_IMM64(BPF_REG_0, 0),
596                         BPF_LD_IMM64(BPF_REG_0, 0),
597                         BPF_LD_IMM64(BPF_REG_0, 1),
598                         BPF_LD_IMM64(BPF_REG_0, 1),
599                         BPF_EXIT_INSN(),
600                 },
601                 .errstr = "invalid BPF_LD_IMM insn",
602                 .errstr_unpriv = "R1 pointer comparison",
603                 .result = REJECT,
604         },
605         {
606                 "test3 ld_imm64",
607                 .insns = {
608                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
609                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
610                         BPF_LD_IMM64(BPF_REG_0, 0),
611                         BPF_LD_IMM64(BPF_REG_0, 0),
612                         BPF_LD_IMM64(BPF_REG_0, 1),
613                         BPF_LD_IMM64(BPF_REG_0, 1),
614                         BPF_EXIT_INSN(),
615                 },
616                 .errstr = "invalid bpf_ld_imm64 insn",
617                 .result = REJECT,
618         },
619         {
620                 "test4 ld_imm64",
621                 .insns = {
622                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
623                         BPF_EXIT_INSN(),
624                 },
625                 .errstr = "invalid bpf_ld_imm64 insn",
626                 .result = REJECT,
627         },
628         {
629                 "test5 ld_imm64",
630                 .insns = {
631                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
632                 },
633                 .errstr = "invalid bpf_ld_imm64 insn",
634                 .result = REJECT,
635         },
636         {
637                 "test6 ld_imm64",
638                 .insns = {
639                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 0),
640                         BPF_RAW_INSN(0, 0, 0, 0, 0),
641                         BPF_EXIT_INSN(),
642                 },
643                 .result = ACCEPT,
644         },
645         {
646                 "test7 ld_imm64",
647                 .insns = {
648                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
649                         BPF_RAW_INSN(0, 0, 0, 0, 1),
650                         BPF_EXIT_INSN(),
651                 },
652                 .result = ACCEPT,
653                 .retval = 1,
654         },
655         {
656                 "test8 ld_imm64",
657                 .insns = {
658                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 1, 1),
659                         BPF_RAW_INSN(0, 0, 0, 0, 1),
660                         BPF_EXIT_INSN(),
661                 },
662                 .errstr = "uses reserved fields",
663                 .result = REJECT,
664         },
665         {
666                 "test9 ld_imm64",
667                 .insns = {
668                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
669                         BPF_RAW_INSN(0, 0, 0, 1, 1),
670                         BPF_EXIT_INSN(),
671                 },
672                 .errstr = "invalid bpf_ld_imm64 insn",
673                 .result = REJECT,
674         },
675         {
676                 "test10 ld_imm64",
677                 .insns = {
678                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
679                         BPF_RAW_INSN(0, BPF_REG_1, 0, 0, 1),
680                         BPF_EXIT_INSN(),
681                 },
682                 .errstr = "invalid bpf_ld_imm64 insn",
683                 .result = REJECT,
684         },
685         {
686                 "test11 ld_imm64",
687                 .insns = {
688                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, 0, 0, 1),
689                         BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
690                         BPF_EXIT_INSN(),
691                 },
692                 .errstr = "invalid bpf_ld_imm64 insn",
693                 .result = REJECT,
694         },
695         {
696                 "test12 ld_imm64",
697                 .insns = {
698                         BPF_MOV64_IMM(BPF_REG_1, 0),
699                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
700                         BPF_RAW_INSN(0, 0, 0, 0, 1),
701                         BPF_EXIT_INSN(),
702                 },
703                 .errstr = "not pointing to valid bpf_map",
704                 .result = REJECT,
705         },
706         {
707                 "test13 ld_imm64",
708                 .insns = {
709                         BPF_MOV64_IMM(BPF_REG_1, 0),
710                         BPF_RAW_INSN(BPF_LD | BPF_IMM | BPF_DW, 0, BPF_REG_1, 0, 1),
711                         BPF_RAW_INSN(0, 0, BPF_REG_1, 0, 1),
712                         BPF_EXIT_INSN(),
713                 },
714                 .errstr = "invalid bpf_ld_imm64 insn",
715                 .result = REJECT,
716         },
717         {
718                 "arsh32 on imm",
719                 .insns = {
720                         BPF_MOV64_IMM(BPF_REG_0, 1),
721                         BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
722                         BPF_EXIT_INSN(),
723                 },
724                 .result = REJECT,
725                 .errstr = "unknown opcode c4",
726         },
727         {
728                 "arsh32 on reg",
729                 .insns = {
730                         BPF_MOV64_IMM(BPF_REG_0, 1),
731                         BPF_MOV64_IMM(BPF_REG_1, 5),
732                         BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
733                         BPF_EXIT_INSN(),
734                 },
735                 .result = REJECT,
736                 .errstr = "unknown opcode cc",
737         },
738         {
739                 "arsh64 on imm",
740                 .insns = {
741                         BPF_MOV64_IMM(BPF_REG_0, 1),
742                         BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
743                         BPF_EXIT_INSN(),
744                 },
745                 .result = ACCEPT,
746         },
747         {
748                 "arsh64 on reg",
749                 .insns = {
750                         BPF_MOV64_IMM(BPF_REG_0, 1),
751                         BPF_MOV64_IMM(BPF_REG_1, 5),
752                         BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
753                         BPF_EXIT_INSN(),
754                 },
755                 .result = ACCEPT,
756         },
757         {
758                 "no bpf_exit",
759                 .insns = {
760                         BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
761                 },
762                 .errstr = "not an exit",
763                 .result = REJECT,
764         },
765         {
766                 "loop (back-edge)",
767                 .insns = {
768                         BPF_JMP_IMM(BPF_JA, 0, 0, -1),
769                         BPF_EXIT_INSN(),
770                 },
771                 .errstr = "back-edge",
772                 .result = REJECT,
773         },
774         {
775                 "loop2 (back-edge)",
776                 .insns = {
777                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
778                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
779                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
780                         BPF_JMP_IMM(BPF_JA, 0, 0, -4),
781                         BPF_EXIT_INSN(),
782                 },
783                 .errstr = "back-edge",
784                 .result = REJECT,
785         },
786         {
787                 "conditional loop",
788                 .insns = {
789                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
790                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
791                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
792                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, -3),
793                         BPF_EXIT_INSN(),
794                 },
795                 .errstr = "back-edge",
796                 .result = REJECT,
797         },
798         {
799                 "read uninitialized register",
800                 .insns = {
801                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
802                         BPF_EXIT_INSN(),
803                 },
804                 .errstr = "R2 !read_ok",
805                 .result = REJECT,
806         },
807         {
808                 "read invalid register",
809                 .insns = {
810                         BPF_MOV64_REG(BPF_REG_0, -1),
811                         BPF_EXIT_INSN(),
812                 },
813                 .errstr = "R15 is invalid",
814                 .result = REJECT,
815         },
816         {
817                 "program doesn't init R0 before exit",
818                 .insns = {
819                         BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_1),
820                         BPF_EXIT_INSN(),
821                 },
822                 .errstr = "R0 !read_ok",
823                 .result = REJECT,
824         },
825         {
826                 "program doesn't init R0 before exit in all branches",
827                 .insns = {
828                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
829                         BPF_MOV64_IMM(BPF_REG_0, 1),
830                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
831                         BPF_EXIT_INSN(),
832                 },
833                 .errstr = "R0 !read_ok",
834                 .errstr_unpriv = "R1 pointer comparison",
835                 .result = REJECT,
836         },
837         {
838                 "stack out of bounds",
839                 .insns = {
840                         BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0),
841                         BPF_EXIT_INSN(),
842                 },
843                 .errstr = "invalid stack",
844                 .result = REJECT,
845         },
846         {
847                 "invalid call insn1",
848                 .insns = {
849                         BPF_RAW_INSN(BPF_JMP | BPF_CALL | BPF_X, 0, 0, 0, 0),
850                         BPF_EXIT_INSN(),
851                 },
852                 .errstr = "unknown opcode 8d",
853                 .result = REJECT,
854         },
855         {
856                 "invalid call insn2",
857                 .insns = {
858                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 1, 0),
859                         BPF_EXIT_INSN(),
860                 },
861                 .errstr = "BPF_CALL uses reserved",
862                 .result = REJECT,
863         },
864         {
865                 "invalid function call",
866                 .insns = {
867                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, 1234567),
868                         BPF_EXIT_INSN(),
869                 },
870                 .errstr = "invalid func unknown#1234567",
871                 .result = REJECT,
872         },
873         {
874                 "uninitialized stack1",
875                 .insns = {
876                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
877                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
878                         BPF_LD_MAP_FD(BPF_REG_1, 0),
879                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
880                                      BPF_FUNC_map_lookup_elem),
881                         BPF_EXIT_INSN(),
882                 },
883                 .fixup_map_hash_8b = { 2 },
884                 .errstr = "invalid indirect read from stack",
885                 .result = REJECT,
886         },
887         {
888                 "uninitialized stack2",
889                 .insns = {
890                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
891                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -8),
892                         BPF_EXIT_INSN(),
893                 },
894                 .errstr = "invalid read from stack",
895                 .result = REJECT,
896         },
897         {
898                 "invalid fp arithmetic",
899                 /* If this gets ever changed, make sure JITs can deal with it. */
900                 .insns = {
901                         BPF_MOV64_IMM(BPF_REG_0, 0),
902                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
903                         BPF_ALU64_IMM(BPF_SUB, BPF_REG_1, 8),
904                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0),
905                         BPF_EXIT_INSN(),
906                 },
907                 .errstr = "R1 subtraction from stack pointer",
908                 .result = REJECT,
909         },
910         {
911                 "non-invalid fp arithmetic",
912                 .insns = {
913                         BPF_MOV64_IMM(BPF_REG_0, 0),
914                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
915                         BPF_EXIT_INSN(),
916                 },
917                 .result = ACCEPT,
918         },
919         {
920                 "invalid argument register",
921                 .insns = {
922                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
923                                      BPF_FUNC_get_cgroup_classid),
924                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
925                                      BPF_FUNC_get_cgroup_classid),
926                         BPF_EXIT_INSN(),
927                 },
928                 .errstr = "R1 !read_ok",
929                 .result = REJECT,
930                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
931         },
932         {
933                 "non-invalid argument register",
934                 .insns = {
935                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
936                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
937                                      BPF_FUNC_get_cgroup_classid),
938                         BPF_ALU64_REG(BPF_MOV, BPF_REG_1, BPF_REG_6),
939                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
940                                      BPF_FUNC_get_cgroup_classid),
941                         BPF_EXIT_INSN(),
942                 },
943                 .result = ACCEPT,
944                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
945         },
946         {
947                 "check valid spill/fill",
948                 .insns = {
949                         /* spill R1(ctx) into stack */
950                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
951                         /* fill it back into R2 */
952                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
953                         /* should be able to access R0 = *(R2 + 8) */
954                         /* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
955                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
956                         BPF_EXIT_INSN(),
957                 },
958                 .errstr_unpriv = "R0 leaks addr",
959                 .result = ACCEPT,
960                 .result_unpriv = REJECT,
961                 .retval = POINTER_VALUE,
962         },
963         {
964                 "check valid spill/fill, skb mark",
965                 .insns = {
966                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
967                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
968                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
969                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
970                                     offsetof(struct __sk_buff, mark)),
971                         BPF_EXIT_INSN(),
972                 },
973                 .result = ACCEPT,
974                 .result_unpriv = ACCEPT,
975         },
976         {
977                 "check corrupted spill/fill",
978                 .insns = {
979                         /* spill R1(ctx) into stack */
980                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
981                         /* mess up with R1 pointer on stack */
982                         BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
983                         /* fill back into R0 should fail */
984                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
985                         BPF_EXIT_INSN(),
986                 },
987                 .errstr_unpriv = "attempt to corrupt spilled",
988                 .errstr = "corrupted spill",
989                 .result = REJECT,
990         },
991         {
992                 "invalid src register in STX",
993                 .insns = {
994                         BPF_STX_MEM(BPF_B, BPF_REG_10, -1, -1),
995                         BPF_EXIT_INSN(),
996                 },
997                 .errstr = "R15 is invalid",
998                 .result = REJECT,
999         },
1000         {
1001                 "invalid dst register in STX",
1002                 .insns = {
1003                         BPF_STX_MEM(BPF_B, 14, BPF_REG_10, -1),
1004                         BPF_EXIT_INSN(),
1005                 },
1006                 .errstr = "R14 is invalid",
1007                 .result = REJECT,
1008         },
1009         {
1010                 "invalid dst register in ST",
1011                 .insns = {
1012                         BPF_ST_MEM(BPF_B, 14, -1, -1),
1013                         BPF_EXIT_INSN(),
1014                 },
1015                 .errstr = "R14 is invalid",
1016                 .result = REJECT,
1017         },
1018         {
1019                 "invalid src register in LDX",
1020                 .insns = {
1021                         BPF_LDX_MEM(BPF_B, BPF_REG_0, 12, 0),
1022                         BPF_EXIT_INSN(),
1023                 },
1024                 .errstr = "R12 is invalid",
1025                 .result = REJECT,
1026         },
1027         {
1028                 "invalid dst register in LDX",
1029                 .insns = {
1030                         BPF_LDX_MEM(BPF_B, 11, BPF_REG_1, 0),
1031                         BPF_EXIT_INSN(),
1032                 },
1033                 .errstr = "R11 is invalid",
1034                 .result = REJECT,
1035         },
1036         {
1037                 "junk insn",
1038                 .insns = {
1039                         BPF_RAW_INSN(0, 0, 0, 0, 0),
1040                         BPF_EXIT_INSN(),
1041                 },
1042                 .errstr = "unknown opcode 00",
1043                 .result = REJECT,
1044         },
1045         {
1046                 "junk insn2",
1047                 .insns = {
1048                         BPF_RAW_INSN(1, 0, 0, 0, 0),
1049                         BPF_EXIT_INSN(),
1050                 },
1051                 .errstr = "BPF_LDX uses reserved fields",
1052                 .result = REJECT,
1053         },
1054         {
1055                 "junk insn3",
1056                 .insns = {
1057                         BPF_RAW_INSN(-1, 0, 0, 0, 0),
1058                         BPF_EXIT_INSN(),
1059                 },
1060                 .errstr = "unknown opcode ff",
1061                 .result = REJECT,
1062         },
1063         {
1064                 "junk insn4",
1065                 .insns = {
1066                         BPF_RAW_INSN(-1, -1, -1, -1, -1),
1067                         BPF_EXIT_INSN(),
1068                 },
1069                 .errstr = "unknown opcode ff",
1070                 .result = REJECT,
1071         },
1072         {
1073                 "junk insn5",
1074                 .insns = {
1075                         BPF_RAW_INSN(0x7f, -1, -1, -1, -1),
1076                         BPF_EXIT_INSN(),
1077                 },
1078                 .errstr = "BPF_ALU uses reserved fields",
1079                 .result = REJECT,
1080         },
1081         {
1082                 "misaligned read from stack",
1083                 .insns = {
1084                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1085                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, -4),
1086                         BPF_EXIT_INSN(),
1087                 },
1088                 .errstr = "misaligned stack access",
1089                 .result = REJECT,
1090         },
1091         {
1092                 "invalid map_fd for function call",
1093                 .insns = {
1094                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1095                         BPF_ALU64_REG(BPF_MOV, BPF_REG_2, BPF_REG_10),
1096                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1097                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1098                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1099                                      BPF_FUNC_map_delete_elem),
1100                         BPF_EXIT_INSN(),
1101                 },
1102                 .errstr = "fd 0 is not pointing to valid bpf_map",
1103                 .result = REJECT,
1104         },
1105         {
1106                 "don't check return value before access",
1107                 .insns = {
1108                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1109                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1110                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1111                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1112                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1113                                      BPF_FUNC_map_lookup_elem),
1114                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1115                         BPF_EXIT_INSN(),
1116                 },
1117                 .fixup_map_hash_8b = { 3 },
1118                 .errstr = "R0 invalid mem access 'map_value_or_null'",
1119                 .result = REJECT,
1120         },
1121         {
1122                 "access memory with incorrect alignment",
1123                 .insns = {
1124                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1125                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1126                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1127                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1128                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1129                                      BPF_FUNC_map_lookup_elem),
1130                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
1131                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 4, 0),
1132                         BPF_EXIT_INSN(),
1133                 },
1134                 .fixup_map_hash_8b = { 3 },
1135                 .errstr = "misaligned value access",
1136                 .result = REJECT,
1137                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1138         },
1139         {
1140                 "sometimes access memory with incorrect alignment",
1141                 .insns = {
1142                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1143                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1144                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1145                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1146                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1147                                      BPF_FUNC_map_lookup_elem),
1148                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 2),
1149                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 0),
1150                         BPF_EXIT_INSN(),
1151                         BPF_ST_MEM(BPF_DW, BPF_REG_0, 0, 1),
1152                         BPF_EXIT_INSN(),
1153                 },
1154                 .fixup_map_hash_8b = { 3 },
1155                 .errstr = "R0 invalid mem access",
1156                 .errstr_unpriv = "R0 leaks addr",
1157                 .result = REJECT,
1158                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
1159         },
1160         {
1161                 "jump test 1",
1162                 .insns = {
1163                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1164                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1, -8),
1165                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
1166                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1167                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 1),
1168                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 1),
1169                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 1),
1170                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 2),
1171                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 1),
1172                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 3),
1173                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 1),
1174                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 4),
1175                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1176                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 5),
1177                         BPF_MOV64_IMM(BPF_REG_0, 0),
1178                         BPF_EXIT_INSN(),
1179                 },
1180                 .errstr_unpriv = "R1 pointer comparison",
1181                 .result_unpriv = REJECT,
1182                 .result = ACCEPT,
1183         },
1184         {
1185                 "jump test 2",
1186                 .insns = {
1187                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1188                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 2),
1189                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1190                         BPF_JMP_IMM(BPF_JA, 0, 0, 14),
1191                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 2),
1192                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1193                         BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1194                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 2),
1195                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1196                         BPF_JMP_IMM(BPF_JA, 0, 0, 8),
1197                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 2),
1198                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1199                         BPF_JMP_IMM(BPF_JA, 0, 0, 5),
1200                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 2),
1201                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1202                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1203                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 1),
1204                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1205                         BPF_MOV64_IMM(BPF_REG_0, 0),
1206                         BPF_EXIT_INSN(),
1207                 },
1208                 .errstr_unpriv = "R1 pointer comparison",
1209                 .result_unpriv = REJECT,
1210                 .result = ACCEPT,
1211         },
1212         {
1213                 "jump test 3",
1214                 .insns = {
1215                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1216                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
1217                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -8, 0),
1218                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1219                         BPF_JMP_IMM(BPF_JA, 0, 0, 19),
1220                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 1, 3),
1221                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -16, 0),
1222                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
1223                         BPF_JMP_IMM(BPF_JA, 0, 0, 15),
1224                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 2, 3),
1225                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -32, 0),
1226                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -32),
1227                         BPF_JMP_IMM(BPF_JA, 0, 0, 11),
1228                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 3, 3),
1229                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -40, 0),
1230                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -40),
1231                         BPF_JMP_IMM(BPF_JA, 0, 0, 7),
1232                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 4, 3),
1233                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -48, 0),
1234                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -48),
1235                         BPF_JMP_IMM(BPF_JA, 0, 0, 3),
1236                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 5, 0),
1237                         BPF_ST_MEM(BPF_DW, BPF_REG_2, -56, 0),
1238                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -56),
1239                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1240                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1241                                      BPF_FUNC_map_delete_elem),
1242                         BPF_EXIT_INSN(),
1243                 },
1244                 .fixup_map_hash_8b = { 24 },
1245                 .errstr_unpriv = "R1 pointer comparison",
1246                 .result_unpriv = REJECT,
1247                 .result = ACCEPT,
1248                 .retval = -ENOENT,
1249         },
1250         {
1251                 "jump test 4",
1252                 .insns = {
1253                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1254                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1255                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1256                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1257                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1258                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1259                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1260                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1261                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1262                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1263                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1264                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1265                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1266                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1267                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1268                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1269                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1270                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1271                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1272                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1273                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1274                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1275                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1276                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1277                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1278                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1279                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1280                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1281                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1282                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1283                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1284                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1285                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 1),
1286                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 2),
1287                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 3),
1288                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 4),
1289                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1290                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1291                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1292                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
1293                         BPF_MOV64_IMM(BPF_REG_0, 0),
1294                         BPF_EXIT_INSN(),
1295                 },
1296                 .errstr_unpriv = "R1 pointer comparison",
1297                 .result_unpriv = REJECT,
1298                 .result = ACCEPT,
1299         },
1300         {
1301                 "jump test 5",
1302                 .insns = {
1303                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1304                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
1305                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1306                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1307                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1308                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1309                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1310                         BPF_MOV64_IMM(BPF_REG_0, 0),
1311                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1312                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1313                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1314                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1315                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1316                         BPF_MOV64_IMM(BPF_REG_0, 0),
1317                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1318                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1319                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1320                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1321                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1322                         BPF_MOV64_IMM(BPF_REG_0, 0),
1323                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1324                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1325                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1326                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1327                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1328                         BPF_MOV64_IMM(BPF_REG_0, 0),
1329                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1330                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, -8),
1331                         BPF_JMP_IMM(BPF_JA, 0, 0, 2),
1332                         BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_2, -8),
1333                         BPF_JMP_IMM(BPF_JA, 0, 0, 0),
1334                         BPF_MOV64_IMM(BPF_REG_0, 0),
1335                         BPF_EXIT_INSN(),
1336                 },
1337                 .errstr_unpriv = "R1 pointer comparison",
1338                 .result_unpriv = REJECT,
1339                 .result = ACCEPT,
1340         },
1341         {
1342                 "access skb fields ok",
1343                 .insns = {
1344                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1345                                     offsetof(struct __sk_buff, len)),
1346                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1347                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1348                                     offsetof(struct __sk_buff, mark)),
1349                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1350                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1351                                     offsetof(struct __sk_buff, pkt_type)),
1352                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
1353                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1354                                     offsetof(struct __sk_buff, queue_mapping)),
1355                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1356                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1357                                     offsetof(struct __sk_buff, protocol)),
1358                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1359                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1360                                     offsetof(struct __sk_buff, vlan_present)),
1361                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1362                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1363                                     offsetof(struct __sk_buff, vlan_tci)),
1364                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1365                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1366                                     offsetof(struct __sk_buff, napi_id)),
1367                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 0),
1368                         BPF_EXIT_INSN(),
1369                 },
1370                 .result = ACCEPT,
1371         },
1372         {
1373                 "access skb fields bad1",
1374                 .insns = {
1375                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -4),
1376                         BPF_EXIT_INSN(),
1377                 },
1378                 .errstr = "invalid bpf_context access",
1379                 .result = REJECT,
1380         },
1381         {
1382                 "access skb fields bad2",
1383                 .insns = {
1384                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 9),
1385                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1386                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1387                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1388                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1389                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1390                                      BPF_FUNC_map_lookup_elem),
1391                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1392                         BPF_EXIT_INSN(),
1393                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1394                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1395                                     offsetof(struct __sk_buff, pkt_type)),
1396                         BPF_EXIT_INSN(),
1397                 },
1398                 .fixup_map_hash_8b = { 4 },
1399                 .errstr = "different pointers",
1400                 .errstr_unpriv = "R1 pointer comparison",
1401                 .result = REJECT,
1402         },
1403         {
1404                 "access skb fields bad3",
1405                 .insns = {
1406                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2),
1407                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1408                                     offsetof(struct __sk_buff, pkt_type)),
1409                         BPF_EXIT_INSN(),
1410                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1411                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1412                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1413                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1414                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1415                                      BPF_FUNC_map_lookup_elem),
1416                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1417                         BPF_EXIT_INSN(),
1418                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1419                         BPF_JMP_IMM(BPF_JA, 0, 0, -12),
1420                 },
1421                 .fixup_map_hash_8b = { 6 },
1422                 .errstr = "different pointers",
1423                 .errstr_unpriv = "R1 pointer comparison",
1424                 .result = REJECT,
1425         },
1426         {
1427                 "access skb fields bad4",
1428                 .insns = {
1429                         BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
1430                         BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1431                                     offsetof(struct __sk_buff, len)),
1432                         BPF_MOV64_IMM(BPF_REG_0, 0),
1433                         BPF_EXIT_INSN(),
1434                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
1435                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
1436                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
1437                         BPF_LD_MAP_FD(BPF_REG_1, 0),
1438                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
1439                                      BPF_FUNC_map_lookup_elem),
1440                         BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
1441                         BPF_EXIT_INSN(),
1442                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
1443                         BPF_JMP_IMM(BPF_JA, 0, 0, -13),
1444                 },
1445                 .fixup_map_hash_8b = { 7 },
1446                 .errstr = "different pointers",
1447                 .errstr_unpriv = "R1 pointer comparison",
1448                 .result = REJECT,
1449         },
1450         {
1451                 "invalid access __sk_buff family",
1452                 .insns = {
1453                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1454                                     offsetof(struct __sk_buff, family)),
1455                         BPF_EXIT_INSN(),
1456                 },
1457                 .errstr = "invalid bpf_context access",
1458                 .result = REJECT,
1459         },
1460         {
1461                 "invalid access __sk_buff remote_ip4",
1462                 .insns = {
1463                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1464                                     offsetof(struct __sk_buff, remote_ip4)),
1465                         BPF_EXIT_INSN(),
1466                 },
1467                 .errstr = "invalid bpf_context access",
1468                 .result = REJECT,
1469         },
1470         {
1471                 "invalid access __sk_buff local_ip4",
1472                 .insns = {
1473                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1474                                     offsetof(struct __sk_buff, local_ip4)),
1475                         BPF_EXIT_INSN(),
1476                 },
1477                 .errstr = "invalid bpf_context access",
1478                 .result = REJECT,
1479         },
1480         {
1481                 "invalid access __sk_buff remote_ip6",
1482                 .insns = {
1483                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1484                                     offsetof(struct __sk_buff, remote_ip6)),
1485                         BPF_EXIT_INSN(),
1486                 },
1487                 .errstr = "invalid bpf_context access",
1488                 .result = REJECT,
1489         },
1490         {
1491                 "invalid access __sk_buff local_ip6",
1492                 .insns = {
1493                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1494                                     offsetof(struct __sk_buff, local_ip6)),
1495                         BPF_EXIT_INSN(),
1496                 },
1497                 .errstr = "invalid bpf_context access",
1498                 .result = REJECT,
1499         },
1500         {
1501                 "invalid access __sk_buff remote_port",
1502                 .insns = {
1503                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1504                                     offsetof(struct __sk_buff, remote_port)),
1505                         BPF_EXIT_INSN(),
1506                 },
1507                 .errstr = "invalid bpf_context access",
1508                 .result = REJECT,
1509         },
1510         {
1511                 "invalid access __sk_buff remote_port",
1512                 .insns = {
1513                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1514                                     offsetof(struct __sk_buff, local_port)),
1515                         BPF_EXIT_INSN(),
1516                 },
1517                 .errstr = "invalid bpf_context access",
1518                 .result = REJECT,
1519         },
1520         {
1521                 "valid access __sk_buff family",
1522                 .insns = {
1523                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1524                                     offsetof(struct __sk_buff, family)),
1525                         BPF_EXIT_INSN(),
1526                 },
1527                 .result = ACCEPT,
1528                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1529         },
1530         {
1531                 "valid access __sk_buff remote_ip4",
1532                 .insns = {
1533                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1534                                     offsetof(struct __sk_buff, remote_ip4)),
1535                         BPF_EXIT_INSN(),
1536                 },
1537                 .result = ACCEPT,
1538                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1539         },
1540         {
1541                 "valid access __sk_buff local_ip4",
1542                 .insns = {
1543                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1544                                     offsetof(struct __sk_buff, local_ip4)),
1545                         BPF_EXIT_INSN(),
1546                 },
1547                 .result = ACCEPT,
1548                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1549         },
1550         {
1551                 "valid access __sk_buff remote_ip6",
1552                 .insns = {
1553                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1554                                     offsetof(struct __sk_buff, remote_ip6[0])),
1555                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1556                                     offsetof(struct __sk_buff, remote_ip6[1])),
1557                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1558                                     offsetof(struct __sk_buff, remote_ip6[2])),
1559                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1560                                     offsetof(struct __sk_buff, remote_ip6[3])),
1561                         BPF_EXIT_INSN(),
1562                 },
1563                 .result = ACCEPT,
1564                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1565         },
1566         {
1567                 "valid access __sk_buff local_ip6",
1568                 .insns = {
1569                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1570                                     offsetof(struct __sk_buff, local_ip6[0])),
1571                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1572                                     offsetof(struct __sk_buff, local_ip6[1])),
1573                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1574                                     offsetof(struct __sk_buff, local_ip6[2])),
1575                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1576                                     offsetof(struct __sk_buff, local_ip6[3])),
1577                         BPF_EXIT_INSN(),
1578                 },
1579                 .result = ACCEPT,
1580                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1581         },
1582         {
1583                 "valid access __sk_buff remote_port",
1584                 .insns = {
1585                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1586                                     offsetof(struct __sk_buff, remote_port)),
1587                         BPF_EXIT_INSN(),
1588                 },
1589                 .result = ACCEPT,
1590                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1591         },
1592         {
1593                 "valid access __sk_buff remote_port",
1594                 .insns = {
1595                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1596                                     offsetof(struct __sk_buff, local_port)),
1597                         BPF_EXIT_INSN(),
1598                 },
1599                 .result = ACCEPT,
1600                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1601         },
1602         {
1603                 "invalid access of tc_classid for SK_SKB",
1604                 .insns = {
1605                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1606                                     offsetof(struct __sk_buff, tc_classid)),
1607                         BPF_EXIT_INSN(),
1608                 },
1609                 .result = REJECT,
1610                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1611                 .errstr = "invalid bpf_context access",
1612         },
1613         {
1614                 "invalid access of skb->mark for SK_SKB",
1615                 .insns = {
1616                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1617                                     offsetof(struct __sk_buff, mark)),
1618                         BPF_EXIT_INSN(),
1619                 },
1620                 .result =  REJECT,
1621                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1622                 .errstr = "invalid bpf_context access",
1623         },
1624         {
1625                 "check skb->mark is not writeable by SK_SKB",
1626                 .insns = {
1627                         BPF_MOV64_IMM(BPF_REG_0, 0),
1628                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1629                                     offsetof(struct __sk_buff, mark)),
1630                         BPF_EXIT_INSN(),
1631                 },
1632                 .result =  REJECT,
1633                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1634                 .errstr = "invalid bpf_context access",
1635         },
1636         {
1637                 "check skb->tc_index is writeable by SK_SKB",
1638                 .insns = {
1639                         BPF_MOV64_IMM(BPF_REG_0, 0),
1640                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1641                                     offsetof(struct __sk_buff, tc_index)),
1642                         BPF_EXIT_INSN(),
1643                 },
1644                 .result = ACCEPT,
1645                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1646         },
1647         {
1648                 "check skb->priority is writeable by SK_SKB",
1649                 .insns = {
1650                         BPF_MOV64_IMM(BPF_REG_0, 0),
1651                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
1652                                     offsetof(struct __sk_buff, priority)),
1653                         BPF_EXIT_INSN(),
1654                 },
1655                 .result = ACCEPT,
1656                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1657         },
1658         {
1659                 "direct packet read for SK_SKB",
1660                 .insns = {
1661                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1662                                     offsetof(struct __sk_buff, data)),
1663                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1664                                     offsetof(struct __sk_buff, data_end)),
1665                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1666                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1667                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1668                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1669                         BPF_MOV64_IMM(BPF_REG_0, 0),
1670                         BPF_EXIT_INSN(),
1671                 },
1672                 .result = ACCEPT,
1673                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1674         },
1675         {
1676                 "direct packet write for SK_SKB",
1677                 .insns = {
1678                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1679                                     offsetof(struct __sk_buff, data)),
1680                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1681                                     offsetof(struct __sk_buff, data_end)),
1682                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1683                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1684                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1685                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1686                         BPF_MOV64_IMM(BPF_REG_0, 0),
1687                         BPF_EXIT_INSN(),
1688                 },
1689                 .result = ACCEPT,
1690                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1691         },
1692         {
1693                 "overlapping checks for direct packet access SK_SKB",
1694                 .insns = {
1695                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1696                                     offsetof(struct __sk_buff, data)),
1697                         BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
1698                                     offsetof(struct __sk_buff, data_end)),
1699                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1700                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1701                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1702                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1703                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1704                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1705                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1706                         BPF_MOV64_IMM(BPF_REG_0, 0),
1707                         BPF_EXIT_INSN(),
1708                 },
1709                 .result = ACCEPT,
1710                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1711         },
1712         {
1713                 "valid access family in SK_MSG",
1714                 .insns = {
1715                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1716                                     offsetof(struct sk_msg_md, family)),
1717                         BPF_EXIT_INSN(),
1718                 },
1719                 .result = ACCEPT,
1720                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1721         },
1722         {
1723                 "valid access remote_ip4 in SK_MSG",
1724                 .insns = {
1725                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1726                                     offsetof(struct sk_msg_md, remote_ip4)),
1727                         BPF_EXIT_INSN(),
1728                 },
1729                 .result = ACCEPT,
1730                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1731         },
1732         {
1733                 "valid access local_ip4 in SK_MSG",
1734                 .insns = {
1735                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1736                                     offsetof(struct sk_msg_md, local_ip4)),
1737                         BPF_EXIT_INSN(),
1738                 },
1739                 .result = ACCEPT,
1740                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1741         },
1742         {
1743                 "valid access remote_port in SK_MSG",
1744                 .insns = {
1745                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1746                                     offsetof(struct sk_msg_md, remote_port)),
1747                         BPF_EXIT_INSN(),
1748                 },
1749                 .result = ACCEPT,
1750                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1751         },
1752         {
1753                 "valid access local_port in SK_MSG",
1754                 .insns = {
1755                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1756                                     offsetof(struct sk_msg_md, local_port)),
1757                         BPF_EXIT_INSN(),
1758                 },
1759                 .result = ACCEPT,
1760                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1761         },
1762         {
1763                 "valid access remote_ip6 in SK_MSG",
1764                 .insns = {
1765                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1766                                     offsetof(struct sk_msg_md, remote_ip6[0])),
1767                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1768                                     offsetof(struct sk_msg_md, remote_ip6[1])),
1769                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1770                                     offsetof(struct sk_msg_md, remote_ip6[2])),
1771                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1772                                     offsetof(struct sk_msg_md, remote_ip6[3])),
1773                         BPF_EXIT_INSN(),
1774                 },
1775                 .result = ACCEPT,
1776                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1777         },
1778         {
1779                 "valid access local_ip6 in SK_MSG",
1780                 .insns = {
1781                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1782                                     offsetof(struct sk_msg_md, local_ip6[0])),
1783                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1784                                     offsetof(struct sk_msg_md, local_ip6[1])),
1785                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1786                                     offsetof(struct sk_msg_md, local_ip6[2])),
1787                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
1788                                     offsetof(struct sk_msg_md, local_ip6[3])),
1789                         BPF_EXIT_INSN(),
1790                 },
1791                 .result = ACCEPT,
1792                 .prog_type = BPF_PROG_TYPE_SK_SKB,
1793         },
1794         {
1795                 "invalid 64B read of family in SK_MSG",
1796                 .insns = {
1797                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1798                                     offsetof(struct sk_msg_md, family)),
1799                         BPF_EXIT_INSN(),
1800                 },
1801                 .errstr = "invalid bpf_context access",
1802                 .result = REJECT,
1803                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1804         },
1805         {
1806                 "invalid read past end of SK_MSG",
1807                 .insns = {
1808                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1809                                     offsetof(struct sk_msg_md, local_port) + 4),
1810                         BPF_EXIT_INSN(),
1811                 },
1812                 .errstr = "R0 !read_ok",
1813                 .result = REJECT,
1814                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1815         },
1816         {
1817                 "invalid read offset in SK_MSG",
1818                 .insns = {
1819                         BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
1820                                     offsetof(struct sk_msg_md, family) + 1),
1821                         BPF_EXIT_INSN(),
1822                 },
1823                 .errstr = "invalid bpf_context access",
1824                 .result = REJECT,
1825                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1826         },
1827         {
1828                 "direct packet read for SK_MSG",
1829                 .insns = {
1830                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1831                                     offsetof(struct sk_msg_md, data)),
1832                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1833                                     offsetof(struct sk_msg_md, data_end)),
1834                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1835                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1836                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1837                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
1838                         BPF_MOV64_IMM(BPF_REG_0, 0),
1839                         BPF_EXIT_INSN(),
1840                 },
1841                 .result = ACCEPT,
1842                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1843         },
1844         {
1845                 "direct packet write for SK_MSG",
1846                 .insns = {
1847                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1848                                     offsetof(struct sk_msg_md, data)),
1849                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1850                                     offsetof(struct sk_msg_md, data_end)),
1851                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1852                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1853                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
1854                         BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
1855                         BPF_MOV64_IMM(BPF_REG_0, 0),
1856                         BPF_EXIT_INSN(),
1857                 },
1858                 .result = ACCEPT,
1859                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1860         },
1861         {
1862                 "overlapping checks for direct packet access SK_MSG",
1863                 .insns = {
1864                         BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_1,
1865                                     offsetof(struct sk_msg_md, data)),
1866                         BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_1,
1867                                     offsetof(struct sk_msg_md, data_end)),
1868                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
1869                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
1870                         BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 4),
1871                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
1872                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
1873                         BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
1874                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_2, 6),
1875                         BPF_MOV64_IMM(BPF_REG_0, 0),
1876                         BPF_EXIT_INSN(),
1877                 },
1878                 .result = ACCEPT,
1879                 .prog_type = BPF_PROG_TYPE_SK_MSG,
1880         },
1881         {
1882                 "check skb->mark is not writeable by sockets",
1883                 .insns = {
1884                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1885                                     offsetof(struct __sk_buff, mark)),
1886                         BPF_EXIT_INSN(),
1887                 },
1888                 .errstr = "invalid bpf_context access",
1889                 .errstr_unpriv = "R1 leaks addr",
1890                 .result = REJECT,
1891         },
1892         {
1893                 "check skb->tc_index is not writeable by sockets",
1894                 .insns = {
1895                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
1896                                     offsetof(struct __sk_buff, tc_index)),
1897                         BPF_EXIT_INSN(),
1898                 },
1899                 .errstr = "invalid bpf_context access",
1900                 .errstr_unpriv = "R1 leaks addr",
1901                 .result = REJECT,
1902         },
1903         {
1904                 "check cb access: byte",
1905                 .insns = {
1906                         BPF_MOV64_IMM(BPF_REG_0, 0),
1907                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1908                                     offsetof(struct __sk_buff, cb[0])),
1909                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1910                                     offsetof(struct __sk_buff, cb[0]) + 1),
1911                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1912                                     offsetof(struct __sk_buff, cb[0]) + 2),
1913                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1914                                     offsetof(struct __sk_buff, cb[0]) + 3),
1915                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1916                                     offsetof(struct __sk_buff, cb[1])),
1917                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1918                                     offsetof(struct __sk_buff, cb[1]) + 1),
1919                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1920                                     offsetof(struct __sk_buff, cb[1]) + 2),
1921                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1922                                     offsetof(struct __sk_buff, cb[1]) + 3),
1923                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1924                                     offsetof(struct __sk_buff, cb[2])),
1925                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1926                                     offsetof(struct __sk_buff, cb[2]) + 1),
1927                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1928                                     offsetof(struct __sk_buff, cb[2]) + 2),
1929                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1930                                     offsetof(struct __sk_buff, cb[2]) + 3),
1931                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1932                                     offsetof(struct __sk_buff, cb[3])),
1933                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1934                                     offsetof(struct __sk_buff, cb[3]) + 1),
1935                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1936                                     offsetof(struct __sk_buff, cb[3]) + 2),
1937                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1938                                     offsetof(struct __sk_buff, cb[3]) + 3),
1939                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1940                                     offsetof(struct __sk_buff, cb[4])),
1941                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1942                                     offsetof(struct __sk_buff, cb[4]) + 1),
1943                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1944                                     offsetof(struct __sk_buff, cb[4]) + 2),
1945                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1946                                     offsetof(struct __sk_buff, cb[4]) + 3),
1947                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1948                                     offsetof(struct __sk_buff, cb[0])),
1949                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1950                                     offsetof(struct __sk_buff, cb[0]) + 1),
1951                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1952                                     offsetof(struct __sk_buff, cb[0]) + 2),
1953                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1954                                     offsetof(struct __sk_buff, cb[0]) + 3),
1955                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1956                                     offsetof(struct __sk_buff, cb[1])),
1957                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1958                                     offsetof(struct __sk_buff, cb[1]) + 1),
1959                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1960                                     offsetof(struct __sk_buff, cb[1]) + 2),
1961                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1962                                     offsetof(struct __sk_buff, cb[1]) + 3),
1963                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1964                                     offsetof(struct __sk_buff, cb[2])),
1965                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1966                                     offsetof(struct __sk_buff, cb[2]) + 1),
1967                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1968                                     offsetof(struct __sk_buff, cb[2]) + 2),
1969                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1970                                     offsetof(struct __sk_buff, cb[2]) + 3),
1971                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1972                                     offsetof(struct __sk_buff, cb[3])),
1973                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1974                                     offsetof(struct __sk_buff, cb[3]) + 1),
1975                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1976                                     offsetof(struct __sk_buff, cb[3]) + 2),
1977                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1978                                     offsetof(struct __sk_buff, cb[3]) + 3),
1979                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1980                                     offsetof(struct __sk_buff, cb[4])),
1981                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1982                                     offsetof(struct __sk_buff, cb[4]) + 1),
1983                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1984                                     offsetof(struct __sk_buff, cb[4]) + 2),
1985                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
1986                                     offsetof(struct __sk_buff, cb[4]) + 3),
1987                         BPF_EXIT_INSN(),
1988                 },
1989                 .result = ACCEPT,
1990         },
1991         {
1992                 "__sk_buff->hash, offset 0, byte store not permitted",
1993                 .insns = {
1994                         BPF_MOV64_IMM(BPF_REG_0, 0),
1995                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
1996                                     offsetof(struct __sk_buff, hash)),
1997                         BPF_EXIT_INSN(),
1998                 },
1999                 .errstr = "invalid bpf_context access",
2000                 .result = REJECT,
2001         },
2002         {
2003                 "__sk_buff->tc_index, offset 3, byte store not permitted",
2004                 .insns = {
2005                         BPF_MOV64_IMM(BPF_REG_0, 0),
2006                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2007                                     offsetof(struct __sk_buff, tc_index) + 3),
2008                         BPF_EXIT_INSN(),
2009                 },
2010                 .errstr = "invalid bpf_context access",
2011                 .result = REJECT,
2012         },
2013         {
2014                 "check skb->hash byte load permitted",
2015                 .insns = {
2016                         BPF_MOV64_IMM(BPF_REG_0, 0),
2017 #if __BYTE_ORDER == __LITTLE_ENDIAN
2018                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2019                                     offsetof(struct __sk_buff, hash)),
2020 #else
2021                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2022                                     offsetof(struct __sk_buff, hash) + 3),
2023 #endif
2024                         BPF_EXIT_INSN(),
2025                 },
2026                 .result = ACCEPT,
2027         },
2028         {
2029                 "check skb->hash byte load not permitted 1",
2030                 .insns = {
2031                         BPF_MOV64_IMM(BPF_REG_0, 0),
2032                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2033                                     offsetof(struct __sk_buff, hash) + 1),
2034                         BPF_EXIT_INSN(),
2035                 },
2036                 .errstr = "invalid bpf_context access",
2037                 .result = REJECT,
2038         },
2039         {
2040                 "check skb->hash byte load not permitted 2",
2041                 .insns = {
2042                         BPF_MOV64_IMM(BPF_REG_0, 0),
2043                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2044                                     offsetof(struct __sk_buff, hash) + 2),
2045                         BPF_EXIT_INSN(),
2046                 },
2047                 .errstr = "invalid bpf_context access",
2048                 .result = REJECT,
2049         },
2050         {
2051                 "check skb->hash byte load not permitted 3",
2052                 .insns = {
2053                         BPF_MOV64_IMM(BPF_REG_0, 0),
2054 #if __BYTE_ORDER == __LITTLE_ENDIAN
2055                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2056                                     offsetof(struct __sk_buff, hash) + 3),
2057 #else
2058                         BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1,
2059                                     offsetof(struct __sk_buff, hash)),
2060 #endif
2061                         BPF_EXIT_INSN(),
2062                 },
2063                 .errstr = "invalid bpf_context access",
2064                 .result = REJECT,
2065         },
2066         {
2067                 "check cb access: byte, wrong type",
2068                 .insns = {
2069                         BPF_MOV64_IMM(BPF_REG_0, 0),
2070                         BPF_STX_MEM(BPF_B, BPF_REG_1, BPF_REG_0,
2071                                     offsetof(struct __sk_buff, cb[0])),
2072                         BPF_EXIT_INSN(),
2073                 },
2074                 .errstr = "invalid bpf_context access",
2075                 .result = REJECT,
2076                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2077         },
2078         {
2079                 "check cb access: half",
2080                 .insns = {
2081                         BPF_MOV64_IMM(BPF_REG_0, 0),
2082                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2083                                     offsetof(struct __sk_buff, cb[0])),
2084                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2085                                     offsetof(struct __sk_buff, cb[0]) + 2),
2086                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2087                                     offsetof(struct __sk_buff, cb[1])),
2088                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2089                                     offsetof(struct __sk_buff, cb[1]) + 2),
2090                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2091                                     offsetof(struct __sk_buff, cb[2])),
2092                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2093                                     offsetof(struct __sk_buff, cb[2]) + 2),
2094                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2095                                     offsetof(struct __sk_buff, cb[3])),
2096                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2097                                     offsetof(struct __sk_buff, cb[3]) + 2),
2098                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2099                                     offsetof(struct __sk_buff, cb[4])),
2100                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2101                                     offsetof(struct __sk_buff, cb[4]) + 2),
2102                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2103                                     offsetof(struct __sk_buff, cb[0])),
2104                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2105                                     offsetof(struct __sk_buff, cb[0]) + 2),
2106                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2107                                     offsetof(struct __sk_buff, cb[1])),
2108                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2109                                     offsetof(struct __sk_buff, cb[1]) + 2),
2110                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2111                                     offsetof(struct __sk_buff, cb[2])),
2112                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2113                                     offsetof(struct __sk_buff, cb[2]) + 2),
2114                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2115                                     offsetof(struct __sk_buff, cb[3])),
2116                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2117                                     offsetof(struct __sk_buff, cb[3]) + 2),
2118                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2119                                     offsetof(struct __sk_buff, cb[4])),
2120                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2121                                     offsetof(struct __sk_buff, cb[4]) + 2),
2122                         BPF_EXIT_INSN(),
2123                 },
2124                 .result = ACCEPT,
2125         },
2126         {
2127                 "check cb access: half, unaligned",
2128                 .insns = {
2129                         BPF_MOV64_IMM(BPF_REG_0, 0),
2130                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2131                                     offsetof(struct __sk_buff, cb[0]) + 1),
2132                         BPF_EXIT_INSN(),
2133                 },
2134                 .errstr = "misaligned context access",
2135                 .result = REJECT,
2136                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2137         },
2138         {
2139                 "check __sk_buff->hash, offset 0, half store not permitted",
2140                 .insns = {
2141                         BPF_MOV64_IMM(BPF_REG_0, 0),
2142                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2143                                     offsetof(struct __sk_buff, hash)),
2144                         BPF_EXIT_INSN(),
2145                 },
2146                 .errstr = "invalid bpf_context access",
2147                 .result = REJECT,
2148         },
2149         {
2150                 "check __sk_buff->tc_index, offset 2, half store not permitted",
2151                 .insns = {
2152                         BPF_MOV64_IMM(BPF_REG_0, 0),
2153                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2154                                     offsetof(struct __sk_buff, tc_index) + 2),
2155                         BPF_EXIT_INSN(),
2156                 },
2157                 .errstr = "invalid bpf_context access",
2158                 .result = REJECT,
2159         },
2160         {
2161                 "check skb->hash half load permitted",
2162                 .insns = {
2163                         BPF_MOV64_IMM(BPF_REG_0, 0),
2164 #if __BYTE_ORDER == __LITTLE_ENDIAN
2165                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2166                                     offsetof(struct __sk_buff, hash)),
2167 #else
2168                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2169                                     offsetof(struct __sk_buff, hash) + 2),
2170 #endif
2171                         BPF_EXIT_INSN(),
2172                 },
2173                 .result = ACCEPT,
2174         },
2175         {
2176                 "check skb->hash half load not permitted",
2177                 .insns = {
2178                         BPF_MOV64_IMM(BPF_REG_0, 0),
2179 #if __BYTE_ORDER == __LITTLE_ENDIAN
2180                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2181                                     offsetof(struct __sk_buff, hash) + 2),
2182 #else
2183                         BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1,
2184                                     offsetof(struct __sk_buff, hash)),
2185 #endif
2186                         BPF_EXIT_INSN(),
2187                 },
2188                 .errstr = "invalid bpf_context access",
2189                 .result = REJECT,
2190         },
2191         {
2192                 "check cb access: half, wrong type",
2193                 .insns = {
2194                         BPF_MOV64_IMM(BPF_REG_0, 0),
2195                         BPF_STX_MEM(BPF_H, BPF_REG_1, BPF_REG_0,
2196                                     offsetof(struct __sk_buff, cb[0])),
2197                         BPF_EXIT_INSN(),
2198                 },
2199                 .errstr = "invalid bpf_context access",
2200                 .result = REJECT,
2201                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2202         },
2203         {
2204                 "check cb access: word",
2205                 .insns = {
2206                         BPF_MOV64_IMM(BPF_REG_0, 0),
2207                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2208                                     offsetof(struct __sk_buff, cb[0])),
2209                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2210                                     offsetof(struct __sk_buff, cb[1])),
2211                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2212                                     offsetof(struct __sk_buff, cb[2])),
2213                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2214                                     offsetof(struct __sk_buff, cb[3])),
2215                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2216                                     offsetof(struct __sk_buff, cb[4])),
2217                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2218                                     offsetof(struct __sk_buff, cb[0])),
2219                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2220                                     offsetof(struct __sk_buff, cb[1])),
2221                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2222                                     offsetof(struct __sk_buff, cb[2])),
2223                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2224                                     offsetof(struct __sk_buff, cb[3])),
2225                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2226                                     offsetof(struct __sk_buff, cb[4])),
2227                         BPF_EXIT_INSN(),
2228                 },
2229                 .result = ACCEPT,
2230         },
2231         {
2232                 "check cb access: word, unaligned 1",
2233                 .insns = {
2234                         BPF_MOV64_IMM(BPF_REG_0, 0),
2235                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2236                                     offsetof(struct __sk_buff, cb[0]) + 2),
2237                         BPF_EXIT_INSN(),
2238                 },
2239                 .errstr = "misaligned context access",
2240                 .result = REJECT,
2241                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2242         },
2243         {
2244                 "check cb access: word, unaligned 2",
2245                 .insns = {
2246                         BPF_MOV64_IMM(BPF_REG_0, 0),
2247                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2248                                     offsetof(struct __sk_buff, cb[4]) + 1),
2249                         BPF_EXIT_INSN(),
2250                 },
2251                 .errstr = "misaligned context access",
2252                 .result = REJECT,
2253                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2254         },
2255         {
2256                 "check cb access: word, unaligned 3",
2257                 .insns = {
2258                         BPF_MOV64_IMM(BPF_REG_0, 0),
2259                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2260                                     offsetof(struct __sk_buff, cb[4]) + 2),
2261                         BPF_EXIT_INSN(),
2262                 },
2263                 .errstr = "misaligned context access",
2264                 .result = REJECT,
2265                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2266         },
2267         {
2268                 "check cb access: word, unaligned 4",
2269                 .insns = {
2270                         BPF_MOV64_IMM(BPF_REG_0, 0),
2271                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2272                                     offsetof(struct __sk_buff, cb[4]) + 3),
2273                         BPF_EXIT_INSN(),
2274                 },
2275                 .errstr = "misaligned context access",
2276                 .result = REJECT,
2277                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2278         },
2279         {
2280                 "check cb access: double",
2281                 .insns = {
2282                         BPF_MOV64_IMM(BPF_REG_0, 0),
2283                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2284                                     offsetof(struct __sk_buff, cb[0])),
2285                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2286                                     offsetof(struct __sk_buff, cb[2])),
2287                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2288                                     offsetof(struct __sk_buff, cb[0])),
2289                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2290                                     offsetof(struct __sk_buff, cb[2])),
2291                         BPF_EXIT_INSN(),
2292                 },
2293                 .result = ACCEPT,
2294         },
2295         {
2296                 "check cb access: double, unaligned 1",
2297                 .insns = {
2298                         BPF_MOV64_IMM(BPF_REG_0, 0),
2299                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2300                                     offsetof(struct __sk_buff, cb[1])),
2301                         BPF_EXIT_INSN(),
2302                 },
2303                 .errstr = "misaligned context access",
2304                 .result = REJECT,
2305                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2306         },
2307         {
2308                 "check cb access: double, unaligned 2",
2309                 .insns = {
2310                         BPF_MOV64_IMM(BPF_REG_0, 0),
2311                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2312                                     offsetof(struct __sk_buff, cb[3])),
2313                         BPF_EXIT_INSN(),
2314                 },
2315                 .errstr = "misaligned context access",
2316                 .result = REJECT,
2317                 .flags = F_LOAD_WITH_STRICT_ALIGNMENT,
2318         },
2319         {
2320                 "check cb access: double, oob 1",
2321                 .insns = {
2322                         BPF_MOV64_IMM(BPF_REG_0, 0),
2323                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2324                                     offsetof(struct __sk_buff, cb[4])),
2325                         BPF_EXIT_INSN(),
2326                 },
2327                 .errstr = "invalid bpf_context access",
2328                 .result = REJECT,
2329         },
2330         {
2331                 "check cb access: double, oob 2",
2332                 .insns = {
2333                         BPF_MOV64_IMM(BPF_REG_0, 0),
2334                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2335                                     offsetof(struct __sk_buff, cb[4])),
2336                         BPF_EXIT_INSN(),
2337                 },
2338                 .errstr = "invalid bpf_context access",
2339                 .result = REJECT,
2340         },
2341         {
2342                 "check __sk_buff->ifindex dw store not permitted",
2343                 .insns = {
2344                         BPF_MOV64_IMM(BPF_REG_0, 0),
2345                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2346                                     offsetof(struct __sk_buff, ifindex)),
2347                         BPF_EXIT_INSN(),
2348                 },
2349                 .errstr = "invalid bpf_context access",
2350                 .result = REJECT,
2351         },
2352         {
2353                 "check __sk_buff->ifindex dw load not permitted",
2354                 .insns = {
2355                         BPF_MOV64_IMM(BPF_REG_0, 0),
2356                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1,
2357                                     offsetof(struct __sk_buff, ifindex)),
2358                         BPF_EXIT_INSN(),
2359                 },
2360                 .errstr = "invalid bpf_context access",
2361                 .result = REJECT,
2362         },
2363         {
2364                 "check cb access: double, wrong type",
2365                 .insns = {
2366                         BPF_MOV64_IMM(BPF_REG_0, 0),
2367                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0,
2368                                     offsetof(struct __sk_buff, cb[0])),
2369                         BPF_EXIT_INSN(),
2370                 },
2371                 .errstr = "invalid bpf_context access",
2372                 .result = REJECT,
2373                 .prog_type = BPF_PROG_TYPE_CGROUP_SOCK,
2374         },
2375         {
2376                 "check out of range skb->cb access",
2377                 .insns = {
2378                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2379                                     offsetof(struct __sk_buff, cb[0]) + 256),
2380                         BPF_EXIT_INSN(),
2381                 },
2382                 .errstr = "invalid bpf_context access",
2383                 .errstr_unpriv = "",
2384                 .result = REJECT,
2385                 .prog_type = BPF_PROG_TYPE_SCHED_ACT,
2386         },
2387         {
2388                 "write skb fields from socket prog",
2389                 .insns = {
2390                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2391                                     offsetof(struct __sk_buff, cb[4])),
2392                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2393                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2394                                     offsetof(struct __sk_buff, mark)),
2395                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2396                                     offsetof(struct __sk_buff, tc_index)),
2397                         BPF_JMP_IMM(BPF_JGE, BPF_REG_0, 0, 1),
2398                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2399                                     offsetof(struct __sk_buff, cb[0])),
2400                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
2401                                     offsetof(struct __sk_buff, cb[2])),
2402                         BPF_EXIT_INSN(),
2403                 },
2404                 .result = ACCEPT,
2405                 .errstr_unpriv = "R1 leaks addr",
2406                 .result_unpriv = REJECT,
2407         },
2408         {
2409                 "write skb fields from tc_cls_act prog",
2410                 .insns = {
2411                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2412                                     offsetof(struct __sk_buff, cb[0])),
2413                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2414                                     offsetof(struct __sk_buff, mark)),
2415                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
2416                                     offsetof(struct __sk_buff, tc_index)),
2417                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2418                                     offsetof(struct __sk_buff, tc_index)),
2419                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_0,
2420                                     offsetof(struct __sk_buff, cb[3])),
2421                         BPF_EXIT_INSN(),
2422                 },
2423                 .errstr_unpriv = "",
2424                 .result_unpriv = REJECT,
2425                 .result = ACCEPT,
2426                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2427         },
2428         {
2429                 "PTR_TO_STACK store/load",
2430                 .insns = {
2431                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2432                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2433                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2434                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2435                         BPF_EXIT_INSN(),
2436                 },
2437                 .result = ACCEPT,
2438                 .retval = 0xfaceb00c,
2439         },
2440         {
2441                 "PTR_TO_STACK store/load - bad alignment on off",
2442                 .insns = {
2443                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2444                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2445                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 2, 0xfaceb00c),
2446                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 2),
2447                         BPF_EXIT_INSN(),
2448                 },
2449                 .result = REJECT,
2450                 .errstr = "misaligned stack access off (0x0; 0x0)+-8+2 size 8",
2451         },
2452         {
2453                 "PTR_TO_STACK store/load - bad alignment on reg",
2454                 .insns = {
2455                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2456                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -10),
2457                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2458                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2459                         BPF_EXIT_INSN(),
2460                 },
2461                 .result = REJECT,
2462                 .errstr = "misaligned stack access off (0x0; 0x0)+-10+8 size 8",
2463         },
2464         {
2465                 "PTR_TO_STACK store/load - out of bounds low",
2466                 .insns = {
2467                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2468                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -80000),
2469                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2470                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2471                         BPF_EXIT_INSN(),
2472                 },
2473                 .result = REJECT,
2474                 .errstr = "invalid stack off=-79992 size=8",
2475         },
2476         {
2477                 "PTR_TO_STACK store/load - out of bounds high",
2478                 .insns = {
2479                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2480                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2481                         BPF_ST_MEM(BPF_DW, BPF_REG_1, 8, 0xfaceb00c),
2482                         BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, 8),
2483                         BPF_EXIT_INSN(),
2484                 },
2485                 .result = REJECT,
2486                 .errstr = "invalid stack off=0 size=8",
2487         },
2488         {
2489                 "unpriv: return pointer",
2490                 .insns = {
2491                         BPF_MOV64_REG(BPF_REG_0, BPF_REG_10),
2492                         BPF_EXIT_INSN(),
2493                 },
2494                 .result = ACCEPT,
2495                 .result_unpriv = REJECT,
2496                 .errstr_unpriv = "R0 leaks addr",
2497                 .retval = POINTER_VALUE,
2498         },
2499         {
2500                 "unpriv: add const to pointer",
2501                 .insns = {
2502                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
2503                         BPF_MOV64_IMM(BPF_REG_0, 0),
2504                         BPF_EXIT_INSN(),
2505                 },
2506                 .result = ACCEPT,
2507         },
2508         {
2509                 "unpriv: add pointer to pointer",
2510                 .insns = {
2511                         BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_10),
2512                         BPF_MOV64_IMM(BPF_REG_0, 0),
2513                         BPF_EXIT_INSN(),
2514                 },
2515                 .result = REJECT,
2516                 .errstr = "R1 pointer += pointer",
2517         },
2518         {
2519                 "unpriv: neg pointer",
2520                 .insns = {
2521                         BPF_ALU64_IMM(BPF_NEG, BPF_REG_1, 0),
2522                         BPF_MOV64_IMM(BPF_REG_0, 0),
2523                         BPF_EXIT_INSN(),
2524                 },
2525                 .result = ACCEPT,
2526                 .result_unpriv = REJECT,
2527                 .errstr_unpriv = "R1 pointer arithmetic",
2528         },
2529         {
2530                 "unpriv: cmp pointer with const",
2531                 .insns = {
2532                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 0),
2533                         BPF_MOV64_IMM(BPF_REG_0, 0),
2534                         BPF_EXIT_INSN(),
2535                 },
2536                 .result = ACCEPT,
2537                 .result_unpriv = REJECT,
2538                 .errstr_unpriv = "R1 pointer comparison",
2539         },
2540         {
2541                 "unpriv: cmp pointer with pointer",
2542                 .insns = {
2543                         BPF_JMP_REG(BPF_JEQ, BPF_REG_1, BPF_REG_10, 0),
2544                         BPF_MOV64_IMM(BPF_REG_0, 0),
2545                         BPF_EXIT_INSN(),
2546                 },
2547                 .result = ACCEPT,
2548                 .result_unpriv = REJECT,
2549                 .errstr_unpriv = "R10 pointer comparison",
2550         },
2551         {
2552                 "unpriv: check that printk is disallowed",
2553                 .insns = {
2554                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2555                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
2556                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
2557                         BPF_MOV64_IMM(BPF_REG_2, 8),
2558                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_1),
2559                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2560                                      BPF_FUNC_trace_printk),
2561                         BPF_MOV64_IMM(BPF_REG_0, 0),
2562                         BPF_EXIT_INSN(),
2563                 },
2564                 .errstr_unpriv = "unknown func bpf_trace_printk#6",
2565                 .result_unpriv = REJECT,
2566                 .result = ACCEPT,
2567         },
2568         {
2569                 "unpriv: pass pointer to helper function",
2570                 .insns = {
2571                         BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
2572                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2573                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2574                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2575                         BPF_MOV64_REG(BPF_REG_3, BPF_REG_2),
2576                         BPF_MOV64_REG(BPF_REG_4, BPF_REG_2),
2577                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2578                                      BPF_FUNC_map_update_elem),
2579                         BPF_MOV64_IMM(BPF_REG_0, 0),
2580                         BPF_EXIT_INSN(),
2581                 },
2582                 .fixup_map_hash_8b = { 3 },
2583                 .errstr_unpriv = "R4 leaks addr",
2584                 .result_unpriv = REJECT,
2585                 .result = ACCEPT,
2586         },
2587         {
2588                 "unpriv: indirectly pass pointer on stack to helper function",
2589                 .insns = {
2590                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2591                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2592                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
2593                         BPF_LD_MAP_FD(BPF_REG_1, 0),
2594                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2595                                      BPF_FUNC_map_lookup_elem),
2596                         BPF_MOV64_IMM(BPF_REG_0, 0),
2597                         BPF_EXIT_INSN(),
2598                 },
2599                 .fixup_map_hash_8b = { 3 },
2600                 .errstr = "invalid indirect read from stack off -8+0 size 8",
2601                 .result = REJECT,
2602         },
2603         {
2604                 "unpriv: mangle pointer on stack 1",
2605                 .insns = {
2606                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2607                         BPF_ST_MEM(BPF_W, BPF_REG_10, -8, 0),
2608                         BPF_MOV64_IMM(BPF_REG_0, 0),
2609                         BPF_EXIT_INSN(),
2610                 },
2611                 .errstr_unpriv = "attempt to corrupt spilled",
2612                 .result_unpriv = REJECT,
2613                 .result = ACCEPT,
2614         },
2615         {
2616                 "unpriv: mangle pointer on stack 2",
2617                 .insns = {
2618                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2619                         BPF_ST_MEM(BPF_B, BPF_REG_10, -1, 0),
2620                         BPF_MOV64_IMM(BPF_REG_0, 0),
2621                         BPF_EXIT_INSN(),
2622                 },
2623                 .errstr_unpriv = "attempt to corrupt spilled",
2624                 .result_unpriv = REJECT,
2625                 .result = ACCEPT,
2626         },
2627         {
2628                 "unpriv: read pointer from stack in small chunks",
2629                 .insns = {
2630                         BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_10, -8),
2631                         BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_10, -8),
2632                         BPF_MOV64_IMM(BPF_REG_0, 0),
2633                         BPF_EXIT_INSN(),
2634                 },
2635                 .errstr = "invalid size",
2636                 .result = REJECT,
2637         },
2638         {
2639                 "unpriv: write pointer into ctx",
2640                 .insns = {
2641                         BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, 0),
2642                         BPF_MOV64_IMM(BPF_REG_0, 0),
2643                         BPF_EXIT_INSN(),
2644                 },
2645                 .errstr_unpriv = "R1 leaks addr",
2646                 .result_unpriv = REJECT,
2647                 .errstr = "invalid bpf_context access",
2648                 .result = REJECT,
2649         },
2650         {
2651                 "unpriv: spill/fill of ctx",
2652                 .insns = {
2653                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2654                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2655                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2656                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2657                         BPF_MOV64_IMM(BPF_REG_0, 0),
2658                         BPF_EXIT_INSN(),
2659                 },
2660                 .result = ACCEPT,
2661         },
2662         {
2663                 "unpriv: spill/fill of ctx 2",
2664                 .insns = {
2665                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2666                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2667                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2668                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2669                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2670                                      BPF_FUNC_get_hash_recalc),
2671                         BPF_MOV64_IMM(BPF_REG_0, 0),
2672                         BPF_EXIT_INSN(),
2673                 },
2674                 .result = ACCEPT,
2675                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2676         },
2677         {
2678                 "unpriv: spill/fill of ctx 3",
2679                 .insns = {
2680                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2681                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2682                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2683                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_10, 0),
2684                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2685                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2686                                      BPF_FUNC_get_hash_recalc),
2687                         BPF_EXIT_INSN(),
2688                 },
2689                 .result = REJECT,
2690                 .errstr = "R1 type=fp expected=ctx",
2691                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2692         },
2693         {
2694                 "unpriv: spill/fill of ctx 4",
2695                 .insns = {
2696                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2697                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2698                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2699                         BPF_MOV64_IMM(BPF_REG_0, 1),
2700                         BPF_RAW_INSN(BPF_STX | BPF_XADD | BPF_DW, BPF_REG_10,
2701                                      BPF_REG_0, -8, 0),
2702                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2703                         BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
2704                                      BPF_FUNC_get_hash_recalc),
2705                         BPF_EXIT_INSN(),
2706                 },
2707                 .result = REJECT,
2708                 .errstr = "R1 type=inv expected=ctx",
2709                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2710         },
2711         {
2712                 "unpriv: spill/fill of different pointers stx",
2713                 .insns = {
2714                         BPF_MOV64_IMM(BPF_REG_3, 42),
2715                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2716                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2717                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 3),
2718                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
2719                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -16),
2720                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2721                         BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2722                         BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2723                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2724                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2725                                     offsetof(struct __sk_buff, mark)),
2726                         BPF_MOV64_IMM(BPF_REG_0, 0),
2727                         BPF_EXIT_INSN(),
2728                 },
2729                 .result = REJECT,
2730                 .errstr = "same insn cannot be used with different pointers",
2731                 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
2732         },
2733         {
2734                 "unpriv: spill/fill of different pointers stx - ctx and sock",
2735                 .insns = {
2736                         BPF_MOV64_REG(BPF_REG_8, BPF_REG_1),
2737                         /* struct bpf_sock *sock = bpf_sock_lookup(...); */
2738                         BPF_SK_LOOKUP,
2739                         BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
2740                         /* u64 foo; */
2741                         /* void *target = &foo; */
2742                         BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_10),
2743                         BPF_ALU64_IMM(BPF_ADD, BPF_REG_6, -8),
2744                         BPF_MOV64_REG(BPF_REG_1, BPF_REG_8),
2745                         /* if (skb == NULL) *target = sock; */
2746                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),
2747                                 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_2, 0),
2748                         /* else *target = skb; */
2749                         BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 1),
2750                                 BPF_STX_MEM(BPF_DW, BPF_REG_6, BPF_REG_1, 0),
2751                         /* struct __sk_buff *skb = *target; */
2752                         BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_6, 0),
2753                         /* skb->mark = 42; */
2754                         BPF_MOV64_IMM(BPF_REG_3, 42),
2755                         BPF_STX_MEM(BPF_W, BPF_REG_1, BPF_REG_3,
2756                                     offsetof(struct __sk_buff, mark)),
2757                         /* if (sk) bpf_sk_release(sk) */
2758                         BPF_JMP_IMM(BPF_JEQ, BPF_REG_1, 0, 1),