1 {
2 	"pkt_end - pkt_start is allowed",
3 	.insns = {
4 		BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
5 			    offsetof(struct __sk_buff, data_end)),
6 		BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
7 			    offsetof(struct __sk_buff, data)),
8 		BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2),
9 		BPF_EXIT_INSN(),
10 	},
11 	.result = ACCEPT,
12 	.retval = TEST_DATA_LEN,
13 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
14 },
15 {
16 	"direct packet access: test1",
17 	.insns = {
18 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
19 		    offsetof(struct __sk_buff, data)),
20 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
21 		    offsetof(struct __sk_buff, data_end)),
22 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
23 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
24 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
25 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
26 	BPF_MOV64_IMM(BPF_REG_0, 0),
27 	BPF_EXIT_INSN(),
28 	},
29 	.result = ACCEPT,
30 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
31 },
32 {
33 	"direct packet access: test2",
34 	.insns = {
35 	BPF_MOV64_IMM(BPF_REG_0, 1),
36 	BPF_LDX_MEM(BPF_W, BPF_REG_4, BPF_REG_1,
37 		    offsetof(struct __sk_buff, data_end)),
38 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
39 		    offsetof(struct __sk_buff, data)),
40 	BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
41 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 14),
42 	BPF_JMP_REG(BPF_JGT, BPF_REG_5, BPF_REG_4, 15),
43 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_3, 7),
44 	BPF_LDX_MEM(BPF_B, BPF_REG_4, BPF_REG_3, 12),
45 	BPF_ALU64_IMM(BPF_MUL, BPF_REG_4, 14),
46 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
47 		    offsetof(struct __sk_buff, data)),
48 	BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4),
49 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
50 		    offsetof(struct __sk_buff, len)),
51 	BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49),
52 	BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49),
53 	BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2),
54 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_3),
55 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
56 	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
57 		    offsetof(struct __sk_buff, data_end)),
58 	BPF_JMP_REG(BPF_JGT, BPF_REG_2, BPF_REG_1, 1),
59 	BPF_LDX_MEM(BPF_B, BPF_REG_1, BPF_REG_3, 4),
60 	BPF_MOV64_IMM(BPF_REG_0, 0),
61 	BPF_EXIT_INSN(),
62 	},
63 	.result = ACCEPT,
64 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
65 },
66 {
67 	"direct packet access: test3",
68 	.insns = {
69 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
70 		    offsetof(struct __sk_buff, data)),
71 	BPF_MOV64_IMM(BPF_REG_0, 0),
72 	BPF_EXIT_INSN(),
73 	},
74 	.errstr = "invalid bpf_context access off=76",
75 	.result = REJECT,
76 	.prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
77 },
78 {
79 	"direct packet access: test4 (write)",
80 	.insns = {
81 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
82 		    offsetof(struct __sk_buff, data)),
83 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
84 		    offsetof(struct __sk_buff, data_end)),
85 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
86 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
87 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
88 	BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
89 	BPF_MOV64_IMM(BPF_REG_0, 0),
90 	BPF_EXIT_INSN(),
91 	},
92 	.result = ACCEPT,
93 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
94 },
95 {
96 	"direct packet access: test5 (pkt_end >= reg, good access)",
97 	.insns = {
98 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
99 		    offsetof(struct __sk_buff, data)),
100 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
101 		    offsetof(struct __sk_buff, data_end)),
102 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
103 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
104 	BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
105 	BPF_MOV64_IMM(BPF_REG_0, 1),
106 	BPF_EXIT_INSN(),
107 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
108 	BPF_MOV64_IMM(BPF_REG_0, 0),
109 	BPF_EXIT_INSN(),
110 	},
111 	.result = ACCEPT,
112 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
113 },
114 {
115 	"direct packet access: test6 (pkt_end >= reg, bad access)",
116 	.insns = {
117 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
118 		    offsetof(struct __sk_buff, data)),
119 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
120 		    offsetof(struct __sk_buff, data_end)),
121 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
122 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
123 	BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
124 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
125 	BPF_MOV64_IMM(BPF_REG_0, 1),
126 	BPF_EXIT_INSN(),
127 	BPF_MOV64_IMM(BPF_REG_0, 0),
128 	BPF_EXIT_INSN(),
129 	},
130 	.errstr = "invalid access to packet",
131 	.result = REJECT,
132 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
133 },
134 {
135 	"direct packet access: test7 (pkt_end >= reg, both accesses)",
136 	.insns = {
137 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
138 		    offsetof(struct __sk_buff, data)),
139 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
140 		    offsetof(struct __sk_buff, data_end)),
141 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
142 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
143 	BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 3),
144 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
145 	BPF_MOV64_IMM(BPF_REG_0, 1),
146 	BPF_EXIT_INSN(),
147 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
148 	BPF_MOV64_IMM(BPF_REG_0, 0),
149 	BPF_EXIT_INSN(),
150 	},
151 	.errstr = "invalid access to packet",
152 	.result = REJECT,
153 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
154 },
155 {
156 	"direct packet access: test8 (double test, variant 1)",
157 	.insns = {
158 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
159 		    offsetof(struct __sk_buff, data)),
160 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
161 		    offsetof(struct __sk_buff, data_end)),
162 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
163 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
164 	BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 4),
165 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
166 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
167 	BPF_MOV64_IMM(BPF_REG_0, 1),
168 	BPF_EXIT_INSN(),
169 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
170 	BPF_MOV64_IMM(BPF_REG_0, 0),
171 	BPF_EXIT_INSN(),
172 	},
173 	.result = ACCEPT,
174 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
175 },
176 {
177 	"direct packet access: test9 (double test, variant 2)",
178 	.insns = {
179 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
180 		    offsetof(struct __sk_buff, data)),
181 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
182 		    offsetof(struct __sk_buff, data_end)),
183 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
184 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
185 	BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_0, 2),
186 	BPF_MOV64_IMM(BPF_REG_0, 1),
187 	BPF_EXIT_INSN(),
188 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
189 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
190 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
191 	BPF_MOV64_IMM(BPF_REG_0, 0),
192 	BPF_EXIT_INSN(),
193 	},
194 	.result = ACCEPT,
195 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
196 },
197 {
198 	"direct packet access: test10 (write invalid)",
199 	.insns = {
200 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
201 		    offsetof(struct __sk_buff, data)),
202 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
203 		    offsetof(struct __sk_buff, data_end)),
204 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
205 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
206 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
207 	BPF_MOV64_IMM(BPF_REG_0, 0),
208 	BPF_EXIT_INSN(),
209 	BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
210 	BPF_MOV64_IMM(BPF_REG_0, 0),
211 	BPF_EXIT_INSN(),
212 	},
213 	.errstr = "invalid access to packet",
214 	.result = REJECT,
215 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
216 },
217 {
218 	"direct packet access: test11 (shift, good access)",
219 	.insns = {
220 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
221 		    offsetof(struct __sk_buff, data)),
222 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
223 		    offsetof(struct __sk_buff, data_end)),
224 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
225 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
226 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
227 	BPF_MOV64_IMM(BPF_REG_3, 144),
228 	BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
229 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
230 	BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 3),
231 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
232 	BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
233 	BPF_MOV64_IMM(BPF_REG_0, 1),
234 	BPF_EXIT_INSN(),
235 	BPF_MOV64_IMM(BPF_REG_0, 0),
236 	BPF_EXIT_INSN(),
237 	},
238 	.result = ACCEPT,
239 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
240 	.retval = 1,
241 },
242 {
243 	"direct packet access: test12 (and, good access)",
244 	.insns = {
245 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
246 		    offsetof(struct __sk_buff, data)),
247 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
248 		    offsetof(struct __sk_buff, data_end)),
249 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
250 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
251 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
252 	BPF_MOV64_IMM(BPF_REG_3, 144),
253 	BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
254 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
255 	BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
256 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
257 	BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
258 	BPF_MOV64_IMM(BPF_REG_0, 1),
259 	BPF_EXIT_INSN(),
260 	BPF_MOV64_IMM(BPF_REG_0, 0),
261 	BPF_EXIT_INSN(),
262 	},
263 	.result = ACCEPT,
264 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
265 	.retval = 1,
266 },
267 {
268 	"direct packet access: test13 (branches, good access)",
269 	.insns = {
270 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
271 		    offsetof(struct __sk_buff, data)),
272 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
273 		    offsetof(struct __sk_buff, data_end)),
274 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
275 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
276 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 13),
277 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
278 		    offsetof(struct __sk_buff, mark)),
279 	BPF_MOV64_IMM(BPF_REG_4, 1),
280 	BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_4, 2),
281 	BPF_MOV64_IMM(BPF_REG_3, 14),
282 	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
283 	BPF_MOV64_IMM(BPF_REG_3, 24),
284 	BPF_MOV64_REG(BPF_REG_5, BPF_REG_3),
285 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_5, 23),
286 	BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 15),
287 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
288 	BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
289 	BPF_MOV64_IMM(BPF_REG_0, 1),
290 	BPF_EXIT_INSN(),
291 	BPF_MOV64_IMM(BPF_REG_0, 0),
292 	BPF_EXIT_INSN(),
293 	},
294 	.result = ACCEPT,
295 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
296 	.retval = 1,
297 },
298 {
299 	"direct packet access: test14 (pkt_ptr += 0, CONST_IMM, good access)",
300 	.insns = {
301 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
302 		    offsetof(struct __sk_buff, data)),
303 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
304 		    offsetof(struct __sk_buff, data_end)),
305 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
306 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 22),
307 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 7),
308 	BPF_MOV64_IMM(BPF_REG_5, 12),
309 	BPF_ALU64_IMM(BPF_RSH, BPF_REG_5, 4),
310 	BPF_MOV64_REG(BPF_REG_6, BPF_REG_2),
311 	BPF_ALU64_REG(BPF_ADD, BPF_REG_6, BPF_REG_5),
312 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
313 	BPF_MOV64_IMM(BPF_REG_0, 1),
314 	BPF_EXIT_INSN(),
315 	BPF_MOV64_IMM(BPF_REG_0, 0),
316 	BPF_EXIT_INSN(),
317 	},
318 	.result = ACCEPT,
319 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
320 	.retval = 1,
321 },
322 {
323 	"direct packet access: test15 (spill with xadd)",
324 	.insns = {
325 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
326 		    offsetof(struct __sk_buff, data)),
327 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
328 		    offsetof(struct __sk_buff, data_end)),
329 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
330 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
331 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 8),
332 	BPF_MOV64_IMM(BPF_REG_5, 4096),
333 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_10),
334 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, -8),
335 	BPF_STX_MEM(BPF_DW, BPF_REG_4, BPF_REG_2, 0),
336 	BPF_STX_XADD(BPF_DW, BPF_REG_4, BPF_REG_5, 0),
337 	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_4, 0),
338 	BPF_STX_MEM(BPF_W, BPF_REG_2, BPF_REG_5, 0),
339 	BPF_MOV64_IMM(BPF_REG_0, 0),
340 	BPF_EXIT_INSN(),
341 	},
342 	.errstr = "R2 invalid mem access 'inv'",
343 	.result = REJECT,
344 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
345 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
346 },
347 {
348 	"direct packet access: test16 (arith on data_end)",
349 	.insns = {
350 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
351 		    offsetof(struct __sk_buff, data)),
352 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
353 		    offsetof(struct __sk_buff, data_end)),
354 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
355 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
356 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 16),
357 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
358 	BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
359 	BPF_MOV64_IMM(BPF_REG_0, 0),
360 	BPF_EXIT_INSN(),
361 	},
362 	.errstr = "R3 pointer arithmetic on pkt_end",
363 	.result = REJECT,
364 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
365 },
366 {
367 	"direct packet access: test17 (pruning, alignment)",
368 	.insns = {
369 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
370 		    offsetof(struct __sk_buff, data)),
371 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
372 		    offsetof(struct __sk_buff, data_end)),
373 	BPF_LDX_MEM(BPF_W, BPF_REG_7, BPF_REG_1,
374 		    offsetof(struct __sk_buff, mark)),
375 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
376 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 14),
377 	BPF_JMP_IMM(BPF_JGT, BPF_REG_7, 1, 4),
378 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
379 	BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, -4),
380 	BPF_MOV64_IMM(BPF_REG_0, 0),
381 	BPF_EXIT_INSN(),
382 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 1),
383 	BPF_JMP_A(-6),
384 	},
385 	.errstr = "misaligned packet access off 2+(0x0; 0x0)+15+-4 size 4",
386 	.result = REJECT,
387 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
388 	.flags = F_LOAD_WITH_STRICT_ALIGNMENT,
389 },
390 {
391 	"direct packet access: test18 (imm += pkt_ptr, 1)",
392 	.insns = {
393 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
394 		    offsetof(struct __sk_buff, data)),
395 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
396 		    offsetof(struct __sk_buff, data_end)),
397 	BPF_MOV64_IMM(BPF_REG_0, 8),
398 	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
399 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
400 	BPF_STX_MEM(BPF_B, BPF_REG_2, BPF_REG_2, 0),
401 	BPF_MOV64_IMM(BPF_REG_0, 0),
402 	BPF_EXIT_INSN(),
403 	},
404 	.result = ACCEPT,
405 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
406 },
407 {
408 	"direct packet access: test19 (imm += pkt_ptr, 2)",
409 	.insns = {
410 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
411 		    offsetof(struct __sk_buff, data)),
412 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
413 		    offsetof(struct __sk_buff, data_end)),
414 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
415 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
416 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 3),
417 	BPF_MOV64_IMM(BPF_REG_4, 4),
418 	BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
419 	BPF_STX_MEM(BPF_B, BPF_REG_4, BPF_REG_4, 0),
420 	BPF_MOV64_IMM(BPF_REG_0, 0),
421 	BPF_EXIT_INSN(),
422 	},
423 	.result = ACCEPT,
424 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
425 },
426 {
427 	"direct packet access: test20 (x += pkt_ptr, 1)",
428 	.insns = {
429 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
430 		    offsetof(struct __sk_buff, data)),
431 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
432 		    offsetof(struct __sk_buff, data_end)),
433 	BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
434 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
435 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
436 	BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0x7fff),
437 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
438 	BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
439 	BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
440 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
441 	BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
442 	BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
443 	BPF_MOV64_IMM(BPF_REG_0, 0),
444 	BPF_EXIT_INSN(),
445 	},
446 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
447 	.result = ACCEPT,
448 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
449 },
450 {
451 	"direct packet access: test21 (x += pkt_ptr, 2)",
452 	.insns = {
453 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
454 		    offsetof(struct __sk_buff, data)),
455 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
456 		    offsetof(struct __sk_buff, data_end)),
457 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
458 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
459 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 9),
460 	BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
461 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
462 	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
463 	BPF_ALU64_IMM(BPF_AND, BPF_REG_4, 0x7fff),
464 	BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
465 	BPF_MOV64_REG(BPF_REG_5, BPF_REG_4),
466 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_4, 0x7fff - 1),
467 	BPF_JMP_REG(BPF_JGT, BPF_REG_4, BPF_REG_3, 1),
468 	BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_4, 0),
469 	BPF_MOV64_IMM(BPF_REG_0, 0),
470 	BPF_EXIT_INSN(),
471 	},
472 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
473 	.result = ACCEPT,
474 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
475 },
476 {
477 	"direct packet access: test22 (x += pkt_ptr, 3)",
478 	.insns = {
479 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
480 		    offsetof(struct __sk_buff, data)),
481 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
482 		    offsetof(struct __sk_buff, data_end)),
483 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
484 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
485 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_2, -8),
486 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_3, -16),
487 	BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
488 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 11),
489 	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
490 	BPF_MOV64_IMM(BPF_REG_4, 0xffffffff),
491 	BPF_STX_XADD(BPF_DW, BPF_REG_10, BPF_REG_4, -8),
492 	BPF_LDX_MEM(BPF_DW, BPF_REG_4, BPF_REG_10, -8),
493 	BPF_ALU64_IMM(BPF_RSH, BPF_REG_4, 49),
494 	BPF_ALU64_REG(BPF_ADD, BPF_REG_4, BPF_REG_2),
495 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_4),
496 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
497 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 2),
498 	BPF_MOV64_IMM(BPF_REG_2, 1),
499 	BPF_STX_MEM(BPF_H, BPF_REG_4, BPF_REG_2, 0),
500 	BPF_MOV64_IMM(BPF_REG_0, 0),
501 	BPF_EXIT_INSN(),
502 	},
503 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
504 	.result = ACCEPT,
505 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
506 },
507 {
508 	"direct packet access: test23 (x += pkt_ptr, 4)",
509 	.insns = {
510 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
511 		    offsetof(struct __sk_buff, data)),
512 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
513 		    offsetof(struct __sk_buff, data_end)),
514 	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1,
515 		    offsetof(struct __sk_buff, mark)),
516 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
517 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
518 	BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xffff),
519 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
520 	BPF_MOV64_IMM(BPF_REG_0, 31),
521 	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
522 	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
523 	BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
524 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0xffff - 1),
525 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
526 	BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
527 	BPF_MOV64_IMM(BPF_REG_0, 0),
528 	BPF_EXIT_INSN(),
529 	},
530 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
531 	.result = REJECT,
532 	.errstr = "invalid access to packet, off=0 size=8, R5(id=2,off=0,r=0)",
533 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
534 },
535 {
536 	"direct packet access: test24 (x += pkt_ptr, 5)",
537 	.insns = {
538 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
539 		    offsetof(struct __sk_buff, data)),
540 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
541 		    offsetof(struct __sk_buff, data_end)),
542 	BPF_MOV64_IMM(BPF_REG_0, 0xffffffff),
543 	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_0, -8),
544 	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
545 	BPF_ALU64_IMM(BPF_AND, BPF_REG_0, 0xff),
546 	BPF_MOV64_REG(BPF_REG_4, BPF_REG_0),
547 	BPF_MOV64_IMM(BPF_REG_0, 64),
548 	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_4),
549 	BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_2),
550 	BPF_MOV64_REG(BPF_REG_5, BPF_REG_0),
551 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 0x7fff - 1),
552 	BPF_JMP_REG(BPF_JGT, BPF_REG_0, BPF_REG_3, 1),
553 	BPF_STX_MEM(BPF_DW, BPF_REG_5, BPF_REG_0, 0),
554 	BPF_MOV64_IMM(BPF_REG_0, 0),
555 	BPF_EXIT_INSN(),
556 	},
557 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
558 	.result = ACCEPT,
559 	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
560 },
561 {
562 	"direct packet access: test25 (marking on <, good access)",
563 	.insns = {
564 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
565 		    offsetof(struct __sk_buff, data)),
566 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
567 		    offsetof(struct __sk_buff, data_end)),
568 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
569 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
570 	BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 2),
571 	BPF_MOV64_IMM(BPF_REG_0, 0),
572 	BPF_EXIT_INSN(),
573 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
574 	BPF_JMP_IMM(BPF_JA, 0, 0, -4),
575 	},
576 	.result = ACCEPT,
577 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
578 },
579 {
580 	"direct packet access: test26 (marking on <, bad access)",
581 	.insns = {
582 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
583 		    offsetof(struct __sk_buff, data)),
584 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
585 		    offsetof(struct __sk_buff, data_end)),
586 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
587 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
588 	BPF_JMP_REG(BPF_JLT, BPF_REG_0, BPF_REG_3, 3),
589 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
590 	BPF_MOV64_IMM(BPF_REG_0, 0),
591 	BPF_EXIT_INSN(),
592 	BPF_JMP_IMM(BPF_JA, 0, 0, -3),
593 	},
594 	.result = REJECT,
595 	.errstr = "invalid access to packet",
596 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
597 },
598 {
599 	"direct packet access: test27 (marking on <=, good access)",
600 	.insns = {
601 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
602 		    offsetof(struct __sk_buff, data)),
603 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
604 		    offsetof(struct __sk_buff, data_end)),
605 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
606 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
607 	BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 1),
608 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
609 	BPF_MOV64_IMM(BPF_REG_0, 1),
610 	BPF_EXIT_INSN(),
611 	},
612 	.result = ACCEPT,
613 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
614 	.retval = 1,
615 },
616 {
617 	"direct packet access: test28 (marking on <=, bad access)",
618 	.insns = {
619 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
620 		    offsetof(struct __sk_buff, data)),
621 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
622 		    offsetof(struct __sk_buff, data_end)),
623 	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
624 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 8),
625 	BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_0, 2),
626 	BPF_MOV64_IMM(BPF_REG_0, 1),
627 	BPF_EXIT_INSN(),
628 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_2, 0),
629 	BPF_JMP_IMM(BPF_JA, 0, 0, -4),
630 	},
631 	.result = REJECT,
632 	.errstr = "invalid access to packet",
633 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
634 },
635 {
636 	"direct packet access: test29 (reg > pkt_end in subprog)",
637 	.insns = {
638 	BPF_LDX_MEM(BPF_W, BPF_REG_6, BPF_REG_1,
639 		    offsetof(struct __sk_buff, data)),
640 	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
641 		    offsetof(struct __sk_buff, data_end)),
642 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_6),
643 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
644 	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 4),
645 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 1),
646 	BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_6, 0),
647 	BPF_MOV64_IMM(BPF_REG_0, 0),
648 	BPF_EXIT_INSN(),
649 	BPF_MOV64_IMM(BPF_REG_0, 0),
650 	BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_2, 1),
651 	BPF_MOV64_IMM(BPF_REG_0, 1),
652 	BPF_EXIT_INSN(),
653 	},
654 	.result = ACCEPT,
655 	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
656 },
657