1 files changed, 480 insertions, 0 deletions
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index 50e15cedbb7f..64ae21f64489 100644
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -6671,6 +6671,486 @@ static struct bpf_test tests[] = {
                .result = REJECT,
                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
        },
+        {
+                "XDP pkt read, pkt_end mangling, bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_end mangling, bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_data' > pkt_end, good access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_data' > pkt_end, bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_data' > pkt_end, bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_end > pkt_data', good access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_end > pkt_data', bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_end > pkt_data', bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_data' < pkt_end, good access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_data' < pkt_end, bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_data' < pkt_end, bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_end < pkt_data', good access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_end < pkt_data', bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_end < pkt_data', bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_data' >= pkt_end, good access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_data' >= pkt_end, bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_data' >= pkt_end, bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_end >= pkt_data', good access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_end >= pkt_data', bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_end >= pkt_data', bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_data' <= pkt_end, good access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_data' <= pkt_end, bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_data' <= pkt_end, bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_end <= pkt_data', good access",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .result = ACCEPT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
+        {
+                "XDP pkt read, pkt_end <= pkt_data', bad access 1",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
+                        BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+        },
+        {
+                "XDP pkt read, pkt_end <= pkt_data', bad access 2",
+                .insns = {
+                        BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
+                                    offsetof(struct xdp_md, data)),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
+                                    offsetof(struct xdp_md, data_end)),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+                        BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                },
+                .errstr = "R1 offset is outside of the packet",
+                .result = REJECT,
+                .prog_type = BPF_PROG_TYPE_XDP,
+                .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+        },
 };
 static int probe_filter_length(const struct bpf_insn *fp)

diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index 50e15cedbb7f..64ae21f64489 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -6671,6 +6671,486 @@ static struct bpf_test tests[] = {
6671	.result = REJECT,	6671	.result = REJECT,
6672	.prog_type = BPF_PROG_TYPE_SCHED_CLS,	6672	.prog_type = BPF_PROG_TYPE_SCHED_CLS,
6673	},	6673	},
		6674	{
		6675	"XDP pkt read, pkt_end mangling, bad access 1",
		6676	.insns = {
		6677	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6678	offsetof(struct xdp_md, data)),
		6679	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6680	offsetof(struct xdp_md, data_end)),
		6681	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6682	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6683	BPF_ALU64_IMM(BPF_ADD, BPF_REG_3, 8),
		6684	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
		6685	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6686	BPF_MOV64_IMM(BPF_REG_0, 0),
		6687	BPF_EXIT_INSN(),
		6688	},
		6689	.errstr = "R1 offset is outside of the packet",
		6690	.result = REJECT,
		6691	.prog_type = BPF_PROG_TYPE_XDP,
		6692	},
		6693	{
		6694	"XDP pkt read, pkt_end mangling, bad access 2",
		6695	.insns = {
		6696	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6697	offsetof(struct xdp_md, data)),
		6698	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6699	offsetof(struct xdp_md, data_end)),
		6700	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6701	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6702	BPF_ALU64_IMM(BPF_SUB, BPF_REG_3, 8),
		6703	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
		6704	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6705	BPF_MOV64_IMM(BPF_REG_0, 0),
		6706	BPF_EXIT_INSN(),
		6707	},
		6708	.errstr = "R1 offset is outside of the packet",
		6709	.result = REJECT,
		6710	.prog_type = BPF_PROG_TYPE_XDP,
		6711	},
		6712	{
		6713	"XDP pkt read, pkt_data' > pkt_end, good access",
		6714	.insns = {
		6715	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6716	offsetof(struct xdp_md, data)),
		6717	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6718	offsetof(struct xdp_md, data_end)),
		6719	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6720	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6721	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
		6722	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6723	BPF_MOV64_IMM(BPF_REG_0, 0),
		6724	BPF_EXIT_INSN(),
		6725	},
		6726	.result = ACCEPT,
		6727	.prog_type = BPF_PROG_TYPE_XDP,
		6728	},
		6729	{
		6730	"XDP pkt read, pkt_data' > pkt_end, bad access 1",
		6731	.insns = {
		6732	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6733	offsetof(struct xdp_md, data)),
		6734	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6735	offsetof(struct xdp_md, data_end)),
		6736	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6737	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6738	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 1),
		6739	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
		6740	BPF_MOV64_IMM(BPF_REG_0, 0),
		6741	BPF_EXIT_INSN(),
		6742	},
		6743	.errstr = "R1 offset is outside of the packet",
		6744	.result = REJECT,
		6745	.prog_type = BPF_PROG_TYPE_XDP,
		6746	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		6747	},
		6748	{
		6749	"XDP pkt read, pkt_data' > pkt_end, bad access 2",
		6750	.insns = {
		6751	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6752	offsetof(struct xdp_md, data)),
		6753	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6754	offsetof(struct xdp_md, data_end)),
		6755	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6756	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6757	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_3, 0),
		6758	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6759	BPF_MOV64_IMM(BPF_REG_0, 0),
		6760	BPF_EXIT_INSN(),
		6761	},
		6762	.errstr = "R1 offset is outside of the packet",
		6763	.result = REJECT,
		6764	.prog_type = BPF_PROG_TYPE_XDP,
		6765	},
		6766	{
		6767	"XDP pkt read, pkt_end > pkt_data', good access",
		6768	.insns = {
		6769	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6770	offsetof(struct xdp_md, data)),
		6771	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6772	offsetof(struct xdp_md, data_end)),
		6773	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6774	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6775	BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
		6776	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
		6777	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
		6778	BPF_MOV64_IMM(BPF_REG_0, 0),
		6779	BPF_EXIT_INSN(),
		6780	},
		6781	.result = ACCEPT,
		6782	.prog_type = BPF_PROG_TYPE_XDP,
		6783	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		6784	},
		6785	{
		6786	"XDP pkt read, pkt_end > pkt_data', bad access 1",
		6787	.insns = {
		6788	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6789	offsetof(struct xdp_md, data)),
		6790	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6791	offsetof(struct xdp_md, data_end)),
		6792	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6793	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6794	BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
		6795	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
		6796	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6797	BPF_MOV64_IMM(BPF_REG_0, 0),
		6798	BPF_EXIT_INSN(),
		6799	},
		6800	.errstr = "R1 offset is outside of the packet",
		6801	.result = REJECT,
		6802	.prog_type = BPF_PROG_TYPE_XDP,
		6803	},
		6804	{
		6805	"XDP pkt read, pkt_end > pkt_data', bad access 2",
		6806	.insns = {
		6807	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6808	offsetof(struct xdp_md, data)),
		6809	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6810	offsetof(struct xdp_md, data_end)),
		6811	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6812	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6813	BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
		6814	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6815	BPF_MOV64_IMM(BPF_REG_0, 0),
		6816	BPF_EXIT_INSN(),
		6817	},
		6818	.errstr = "R1 offset is outside of the packet",
		6819	.result = REJECT,
		6820	.prog_type = BPF_PROG_TYPE_XDP,
		6821	},
		6822	{
		6823	"XDP pkt read, pkt_data' < pkt_end, good access",
		6824	.insns = {
		6825	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6826	offsetof(struct xdp_md, data)),
		6827	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6828	offsetof(struct xdp_md, data_end)),
		6829	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6830	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6831	BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
		6832	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
		6833	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
		6834	BPF_MOV64_IMM(BPF_REG_0, 0),
		6835	BPF_EXIT_INSN(),
		6836	},
		6837	.result = ACCEPT,
		6838	.prog_type = BPF_PROG_TYPE_XDP,
		6839	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		6840	},
		6841	{
		6842	"XDP pkt read, pkt_data' < pkt_end, bad access 1",
		6843	.insns = {
		6844	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6845	offsetof(struct xdp_md, data)),
		6846	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6847	offsetof(struct xdp_md, data_end)),
		6848	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6849	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6850	BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
		6851	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
		6852	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6853	BPF_MOV64_IMM(BPF_REG_0, 0),
		6854	BPF_EXIT_INSN(),
		6855	},
		6856	.errstr = "R1 offset is outside of the packet",
		6857	.result = REJECT,
		6858	.prog_type = BPF_PROG_TYPE_XDP,
		6859	},
		6860	{
		6861	"XDP pkt read, pkt_data' < pkt_end, bad access 2",
		6862	.insns = {
		6863	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6864	offsetof(struct xdp_md, data)),
		6865	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6866	offsetof(struct xdp_md, data_end)),
		6867	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6868	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6869	BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
		6870	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6871	BPF_MOV64_IMM(BPF_REG_0, 0),
		6872	BPF_EXIT_INSN(),
		6873	},
		6874	.errstr = "R1 offset is outside of the packet",
		6875	.result = REJECT,
		6876	.prog_type = BPF_PROG_TYPE_XDP,
		6877	},
		6878	{
		6879	"XDP pkt read, pkt_end < pkt_data', good access",
		6880	.insns = {
		6881	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6882	offsetof(struct xdp_md, data)),
		6883	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6884	offsetof(struct xdp_md, data_end)),
		6885	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6886	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6887	BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
		6888	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6889	BPF_MOV64_IMM(BPF_REG_0, 0),
		6890	BPF_EXIT_INSN(),
		6891	},
		6892	.result = ACCEPT,
		6893	.prog_type = BPF_PROG_TYPE_XDP,
		6894	},
		6895	{
		6896	"XDP pkt read, pkt_end < pkt_data', bad access 1",
		6897	.insns = {
		6898	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6899	offsetof(struct xdp_md, data)),
		6900	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6901	offsetof(struct xdp_md, data_end)),
		6902	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6903	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6904	BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 1),
		6905	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
		6906	BPF_MOV64_IMM(BPF_REG_0, 0),
		6907	BPF_EXIT_INSN(),
		6908	},
		6909	.errstr = "R1 offset is outside of the packet",
		6910	.result = REJECT,
		6911	.prog_type = BPF_PROG_TYPE_XDP,
		6912	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		6913	},
		6914	{
		6915	"XDP pkt read, pkt_end < pkt_data', bad access 2",
		6916	.insns = {
		6917	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6918	offsetof(struct xdp_md, data)),
		6919	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6920	offsetof(struct xdp_md, data_end)),
		6921	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6922	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6923	BPF_JMP_REG(BPF_JLT, BPF_REG_3, BPF_REG_1, 0),
		6924	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6925	BPF_MOV64_IMM(BPF_REG_0, 0),
		6926	BPF_EXIT_INSN(),
		6927	},
		6928	.errstr = "R1 offset is outside of the packet",
		6929	.result = REJECT,
		6930	.prog_type = BPF_PROG_TYPE_XDP,
		6931	},
		6932	{
		6933	"XDP pkt read, pkt_data' >= pkt_end, good access",
		6934	.insns = {
		6935	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6936	offsetof(struct xdp_md, data)),
		6937	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6938	offsetof(struct xdp_md, data_end)),
		6939	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6940	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6941	BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
		6942	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
		6943	BPF_MOV64_IMM(BPF_REG_0, 0),
		6944	BPF_EXIT_INSN(),
		6945	},
		6946	.result = ACCEPT,
		6947	.prog_type = BPF_PROG_TYPE_XDP,
		6948	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		6949	},
		6950	{
		6951	"XDP pkt read, pkt_data' >= pkt_end, bad access 1",
		6952	.insns = {
		6953	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6954	offsetof(struct xdp_md, data)),
		6955	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6956	offsetof(struct xdp_md, data_end)),
		6957	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6958	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6959	BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
		6960	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6961	BPF_MOV64_IMM(BPF_REG_0, 0),
		6962	BPF_EXIT_INSN(),
		6963	},
		6964	.errstr = "R1 offset is outside of the packet",
		6965	.result = REJECT,
		6966	.prog_type = BPF_PROG_TYPE_XDP,
		6967	},
		6968	{
		6969	"XDP pkt read, pkt_data' >= pkt_end, bad access 2",
		6970	.insns = {
		6971	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6972	offsetof(struct xdp_md, data)),
		6973	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6974	offsetof(struct xdp_md, data_end)),
		6975	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6976	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6977	BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 0),
		6978	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
		6979	BPF_MOV64_IMM(BPF_REG_0, 0),
		6980	BPF_EXIT_INSN(),
		6981	},
		6982	.errstr = "R1 offset is outside of the packet",
		6983	.result = REJECT,
		6984	.prog_type = BPF_PROG_TYPE_XDP,
		6985	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		6986	},
		6987	{
		6988	"XDP pkt read, pkt_end >= pkt_data', good access",
		6989	.insns = {
		6990	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		6991	offsetof(struct xdp_md, data)),
		6992	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		6993	offsetof(struct xdp_md, data_end)),
		6994	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		6995	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		6996	BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
		6997	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
		6998	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		6999	BPF_MOV64_IMM(BPF_REG_0, 0),
		7000	BPF_EXIT_INSN(),
		7001	},
		7002	.result = ACCEPT,
		7003	.prog_type = BPF_PROG_TYPE_XDP,
		7004	},
		7005	{
		7006	"XDP pkt read, pkt_end >= pkt_data', bad access 1",
		7007	.insns = {
		7008	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		7009	offsetof(struct xdp_md, data)),
		7010	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		7011	offsetof(struct xdp_md, data_end)),
		7012	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		7013	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		7014	BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
		7015	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
		7016	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
		7017	BPF_MOV64_IMM(BPF_REG_0, 0),
		7018	BPF_EXIT_INSN(),
		7019	},
		7020	.errstr = "R1 offset is outside of the packet",
		7021	.result = REJECT,
		7022	.prog_type = BPF_PROG_TYPE_XDP,
		7023	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		7024	},
		7025	{
		7026	"XDP pkt read, pkt_end >= pkt_data', bad access 2",
		7027	.insns = {
		7028	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		7029	offsetof(struct xdp_md, data)),
		7030	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		7031	offsetof(struct xdp_md, data_end)),
		7032	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		7033	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		7034	BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 1),
		7035	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		7036	BPF_MOV64_IMM(BPF_REG_0, 0),
		7037	BPF_EXIT_INSN(),
		7038	},
		7039	.errstr = "R1 offset is outside of the packet",
		7040	.result = REJECT,
		7041	.prog_type = BPF_PROG_TYPE_XDP,
		7042	},
		7043	{
		7044	"XDP pkt read, pkt_data' <= pkt_end, good access",
		7045	.insns = {
		7046	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		7047	offsetof(struct xdp_md, data)),
		7048	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		7049	offsetof(struct xdp_md, data_end)),
		7050	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		7051	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		7052	BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
		7053	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
		7054	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		7055	BPF_MOV64_IMM(BPF_REG_0, 0),
		7056	BPF_EXIT_INSN(),
		7057	},
		7058	.result = ACCEPT,
		7059	.prog_type = BPF_PROG_TYPE_XDP,
		7060	},
		7061	{
		7062	"XDP pkt read, pkt_data' <= pkt_end, bad access 1",
		7063	.insns = {
		7064	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		7065	offsetof(struct xdp_md, data)),
		7066	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		7067	offsetof(struct xdp_md, data_end)),
		7068	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		7069	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		7070	BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
		7071	BPF_JMP_IMM(BPF_JA, 0, 0, 1),
		7072	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -4),
		7073	BPF_MOV64_IMM(BPF_REG_0, 0),
		7074	BPF_EXIT_INSN(),
		7075	},
		7076	.errstr = "R1 offset is outside of the packet",
		7077	.result = REJECT,
		7078	.prog_type = BPF_PROG_TYPE_XDP,
		7079	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		7080	},
		7081	{
		7082	"XDP pkt read, pkt_data' <= pkt_end, bad access 2",
		7083	.insns = {
		7084	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		7085	offsetof(struct xdp_md, data)),
		7086	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		7087	offsetof(struct xdp_md, data_end)),
		7088	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		7089	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		7090	BPF_JMP_REG(BPF_JLE, BPF_REG_1, BPF_REG_3, 1),
		7091	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		7092	BPF_MOV64_IMM(BPF_REG_0, 0),
		7093	BPF_EXIT_INSN(),
		7094	},
		7095	.errstr = "R1 offset is outside of the packet",
		7096	.result = REJECT,
		7097	.prog_type = BPF_PROG_TYPE_XDP,
		7098	},
		7099	{
		7100	"XDP pkt read, pkt_end <= pkt_data', good access",
		7101	.insns = {
		7102	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		7103	offsetof(struct xdp_md, data)),
		7104	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		7105	offsetof(struct xdp_md, data_end)),
		7106	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		7107	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		7108	BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
		7109	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
		7110	BPF_MOV64_IMM(BPF_REG_0, 0),
		7111	BPF_EXIT_INSN(),
		7112	},
		7113	.result = ACCEPT,
		7114	.prog_type = BPF_PROG_TYPE_XDP,
		7115	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		7116	},
		7117	{
		7118	"XDP pkt read, pkt_end <= pkt_data', bad access 1",
		7119	.insns = {
		7120	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		7121	offsetof(struct xdp_md, data)),
		7122	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		7123	offsetof(struct xdp_md, data_end)),
		7124	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		7125	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		7126	BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
		7127	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
		7128	BPF_MOV64_IMM(BPF_REG_0, 0),
		7129	BPF_EXIT_INSN(),
		7130	},
		7131	.errstr = "R1 offset is outside of the packet",
		7132	.result = REJECT,
		7133	.prog_type = BPF_PROG_TYPE_XDP,
		7134	},
		7135	{
		7136	"XDP pkt read, pkt_end <= pkt_data', bad access 2",
		7137	.insns = {
		7138	BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1,
		7139	offsetof(struct xdp_md, data)),
		7140	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
		7141	offsetof(struct xdp_md, data_end)),
		7142	BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
		7143	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
		7144	BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 0),
		7145	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, -5),
		7146	BPF_MOV64_IMM(BPF_REG_0, 0),
		7147	BPF_EXIT_INSN(),
		7148	},
		7149	.errstr = "R1 offset is outside of the packet",
		7150	.result = REJECT,
		7151	.prog_type = BPF_PROG_TYPE_XDP,
		7152	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
		7153	},
6674	};	7154	};
6675		7155
6676	static int probe_filter_length(const struct bpf_insn *fp)	7156	static int probe_filter_length(const struct bpf_insn *fp)