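{
	/* A full 8-byte spill of the context pointer followed by a full
	 * 8-byte fill of the same slot, with the filled value returned in R0.
	 *
	 * Expected outcome (from the fields below):
	 *  - privileged load: ACCEPT, and the return value is a pointer
	 *    (POINTER_VALUE), i.e. the fill keeps the pointer-ness of R1.
	 *  - unprivileged load: REJECT with "R0 leaks addr", because
	 *    returning the filled pointer would expose a kernel address
	 *    to an unprivileged loader.
	 */
	"check valid spill/fill",
	.insns = {
	/* spill R1(ctx) into the stack slot at R10 - 8 */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* fill it back into R2 */
	BPF_LDX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, -8),
	/* should be able to access R0 = *(R2 + 8) */
	/* BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_2, 8), */
	/* the dereference above is disabled; the filled value itself is
	 * returned instead, which is what triggers the unprivileged
	 * "leaks addr" check
	 */
	BPF_MOV64_REG(BPF_REG_0, BPF_REG_2),
	BPF_EXIT_INSN(),
	},
	.errstr_unpriv = "R0 leaks addr",
	.result = ACCEPT,
	.result_unpriv = REJECT,
	.retval = POINTER_VALUE,
},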
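{
	/* Spill a copy of the context pointer, fill it back and use the
	 * filled value as the base of a context field load.
	 *
	 * Accepted for both privileged and unprivileged loads: R0 ends up
	 * holding the 32-bit value read from __sk_buff.mark rather than the
	 * pointer, so (presumably) there is no address to leak - compare
	 * with "check valid spill/fill", where the pointer itself is
	 * returned and the unprivileged load is rejected.
	 */
	"check valid spill/fill, skb mark",
	.insns = {
	/* R6 = R1(ctx) */
	BPF_ALU64_REG(BPF_MOV, BPF_REG_6, BPF_REG_1),
	/* spill R6 into the stack slot at R10 - 8 */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
	/* fill the slot back into R0 */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	/* R0 = *(u32 *)(R0 + offsetof(struct __sk_buff, mark)); only
	 * allowed if the fill preserved the pointer type of the slot
	 */
	BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0,
		    offsetof(struct __sk_buff, mark)),
	BPF_EXIT_INSN(),
	},
	.result = ACCEPT,
	.result_unpriv = ACCEPT,
},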
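{
	/* Spill/fill of a pointer to ringbuf memory returned by
	 * BPF_FUNC_ringbuf_reserve. After the fill the program writes
	 * through the filled pointer and passes it to
	 * BPF_FUNC_ringbuf_submit, so the test only passes if the filled
	 * register is still treated as the reserved memory.
	 *
	 * Accepted for both privileged and unprivileged loads; R0 is set
	 * to 0 before exit, so no pointer is returned.
	 */
	"check valid spill/fill, ptr to mem",
	.insns = {
	/* zero the 8-byte stack slot at R10 - 8 that is used for the
	 * spill below
	 */
	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
	/* reserve 8 byte ringbuf memory: R1 = map, R2 = size, R3 = flags */
	BPF_LD_MAP_FD(BPF_REG_1, 0),
	BPF_MOV64_IMM(BPF_REG_2, 8),
	BPF_MOV64_IMM(BPF_REG_3, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_reserve),
	/* store a pointer to the reserved memory in R6 */
	BPF_MOV64_REG(BPF_REG_6, BPF_REG_0),
	/* check whether the reservation was successful; on R0 == 0 skip
	 * the next 6 instructions and land on "R0 = 0" before exit
	 */
	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
	/* spill R6(mem) into the stack */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_6, -8),
	/* fill it back in R7 */
	BPF_LDX_MEM(BPF_DW, BPF_REG_7, BPF_REG_10, -8),
	/* should be able to access *(R7) = 0 */
	BPF_ST_MEM(BPF_DW, BPF_REG_7, 0, 0),
	/* submit the reserved ringbuf memory */
	BPF_MOV64_REG(BPF_REG_1, BPF_REG_7),
	BPF_MOV64_IMM(BPF_REG_2, 0),
	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_ringbuf_submit),
	/* return 0 on both the success and the failed-reservation path */
	BPF_MOV64_IMM(BPF_REG_0, 0),
	BPF_EXIT_INSN(),
	},
	/* presumably the instruction index of the BPF_LD_MAP_FD whose map
	 * fd the harness patches with a ringbuf map - confirm against the
	 * test runner
	 */
	.fixup_map_ringbuf = { 1 },
	.result = ACCEPT,
	.result_unpriv = ACCEPT,
},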
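{
	/* Partially overwrite a spilled pointer with a 1-byte store, then
	 * fill the slot and try to dereference the result.
	 *
	 * Expected outcome (from the fields below):
	 *  - unprivileged load: error "attempt to corrupt spilled", i.e.
	 *    the partial overwrite of the spilled pointer is refused.
	 *  - privileged load: the overwrite and the fill go through, but
	 *    the filled value is a scalar, so the following load through
	 *    R0 fails with "R0 invalid mem access 'inv".
	 * Only .result = REJECT is given; presumably the harness applies it
	 * to the unprivileged run as well - confirm against the test runner.
	 *
	 * The property under test: a pointer whose spilled bytes were
	 * modified must not be usable as a pointer after the fill.
	 */
	"check corrupted spill/fill",
	.insns = {
	/* spill R1(ctx) into stack */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* overwrite one byte (R10 - 7) inside the spilled R1 pointer */
	BPF_ST_MEM(BPF_B, BPF_REG_10, -7, 0x23),
	/* fill back into R0 is fine for priv.
	 * R0 now becomes SCALAR_VALUE.
	 */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	/* Load from R0 should fail. */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, 8),
	BPF_EXIT_INSN(),
	},
	.errstr_unpriv = "attempt to corrupt spilled",
	.errstr = "R0 invalid mem access 'inv",
	.result = REJECT,
	/* NOTE(review): presumably needed because the expected messages
	 * depend on the byte store at the odd offset -7 not being rejected
	 * for alignment first - confirm against the harness
	 */
	.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
},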
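{
	/* Overwrite the two bytes at R10 - 8 .. R10 - 7 of a spilled
	 * pointer (the bytes the test name calls the LSB), then fill the
	 * slot into R0 and return it without dereferencing.
	 *
	 * Expected outcome (from the fields below):
	 *  - unprivileged load: REJECT with "attempt to corrupt spilled".
	 *  - privileged load: ACCEPT, with the return value checked as
	 *    POINTER_VALUE by the harness.
	 */
	"check corrupted spill/fill, LSB",
	.insns = {
	/* spill R1 into the stack slot at R10 - 8 */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* 2-byte store over the start of the spilled slot */
	BPF_ST_MEM(BPF_H, BPF_REG_10, -8, 0xcafe),
	/* fill the whole 8-byte slot into R0 and return it */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	BPF_EXIT_INSN(),
	},
	.errstr_unpriv = "attempt to corrupt spilled",
	.result_unpriv = REJECT,
	.result = ACCEPT,
	.retval = POINTER_VALUE,
},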
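{
	/* Overwrite the four bytes at R10 - 4 .. R10 - 1 of a spilled
	 * pointer (the bytes the test name calls the MSB), then fill the
	 * slot into R0 and return it without dereferencing.
	 *
	 * Expected outcome (from the fields below):
	 *  - unprivileged load: REJECT with "attempt to corrupt spilled".
	 *  - privileged load: ACCEPT, with the return value checked as
	 *    POINTER_VALUE by the harness.
	 */
	"check corrupted spill/fill, MSB",
	.insns = {
	/* spill R1 into the stack slot at R10 - 8 */
	BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -8),
	/* 4-byte store over the upper half of the spilled slot */
	BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0x12345678),
	/* fill the whole 8-byte slot into R0 and return it */
	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_10, -8),
	BPF_EXIT_INSN(),
	},
	.errstr_unpriv = "attempt to corrupt spilled",
	.result_unpriv = REJECT,
	.result = ACCEPT,
	.retval = POINTER_VALUE,
},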