• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 {
2 	"helper access to map: full range",
3 	.insns = {
4 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7 	BPF_LD_MAP_FD(BPF_REG_1, 0),
8 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
9 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
10 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11 	BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
12 	BPF_MOV64_IMM(BPF_REG_3, 0),
13 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
14 	BPF_EXIT_INSN(),
15 	},
16 	.fixup_map_hash_48b = { 3 },
17 	.result = ACCEPT,
18 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
19 },
20 {
21 	"helper access to map: partial range",
22 	.insns = {
23 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
24 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
25 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
26 	BPF_LD_MAP_FD(BPF_REG_1, 0),
27 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
28 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
29 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
30 	BPF_MOV64_IMM(BPF_REG_2, 8),
31 	BPF_MOV64_IMM(BPF_REG_3, 0),
32 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
33 	BPF_EXIT_INSN(),
34 	},
35 	.fixup_map_hash_48b = { 3 },
36 	.result = ACCEPT,
37 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
38 },
39 {
40 	"helper access to map: empty range",
41 	.insns = {
42 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
43 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
44 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
45 	BPF_LD_MAP_FD(BPF_REG_1, 0),
46 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
47 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
48 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
49 	BPF_MOV64_IMM(BPF_REG_2, 0),
50 	BPF_EMIT_CALL(BPF_FUNC_trace_printk),
51 	BPF_EXIT_INSN(),
52 	},
53 	.fixup_map_hash_48b = { 3 },
54 	.errstr = "invalid access to map value, value_size=48 off=0 size=0",
55 	.result = REJECT,
56 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
57 },
58 {
59 	"helper access to map: out-of-bound range",
60 	.insns = {
61 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
62 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
63 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
64 	BPF_LD_MAP_FD(BPF_REG_1, 0),
65 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
66 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
67 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
68 	BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
69 	BPF_MOV64_IMM(BPF_REG_3, 0),
70 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
71 	BPF_EXIT_INSN(),
72 	},
73 	.fixup_map_hash_48b = { 3 },
74 	.errstr = "invalid access to map value, value_size=48 off=0 size=56",
75 	.result = REJECT,
76 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
77 },
78 {
79 	"helper access to map: negative range",
80 	.insns = {
81 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
82 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
83 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
84 	BPF_LD_MAP_FD(BPF_REG_1, 0),
85 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
86 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
87 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
88 	BPF_MOV64_IMM(BPF_REG_2, -8),
89 	BPF_MOV64_IMM(BPF_REG_3, 0),
90 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
91 	BPF_EXIT_INSN(),
92 	},
93 	.fixup_map_hash_48b = { 3 },
94 	.errstr = "R2 min value is negative",
95 	.result = REJECT,
96 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
97 },
98 {
99 	"helper access to adjusted map (via const imm): full range",
100 	.insns = {
101 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
102 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
103 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
104 	BPF_LD_MAP_FD(BPF_REG_1, 0),
105 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
106 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
107 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
108 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
109 	BPF_MOV64_IMM(BPF_REG_2,
110 		      sizeof(struct test_val) -	offsetof(struct test_val, foo)),
111 	BPF_MOV64_IMM(BPF_REG_3, 0),
112 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
113 	BPF_EXIT_INSN(),
114 	},
115 	.fixup_map_hash_48b = { 3 },
116 	.result = ACCEPT,
117 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
118 },
119 {
120 	"helper access to adjusted map (via const imm): partial range",
121 	.insns = {
122 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
123 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
124 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
125 	BPF_LD_MAP_FD(BPF_REG_1, 0),
126 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
127 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
128 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
129 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
130 	BPF_MOV64_IMM(BPF_REG_2, 8),
131 	BPF_MOV64_IMM(BPF_REG_3, 0),
132 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
133 	BPF_EXIT_INSN(),
134 	},
135 	.fixup_map_hash_48b = { 3 },
136 	.result = ACCEPT,
137 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
138 },
139 {
140 	"helper access to adjusted map (via const imm): empty range",
141 	.insns = {
142 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
143 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
144 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
145 	BPF_LD_MAP_FD(BPF_REG_1, 0),
146 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
147 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
148 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
149 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
150 	BPF_MOV64_IMM(BPF_REG_2, 0),
151 	BPF_EMIT_CALL(BPF_FUNC_trace_printk),
152 	BPF_EXIT_INSN(),
153 	},
154 	.fixup_map_hash_48b = { 3 },
155 	.errstr = "invalid access to map value, value_size=48 off=4 size=0",
156 	.result = REJECT,
157 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
158 },
159 {
160 	"helper access to adjusted map (via const imm): out-of-bound range",
161 	.insns = {
162 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
163 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
164 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
165 	BPF_LD_MAP_FD(BPF_REG_1, 0),
166 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
167 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
168 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
169 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
170 	BPF_MOV64_IMM(BPF_REG_2,
171 		      sizeof(struct test_val) - offsetof(struct test_val, foo) + 8),
172 	BPF_MOV64_IMM(BPF_REG_3, 0),
173 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
174 	BPF_EXIT_INSN(),
175 	},
176 	.fixup_map_hash_48b = { 3 },
177 	.errstr = "invalid access to map value, value_size=48 off=4 size=52",
178 	.result = REJECT,
179 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
180 },
181 {
182 	"helper access to adjusted map (via const imm): negative range (> adjustment)",
183 	.insns = {
184 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
185 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
186 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
187 	BPF_LD_MAP_FD(BPF_REG_1, 0),
188 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
189 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
190 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
191 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
192 	BPF_MOV64_IMM(BPF_REG_2, -8),
193 	BPF_MOV64_IMM(BPF_REG_3, 0),
194 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
195 	BPF_EXIT_INSN(),
196 	},
197 	.fixup_map_hash_48b = { 3 },
198 	.errstr = "R2 min value is negative",
199 	.result = REJECT,
200 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
201 },
202 {
203 	"helper access to adjusted map (via const imm): negative range (< adjustment)",
204 	.insns = {
205 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
206 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
207 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
208 	BPF_LD_MAP_FD(BPF_REG_1, 0),
209 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
210 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
211 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
212 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
213 	BPF_MOV64_IMM(BPF_REG_2, -1),
214 	BPF_MOV64_IMM(BPF_REG_3, 0),
215 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
216 	BPF_EXIT_INSN(),
217 	},
218 	.fixup_map_hash_48b = { 3 },
219 	.errstr = "R2 min value is negative",
220 	.result = REJECT,
221 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
222 },
223 {
224 	"helper access to adjusted map (via const reg): full range",
225 	.insns = {
226 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
227 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
228 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
229 	BPF_LD_MAP_FD(BPF_REG_1, 0),
230 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
231 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
232 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
233 	BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
234 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
235 	BPF_MOV64_IMM(BPF_REG_2,
236 		      sizeof(struct test_val) - offsetof(struct test_val, foo)),
237 	BPF_MOV64_IMM(BPF_REG_3, 0),
238 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
239 	BPF_EXIT_INSN(),
240 	},
241 	.fixup_map_hash_48b = { 3 },
242 	.result = ACCEPT,
243 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
244 },
245 {
246 	"helper access to adjusted map (via const reg): partial range",
247 	.insns = {
248 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
249 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
250 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
251 	BPF_LD_MAP_FD(BPF_REG_1, 0),
252 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
253 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
254 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
255 	BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
256 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
257 	BPF_MOV64_IMM(BPF_REG_2, 8),
258 	BPF_MOV64_IMM(BPF_REG_3, 0),
259 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
260 	BPF_EXIT_INSN(),
261 	},
262 	.fixup_map_hash_48b = { 3 },
263 	.result = ACCEPT,
264 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
265 },
266 {
267 	"helper access to adjusted map (via const reg): empty range",
268 	.insns = {
269 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
270 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
271 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
272 	BPF_LD_MAP_FD(BPF_REG_1, 0),
273 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
274 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
275 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
276 	BPF_MOV64_IMM(BPF_REG_3, 0),
277 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
278 	BPF_MOV64_IMM(BPF_REG_2, 0),
279 	BPF_EMIT_CALL(BPF_FUNC_trace_printk),
280 	BPF_EXIT_INSN(),
281 	},
282 	.fixup_map_hash_48b = { 3 },
283 	.errstr = "R1 min value is outside of the allowed memory range",
284 	.result = REJECT,
285 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
286 },
287 {
288 	"helper access to adjusted map (via const reg): out-of-bound range",
289 	.insns = {
290 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
291 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
292 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
293 	BPF_LD_MAP_FD(BPF_REG_1, 0),
294 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
295 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
296 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
297 	BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
298 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
299 	BPF_MOV64_IMM(BPF_REG_2,
300 		      sizeof(struct test_val) -
301 		      offsetof(struct test_val, foo) + 8),
302 	BPF_MOV64_IMM(BPF_REG_3, 0),
303 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
304 	BPF_EXIT_INSN(),
305 	},
306 	.fixup_map_hash_48b = { 3 },
307 	.errstr = "invalid access to map value, value_size=48 off=4 size=52",
308 	.result = REJECT,
309 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
310 },
311 {
312 	"helper access to adjusted map (via const reg): negative range (> adjustment)",
313 	.insns = {
314 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
315 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
316 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
317 	BPF_LD_MAP_FD(BPF_REG_1, 0),
318 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
319 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
320 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
321 	BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
322 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
323 	BPF_MOV64_IMM(BPF_REG_2, -8),
324 	BPF_MOV64_IMM(BPF_REG_3, 0),
325 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
326 	BPF_EXIT_INSN(),
327 	},
328 	.fixup_map_hash_48b = { 3 },
329 	.errstr = "R2 min value is negative",
330 	.result = REJECT,
331 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
332 },
333 {
334 	"helper access to adjusted map (via const reg): negative range (< adjustment)",
335 	.insns = {
336 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
337 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
338 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
339 	BPF_LD_MAP_FD(BPF_REG_1, 0),
340 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
341 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
342 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
343 	BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
344 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
345 	BPF_MOV64_IMM(BPF_REG_2, -1),
346 	BPF_MOV64_IMM(BPF_REG_3, 0),
347 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
348 	BPF_EXIT_INSN(),
349 	},
350 	.fixup_map_hash_48b = { 3 },
351 	.errstr = "R2 min value is negative",
352 	.result = REJECT,
353 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
354 },
355 {
356 	"helper access to adjusted map (via variable): full range",
357 	.insns = {
358 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
359 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
360 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
361 	BPF_LD_MAP_FD(BPF_REG_1, 0),
362 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
363 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
364 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
365 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
366 	BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 4),
367 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
368 	BPF_MOV64_IMM(BPF_REG_2,
369 		      sizeof(struct test_val) - offsetof(struct test_val, foo)),
370 	BPF_MOV64_IMM(BPF_REG_3, 0),
371 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
372 	BPF_EXIT_INSN(),
373 	},
374 	.fixup_map_hash_48b = { 3 },
375 	.result = ACCEPT,
376 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
377 },
378 {
379 	"helper access to adjusted map (via variable): partial range",
380 	.insns = {
381 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
382 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
383 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
384 	BPF_LD_MAP_FD(BPF_REG_1, 0),
385 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
386 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
387 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
388 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
389 	BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 4),
390 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
391 	BPF_MOV64_IMM(BPF_REG_2, 8),
392 	BPF_MOV64_IMM(BPF_REG_3, 0),
393 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
394 	BPF_EXIT_INSN(),
395 	},
396 	.fixup_map_hash_48b = { 3 },
397 	.result = ACCEPT,
398 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
399 },
400 {
401 	"helper access to adjusted map (via variable): empty range",
402 	.insns = {
403 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
404 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
405 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
406 	BPF_LD_MAP_FD(BPF_REG_1, 0),
407 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
408 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
409 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
410 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
411 	BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 3),
412 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
413 	BPF_MOV64_IMM(BPF_REG_2, 0),
414 	BPF_EMIT_CALL(BPF_FUNC_trace_printk),
415 	BPF_EXIT_INSN(),
416 	},
417 	.fixup_map_hash_48b = { 3 },
418 	.errstr = "R1 min value is outside of the allowed memory range",
419 	.result = REJECT,
420 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
421 },
422 {
423 	"helper access to adjusted map (via variable): no max check",
424 	.insns = {
425 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
426 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
427 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
428 	BPF_LD_MAP_FD(BPF_REG_1, 0),
429 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
430 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
431 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
432 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
433 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
434 	BPF_MOV64_IMM(BPF_REG_2, 1),
435 	BPF_MOV64_IMM(BPF_REG_3, 0),
436 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
437 	BPF_EXIT_INSN(),
438 	},
439 	.fixup_map_hash_48b = { 3 },
440 	.errstr = "R1 unbounded memory access",
441 	.result = REJECT,
442 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
443 },
444 {
445 	"helper access to adjusted map (via variable): wrong max check",
446 	.insns = {
447 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
448 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
449 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
450 	BPF_LD_MAP_FD(BPF_REG_1, 0),
451 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
452 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
453 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
454 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
455 	BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 4),
456 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
457 	BPF_MOV64_IMM(BPF_REG_2,
458 		      sizeof(struct test_val) -
459 		      offsetof(struct test_val, foo) + 1),
460 	BPF_MOV64_IMM(BPF_REG_3, 0),
461 	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
462 	BPF_EXIT_INSN(),
463 	},
464 	.fixup_map_hash_48b = { 3 },
465 	.errstr = "invalid access to map value, value_size=48 off=4 size=45",
466 	.result = REJECT,
467 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
468 },
469 {
470 	"helper access to map: bounds check using <, good access",
471 	.insns = {
472 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
473 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
474 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
475 	BPF_LD_MAP_FD(BPF_REG_1, 0),
476 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
477 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
478 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
479 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
480 	BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
481 	BPF_MOV64_IMM(BPF_REG_0, 0),
482 	BPF_EXIT_INSN(),
483 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
484 	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
485 	BPF_MOV64_IMM(BPF_REG_0, 0),
486 	BPF_EXIT_INSN(),
487 	},
488 	.fixup_map_hash_48b = { 3 },
489 	.result = ACCEPT,
490 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
491 },
492 {
493 	"helper access to map: bounds check using <, bad access",
494 	.insns = {
495 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
496 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
497 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
498 	BPF_LD_MAP_FD(BPF_REG_1, 0),
499 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
500 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
501 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
502 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
503 	BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
504 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
505 	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
506 	BPF_MOV64_IMM(BPF_REG_0, 0),
507 	BPF_EXIT_INSN(),
508 	BPF_MOV64_IMM(BPF_REG_0, 0),
509 	BPF_EXIT_INSN(),
510 	},
511 	.fixup_map_hash_48b = { 3 },
512 	.result = REJECT,
513 	.errstr = "R1 unbounded memory access",
514 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
515 },
516 {
517 	"helper access to map: bounds check using <=, good access",
518 	.insns = {
519 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
520 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
521 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
522 	BPF_LD_MAP_FD(BPF_REG_1, 0),
523 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
524 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
525 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
526 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
527 	BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
528 	BPF_MOV64_IMM(BPF_REG_0, 0),
529 	BPF_EXIT_INSN(),
530 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
531 	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
532 	BPF_MOV64_IMM(BPF_REG_0, 0),
533 	BPF_EXIT_INSN(),
534 	},
535 	.fixup_map_hash_48b = { 3 },
536 	.result = ACCEPT,
537 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
538 },
539 {
540 	"helper access to map: bounds check using <=, bad access",
541 	.insns = {
542 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
543 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
544 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
545 	BPF_LD_MAP_FD(BPF_REG_1, 0),
546 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
547 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
548 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
549 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
550 	BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
551 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
552 	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
553 	BPF_MOV64_IMM(BPF_REG_0, 0),
554 	BPF_EXIT_INSN(),
555 	BPF_MOV64_IMM(BPF_REG_0, 0),
556 	BPF_EXIT_INSN(),
557 	},
558 	.fixup_map_hash_48b = { 3 },
559 	.result = REJECT,
560 	.errstr = "R1 unbounded memory access",
561 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
562 },
563 {
564 	"helper access to map: bounds check using s<, good access",
565 	.insns = {
566 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
567 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
568 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
569 	BPF_LD_MAP_FD(BPF_REG_1, 0),
570 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
571 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
572 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
573 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
574 	BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
575 	BPF_MOV64_IMM(BPF_REG_0, 0),
576 	BPF_EXIT_INSN(),
577 	BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
578 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
579 	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
580 	BPF_MOV64_IMM(BPF_REG_0, 0),
581 	BPF_EXIT_INSN(),
582 	},
583 	.fixup_map_hash_48b = { 3 },
584 	.result = ACCEPT,
585 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
586 },
587 {
588 	"helper access to map: bounds check using s<, good access 2",
589 	.insns = {
590 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
591 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
592 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
593 	BPF_LD_MAP_FD(BPF_REG_1, 0),
594 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
595 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
596 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
597 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
598 	BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
599 	BPF_MOV64_IMM(BPF_REG_0, 0),
600 	BPF_EXIT_INSN(),
601 	BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
602 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
603 	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
604 	BPF_MOV64_IMM(BPF_REG_0, 0),
605 	BPF_EXIT_INSN(),
606 	},
607 	.fixup_map_hash_48b = { 3 },
608 	.result = ACCEPT,
609 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
610 },
611 {
612 	"helper access to map: bounds check using s<, bad access",
613 	.insns = {
614 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
615 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
616 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
617 	BPF_LD_MAP_FD(BPF_REG_1, 0),
618 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
619 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
620 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
621 	BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
622 	BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
623 	BPF_MOV64_IMM(BPF_REG_0, 0),
624 	BPF_EXIT_INSN(),
625 	BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
626 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
627 	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
628 	BPF_MOV64_IMM(BPF_REG_0, 0),
629 	BPF_EXIT_INSN(),
630 	},
631 	.fixup_map_hash_48b = { 3 },
632 	.result = REJECT,
633 	.errstr = "R1 min value is negative",
634 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
635 },
636 {
637 	"helper access to map: bounds check using s<=, good access",
638 	.insns = {
639 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
640 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
641 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
642 	BPF_LD_MAP_FD(BPF_REG_1, 0),
643 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
644 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
645 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
646 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
647 	BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
648 	BPF_MOV64_IMM(BPF_REG_0, 0),
649 	BPF_EXIT_INSN(),
650 	BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
651 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
652 	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
653 	BPF_MOV64_IMM(BPF_REG_0, 0),
654 	BPF_EXIT_INSN(),
655 	},
656 	.fixup_map_hash_48b = { 3 },
657 	.result = ACCEPT,
658 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
659 },
660 {
661 	"helper access to map: bounds check using s<=, good access 2",
662 	.insns = {
663 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
664 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
665 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
666 	BPF_LD_MAP_FD(BPF_REG_1, 0),
667 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
668 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
669 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
670 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
671 	BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
672 	BPF_MOV64_IMM(BPF_REG_0, 0),
673 	BPF_EXIT_INSN(),
674 	BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
675 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
676 	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
677 	BPF_MOV64_IMM(BPF_REG_0, 0),
678 	BPF_EXIT_INSN(),
679 	},
680 	.fixup_map_hash_48b = { 3 },
681 	.result = ACCEPT,
682 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
683 },
684 {
685 	"helper access to map: bounds check using s<=, bad access",
686 	.insns = {
687 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
688 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
689 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
690 	BPF_LD_MAP_FD(BPF_REG_1, 0),
691 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
692 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
693 	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
694 	BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
695 	BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
696 	BPF_MOV64_IMM(BPF_REG_0, 0),
697 	BPF_EXIT_INSN(),
698 	BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
699 	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
700 	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
701 	BPF_MOV64_IMM(BPF_REG_0, 0),
702 	BPF_EXIT_INSN(),
703 	},
704 	.fixup_map_hash_48b = { 3 },
705 	.result = REJECT,
706 	.errstr = "R1 min value is negative",
707 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
708 },
709 {
710 	"map lookup helper access to map",
711 	.insns = {
712 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
713 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
714 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
715 	BPF_LD_MAP_FD(BPF_REG_1, 0),
716 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
717 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
718 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
719 	BPF_LD_MAP_FD(BPF_REG_1, 0),
720 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
721 	BPF_EXIT_INSN(),
722 	},
723 	.fixup_map_hash_16b = { 3, 8 },
724 	.result = ACCEPT,
725 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
726 },
727 {
728 	"map update helper access to map",
729 	.insns = {
730 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
731 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
732 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
733 	BPF_LD_MAP_FD(BPF_REG_1, 0),
734 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
735 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
736 	BPF_MOV64_IMM(BPF_REG_4, 0),
737 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
738 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
739 	BPF_LD_MAP_FD(BPF_REG_1, 0),
740 	BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
741 	BPF_EXIT_INSN(),
742 	},
743 	.fixup_map_hash_16b = { 3, 10 },
744 	.result = ACCEPT,
745 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
746 },
747 {
748 	"map update helper access to map: wrong size",
749 	.insns = {
750 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
751 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
752 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
753 	BPF_LD_MAP_FD(BPF_REG_1, 0),
754 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
755 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
756 	BPF_MOV64_IMM(BPF_REG_4, 0),
757 	BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
758 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
759 	BPF_LD_MAP_FD(BPF_REG_1, 0),
760 	BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
761 	BPF_EXIT_INSN(),
762 	},
763 	.fixup_map_hash_8b = { 3 },
764 	.fixup_map_hash_16b = { 10 },
765 	.result = REJECT,
766 	.errstr = "invalid access to map value, value_size=8 off=0 size=16",
767 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
768 },
769 {
770 	"map helper access to adjusted map (via const imm)",
771 	.insns = {
772 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
773 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
774 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
775 	BPF_LD_MAP_FD(BPF_REG_1, 0),
776 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
777 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
778 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
779 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, offsetof(struct other_val, bar)),
780 	BPF_LD_MAP_FD(BPF_REG_1, 0),
781 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
782 	BPF_EXIT_INSN(),
783 	},
784 	.fixup_map_hash_16b = { 3, 9 },
785 	.result = ACCEPT,
786 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
787 },
788 {
789 	"map helper access to adjusted map (via const imm): out-of-bound 1",
790 	.insns = {
791 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
792 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
793 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
794 	BPF_LD_MAP_FD(BPF_REG_1, 0),
795 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
796 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
797 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
798 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, sizeof(struct other_val) - 4),
799 	BPF_LD_MAP_FD(BPF_REG_1, 0),
800 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
801 	BPF_EXIT_INSN(),
802 	},
803 	.fixup_map_hash_16b = { 3, 9 },
804 	.result = REJECT,
805 	.errstr = "invalid access to map value, value_size=16 off=12 size=8",
806 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
807 },
808 {
809 	"map helper access to adjusted map (via const imm): out-of-bound 2",
810 	.insns = {
811 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
812 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
813 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
814 	BPF_LD_MAP_FD(BPF_REG_1, 0),
815 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
816 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
817 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
818 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
819 	BPF_LD_MAP_FD(BPF_REG_1, 0),
820 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
821 	BPF_EXIT_INSN(),
822 	},
823 	.fixup_map_hash_16b = { 3, 9 },
824 	.result = REJECT,
825 	.errstr = "invalid access to map value, value_size=16 off=-4 size=8",
826 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
827 },
828 {
829 	"map helper access to adjusted map (via const reg)",
830 	.insns = {
831 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
832 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
833 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
834 	BPF_LD_MAP_FD(BPF_REG_1, 0),
835 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
836 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
837 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
838 	BPF_MOV64_IMM(BPF_REG_3, offsetof(struct other_val, bar)),
839 	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
840 	BPF_LD_MAP_FD(BPF_REG_1, 0),
841 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
842 	BPF_EXIT_INSN(),
843 	},
844 	.fixup_map_hash_16b = { 3, 10 },
845 	.result = ACCEPT,
846 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
847 },
848 {
849 	"map helper access to adjusted map (via const reg): out-of-bound 1",
850 	.insns = {
851 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
852 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
853 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
854 	BPF_LD_MAP_FD(BPF_REG_1, 0),
855 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
856 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
857 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
858 	BPF_MOV64_IMM(BPF_REG_3, sizeof(struct other_val) - 4),
859 	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
860 	BPF_LD_MAP_FD(BPF_REG_1, 0),
861 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
862 	BPF_EXIT_INSN(),
863 	},
864 	.fixup_map_hash_16b = { 3, 10 },
865 	.result = REJECT,
866 	.errstr = "invalid access to map value, value_size=16 off=12 size=8",
867 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
868 },
869 {
870 	"map helper access to adjusted map (via const reg): out-of-bound 2",
871 	.insns = {
872 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
873 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
874 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
875 	BPF_LD_MAP_FD(BPF_REG_1, 0),
876 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
877 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
878 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
879 	BPF_MOV64_IMM(BPF_REG_3, -4),
880 	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
881 	BPF_LD_MAP_FD(BPF_REG_1, 0),
882 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
883 	BPF_EXIT_INSN(),
884 	},
885 	.fixup_map_hash_16b = { 3, 10 },
886 	.result = REJECT,
887 	.errstr = "invalid access to map value, value_size=16 off=-4 size=8",
888 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
889 },
890 {
891 	"map helper access to adjusted map (via variable)",
892 	.insns = {
893 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
894 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
895 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
896 	BPF_LD_MAP_FD(BPF_REG_1, 0),
897 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
898 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
899 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
900 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
901 	BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct other_val, bar), 4),
902 	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
903 	BPF_LD_MAP_FD(BPF_REG_1, 0),
904 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
905 	BPF_EXIT_INSN(),
906 	},
907 	.fixup_map_hash_16b = { 3, 11 },
908 	.result = ACCEPT,
909 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
910 },
911 {
912 	"map helper access to adjusted map (via variable): no max check",
913 	.insns = {
914 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
915 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
916 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
917 	BPF_LD_MAP_FD(BPF_REG_1, 0),
918 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
919 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
920 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
921 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
922 	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
923 	BPF_LD_MAP_FD(BPF_REG_1, 0),
924 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
925 	BPF_EXIT_INSN(),
926 	},
927 	.fixup_map_hash_16b = { 3, 10 },
928 	.result = REJECT,
929 	.errstr = "R2 unbounded memory access, make sure to bounds check any such access",
930 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
931 },
932 {
933 	"map helper access to adjusted map (via variable): wrong max check",
934 	.insns = {
935 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
936 	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
937 	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
938 	BPF_LD_MAP_FD(BPF_REG_1, 0),
939 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
940 	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
941 	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
942 	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
943 	BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct other_val, bar) + 1, 4),
944 	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
945 	BPF_LD_MAP_FD(BPF_REG_1, 0),
946 	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
947 	BPF_EXIT_INSN(),
948 	},
949 	.fixup_map_hash_16b = { 3, 11 },
950 	.result = REJECT,
951 	.errstr = "invalid access to map value, value_size=16 off=9 size=8",
952 	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
953 },
954