1{
2	"helper access to map: full range",
3	.insns = {
4	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
5	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
6	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
7	BPF_LD_MAP_FD(BPF_REG_1, 0),
8	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
9	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
10	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
11	BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val)),
12	BPF_MOV64_IMM(BPF_REG_3, 0),
13	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
14	BPF_EXIT_INSN(),
15	},
16	.fixup_map_hash_48b = { 3 },
17	.result = ACCEPT,
18	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
19},
20{
21	"helper access to map: partial range",
22	.insns = {
23	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
24	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
25	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
26	BPF_LD_MAP_FD(BPF_REG_1, 0),
27	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
28	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
29	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
30	BPF_MOV64_IMM(BPF_REG_2, 8),
31	BPF_MOV64_IMM(BPF_REG_3, 0),
32	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
33	BPF_EXIT_INSN(),
34	},
35	.fixup_map_hash_48b = { 3 },
36	.result = ACCEPT,
37	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
38},
39{
40	"helper access to map: empty range",
41	.insns = {
42	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
43	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
44	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
45	BPF_LD_MAP_FD(BPF_REG_1, 0),
46	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
47	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),
48	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
49	BPF_MOV64_IMM(BPF_REG_2, 0),
50	BPF_EMIT_CALL(BPF_FUNC_trace_printk),
51	BPF_EXIT_INSN(),
52	},
53	.fixup_map_hash_48b = { 3 },
54	.errstr = "invalid access to map value, value_size=48 off=0 size=0",
55	.result = REJECT,
56	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
57},
58{
59	"helper access to map: out-of-bound range",
60	.insns = {
61	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
62	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
63	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
64	BPF_LD_MAP_FD(BPF_REG_1, 0),
65	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
66	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
67	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
68	BPF_MOV64_IMM(BPF_REG_2, sizeof(struct test_val) + 8),
69	BPF_MOV64_IMM(BPF_REG_3, 0),
70	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
71	BPF_EXIT_INSN(),
72	},
73	.fixup_map_hash_48b = { 3 },
74	.errstr = "invalid access to map value, value_size=48 off=0 size=56",
75	.result = REJECT,
76	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
77},
78{
79	"helper access to map: negative range",
80	.insns = {
81	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
82	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
83	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
84	BPF_LD_MAP_FD(BPF_REG_1, 0),
85	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
86	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
87	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
88	BPF_MOV64_IMM(BPF_REG_2, -8),
89	BPF_MOV64_IMM(BPF_REG_3, 0),
90	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
91	BPF_EXIT_INSN(),
92	},
93	.fixup_map_hash_48b = { 3 },
94	.errstr = "R2 min value is negative",
95	.result = REJECT,
96	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
97},
98{
99	"helper access to adjusted map (via const imm): full range",
100	.insns = {
101	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
102	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
103	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
104	BPF_LD_MAP_FD(BPF_REG_1, 0),
105	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
106	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
107	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
108	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
109	BPF_MOV64_IMM(BPF_REG_2,
110		      sizeof(struct test_val) -	offsetof(struct test_val, foo)),
111	BPF_MOV64_IMM(BPF_REG_3, 0),
112	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
113	BPF_EXIT_INSN(),
114	},
115	.fixup_map_hash_48b = { 3 },
116	.result = ACCEPT,
117	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
118},
119{
120	"helper access to adjusted map (via const imm): partial range",
121	.insns = {
122	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
123	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
124	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
125	BPF_LD_MAP_FD(BPF_REG_1, 0),
126	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
127	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
128	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
129	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
130	BPF_MOV64_IMM(BPF_REG_2, 8),
131	BPF_MOV64_IMM(BPF_REG_3, 0),
132	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
133	BPF_EXIT_INSN(),
134	},
135	.fixup_map_hash_48b = { 3 },
136	.result = ACCEPT,
137	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
138},
139{
140	"helper access to adjusted map (via const imm): empty range",
141	.insns = {
142	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
143	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
144	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
145	BPF_LD_MAP_FD(BPF_REG_1, 0),
146	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
147	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
148	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
149	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
150	BPF_MOV64_IMM(BPF_REG_2, 0),
151	BPF_EMIT_CALL(BPF_FUNC_trace_printk),
152	BPF_EXIT_INSN(),
153	},
154	.fixup_map_hash_48b = { 3 },
155	.errstr = "invalid access to map value, value_size=48 off=4 size=0",
156	.result = REJECT,
157	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
158},
159{
160	"helper access to adjusted map (via const imm): out-of-bound range",
161	.insns = {
162	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
163	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
164	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
165	BPF_LD_MAP_FD(BPF_REG_1, 0),
166	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
167	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
168	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
169	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
170	BPF_MOV64_IMM(BPF_REG_2,
171		      sizeof(struct test_val) - offsetof(struct test_val, foo) + 8),
172	BPF_MOV64_IMM(BPF_REG_3, 0),
173	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
174	BPF_EXIT_INSN(),
175	},
176	.fixup_map_hash_48b = { 3 },
177	.errstr = "invalid access to map value, value_size=48 off=4 size=52",
178	.result = REJECT,
179	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
180},
181{
182	"helper access to adjusted map (via const imm): negative range (> adjustment)",
183	.insns = {
184	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
185	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
186	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
187	BPF_LD_MAP_FD(BPF_REG_1, 0),
188	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
189	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
190	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
191	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
192	BPF_MOV64_IMM(BPF_REG_2, -8),
193	BPF_MOV64_IMM(BPF_REG_3, 0),
194	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
195	BPF_EXIT_INSN(),
196	},
197	.fixup_map_hash_48b = { 3 },
198	.errstr = "R2 min value is negative",
199	.result = REJECT,
200	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
201},
202{
203	"helper access to adjusted map (via const imm): negative range (< adjustment)",
204	.insns = {
205	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
206	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
207	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
208	BPF_LD_MAP_FD(BPF_REG_1, 0),
209	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
210	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
211	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
212	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, offsetof(struct test_val, foo)),
213	BPF_MOV64_IMM(BPF_REG_2, -1),
214	BPF_MOV64_IMM(BPF_REG_3, 0),
215	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
216	BPF_EXIT_INSN(),
217	},
218	.fixup_map_hash_48b = { 3 },
219	.errstr = "R2 min value is negative",
220	.result = REJECT,
221	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
222},
223{
224	"helper access to adjusted map (via const reg): full range",
225	.insns = {
226	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
227	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
228	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
229	BPF_LD_MAP_FD(BPF_REG_1, 0),
230	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
231	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
232	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
233	BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
234	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
235	BPF_MOV64_IMM(BPF_REG_2,
236		      sizeof(struct test_val) - offsetof(struct test_val, foo)),
237	BPF_MOV64_IMM(BPF_REG_3, 0),
238	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
239	BPF_EXIT_INSN(),
240	},
241	.fixup_map_hash_48b = { 3 },
242	.result = ACCEPT,
243	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
244},
245{
246	"helper access to adjusted map (via const reg): partial range",
247	.insns = {
248	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
249	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
250	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
251	BPF_LD_MAP_FD(BPF_REG_1, 0),
252	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
253	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
254	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
255	BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
256	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
257	BPF_MOV64_IMM(BPF_REG_2, 8),
258	BPF_MOV64_IMM(BPF_REG_3, 0),
259	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
260	BPF_EXIT_INSN(),
261	},
262	.fixup_map_hash_48b = { 3 },
263	.result = ACCEPT,
264	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
265},
266{
267	"helper access to adjusted map (via const reg): empty range",
268	.insns = {
269	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
270	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
271	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
272	BPF_LD_MAP_FD(BPF_REG_1, 0),
273	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
274	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
275	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
276	BPF_MOV64_IMM(BPF_REG_3, 0),
277	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
278	BPF_MOV64_IMM(BPF_REG_2, 0),
279	BPF_EMIT_CALL(BPF_FUNC_trace_printk),
280	BPF_EXIT_INSN(),
281	},
282	.fixup_map_hash_48b = { 3 },
283	.errstr = "R1 min value is outside of the allowed memory range",
284	.result = REJECT,
285	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
286},
287{
288	"helper access to adjusted map (via const reg): out-of-bound range",
289	.insns = {
290	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
291	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
292	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
293	BPF_LD_MAP_FD(BPF_REG_1, 0),
294	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
295	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
296	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
297	BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
298	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
299	BPF_MOV64_IMM(BPF_REG_2,
300		      sizeof(struct test_val) -
301		      offsetof(struct test_val, foo) + 8),
302	BPF_MOV64_IMM(BPF_REG_3, 0),
303	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
304	BPF_EXIT_INSN(),
305	},
306	.fixup_map_hash_48b = { 3 },
307	.errstr = "invalid access to map value, value_size=48 off=4 size=52",
308	.result = REJECT,
309	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
310},
311{
312	"helper access to adjusted map (via const reg): negative range (> adjustment)",
313	.insns = {
314	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
315	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
316	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
317	BPF_LD_MAP_FD(BPF_REG_1, 0),
318	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
319	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
320	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
321	BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
322	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
323	BPF_MOV64_IMM(BPF_REG_2, -8),
324	BPF_MOV64_IMM(BPF_REG_3, 0),
325	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
326	BPF_EXIT_INSN(),
327	},
328	.fixup_map_hash_48b = { 3 },
329	.errstr = "R2 min value is negative",
330	.result = REJECT,
331	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
332},
333{
334	"helper access to adjusted map (via const reg): negative range (< adjustment)",
335	.insns = {
336	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
337	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
338	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
339	BPF_LD_MAP_FD(BPF_REG_1, 0),
340	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
341	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
342	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
343	BPF_MOV64_IMM(BPF_REG_3, offsetof(struct test_val, foo)),
344	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
345	BPF_MOV64_IMM(BPF_REG_2, -1),
346	BPF_MOV64_IMM(BPF_REG_3, 0),
347	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
348	BPF_EXIT_INSN(),
349	},
350	.fixup_map_hash_48b = { 3 },
351	.errstr = "R2 min value is negative",
352	.result = REJECT,
353	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
354},
355{
356	"helper access to adjusted map (via variable): full range",
357	.insns = {
358	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
359	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
360	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
361	BPF_LD_MAP_FD(BPF_REG_1, 0),
362	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
363	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
364	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
365	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
366	BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 4),
367	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
368	BPF_MOV64_IMM(BPF_REG_2,
369		      sizeof(struct test_val) - offsetof(struct test_val, foo)),
370	BPF_MOV64_IMM(BPF_REG_3, 0),
371	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
372	BPF_EXIT_INSN(),
373	},
374	.fixup_map_hash_48b = { 3 },
375	.result = ACCEPT,
376	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
377},
378{
379	"helper access to adjusted map (via variable): partial range",
380	.insns = {
381	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
382	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
383	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
384	BPF_LD_MAP_FD(BPF_REG_1, 0),
385	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
386	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
387	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
388	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
389	BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 4),
390	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
391	BPF_MOV64_IMM(BPF_REG_2, 8),
392	BPF_MOV64_IMM(BPF_REG_3, 0),
393	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
394	BPF_EXIT_INSN(),
395	},
396	.fixup_map_hash_48b = { 3 },
397	.result = ACCEPT,
398	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
399},
400{
401	"helper access to adjusted map (via variable): empty range",
402	.insns = {
403	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
404	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
405	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
406	BPF_LD_MAP_FD(BPF_REG_1, 0),
407	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
408	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
409	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
410	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
411	BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 3),
412	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
413	BPF_MOV64_IMM(BPF_REG_2, 0),
414	BPF_EMIT_CALL(BPF_FUNC_trace_printk),
415	BPF_EXIT_INSN(),
416	},
417	.fixup_map_hash_48b = { 3 },
418	.errstr = "R1 min value is outside of the allowed memory range",
419	.result = REJECT,
420	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
421},
422{
423	"helper access to adjusted map (via variable): no max check",
424	.insns = {
425	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
426	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
427	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
428	BPF_LD_MAP_FD(BPF_REG_1, 0),
429	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
430	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
431	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
432	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
433	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
434	BPF_MOV64_IMM(BPF_REG_2, 1),
435	BPF_MOV64_IMM(BPF_REG_3, 0),
436	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
437	BPF_EXIT_INSN(),
438	},
439	.fixup_map_hash_48b = { 3 },
440	.errstr = "R1 unbounded memory access",
441	.result = REJECT,
442	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
443},
444{
445	"helper access to adjusted map (via variable): wrong max check",
446	.insns = {
447	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
448	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
449	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
450	BPF_LD_MAP_FD(BPF_REG_1, 0),
451	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
452	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
453	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
454	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
455	BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct test_val, foo), 4),
456	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
457	BPF_MOV64_IMM(BPF_REG_2,
458		      sizeof(struct test_val) -
459		      offsetof(struct test_val, foo) + 1),
460	BPF_MOV64_IMM(BPF_REG_3, 0),
461	BPF_EMIT_CALL(BPF_FUNC_probe_read_kernel),
462	BPF_EXIT_INSN(),
463	},
464	.fixup_map_hash_48b = { 3 },
465	.errstr = "invalid access to map value, value_size=48 off=4 size=45",
466	.result = REJECT,
467	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
468},
469{
470	"helper access to map: bounds check using <, good access",
471	.insns = {
472	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
473	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
474	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
475	BPF_LD_MAP_FD(BPF_REG_1, 0),
476	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
477	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
478	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
479	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
480	BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 2),
481	BPF_MOV64_IMM(BPF_REG_0, 0),
482	BPF_EXIT_INSN(),
483	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
484	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
485	BPF_MOV64_IMM(BPF_REG_0, 0),
486	BPF_EXIT_INSN(),
487	},
488	.fixup_map_hash_48b = { 3 },
489	.result = ACCEPT,
490	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
491},
492{
493	"helper access to map: bounds check using <, bad access",
494	.insns = {
495	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
496	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
497	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
498	BPF_LD_MAP_FD(BPF_REG_1, 0),
499	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
500	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
501	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
502	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
503	BPF_JMP_IMM(BPF_JLT, BPF_REG_3, 32, 4),
504	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
505	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
506	BPF_MOV64_IMM(BPF_REG_0, 0),
507	BPF_EXIT_INSN(),
508	BPF_MOV64_IMM(BPF_REG_0, 0),
509	BPF_EXIT_INSN(),
510	},
511	.fixup_map_hash_48b = { 3 },
512	.result = REJECT,
513	.errstr = "R1 unbounded memory access",
514	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
515},
516{
517	"helper access to map: bounds check using <=, good access",
518	.insns = {
519	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
520	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
521	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
522	BPF_LD_MAP_FD(BPF_REG_1, 0),
523	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
524	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
525	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
526	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
527	BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 2),
528	BPF_MOV64_IMM(BPF_REG_0, 0),
529	BPF_EXIT_INSN(),
530	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
531	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
532	BPF_MOV64_IMM(BPF_REG_0, 0),
533	BPF_EXIT_INSN(),
534	},
535	.fixup_map_hash_48b = { 3 },
536	.result = ACCEPT,
537	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
538},
539{
540	"helper access to map: bounds check using <=, bad access",
541	.insns = {
542	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
543	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
544	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
545	BPF_LD_MAP_FD(BPF_REG_1, 0),
546	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
547	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
548	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
549	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
550	BPF_JMP_IMM(BPF_JLE, BPF_REG_3, 32, 4),
551	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
552	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
553	BPF_MOV64_IMM(BPF_REG_0, 0),
554	BPF_EXIT_INSN(),
555	BPF_MOV64_IMM(BPF_REG_0, 0),
556	BPF_EXIT_INSN(),
557	},
558	.fixup_map_hash_48b = { 3 },
559	.result = REJECT,
560	.errstr = "R1 unbounded memory access",
561	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
562},
563{
564	"helper access to map: bounds check using s<, good access",
565	.insns = {
566	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
567	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
568	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
569	BPF_LD_MAP_FD(BPF_REG_1, 0),
570	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
571	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
572	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
573	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
574	BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
575	BPF_MOV64_IMM(BPF_REG_0, 0),
576	BPF_EXIT_INSN(),
577	BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 0, -3),
578	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
579	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
580	BPF_MOV64_IMM(BPF_REG_0, 0),
581	BPF_EXIT_INSN(),
582	},
583	.fixup_map_hash_48b = { 3 },
584	.result = ACCEPT,
585	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
586},
587{
588	"helper access to map: bounds check using s<, good access 2",
589	.insns = {
590	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
591	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
592	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
593	BPF_LD_MAP_FD(BPF_REG_1, 0),
594	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
595	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
596	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
597	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
598	BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
599	BPF_MOV64_IMM(BPF_REG_0, 0),
600	BPF_EXIT_INSN(),
601	BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
602	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
603	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
604	BPF_MOV64_IMM(BPF_REG_0, 0),
605	BPF_EXIT_INSN(),
606	},
607	.fixup_map_hash_48b = { 3 },
608	.result = ACCEPT,
609	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
610},
611{
612	"helper access to map: bounds check using s<, bad access",
613	.insns = {
614	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
615	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
616	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
617	BPF_LD_MAP_FD(BPF_REG_1, 0),
618	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
619	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
620	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
621	BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
622	BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, 32, 2),
623	BPF_MOV64_IMM(BPF_REG_0, 0),
624	BPF_EXIT_INSN(),
625	BPF_JMP_IMM(BPF_JSLT, BPF_REG_3, -3, -3),
626	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
627	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
628	BPF_MOV64_IMM(BPF_REG_0, 0),
629	BPF_EXIT_INSN(),
630	},
631	.fixup_map_hash_48b = { 3 },
632	.result = REJECT,
633	.errstr = "R1 min value is negative",
634	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
635},
636{
637	"helper access to map: bounds check using s<=, good access",
638	.insns = {
639	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
640	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
641	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
642	BPF_LD_MAP_FD(BPF_REG_1, 0),
643	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
644	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
645	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
646	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
647	BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
648	BPF_MOV64_IMM(BPF_REG_0, 0),
649	BPF_EXIT_INSN(),
650	BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 0, -3),
651	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
652	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
653	BPF_MOV64_IMM(BPF_REG_0, 0),
654	BPF_EXIT_INSN(),
655	},
656	.fixup_map_hash_48b = { 3 },
657	.result = ACCEPT,
658	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
659},
660{
661	"helper access to map: bounds check using s<=, good access 2",
662	.insns = {
663	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
664	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
665	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
666	BPF_LD_MAP_FD(BPF_REG_1, 0),
667	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
668	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
669	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
670	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
671	BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
672	BPF_MOV64_IMM(BPF_REG_0, 0),
673	BPF_EXIT_INSN(),
674	BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
675	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
676	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
677	BPF_MOV64_IMM(BPF_REG_0, 0),
678	BPF_EXIT_INSN(),
679	},
680	.fixup_map_hash_48b = { 3 },
681	.result = ACCEPT,
682	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
683},
684{
685	"helper access to map: bounds check using s<=, bad access",
686	.insns = {
687	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
688	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
689	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
690	BPF_LD_MAP_FD(BPF_REG_1, 0),
691	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
692	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
693	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
694	BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_0, 0),
695	BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, 32, 2),
696	BPF_MOV64_IMM(BPF_REG_0, 0),
697	BPF_EXIT_INSN(),
698	BPF_JMP_IMM(BPF_JSLE, BPF_REG_3, -3, -3),
699	BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_3),
700	BPF_ST_MEM(BPF_B, BPF_REG_1, 0, 0),
701	BPF_MOV64_IMM(BPF_REG_0, 0),
702	BPF_EXIT_INSN(),
703	},
704	.fixup_map_hash_48b = { 3 },
705	.result = REJECT,
706	.errstr = "R1 min value is negative",
707	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
708},
709{
710	"map lookup helper access to map",
711	.insns = {
712	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
713	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
714	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
715	BPF_LD_MAP_FD(BPF_REG_1, 0),
716	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
717	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 4),
718	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
719	BPF_LD_MAP_FD(BPF_REG_1, 0),
720	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
721	BPF_EXIT_INSN(),
722	},
723	.fixup_map_hash_16b = { 3, 8 },
724	.result = ACCEPT,
725	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
726},
727{
728	"map update helper access to map",
729	.insns = {
730	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
731	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
732	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
733	BPF_LD_MAP_FD(BPF_REG_1, 0),
734	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
735	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
736	BPF_MOV64_IMM(BPF_REG_4, 0),
737	BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
738	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
739	BPF_LD_MAP_FD(BPF_REG_1, 0),
740	BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
741	BPF_EXIT_INSN(),
742	},
743	.fixup_map_hash_16b = { 3, 10 },
744	.result = ACCEPT,
745	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
746},
747{
748	"map update helper access to map: wrong size",
749	.insns = {
750	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
751	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
752	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
753	BPF_LD_MAP_FD(BPF_REG_1, 0),
754	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
755	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
756	BPF_MOV64_IMM(BPF_REG_4, 0),
757	BPF_MOV64_REG(BPF_REG_3, BPF_REG_0),
758	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
759	BPF_LD_MAP_FD(BPF_REG_1, 0),
760	BPF_EMIT_CALL(BPF_FUNC_map_update_elem),
761	BPF_EXIT_INSN(),
762	},
763	.fixup_map_hash_8b = { 3 },
764	.fixup_map_hash_16b = { 10 },
765	.result = REJECT,
766	.errstr = "invalid access to map value, value_size=8 off=0 size=16",
767	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
768},
769{
770	"map helper access to adjusted map (via const imm)",
771	.insns = {
772	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
773	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
774	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
775	BPF_LD_MAP_FD(BPF_REG_1, 0),
776	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
777	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
778	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
779	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, offsetof(struct other_val, bar)),
780	BPF_LD_MAP_FD(BPF_REG_1, 0),
781	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
782	BPF_EXIT_INSN(),
783	},
784	.fixup_map_hash_16b = { 3, 9 },
785	.result = ACCEPT,
786	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
787},
788{
789	"map helper access to adjusted map (via const imm): out-of-bound 1",
790	.insns = {
791	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
792	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
793	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
794	BPF_LD_MAP_FD(BPF_REG_1, 0),
795	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
796	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
797	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
798	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, sizeof(struct other_val) - 4),
799	BPF_LD_MAP_FD(BPF_REG_1, 0),
800	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
801	BPF_EXIT_INSN(),
802	},
803	.fixup_map_hash_16b = { 3, 9 },
804	.result = REJECT,
805	.errstr = "invalid access to map value, value_size=16 off=12 size=8",
806	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
807},
808{
809	"map helper access to adjusted map (via const imm): out-of-bound 2",
810	.insns = {
811	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
812	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
813	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
814	BPF_LD_MAP_FD(BPF_REG_1, 0),
815	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
816	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 5),
817	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
818	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),
819	BPF_LD_MAP_FD(BPF_REG_1, 0),
820	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
821	BPF_EXIT_INSN(),
822	},
823	.fixup_map_hash_16b = { 3, 9 },
824	.result = REJECT,
825	.errstr = "invalid access to map value, value_size=16 off=-4 size=8",
826	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
827},
828{
829	"map helper access to adjusted map (via const reg)",
830	.insns = {
831	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
832	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
833	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
834	BPF_LD_MAP_FD(BPF_REG_1, 0),
835	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
836	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
837	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
838	BPF_MOV64_IMM(BPF_REG_3, offsetof(struct other_val, bar)),
839	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
840	BPF_LD_MAP_FD(BPF_REG_1, 0),
841	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
842	BPF_EXIT_INSN(),
843	},
844	.fixup_map_hash_16b = { 3, 10 },
845	.result = ACCEPT,
846	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
847},
848{
849	"map helper access to adjusted map (via const reg): out-of-bound 1",
850	.insns = {
851	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
852	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
853	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
854	BPF_LD_MAP_FD(BPF_REG_1, 0),
855	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
856	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
857	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
858	BPF_MOV64_IMM(BPF_REG_3, sizeof(struct other_val) - 4),
859	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
860	BPF_LD_MAP_FD(BPF_REG_1, 0),
861	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
862	BPF_EXIT_INSN(),
863	},
864	.fixup_map_hash_16b = { 3, 10 },
865	.result = REJECT,
866	.errstr = "invalid access to map value, value_size=16 off=12 size=8",
867	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
868},
869{
870	"map helper access to adjusted map (via const reg): out-of-bound 2",
871	.insns = {
872	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
873	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
874	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
875	BPF_LD_MAP_FD(BPF_REG_1, 0),
876	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
877	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
878	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
879	BPF_MOV64_IMM(BPF_REG_3, -4),
880	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
881	BPF_LD_MAP_FD(BPF_REG_1, 0),
882	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
883	BPF_EXIT_INSN(),
884	},
885	.fixup_map_hash_16b = { 3, 10 },
886	.result = REJECT,
887	.errstr = "invalid access to map value, value_size=16 off=-4 size=8",
888	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
889},
890{
891	"map helper access to adjusted map (via variable)",
892	.insns = {
893	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
894	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
895	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
896	BPF_LD_MAP_FD(BPF_REG_1, 0),
897	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
898	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
899	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
900	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
901	BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct other_val, bar), 4),
902	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
903	BPF_LD_MAP_FD(BPF_REG_1, 0),
904	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
905	BPF_EXIT_INSN(),
906	},
907	.fixup_map_hash_16b = { 3, 11 },
908	.result = ACCEPT,
909	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
910},
911{
912	"map helper access to adjusted map (via variable): no max check",
913	.insns = {
914	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
915	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
916	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
917	BPF_LD_MAP_FD(BPF_REG_1, 0),
918	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
919	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
920	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
921	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
922	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
923	BPF_LD_MAP_FD(BPF_REG_1, 0),
924	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
925	BPF_EXIT_INSN(),
926	},
927	.fixup_map_hash_16b = { 3, 10 },
928	.result = REJECT,
929	.errstr = "R2 unbounded memory access, make sure to bounds check any such access",
930	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
931},
932{
933	"map helper access to adjusted map (via variable): wrong max check",
934	.insns = {
935	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
936	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
937	BPF_ST_MEM(BPF_DW, BPF_REG_2, 0, 0),
938	BPF_LD_MAP_FD(BPF_REG_1, 0),
939	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
940	BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 7),
941	BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),
942	BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_0, 0),
943	BPF_JMP_IMM(BPF_JGT, BPF_REG_3, offsetof(struct other_val, bar) + 1, 4),
944	BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_3),
945	BPF_LD_MAP_FD(BPF_REG_1, 0),
946	BPF_EMIT_CALL(BPF_FUNC_map_lookup_elem),
947	BPF_EXIT_INSN(),
948	},
949	.fixup_map_hash_16b = { 3, 11 },
950	.result = REJECT,
951	.errstr = "invalid access to map value, value_size=16 off=9 size=8",
952	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
953},
954