Patchwork [RFC,v2,bpf-next,5/5] selftests/bpf: verifier, check bpf_map_lookup_elem access in bpf prog

login
register
mail settings
Submitter Prashant Bhole
Date Oct. 2, 2018, 5:35 a.m.
Message ID <20181002053519.8000-6-bhole_prashant_q7@lab.ntt.co.jp>
Download mbox | patch
Permalink /patch/625643/
State New
Headers show

Comments

Prashant Bhole - Oct. 2, 2018, 5:35 a.m.
map_lookup_elem isn't supported by certain map types like:
- BPF_MAP_TYPE_PROG_ARRAY
- BPF_MAP_TYPE_STACK_TRACE
- BPF_MAP_TYPE_XSKMAP
- BPF_MAP_TYPE_SOCKMAP/BPF_MAP_TYPE_SOCKHASH
Let's add verfier tests to check whether verifier prevents
bpf_map_lookup_elem call on above programs from bpf program.

Signed-off-by: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
---
 tools/testing/selftests/bpf/test_verifier.c | 121 +++++++++++++++++++-
 1 file changed, 120 insertions(+), 1 deletion(-)
Alexei Starovoitov - Oct. 5, 2018, 1:51 a.m.
On Tue, Oct 02, 2018 at 02:35:19PM +0900, Prashant Bhole wrote:
> map_lookup_elem isn't supported by certain map types like:
> - BPF_MAP_TYPE_PROG_ARRAY
> - BPF_MAP_TYPE_STACK_TRACE
> - BPF_MAP_TYPE_XSKMAP
> - BPF_MAP_TYPE_SOCKMAP/BPF_MAP_TYPE_SOCKHASH
> Let's add verfier tests to check whether verifier prevents
> bpf_map_lookup_elem call on above programs from bpf program.
> 
> Signed-off-by: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
> ---
>  tools/testing/selftests/bpf/test_verifier.c | 121 +++++++++++++++++++-
>  1 file changed, 120 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
> index c7d25f23baf9..afa7e67f66e4 100644
> --- a/tools/testing/selftests/bpf/test_verifier.c
> +++ b/tools/testing/selftests/bpf/test_verifier.c
> @@ -47,7 +47,7 @@
>  
>  #define MAX_INSNS	BPF_MAXINSNS
>  #define MAX_FIXUPS	8
> -#define MAX_NR_MAPS	8
> +#define MAX_NR_MAPS	13
>  #define POINTER_VALUE	0xcafe4all
>  #define TEST_DATA_LEN	64
>  
> @@ -64,6 +64,10 @@ struct bpf_test {
>  	int fixup_map2[MAX_FIXUPS];
>  	int fixup_map3[MAX_FIXUPS];
>  	int fixup_map4[MAX_FIXUPS];
> +	int fixup_map5[MAX_FIXUPS];
> +	int fixup_map6[MAX_FIXUPS];
> +	int fixup_map7[MAX_FIXUPS];
> +	int fixup_map8[MAX_FIXUPS];
>  	int fixup_prog1[MAX_FIXUPS];
>  	int fixup_prog2[MAX_FIXUPS];
>  	int fixup_map_in_map[MAX_FIXUPS];
> @@ -4391,6 +4395,85 @@ static struct bpf_test tests[] = {
>  		.errstr = "invalid access to packet",
>  		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
>  	},
> +	{
> +		"prevent map lookup in sockmap",
> +		.insns = {
> +			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
> +			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
> +			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
> +			BPF_LD_MAP_FD(BPF_REG_1, 0),
> +			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
> +				     BPF_FUNC_map_lookup_elem),
> +			BPF_EXIT_INSN(),
> +		},
> +		.fixup_map5 = { 3 },
> +		.result = REJECT,
> +		.errstr = "cannot pass map_type 15 into func bpf_map_lookup_elem",
> +		.prog_type = BPF_PROG_TYPE_SOCK_OPS,
> +	},
> +	{
> +		"prevent map lookup in sockhash",
> +		.insns = {
> +			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
> +			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
> +			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
> +			BPF_LD_MAP_FD(BPF_REG_1, 0),
> +			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
> +				     BPF_FUNC_map_lookup_elem),
> +			BPF_EXIT_INSN(),
> +		},
> +		.fixup_map6 = { 3 },
> +		.result = REJECT,
> +		.errstr = "cannot pass map_type 18 into func bpf_map_lookup_elem",
> +		.prog_type = BPF_PROG_TYPE_SOCK_OPS,
> +	},
> +	{
> +		"prevent map lookup in xskmap",
> +		.insns = {
> +			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
> +			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
> +			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
> +			BPF_LD_MAP_FD(BPF_REG_1, 0),
> +			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
> +				     BPF_FUNC_map_lookup_elem),
> +			BPF_EXIT_INSN(),
> +		},
> +		.fixup_map7 = { 3 },
> +		.result = REJECT,
> +		.errstr = "cannot pass map_type 17 into func bpf_map_lookup_elem",
> +		.prog_type = BPF_PROG_TYPE_XDP,
> +	},
> +	{
> +		"prevent map lookup in stack trace",
> +		.insns = {
> +			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
> +			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
> +			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
> +			BPF_LD_MAP_FD(BPF_REG_1, 0),
> +			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
> +				     BPF_FUNC_map_lookup_elem),
> +			BPF_EXIT_INSN(),
> +		},
> +		.fixup_map8 = { 3 },
> +		.result = REJECT,
> +		.errstr = "cannot pass map_type 7 into func bpf_map_lookup_elem",
> +		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
> +	},
> +	{
> +		"prevent map lookup in prog array",
> +		.insns = {
> +			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
> +			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
> +			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
> +			BPF_LD_MAP_FD(BPF_REG_1, 0),
> +			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
> +				     BPF_FUNC_map_lookup_elem),
> +			BPF_EXIT_INSN(),
> +		},
> +		.fixup_prog2 = { 3 },
> +		.result = REJECT,
> +		.errstr = "cannot pass map_type 3 into func bpf_map_lookup_elem",

excellent tests. exactly what I was hoping to see.

> +	},
>  	{
>  		"valid map access into an array with a constant",
>  		.insns = {
> @@ -12755,6 +12838,10 @@ static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
>  	int *fixup_map2 = test->fixup_map2;
>  	int *fixup_map3 = test->fixup_map3;
>  	int *fixup_map4 = test->fixup_map4;
> +	int *fixup_map5 = test->fixup_map5;
> +	int *fixup_map6 = test->fixup_map6;
> +	int *fixup_map7 = test->fixup_map7;
> +	int *fixup_map8 = test->fixup_map8;
>  	int *fixup_prog1 = test->fixup_prog1;
>  	int *fixup_prog2 = test->fixup_prog2;
>  	int *fixup_map_in_map = test->fixup_map_in_map;
> @@ -12843,6 +12930,38 @@ static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
>  			fixup_percpu_cgroup_storage++;
>  		} while (*fixup_percpu_cgroup_storage);
>  	}
> +	if (*fixup_map5) {
> +		map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int),
> +					sizeof(int), 1);
> +		do {
> +			prog[*fixup_map5].imm = map_fds[9];
> +			fixup_map5++;
> +		} while (*fixup_map5);
> +	}
> +	if (*fixup_map6) {
> +		map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int),
> +					sizeof(int), 1);
> +		do {
> +			prog[*fixup_map6].imm = map_fds[10];
> +			fixup_map6++;
> +		} while (*fixup_map6);
> +	}
> +	if (*fixup_map7) {
> +		map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int),
> +					sizeof(int), 1);
> +		do {
> +			prog[*fixup_map7].imm = map_fds[11];
> +			fixup_map7++;
> +		} while (*fixup_map7);
> +	}
> +	if (*fixup_map8) {
> +		map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32),
> +					 sizeof(u64), 1);
> +		do {
> +			prog[*fixup_map8].imm = map_fds[12];
> +			fixup_map8++;
> +		} while (fixup_map8);

I understand that you're following the existing naming convention
with fixup_mapN, but it was ugly before and these 4 additions
make it completely unreadable.

Could you please refactor the old names:
fixup_map1 -> fixup_map_hash_8b
fixup_map2 -> fixup_map_hash_48b (pls double check my math)
fixup_map3 -> fixup_map_hash_16b
fixup_map4 -> fixup_map_array_48b

then your new diff will use
fixup_map5 -> fixup_map_sockmap
fixup_map6 -> fixup_map_sockhash
...

and please drop rfc tag from the next respin.
Thanks!
Prashant Bhole - Oct. 5, 2018, 2:07 a.m.
On 10/5/2018 10:51 AM, Alexei Starovoitov wrote:
> On Tue, Oct 02, 2018 at 02:35:19PM +0900, Prashant Bhole wrote:
>> map_lookup_elem isn't supported by certain map types like:
>> - BPF_MAP_TYPE_PROG_ARRAY
>> - BPF_MAP_TYPE_STACK_TRACE
>> - BPF_MAP_TYPE_XSKMAP
>> - BPF_MAP_TYPE_SOCKMAP/BPF_MAP_TYPE_SOCKHASH
>> Let's add verfier tests to check whether verifier prevents
>> bpf_map_lookup_elem call on above programs from bpf program.
>>
>> Signed-off-by: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
>> ---
>>   tools/testing/selftests/bpf/test_verifier.c | 121 +++++++++++++++++++-
>>   1 file changed, 120 insertions(+), 1 deletion(-)
>>
>> diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
>> index c7d25f23baf9..afa7e67f66e4 100644
>> --- a/tools/testing/selftests/bpf/test_verifier.c
>> +++ b/tools/testing/selftests/bpf/test_verifier.c
>> @@ -47,7 +47,7 @@
>>   
>>   #define MAX_INSNS	BPF_MAXINSNS
>>   #define MAX_FIXUPS	8
>> -#define MAX_NR_MAPS	8
>> +#define MAX_NR_MAPS	13
>>   #define POINTER_VALUE	0xcafe4all
>>   #define TEST_DATA_LEN	64
>>   
>> @@ -64,6 +64,10 @@ struct bpf_test {
>>   	int fixup_map2[MAX_FIXUPS];
>>   	int fixup_map3[MAX_FIXUPS];
>>   	int fixup_map4[MAX_FIXUPS];
>> +	int fixup_map5[MAX_FIXUPS];
>> +	int fixup_map6[MAX_FIXUPS];
>> +	int fixup_map7[MAX_FIXUPS];
>> +	int fixup_map8[MAX_FIXUPS];
>>   	int fixup_prog1[MAX_FIXUPS];
>>   	int fixup_prog2[MAX_FIXUPS];
>>   	int fixup_map_in_map[MAX_FIXUPS];
>> @@ -4391,6 +4395,85 @@ static struct bpf_test tests[] = {
>>   		.errstr = "invalid access to packet",
>>   		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
>>   	},
>> +	{
>> +		"prevent map lookup in sockmap",
>> +		.insns = {
>> +			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
>> +			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
>> +			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
>> +			BPF_LD_MAP_FD(BPF_REG_1, 0),
>> +			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
>> +				     BPF_FUNC_map_lookup_elem),
>> +			BPF_EXIT_INSN(),
>> +		},
>> +		.fixup_map5 = { 3 },
>> +		.result = REJECT,
>> +		.errstr = "cannot pass map_type 15 into func bpf_map_lookup_elem",
>> +		.prog_type = BPF_PROG_TYPE_SOCK_OPS,
>> +	},
>> +	{
>> +		"prevent map lookup in sockhash",
>> +		.insns = {
>> +			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
>> +			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
>> +			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
>> +			BPF_LD_MAP_FD(BPF_REG_1, 0),
>> +			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
>> +				     BPF_FUNC_map_lookup_elem),
>> +			BPF_EXIT_INSN(),
>> +		},
>> +		.fixup_map6 = { 3 },
>> +		.result = REJECT,
>> +		.errstr = "cannot pass map_type 18 into func bpf_map_lookup_elem",
>> +		.prog_type = BPF_PROG_TYPE_SOCK_OPS,
>> +	},
>> +	{
>> +		"prevent map lookup in xskmap",
>> +		.insns = {
>> +			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
>> +			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
>> +			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
>> +			BPF_LD_MAP_FD(BPF_REG_1, 0),
>> +			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
>> +				     BPF_FUNC_map_lookup_elem),
>> +			BPF_EXIT_INSN(),
>> +		},
>> +		.fixup_map7 = { 3 },
>> +		.result = REJECT,
>> +		.errstr = "cannot pass map_type 17 into func bpf_map_lookup_elem",
>> +		.prog_type = BPF_PROG_TYPE_XDP,
>> +	},
>> +	{
>> +		"prevent map lookup in stack trace",
>> +		.insns = {
>> +			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
>> +			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
>> +			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
>> +			BPF_LD_MAP_FD(BPF_REG_1, 0),
>> +			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
>> +				     BPF_FUNC_map_lookup_elem),
>> +			BPF_EXIT_INSN(),
>> +		},
>> +		.fixup_map8 = { 3 },
>> +		.result = REJECT,
>> +		.errstr = "cannot pass map_type 7 into func bpf_map_lookup_elem",
>> +		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
>> +	},
>> +	{
>> +		"prevent map lookup in prog array",
>> +		.insns = {
>> +			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
>> +			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
>> +			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
>> +			BPF_LD_MAP_FD(BPF_REG_1, 0),
>> +			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
>> +				     BPF_FUNC_map_lookup_elem),
>> +			BPF_EXIT_INSN(),
>> +		},
>> +		.fixup_prog2 = { 3 },
>> +		.result = REJECT,
>> +		.errstr = "cannot pass map_type 3 into func bpf_map_lookup_elem",
> 
> excellent tests. exactly what I was hoping to see.
> 
>> +	},
>>   	{
>>   		"valid map access into an array with a constant",
>>   		.insns = {
>> @@ -12755,6 +12838,10 @@ static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
>>   	int *fixup_map2 = test->fixup_map2;
>>   	int *fixup_map3 = test->fixup_map3;
>>   	int *fixup_map4 = test->fixup_map4;
>> +	int *fixup_map5 = test->fixup_map5;
>> +	int *fixup_map6 = test->fixup_map6;
>> +	int *fixup_map7 = test->fixup_map7;
>> +	int *fixup_map8 = test->fixup_map8;
>>   	int *fixup_prog1 = test->fixup_prog1;
>>   	int *fixup_prog2 = test->fixup_prog2;
>>   	int *fixup_map_in_map = test->fixup_map_in_map;
>> @@ -12843,6 +12930,38 @@ static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
>>   			fixup_percpu_cgroup_storage++;
>>   		} while (*fixup_percpu_cgroup_storage);
>>   	}
>> +	if (*fixup_map5) {
>> +		map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int),
>> +					sizeof(int), 1);
>> +		do {
>> +			prog[*fixup_map5].imm = map_fds[9];
>> +			fixup_map5++;
>> +		} while (*fixup_map5);
>> +	}
>> +	if (*fixup_map6) {
>> +		map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int),
>> +					sizeof(int), 1);
>> +		do {
>> +			prog[*fixup_map6].imm = map_fds[10];
>> +			fixup_map6++;
>> +		} while (*fixup_map6);
>> +	}
>> +	if (*fixup_map7) {
>> +		map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int),
>> +					sizeof(int), 1);
>> +		do {
>> +			prog[*fixup_map7].imm = map_fds[11];
>> +			fixup_map7++;
>> +		} while (*fixup_map7);
>> +	}
>> +	if (*fixup_map8) {
>> +		map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32),
>> +					 sizeof(u64), 1);
>> +		do {
>> +			prog[*fixup_map8].imm = map_fds[12];
>> +			fixup_map8++;
>> +		} while (fixup_map8);
> 
> I understand that you're following the existing naming convention
> with fixup_mapN, but it was ugly before and these 4 additions
> make it completely unreadable.
> 
> Could you please refactor the old names:
> fixup_map1 -> fixup_map_hash_8b
> fixup_map2 -> fixup_map_hash_48b (pls double check my math)
> fixup_map3 -> fixup_map_hash_16b
> fixup_map4 -> fixup_map_array_48b
> 
> then your new diff will use
> fixup_map5 -> fixup_map_sockmap
> fixup_map6 -> fixup_map_sockhash
> ...
> 
> and please drop rfc tag from the next respin.
> Thanks!
> 

Thanks for reviewing. I will fix the naming convention in the next patch 
series.

-Prashant

Patch

diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index c7d25f23baf9..afa7e67f66e4 100644
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -47,7 +47,7 @@ 
 
 #define MAX_INSNS	BPF_MAXINSNS
 #define MAX_FIXUPS	8
-#define MAX_NR_MAPS	8
+#define MAX_NR_MAPS	13
 #define POINTER_VALUE	0xcafe4all
 #define TEST_DATA_LEN	64
 
@@ -64,6 +64,10 @@  struct bpf_test {
 	int fixup_map2[MAX_FIXUPS];
 	int fixup_map3[MAX_FIXUPS];
 	int fixup_map4[MAX_FIXUPS];
+	int fixup_map5[MAX_FIXUPS];
+	int fixup_map6[MAX_FIXUPS];
+	int fixup_map7[MAX_FIXUPS];
+	int fixup_map8[MAX_FIXUPS];
 	int fixup_prog1[MAX_FIXUPS];
 	int fixup_prog2[MAX_FIXUPS];
 	int fixup_map_in_map[MAX_FIXUPS];
@@ -4391,6 +4395,85 @@  static struct bpf_test tests[] = {
 		.errstr = "invalid access to packet",
 		.prog_type = BPF_PROG_TYPE_SCHED_CLS,
 	},
+	{
+		"prevent map lookup in sockmap",
+		.insns = {
+			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+			BPF_LD_MAP_FD(BPF_REG_1, 0),
+			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+				     BPF_FUNC_map_lookup_elem),
+			BPF_EXIT_INSN(),
+		},
+		.fixup_map5 = { 3 },
+		.result = REJECT,
+		.errstr = "cannot pass map_type 15 into func bpf_map_lookup_elem",
+		.prog_type = BPF_PROG_TYPE_SOCK_OPS,
+	},
+	{
+		"prevent map lookup in sockhash",
+		.insns = {
+			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+			BPF_LD_MAP_FD(BPF_REG_1, 0),
+			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+				     BPF_FUNC_map_lookup_elem),
+			BPF_EXIT_INSN(),
+		},
+		.fixup_map6 = { 3 },
+		.result = REJECT,
+		.errstr = "cannot pass map_type 18 into func bpf_map_lookup_elem",
+		.prog_type = BPF_PROG_TYPE_SOCK_OPS,
+	},
+	{
+		"prevent map lookup in xskmap",
+		.insns = {
+			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+			BPF_LD_MAP_FD(BPF_REG_1, 0),
+			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+				     BPF_FUNC_map_lookup_elem),
+			BPF_EXIT_INSN(),
+		},
+		.fixup_map7 = { 3 },
+		.result = REJECT,
+		.errstr = "cannot pass map_type 17 into func bpf_map_lookup_elem",
+		.prog_type = BPF_PROG_TYPE_XDP,
+	},
+	{
+		"prevent map lookup in stack trace",
+		.insns = {
+			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+			BPF_LD_MAP_FD(BPF_REG_1, 0),
+			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+				     BPF_FUNC_map_lookup_elem),
+			BPF_EXIT_INSN(),
+		},
+		.fixup_map8 = { 3 },
+		.result = REJECT,
+		.errstr = "cannot pass map_type 7 into func bpf_map_lookup_elem",
+		.prog_type = BPF_PROG_TYPE_PERF_EVENT,
+	},
+	{
+		"prevent map lookup in prog array",
+		.insns = {
+			BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+			BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+			BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+			BPF_LD_MAP_FD(BPF_REG_1, 0),
+			BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0,
+				     BPF_FUNC_map_lookup_elem),
+			BPF_EXIT_INSN(),
+		},
+		.fixup_prog2 = { 3 },
+		.result = REJECT,
+		.errstr = "cannot pass map_type 3 into func bpf_map_lookup_elem",
+	},
 	{
 		"valid map access into an array with a constant",
 		.insns = {
@@ -12755,6 +12838,10 @@  static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
 	int *fixup_map2 = test->fixup_map2;
 	int *fixup_map3 = test->fixup_map3;
 	int *fixup_map4 = test->fixup_map4;
+	int *fixup_map5 = test->fixup_map5;
+	int *fixup_map6 = test->fixup_map6;
+	int *fixup_map7 = test->fixup_map7;
+	int *fixup_map8 = test->fixup_map8;
 	int *fixup_prog1 = test->fixup_prog1;
 	int *fixup_prog2 = test->fixup_prog2;
 	int *fixup_map_in_map = test->fixup_map_in_map;
@@ -12843,6 +12930,38 @@  static void do_test_fixup(struct bpf_test *test, struct bpf_insn *prog,
 			fixup_percpu_cgroup_storage++;
 		} while (*fixup_percpu_cgroup_storage);
 	}
+	if (*fixup_map5) {
+		map_fds[9] = create_map(BPF_MAP_TYPE_SOCKMAP, sizeof(int),
+					sizeof(int), 1);
+		do {
+			prog[*fixup_map5].imm = map_fds[9];
+			fixup_map5++;
+		} while (*fixup_map5);
+	}
+	if (*fixup_map6) {
+		map_fds[10] = create_map(BPF_MAP_TYPE_SOCKHASH, sizeof(int),
+					sizeof(int), 1);
+		do {
+			prog[*fixup_map6].imm = map_fds[10];
+			fixup_map6++;
+		} while (*fixup_map6);
+	}
+	if (*fixup_map7) {
+		map_fds[11] = create_map(BPF_MAP_TYPE_XSKMAP, sizeof(int),
+					sizeof(int), 1);
+		do {
+			prog[*fixup_map7].imm = map_fds[11];
+			fixup_map7++;
+		} while (*fixup_map7);
+	}
+	if (*fixup_map8) {
+		map_fds[12] = create_map(BPF_MAP_TYPE_STACK_TRACE, sizeof(u32),
+					 sizeof(u64), 1);
+		do {
+			prog[*fixup_map8].imm = map_fds[12];
+			fixup_map8++;
+		} while (fixup_map8);
+	}
 }
 
 static void do_test_single(struct bpf_test *test, bool unpriv,