Re: [PATCH bpf-next 3/4] selftests/bpf: Keep verifier_map_ptr exercising ops pointer access

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] Test suite regression on 32-bit architectures due to hardcoded 64-bit struct offsets.
--

commit 3edf5d52e70729a68d2f02df9f51787362f009a3
Author: Daniel Borkmann <daniel@iogearbox.net>

selftests/bpf: Keep verifier_map_ptr exercising ops pointer access

This commit recovers the old test for verifier_map_ptr with the right
offsets to exercise ops pointer access. It also adds the existing test
as an additional test case.

> diff --git a/tools/testing/selftests/bpf/progs/verifier_map_ptr.c b/tools/testing/selftests/bpf/progs/verifier_map_ptr.c
> index d8e822d1a8bab..1661936598703 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_map_ptr.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_map_ptr.c
[ ... ]
> @@ -72,17 +72,43 @@ __naked void bpf_map_ptr_write_rejected(void)
[ ... ]
>  __description("bpf_map_ptr: read non-existent field rejected")
>  __failure
> -__msg("access beyond the end of member excl (mend:36) in struct bpf_map with off 33 size 4")
> +__msg("cannot access ptr member ops with moff 40 in struct bpf_map with off 41 size 4")
>  __failure_unpriv
>  __msg_unpriv("access is allowed only to CAP_PERFMON and CAP_SYS_ADMIN")
>  __flag(BPF_F_ANY_ALIGNMENT)
>  __naked void read_non_existent_field_rejected(void)
> +{
> +	asm volatile ("					\
> +	r6 = 0;						\
> +	r1 = %[map_array_48b] ll;			\
> +	r6 = *(u32*)(r1 + 41);				\

[Severity: Medium]
Does this hardcoded offset in read_non_existent_field_rejected() cause test
failures on 32-bit architectures?

Since pointers are 4 bytes long on 32-bit, the excl field at offset 32
would be followed by ops at offset 36. Offset 41 would point inside
inner_map_meta instead, causing the verifier error message to mismatch
the expected __msg above.

[ ... ]
> @@ -105,7 +131,7 @@ __naked void ptr_read_ops_field_accepted(void)
>  	asm volatile ("					\
>  	r6 = 0;						\
>  	r1 = %[map_array_48b] ll;			\
> -	r6 = *(u64*)(r1 + 0);				\
> +	r6 = *(u64*)(r1 + 40);				\

[Severity: Medium]
Will reading 8 bytes at offset 40 in ptr_read_ops_field_accepted() fail on
32-bit architectures?

On 32-bit, offset 40 corresponds to inner_map_meta which is only 4 bytes.
The verifier requires an exact size match for pointer reads, so a size 8
read would trigger a rejection instead of the expected success.

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260602133052.423725-1-daniel@iogearbox.net?part=3