From: Sun Jian <sun.jian.kdev@gmail.com>
To: bpf@vger.kernel.org
Cc: sun.jian.kdev@gmail.com, linux-kernel@vger.kernel.org,
	linux-kselftest@vger.kernel.org, ast@kernel.org,
	daniel@iogearbox.net, john.fastabend@gmail.com,
	andrii@kernel.org, martin.lau@linux.dev, eddyz87@gmail.com,
	memxor@gmail.com, song@kernel.org, yonghong.song@linux.dev,
	jolsa@kernel.org, shuah@kernel.org, dxu@dxuuu.xyz
Subject: [PATCH bpf 2/2] selftests/bpf: Add inner map template lookup NULLness test
Date: Wed, 24 Jun 2026 15:20:31 +0800	[thread overview]
Message-ID: <20260624072031.735846-2-sun.jian.kdev@gmail.com> (raw)
In-Reply-To: <20260624072031.735846-1-sun.jian.kdev@gmail.com>

Add a verifier test that performs an inner array lookup with a constant
key that is within the template's max_entries, and then dereferences the
lookup result without a NULL check.

The test covers array maps used as inner map templates, where the
template's max_entries does not prove that a runtime lookup against a
concrete inner map cannot return NULL.

The verifier should reject the program because the lookup result must
remain PTR_TO_MAP_VALUE_OR_NULL.

Signed-off-by: Sun Jian <sun.jian.kdev@gmail.com>
---
 .../selftests/bpf/progs/verifier_map_in_map.c | 44 +++++++++++++++++++
 1 file changed, 44 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_map_in_map.c b/tools/testing/selftests/bpf/progs/verifier_map_in_map.c
index 16b761e510f0..c650731c6151 100644
--- a/tools/testing/selftests/bpf/progs/verifier_map_in_map.c
+++ b/tools/testing/selftests/bpf/progs/verifier_map_in_map.c
@@ -18,6 +18,20 @@ struct {
 	});
 } map_in_map SEC(".maps");
 
+struct {
+	__uint(type, BPF_MAP_TYPE_ARRAY_OF_MAPS);
+	__uint(max_entries, 1);
+	__type(key, int);
+	__type(value, int);
+	__array(values, struct {
+		__uint(type, BPF_MAP_TYPE_ARRAY);
+		__uint(max_entries, 8);
+		__uint(map_flags, BPF_F_INNER_MAP);
+		__type(key, int);
+		__type(value, int);
+	});
+} map_in_map_inner_array SEC(".maps");
+
 SEC("socket")
 __description("map in map access")
 __success __success_unpriv __retval(0)
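Review bot: The `__uint(map_flags, BPF_F_INNER_MAP)` line in the `map_in_map_inner_array` template is what the whole test depends on, but it has no comment saying so. For array inner maps this flag is what lets a concrete inner map have a different max_entries than the template's 8; without it the sizes must match and the template bound would hold at runtime. A short comment above the struct, e.g. `/* BPF_F_INNER_MAP: runtime inner arrays may be smaller than this template, so max_entries here is not a lookup bound */`, would keep the flag from being dropped in a later cleanup.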
@@ -139,6 +153,36 @@ __naked void on_the_inner_map_pointer(void)
 	: __clobber_all);
 }
 
+SEC("socket")
+__description("inner array lookup requires null check")
+__failure __msg("invalid mem access 'map_value_or_null'")
+__failure_unpriv
+__naked void inner_array_lookup_requires_null_check(void)
+{
+	asm volatile ("					\
+	r1 = 0;						\
+	*(u32*)(r10 - 4) = r1;				\
+	r2 = r10;					\
+	r2 += -4;					\
+	r1 = %[map_in_map_inner_array] ll;		\
+	call %[bpf_map_lookup_elem];			\
+	if r0 == 0 goto l0_%=;				\
+	r1 = 6;						\
+	*(u32*)(r10 - 4) = r1;				\
+	r2 = r10;					\
+	r2 += -4;					\
+	r1 = r0;					\
+	call %[bpf_map_lookup_elem];			\
+	r0 = *(u32*)(r0 + 0);				\
+	exit;						\
+l0_%=:	r0 = 0;						\
+	exit;						\
+"	:
+	: __imm(bpf_map_lookup_elem),
+	  __imm_addr(map_in_map_inner_array)
+	: __clobber_all);
+}
+
 SEC("socket")
 __description("map_ptr is never null")
 __success
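Review bot: The key `r1 = 6` in `inner_array_lookup_requires_null_check` only exercises the regression while it stays below the template's `max_entries, 8` declared in the earlier hunk, and nothing in the test says so. If either constant drifts so that the key is out of range, the program would presumably still be rejected with the same `map_value_or_null` message, so the test would keep passing even on a kernel without the fix. A comment above the function would pin the coupling, e.g. `/* key 6 < template max_entries 8: in-bounds per the template, yet the result must remain map_value_or_null */`. The fix itself is in patch 1/2, which is not shown here, so this reading is inferred from the commit message.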
-- 
2.43.0


2026-06-24  7:20 [PATCH bpf 1/2] bpf: Avoid eliding lookup NULLness for inner map templates Sun Jian
2026-06-24  7:20 ` Sun Jian [this message]
2026-06-24  7:37 ` sashiko-bot
2026-06-24  7:41   ` sun jian
