Re: [PATCH bpf 1/2] bpf: Keep dynamic inner array lookups nullable

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Suchit Karunakaran <magneto712003@gmail.com>
To: Nuiqi Gui <gnq25@mails.tsinghua.edu.cn>
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
	dxu@dxuuu.xyz, stable@vger.kernel.org,
	John Fastabend <john.fastabend@gmail.com>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Eduard Zingerman <eddyz87@gmail.com>,
	Kumar Kartikeya Dwivedi <memxor@gmail.com>,
	Song Liu <song@kernel.org>,
	Yonghong Song <yonghong.song@linux.dev>,
	Jiri Olsa <jolsa@kernel.org>,
	bpf@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH bpf 1/2] bpf: Keep dynamic inner array lookups nullable
Date: Fri, 5 Jun 2026 00:05:40 +0530	[thread overview]
Message-ID: <aiHFbuC-nCAf-QLh@archlinux> (raw)
In-Reply-To: <20260604151153.2488051-2-gnq25@mails.tsinghua.edu.cn>

On Thu, Jun 04, 2026 at 11:11:52PM +0800, Nuiqi Gui wrote:
> An ARRAY_OF_MAPS can use an array created with BPF_F_INNER_MAP as its
> inner map template. A concrete inner array with a different max_entries
> value can then replace the template.
> 
> After a successful outer map lookup, the verifier represents the
> resulting map pointer using the inner map template. Const-key lookup
> nullness elision consequently uses the template max_entries even though
> the runtime helper uses the concrete inner map max_entries.
> 
> Do not elide lookup result nullness for maps marked with BPF_F_INNER_MAP,
> because the template max_entries does not prove that the key is in bounds
> for the concrete runtime map.
> 
> Fixes: d2102f2f5d75 ("bpf: verifier: Support eliding map lookup nullness")
> Cc: stable@vger.kernel.org
> Signed-off-by: Nuiqi Gui <gnq25@mails.tsinghua.edu.cn>
> ---
>  kernel/bpf/verifier.c | 13 ++++++++-----
>  1 file changed, 8 insertions(+), 5 deletions(-)
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 7fb88e1cd7c4d..bffe12d0bb289 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -8471,7 +8471,7 @@ static int get_constant_map_key(struct bpf_verifier_env *env,
>  	return 0;
>  }
>  
> -static bool can_elide_value_nullness(enum bpf_map_type type);
> +static bool can_elide_value_nullness(const struct bpf_map *map);
>  
>  static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
>  			  struct bpf_call_arg_meta *meta,
> @@ -8621,7 +8621,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
>  		err = check_helper_mem_access(env, regno, key_size, BPF_READ, false, NULL);
>  		if (err)
>  			return err;
> -		if (can_elide_value_nullness(meta->map.ptr->map_type)) {
> +		if (can_elide_value_nullness(meta->map.ptr)) {
>  			err = get_constant_map_key(env, reg, key_size, &meta->const_map_key);
>  			if (err < 0) {
>  				meta->const_map_key = -1;
> @@ -10225,9 +10225,12 @@ static void update_loop_inline_state(struct bpf_verifier_env *env, u32 subprogno
>   * lookup return value nullness check. This is possible if the key
>   * is statically known.
>   */
> -static bool can_elide_value_nullness(enum bpf_map_type type)
> +static bool can_elide_value_nullness(const struct bpf_map *map)
>  {
> -	switch (type) {
> +	if (map->map_flags & BPF_F_INNER_MAP)
> +		return false;

One small nit: the can_elide_value_nullness() function comment appears
to be out of sync with the updated parameter.
Resending because somehow my mutt config got messed up with my other email address.

next prev parent reply	other threads:[~2026-06-04 18:35 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-04 15:11 [PATCH bpf 0/2] Keep dynamic inner array lookups nullable Nuiqi Gui
2026-06-04 15:11 ` [PATCH bpf 1/2] bpf: " Nuiqi Gui
2026-06-04 18:13   ` Magneto
2026-06-04 18:35   ` Suchit Karunakaran [this message]
2026-06-05  9:47   ` Eduard Zingerman
2026-06-04 15:11 ` [PATCH bpf 2/2] selftests/bpf: Cover dynamic inner array lookup nullability Nuiqi Gui
2026-06-05  9:48   ` Eduard Zingerman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=aiHFbuC-nCAf-QLh@archlinux \
    --to=magneto712003@gmail.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=dxu@dxuuu.xyz \
    --cc=eddyz87@gmail.com \
    --cc=gnq25@mails.tsinghua.edu.cn \
    --cc=john.fastabend@gmail.com \
    --cc=jolsa@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=martin.lau@linux.dev \
    --cc=memxor@gmail.com \
    --cc=song@kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=yonghong.song@linux.dev \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.