Re: [PATCH v3 2/5] bpf/verifier: do not limit maximum direct offset into arena map

["Emil Tsalapatis" <emil@etsalapatis.com>]

On Mon Dec 15, 2025 at 3:19 PM EST, Eduard Zingerman wrote:
> On Mon, 2025-12-15 at 11:13 -0500, Emil Tsalapatis wrote:
>> The verifier currently limits direct offsets into a map to 512MiB
>> to avoid overflow during pointer arithmetic. However, this prevents
>> arena maps from using direct addressing instructions to access data
>> at the end of > 512MiB arena maps. This is necessary when moving
>> arena globals to the end of the arena instead of the front.
>> 
>> Refactor the verifier code to remove the offset calculation during
>> direct value access calculations. This is possible because the only
>> two map types that implement .map_direct_value_addr() are arrays and
>> arenas, and they both do their own internal checks to ensure the
>> offset is within bounds.
>
> Nit: instruction array map also implements it (bpf_insn_array.c).
>
>> 
>> Signed-off-by: Emil Tsalapatis <emil@etsalapatis.com>
>> ---
>
> I double checked implementations for all 3 map types and confirm that
> the above is correct. Also, I commented out the range checks in kernel
> implementations (as in the attached patch), and no tests seem to fail.
> Do we need to extend selftests?

I forgot to address a couple selftest errors from this patch in this version,
but after fixing them for v4 and applying the attached patch I am getting a
couple failures - direct map access tests #332, #334, #336, #337, #338, #345.
#332 (write test 7) is an unexpected load success, while the rest are about a 
mismatch in the error message. Maybe the test wasn't being marked as an 
unexpected success because I hadn't fixed it up?

>
> Acked-by: Eduard Zingerman <eddyz87@gmail.com>
 
I will omit the Acked-by tag in v4 because I changed the selftests - sorry for the 
after-the-fact changes.

> [...]