From: "Emil Tsalapatis" <emil@etsalapatis.com>
To: "Eduard Zingerman" <eddyz87@gmail.com>, <bpf@vger.kernel.org>
Cc: <andrii@kernel.org>, <ast@kernel.org>, <daniel@iogearbox.net>,
<john.fastabend@gmail.com>, <memxor@gmail.com>,
<yonghong.song@linux.dev>
Subject: Re: [PATCH v3 2/5] bpf/verifier: do not limit maximum direct offset into arena map
Date: Tue, 16 Dec 2025 16:48:12 -0500 [thread overview]
Message-ID: <DEZYZTVXVGIO.10E92BXV43Q2T@etsalapatis.com> (raw)
In-Reply-To: <4edb0de3c4eb13d276df8741c663e398ddde5708.camel@gmail.com>
On Tue Dec 16, 2025 at 3:13 PM EST, Eduard Zingerman wrote:
> On Tue, 2025-12-16 at 12:25 -0500, Emil Tsalapatis wrote:
>> On Mon Dec 15, 2025 at 3:19 PM EST, Eduard Zingerman wrote:
>> > On Mon, 2025-12-15 at 11:13 -0500, Emil Tsalapatis wrote:
>> > > The verifier currently limits direct offsets into a map to 512MiB
>> > > to avoid overflow during pointer arithmetic. However, this prevents
>> > > arena maps from using direct addressing instructions to access data
>> > > at the end of > 512MiB arena maps. This is necessary when moving
>> > > arena globals to the end of the arena instead of the front.
>> > >
>> > > Refactor the verifier code to remove the offset calculation during
>> > > direct value access calculations. This is possible because the only
>> > > two map types that implement .map_direct_value_addr() are arrays and
>> > > arenas, and they both do their own internal checks to ensure the
>> > > offset is within bounds.
>> >
>> > Nit: instruction array map also implements it (bpf_insn_array.c).
>> >
>> > >
>> > > Signed-off-by: Emil Tsalapatis <emil@etsalapatis.com>
>> > > ---
>> >
>> > I double checked implementations for all 3 map types and confirm that
>> > the above is correct. Also, I commented out the range checks in kernel
>> > implementations (as in the attached patch), and no tests seem to fail.
>> > Do we need to extend selftests?
>>
>> I forgot to address a couple selftest errors from this patch in this version,
>> but after fixing them for v4 and applying the attached patch I am getting a
>> couple failures - direct map access tests #332, #334, #336, #337, #338, #345.
>
> Uh-oh, sorry, I forgot about test_verifier binary.
>
>> #332 (write test 7) is an unexpected load success, while the rest are about a
>> mismatch in the error message. Maybe the test wasn't being marked as an
>> unexpected success because I hadn't fixed it up?
>
> For me it shows:
>
> #332/p direct map access, write test 7 FAIL
> Unexpected verifier log!
> EXP: direct value offset of 4294967295 is not allowed
> RES:
> FAIL
> Unexpected error message!
> EXP: direct value offset of 4294967295 is not allowed
> RES: invalid access to map value pointer, value_size=48 off=4294967295
>
> So, seem to be an expected behavior given your changes?
Yes, for v3 this was the expected behavior: The tests used to trigger
the old error msg (in EXP), but even after removing it they fail
because the map isn't actually large enough to support the value
offset offset of the tests ((-1) and (1UL << 29) for tests 7 and
12). The RES output is from the .map_direct_value_addr() method
doing bounds checking and rejecting the out-of-bounds offset.
next prev parent reply other threads:[~2025-12-16 21:48 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-12-15 16:13 [PATCH v3 0/5] libbpf: move arena variables out of the zero page Emil Tsalapatis
2025-12-15 16:13 ` [PATCH v3 1/5] selftests/bpf: explicitly account for globals in verifier_arena_large Emil Tsalapatis
2025-12-15 16:13 ` [PATCH v3 2/5] bpf/verifier: do not limit maximum direct offset into arena map Emil Tsalapatis
2025-12-15 20:19 ` Eduard Zingerman
2025-12-16 17:25 ` Emil Tsalapatis
2025-12-16 20:13 ` Eduard Zingerman
2025-12-16 21:48 ` Emil Tsalapatis [this message]
2025-12-15 16:13 ` [PATCH v3 3/5] libbpf: turn relo_core->sym_off unsigned Emil Tsalapatis
2025-12-15 16:37 ` bot+bpf-ci
2025-12-15 17:08 ` Emil Tsalapatis
2025-12-15 20:05 ` Eduard Zingerman
2025-12-15 16:13 ` [PATCH v3 4/5] libbpf: move arena globals to the end of the arena Emil Tsalapatis
2025-12-15 21:12 ` Eduard Zingerman
2025-12-15 16:13 ` [PATCH v3 5/5] selftests/bpf: add tests for the arena offset of globals Emil Tsalapatis
2025-12-15 21:26 ` Eduard Zingerman
2025-12-16 2:28 ` Emil Tsalapatis
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DEZYZTVXVGIO.10E92BXV43Q2T@etsalapatis.com \
--to=emil@etsalapatis.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=john.fastabend@gmail.com \
--cc=memxor@gmail.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox