selftests/bpf: Add arena direct-value one-past-end reject test

BPF_MAP_TYPE_ARENA supports direct-value pseudo loads, but unlike array
maps its map value_size is zero and the valid direct-value range is the
arena mmap size, max_entries * PAGE_SIZE.

Commit 3ac1a467e376 ("bpf: Fix off-by-one boundary validation in arena
direct-value access") fixed arena_map_direct_value_addr() to reject an
offset exactly at the end of the arena mapping. Add a regression test
that loads a BPF_PSEUDO_MAP_VALUE with off == arena_size and verifies
that the verifier rejects it with the expected offset in the log.

This is intentionally kept as a userspace raw-instruction test. I tried
expressing the same BPF_PSEUDO_MAP_VALUE + off == arena_size case in
verifier_arena.c with inline assembly. The only form that produces the
desired instruction bytes uses __imm_addr(arena), but that emits
R_BPF_64_NODYLD32, which the libbpf/bpftool link step rejects. Other
register, immediate, and memory constraints either fail in the BPF
backend or lower to a normal R_BPF_64_64 load followed by an ALU add,
which does not exercise arena_map_direct_value_addr() with the boundary
offset in the second ldimm64 slot.

A legacy test_verifier fixture can express the raw instruction directly,
but it needs arena map creation, mmap, and fixup plumbing in the legacy
runner. That is more intrusive than the small prog_tests raw-instruction
test.

Use the userspace raw-instruction test, following the existing selftests
pattern used for direct map-value pseudo loads, so insns[1].imm can be
set to arena_size precisely.

Assisted-by: ChatGPT:gpt-5.5
Signed-off-by: Woojin Ji <random6.xyz@gmail.com>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Cc: Emil Tsalapatis <emil@etsalapatis.com>
Cc: Junyoung Jang <graypanda.inzag@gmail.com>
Link: https://lore.kernel.org/r/20260612-arena-direct-value-v1-v4-1-b81b642f5277@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c b/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c
new file mode 100644 (file)
index 0000000..4b4adb3
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c
@@ -0,0 +1,73 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <test_progs.h>
+#include <bpf/bpf.h>
+#include <errno.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+#define ARENA_PAGES 32
+
+static char log_buf[16384];
+
+static void test_arena_direct_value_one_past_end(void)
+{
+       char expected[128];
+       __u32 arena_sz = ARENA_PAGES * getpagesize();
+       struct bpf_insn insns[] = {
+               BPF_LD_IMM64_RAW(BPF_REG_1, BPF_PSEUDO_MAP_VALUE, 0),
+               BPF_MOV64_IMM(BPF_REG_0, 0),
+               BPF_EXIT_INSN(),
+       };
+       LIBBPF_OPTS(bpf_map_create_opts, map_opts);
+       LIBBPF_OPTS(bpf_prog_load_opts, prog_opts);
+       void *arena;
+       int map_fd, prog_fd;
+
+       map_opts.map_flags = BPF_F_MMAPABLE;
+       prog_opts.log_buf = log_buf;
+       prog_opts.log_size = sizeof(log_buf);
+       prog_opts.log_level = 1;
+
+       map_fd = bpf_map_create(BPF_MAP_TYPE_ARENA, "arena_direct_value",
+                               0, 0, ARENA_PAGES, &map_opts);
+       if (map_fd < 0) {
+               if (errno == EOPNOTSUPP) {
+                       test__skip();
+                       return;
+               }
+               ASSERT_GE(map_fd, 0, "bpf_map_create");
+               return;
+       }
+
+       arena = mmap(NULL, arena_sz, PROT_READ | PROT_WRITE, MAP_SHARED, map_fd, 0);
+       if (!ASSERT_NEQ(arena, MAP_FAILED, "arena_mmap"))
+               goto cleanup;
+
+       insns[0].imm = map_fd;
+       insns[1].imm = arena_sz;
+
+       prog_fd = bpf_prog_load(BPF_PROG_TYPE_RAW_TRACEPOINT,
+                               "arena_direct_value", "GPL", insns,
+                               ARRAY_SIZE(insns), &prog_opts);
+       if (!ASSERT_LT(prog_fd, 0, "prog_load")) {
+               close(prog_fd);
+               goto cleanup;
+       }
+
+       snprintf(expected, sizeof(expected),
+                "invalid access to map value pointer, value_size=0 off=%u",
+                arena_sz);
+       ASSERT_HAS_SUBSTR(log_buf, expected, "verifier_log");
+
+cleanup:
+       if (arena != MAP_FAILED)
+               munmap(arena, arena_sz);
+       close(map_fd);
+}
+
+void test_arena_direct_value(void)
+{
+       if (test__start_subtest("one_past_end"))
+               test_arena_direct_value_one_past_end();
+}