From: Woojin Ji Date: Fri, 12 Jun 2026 05:26:55 +0000 (+0900) Subject: selftests/bpf: Add arena direct-value one-past-end reject test X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7bfb93e3475be9de894f1cecd3a727d3e1649b03;p=thirdparty%2Flinux.git selftests/bpf: Add arena direct-value one-past-end reject test BPF_MAP_TYPE_ARENA supports direct-value pseudo loads, but unlike array maps its map value_size is zero and the valid direct-value range is the arena mmap size, max_entries * PAGE_SIZE. Commit 3ac1a467e376 ("bpf: Fix off-by-one boundary validation in arena direct-value access") fixed arena_map_direct_value_addr() to reject an offset exactly at the end of the arena mapping. Add a regression test that loads a BPF_PSEUDO_MAP_VALUE with off == arena_size and verifies that the verifier rejects it with the expected offset in the log. This is intentionally kept as a userspace raw-instruction test. I tried expressing the same BPF_PSEUDO_MAP_VALUE + off == arena_size case in verifier_arena.c with inline assembly. The only form that produces the desired instruction bytes uses __imm_addr(arena), but that emits R_BPF_64_NODYLD32, which the libbpf/bpftool link step rejects. Other register, immediate, and memory constraints either fail in the BPF backend or lower to a normal R_BPF_64_64 load followed by an ALU add, which does not exercise arena_map_direct_value_addr() with the boundary offset in the second ldimm64 slot. A legacy test_verifier fixture can express the raw instruction directly, but it needs arena map creation, mmap, and fixup plumbing in the legacy runner. That is more intrusive than the small prog_tests raw-instruction test. Use the userspace raw-instruction test, following the existing selftests pattern used for direct map-value pseudo loads, so insns[1].imm can be set to arena_size precisely. Assisted-by: ChatGPT:gpt-5.5 Signed-off-by: Woojin Ji Reviewed-by: Emil Tsalapatis Cc: Emil Tsalapatis Cc: Junyoung Jang Link: https://lore.kernel.org/r/20260612-arena-direct-value-v1-v4-1-b81b642f5277@gmail.com Signed-off-by: Alexei Starovoitov --- diff --git a/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c b/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c new file mode 100644 index 000000000000..4b4adb3f4b71 --- /dev/null +++ b/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c @@ -0,0 +1,73 @@ +// SPDX-License-Identifier: GPL-2.0 + +#include +#include +#include +#include +#include + +#define ARENA_PAGES 32 + +static char log_buf[16384]; + +static void test_arena_direct_value_one_past_end(void) +{ + char expected[128]; + __u32 arena_sz = ARENA_PAGES * getpagesize(); + struct bpf_insn insns[] = { + BPF_LD_IMM64_RAW(BPF_REG_1, BPF_PSEUDO_MAP_VALUE, 0), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }; + LIBBPF_OPTS(bpf_map_create_opts, map_opts); + LIBBPF_OPTS(bpf_prog_load_opts, prog_opts); + void *arena; + int map_fd, prog_fd; + + map_opts.map_flags = BPF_F_MMAPABLE; + prog_opts.log_buf = log_buf; + prog_opts.log_size = sizeof(log_buf); + prog_opts.log_level = 1; + + map_fd = bpf_map_create(BPF_MAP_TYPE_ARENA, "arena_direct_value", + 0, 0, ARENA_PAGES, &map_opts); + if (map_fd < 0) { + if (errno == EOPNOTSUPP) { + test__skip(); + return; + } + ASSERT_GE(map_fd, 0, "bpf_map_create"); + return; + } + + arena = mmap(NULL, arena_sz, PROT_READ | PROT_WRITE, MAP_SHARED, map_fd, 0); + if (!ASSERT_NEQ(arena, MAP_FAILED, "arena_mmap")) + goto cleanup; + + insns[0].imm = map_fd; + insns[1].imm = arena_sz; + + prog_fd = bpf_prog_load(BPF_PROG_TYPE_RAW_TRACEPOINT, + "arena_direct_value", "GPL", insns, + ARRAY_SIZE(insns), &prog_opts); + if (!ASSERT_LT(prog_fd, 0, "prog_load")) { + close(prog_fd); + goto cleanup; + } + + snprintf(expected, sizeof(expected), + "invalid access to map value pointer, value_size=0 off=%u", + arena_sz); + ASSERT_HAS_SUBSTR(log_buf, expected, "verifier_log"); + +cleanup: + if (arena != MAP_FAILED) + munmap(arena, arena_sz); + close(map_fd); +} + +void test_arena_direct_value(void) +{ + if (test__start_subtest("one_past_end")) + test_arena_direct_value_one_past_end(); +}