From: Qi Tang <tpluszz77@gmail.com>
Date: Tue, 7 Apr 2026 14:54:21 +0000 (+0800)
Subject: selftests/bpf: add test for nullable PTR_TO_BUF access
X-Git-Tag: v7.1-rc1~174^2~36
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a4985a1755ec9e5aa5cfb89468ba4b51546b5eeb;p=thirdparty%2Fkernel%2Flinux.git

selftests/bpf: add test for nullable PTR_TO_BUF access

Add iter_buf_null_fail with two tests and a test runner:
  - iter_buf_null_deref: verifier must reject direct dereference of
    ctx->key (PTR_TO_BUF | PTR_MAYBE_NULL) without a null check
  - iter_buf_null_check_ok: verifier must accept dereference after
    an explicit null check

Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Reviewed-by: Amery Hung <ameryhung@gmail.com>
Signed-off-by: Qi Tang <tpluszz77@gmail.com>
Link: https://lore.kernel.org/r/20260407145421.4315-1-tpluszz77@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
---

diff --git a/tools/testing/selftests/bpf/prog_tests/iter_buf_null_fail.c b/tools/testing/selftests/bpf/prog_tests/iter_buf_null_fail.c
new file mode 100644
index 0000000000000..ea97787b870d0
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/iter_buf_null_fail.c
@@ -0,0 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <test_progs.h>
+#include "iter_buf_null_fail.skel.h"
+
+void test_iter_buf_null_fail(void)
+{
+	RUN_TESTS(iter_buf_null_fail);
+}
diff --git a/tools/testing/selftests/bpf/progs/iter_buf_null_fail.c b/tools/testing/selftests/bpf/progs/iter_buf_null_fail.c
new file mode 100644
index 0000000000000..3daad40515e6a
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/iter_buf_null_fail.c
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2026 Qi Tang */
+
+#include <vmlinux.h>
+#include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
+
+char _license[] SEC("license") = "GPL";
+
+/* Verify that the verifier rejects direct access to nullable PTR_TO_BUF. */
+SEC("iter/bpf_map_elem")
+__failure __msg("invalid mem access")
+int iter_buf_null_deref(struct bpf_iter__bpf_map_elem *ctx)
+{
+	/*
+	 * ctx->key is PTR_TO_BUF | PTR_MAYBE_NULL | MEM_RDONLY.
+	 * Direct access without null check must be rejected.
+	 */
+	volatile __u32 v = *(__u32 *)ctx->key;
+
+	(void)v;
+	return 0;
+}
+
+/* Verify that access after a null check is still accepted. */
+SEC("iter/bpf_map_elem")
+__success
+int iter_buf_null_check_ok(struct bpf_iter__bpf_map_elem *ctx)
+{
+	__u32 *key = ctx->key;
+
+	if (!key)
+		return 0;
+
+	volatile __u32 v = *key;
+
+	(void)v;
+	return 0;
+}