1. Patchew
  2. linux
  3. View series

[PATCH bpf-next] selftests/bpf: Add arena direct-value one-past-end reject test

Woojin Ji posted 1 patch 4 days, 18 hours ago
There is a newer version of this series
.../selftests/bpf/prog_tests/arena_direct_value.c  | 73 ++++++++++++++++++++++
1 file changed, 73 insertions(+)
[PATCH bpf-next] selftests/bpf: Add arena direct-value one-past-end reject test
Posted by Woojin Ji 4 days, 18 hours ago 
BPF_MAP_TYPE_ARENA supports direct-value pseudo loads, but unlike array
maps its map value_size is zero and the valid direct-value range is the
arena mmap size, max_entries * PAGE_SIZE.

Commit 3ac1a467e376 ("bpf: Fix off-by-one boundary validation in arena
direct-value access") fixed arena_map_direct_value_addr() to reject an
offset exactly at the end of the arena mapping. Add a regression test
that loads a BPF_PSEUDO_MAP_VALUE with off == arena_size and verifies
that the verifier rejects it with the expected offset in the log.

Unlike __arena global relocation, where insn[1].imm depends on
compiler/layout, this raw instruction directly drives
map_direct_value_addr(map, &addr, off) with off == arena_size, so the
boundary check is exercised directly.

Assisted-by: ChatGPT:gpt-5.5
Signed-off-by: Woojin Ji <random6.xyz@gmail.com>
---
Tested with a reduced test_progs runner because the local source/output
combination has unrelated build failures in progs/bpf_cubic.c and
test_kmods/bpf_testmod.ko, so the stock full test_progs binary is not
produced.

Before fix, on host Arch kernel 7.0.10-arch1-1:
  arena_direct_value/one_past_end: FAIL, prog_load returned fd 5

After fix, on QEMU guest 7.1.0-rc6-00063-gba3e43a9e601:
  #1/1     arena_direct_value/one_past_end:OK
  #1       arena_direct_value:OK
  Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED
---
 .../selftests/bpf/prog_tests/arena_direct_value.c  | 73 ++++++++++++++++++++++
 1 file changed, 73 insertions(+)

diff --git a/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c b/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c
new file mode 100644
index 000000000000..b7760b021670
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c
@@ -0,0 +1,73 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <test_progs.h>
+#include <bpf/bpf.h>
+#include <errno.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+#define ARENA_PAGES 32
+
+static void test_arena_direct_value_one_past_end(void)
+{
+	char log_buf[16384] = {}, expected[128];
+	__u32 arena_sz = ARENA_PAGES * getpagesize();
+	struct bpf_insn insns[] = {
+		BPF_LD_IMM64_RAW(BPF_REG_1, BPF_PSEUDO_MAP_VALUE, 0),
+		BPF_MOV64_IMM(BPF_REG_0, 0),
+		BPF_EXIT_INSN(),
+	};
+	LIBBPF_OPTS(bpf_map_create_opts, map_opts);
+	LIBBPF_OPTS(bpf_prog_load_opts, prog_opts);
+	void *arena = MAP_FAILED;
+	int map_fd, prog_fd;
+
+	map_opts.map_flags = BPF_F_MMAPABLE;
+	prog_opts.log_buf = log_buf;
+	prog_opts.log_size = sizeof(log_buf);
+	prog_opts.log_level = 1;
+
+	map_fd = bpf_map_create(BPF_MAP_TYPE_ARENA, "arena_direct_value",
+				0, 0, ARENA_PAGES, &map_opts);
+	if (map_fd < 0) {
+		if (errno == EOPNOTSUPP || errno == EINVAL) {
+			test__skip();
+			return;
+		}
+		ASSERT_GE(map_fd, 0, "bpf_map_create");
+		return;
+	}
+
+	arena = mmap(NULL, arena_sz, PROT_READ | PROT_WRITE, MAP_SHARED, map_fd, 0);
+	if (!ASSERT_NEQ(arena, MAP_FAILED, "arena_mmap"))
+		goto cleanup;
+
+	insns[0].imm = map_fd;
+	insns[1].imm = arena_sz;
+
+	prog_fd = bpf_prog_load(BPF_PROG_TYPE_RAW_TRACEPOINT,
+				"arena_direct_value", "GPL", insns,
+				ARRAY_SIZE(insns), &prog_opts);
+	if (!ASSERT_LT(prog_fd, 0, "prog_load")) {
+		if (prog_fd >= 0)
+			close(prog_fd);
+		prog_fd = -1;
+		goto cleanup;
+	}
+
+	snprintf(expected, sizeof(expected),
+		 "invalid access to map value pointer, value_size=0 off=%u",
+		 arena_sz);
+	ASSERT_HAS_SUBSTR(log_buf, expected, "verifier_log");
+
+cleanup:
+	if (arena != MAP_FAILED)
+		munmap(arena, arena_sz);
+	close(map_fd);
+}
+
+void test_arena_direct_value(void)
+{
+	if (test__start_subtest("one_past_end"))
+		test_arena_direct_value_one_past_end();
+}

---
base-commit: ba3e43a9e601636f5edb54e259a74f96ca3b8fd8
change-id: 20260603-arena-direct-value-v1-ef4df857b98b

Best regards,
--  
Woojin Ji <random6.xyz@gmail.com>
Re: [PATCH bpf-next] selftests/bpf: Add arena direct-value one-past-end reject test
Posted by Emil Tsalapatis 4 days, 14 hours ago 
On Wed Jun 3, 2026 at 8:09 AM EDT, Woojin Ji wrote:
> BPF_MAP_TYPE_ARENA supports direct-value pseudo loads, but unlike array
> maps its map value_size is zero and the valid direct-value range is the
> arena mmap size, max_entries * PAGE_SIZE.
>
> Commit 3ac1a467e376 ("bpf: Fix off-by-one boundary validation in arena
> direct-value access") fixed arena_map_direct_value_addr() to reject an
> offset exactly at the end of the arena mapping. Add a regression test
> that loads a BPF_PSEUDO_MAP_VALUE with off == arena_size and verifies
> that the verifier rejects it with the expected offset in the log.
>
> Unlike __arena global relocation, where insn[1].imm depends on
> compiler/layout, this raw instruction directly drives
> map_direct_value_addr(map, &addr, off) with off == arena_size, so the
> boundary check is exercised directly.
>
> Assisted-by: ChatGPT:gpt-5.5
> Signed-off-by: Woojin Ji <random6.xyz@gmail.com>
> ---

Makes sense to add this, but I don't see why this isn't a single test
program in verifier_arena.c and requires a whole new userspace test.

> Tested with a reduced test_progs runner because the local source/output
> combination has unrelated build failures in progs/bpf_cubic.c and
> test_kmods/bpf_testmod.ko, so the stock full test_progs binary is not
> produced.
>
> Before fix, on host Arch kernel 7.0.10-arch1-1:
>   arena_direct_value/one_past_end: FAIL, prog_load returned fd 5
>
> After fix, on QEMU guest 7.1.0-rc6-00063-gba3e43a9e601:
>   #1/1     arena_direct_value/one_past_end:OK
>   #1       arena_direct_value:OK
>   Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED
> ---
>  .../selftests/bpf/prog_tests/arena_direct_value.c  | 73 ++++++++++++++++++++++
>  1 file changed, 73 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c b/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c
> new file mode 100644
> index 000000000000..b7760b021670
> --- /dev/null
> +++ b/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c
> @@ -0,0 +1,73 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +#include <test_progs.h>
> +#include <bpf/bpf.h>
> +#include <errno.h>
> +#include <sys/mman.h>
> +#include <unistd.h>
> +
> +#define ARENA_PAGES 32
> +
> +static void test_arena_direct_value_one_past_end(void)
> +{
> +	char log_buf[16384] = {}, expected[128];
> +	__u32 arena_sz = ARENA_PAGES * getpagesize();
> +	struct bpf_insn insns[] = {
> +		BPF_LD_IMM64_RAW(BPF_REG_1, BPF_PSEUDO_MAP_VALUE, 0),
> +		BPF_MOV64_IMM(BPF_REG_0, 0),
> +		BPF_EXIT_INSN(),
> +	};
> +	LIBBPF_OPTS(bpf_map_create_opts, map_opts);
> +	LIBBPF_OPTS(bpf_prog_load_opts, prog_opts);
> +	void *arena = MAP_FAILED;
> +	int map_fd, prog_fd;
> +
> +	map_opts.map_flags = BPF_F_MMAPABLE;
> +	prog_opts.log_buf = log_buf;
> +	prog_opts.log_size = sizeof(log_buf);
> +	prog_opts.log_level = 1;
> +
> +	map_fd = bpf_map_create(BPF_MAP_TYPE_ARENA, "arena_direct_value",
> +				0, 0, ARENA_PAGES, &map_opts);
> +	if (map_fd < 0) {
> +		if (errno == EOPNOTSUPP || errno == EINVAL) {
> +			test__skip();
> +			return;
> +		}
> +		ASSERT_GE(map_fd, 0, "bpf_map_create");
> +		return;
> +	}
> +
> +	arena = mmap(NULL, arena_sz, PROT_READ | PROT_WRITE, MAP_SHARED, map_fd, 0);
> +	if (!ASSERT_NEQ(arena, MAP_FAILED, "arena_mmap"))
> +		goto cleanup;
> +
> +	insns[0].imm = map_fd;
> +	insns[1].imm = arena_sz;
> +
> +	prog_fd = bpf_prog_load(BPF_PROG_TYPE_RAW_TRACEPOINT,
> +				"arena_direct_value", "GPL", insns,
> +				ARRAY_SIZE(insns), &prog_opts);
> +	if (!ASSERT_LT(prog_fd, 0, "prog_load")) {
> +		if (prog_fd >= 0)
> +			close(prog_fd);
> +		prog_fd = -1;
> +		goto cleanup;
> +	}
> +
> +	snprintf(expected, sizeof(expected),
> +		 "invalid access to map value pointer, value_size=0 off=%u",
> +		 arena_sz);
> +	ASSERT_HAS_SUBSTR(log_buf, expected, "verifier_log");
> +
> +cleanup:
> +	if (arena != MAP_FAILED)
> +		munmap(arena, arena_sz);
> +	close(map_fd);
> +}
> +
> +void test_arena_direct_value(void)
> +{
> +	if (test__start_subtest("one_past_end"))
> +		test_arena_direct_value_one_past_end();
> +}
>
> ---
> base-commit: ba3e43a9e601636f5edb54e259a74f96ca3b8fd8
> change-id: 20260603-arena-direct-value-v1-ef4df857b98b
>
> Best regards,
> --  
> Woojin Ji <random6.xyz@gmail.com>
Re: [PATCH bpf-next] selftests/bpf: Add arena direct-value one-past-end reject test
Posted by Woojin Ji 3 days, 15 hours ago 
Thanks for the review.

I tried moving this into verifier_arena.c, but this test needs to set the
second BPF_PSEUDO_MAP_VALUE ldimm64 immediate to arena_size exactly. The
__arena C forms I checked materialize the arena-end offset as a separate ALU
add or memory access offset instead, so they do not exercise
arena_map_direct_value_addr() with off == arena_size.

So v2 keeps the userspace raw-instruction test and expands the commit message
to explain why it is needed.

v2: https://lore.kernel.org/all/20260605-arena-direct-value-v1-v2-1-a92cb281e376@gmail.com/
Re: [PATCH bpf-next] selftests/bpf: Add arena direct-value one-past-end reject test
Posted by Emil Tsalapatis 3 days, 14 hours ago 
On Thu Jun 4, 2026 at 11:37 AM EDT, Woojin Ji wrote:
> Thanks for the review.
>
> I tried moving this into verifier_arena.c, but this test needs to set the
> second BPF_PSEUDO_MAP_VALUE ldimm64 immediate to arena_size exactly. The
> __arena C forms I checked materialize the arena-end offset as a separate ALU
> add or memory access offset instead, so they do not exercise
> arena_map_direct_value_addr() with off == arena_size.
>
> So v2 keeps the userspace raw-instruction test and expands the commit message
> to explain why it is needed.

This sounds like the problem is that we can't really get BPF C to be
compiled down to problematic code. Can't we still use inline assembly
in the BPF C file to do so? I don't see why not.

>
> v2: https://lore.kernel.org/all/20260605-arena-direct-value-v1-v2-1-a92cb281e376@gmail.com/
Re: [PATCH bpf-next] selftests/bpf: Add arena direct-value one-past-end reject test
Posted by Woojin Ji 2 days, 21 hours ago 
Thanks, I dug into the inline assembly route more.

A hand-encoded BPF_PSEUDO_MAP_VALUE ldimm64 in verifier_arena.c can produce
the right instruction bytes only with __imm_addr(arena), but that emits
R_BPF_64_NODYLD32. The selftests libbpf/bpftool link step rejects that
relocation type.

I also tried register, immediate, and memory constraints with raw bytes. Those
either fail in the BPF backend address matching or NOP padding path, or lower
to a normal R_BPF_64_64 load followed by an ALU add. The latter does not
exercise arena_map_direct_value_addr() with off == arena_size; it tests a
later ALU-add path instead.

I also checked the legacy test_verifier route. It can express the raw insn
directly, but it requires adding arena-specific map creation and mmap fixup
plumbing to the legacy runner. That seems more intrusive and less aligned with
new selftests than the small prog_tests raw-instruction test.

So my current preference is still to keep the userspace raw-instruction test.
If that sounds reasonable, I can send v3 with this rationale added to the
commit message/changelog.

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.