1. Patchew
  2. linux
  3. View series

[PATCH bpf-next v2] selftests/bpf: Add arena direct-value one-past-end reject test

Woojin Ji posted 1 patch 3 days, 15 hours ago 
.../selftests/bpf/prog_tests/arena_direct_value.c  | 73 ++++++++++++++++++++++
1 file changed, 73 insertions(+)
[PATCH bpf-next v2] selftests/bpf: Add arena direct-value one-past-end reject test
Posted by Woojin Ji 3 days, 15 hours ago 
BPF_MAP_TYPE_ARENA supports direct-value pseudo loads, but unlike array
maps its map value_size is zero and the valid direct-value range is the
arena mmap size, max_entries * PAGE_SIZE.

Commit 3ac1a467e376 ("bpf: Fix off-by-one boundary validation in arena
direct-value access") fixed arena_map_direct_value_addr() to reject an
offset exactly at the end of the arena mapping. Add a regression test
that loads a BPF_PSEUDO_MAP_VALUE with off == arena_size and verifies
that the verifier rejects it with the expected offset in the log.

This is awkward to express as a verifier_arena.c failure program. For
arena globals, libbpf handles the relocation as RELO_DATA and sets
BPF_PSEUDO_MAP_VALUE from that relocation. The second ldimm64 slot is
derived from the arena-relative symbol offset, so a C-level __arena
global cannot make that immediate equal to arena_size without placing a
global one past the end of the arena.

Use a userspace raw-instruction test instead, following the existing
selftests pattern used for direct map-value pseudo loads, so insns[1].imm
can be set to arena_size precisely.

Assisted-by: ChatGPT:gpt-5.5
Signed-off-by: Woojin Ji <random6.xyz@gmail.com>
Cc: Emil Tsalapatis <emil@etsalapatis.com>
Cc: Junyoung Jang <graypanda.inzag@gmail.com>
---
Changes in v2:
- Explain why this uses a userspace raw-instruction test rather than a
  verifier_arena.c failure program: the test must set the second
  BPF_PSEUDO_MAP_VALUE ldimm64 immediate to arena_size exactly. For
  arena globals, libbpf derives that immediate from the arena-relative
  symbol offset, so the boundary value cannot be represented directly as
  a verifier_arena.c C-level failure program.
- Link to v1: https://patch.msgid.link/20260603-arena-direct-value-v1-v1-1-7b31cc0a8cac@gmail.com

Tested on x86_64 with tools/testing/selftests/bpf/vmtest.sh:
  $ ./test_progs -t arena_direct_value
  #2/1     arena_direct_value/one_past_end:OK
  #2       arena_direct_value:OK
  Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED
---
 .../selftests/bpf/prog_tests/arena_direct_value.c  | 73 ++++++++++++++++++++++
 1 file changed, 73 insertions(+)

diff --git a/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c b/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c
new file mode 100644
index 000000000000..b7760b021670
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c
@@ -0,0 +1,73 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <test_progs.h>
+#include <bpf/bpf.h>
+#include <errno.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+#define ARENA_PAGES 32
+
+static void test_arena_direct_value_one_past_end(void)
+{
+	char log_buf[16384] = {}, expected[128];
+	__u32 arena_sz = ARENA_PAGES * getpagesize();
+	struct bpf_insn insns[] = {
+		BPF_LD_IMM64_RAW(BPF_REG_1, BPF_PSEUDO_MAP_VALUE, 0),
+		BPF_MOV64_IMM(BPF_REG_0, 0),
+		BPF_EXIT_INSN(),
+	};
+	LIBBPF_OPTS(bpf_map_create_opts, map_opts);
+	LIBBPF_OPTS(bpf_prog_load_opts, prog_opts);
+	void *arena = MAP_FAILED;
+	int map_fd, prog_fd;
+
+	map_opts.map_flags = BPF_F_MMAPABLE;
+	prog_opts.log_buf = log_buf;
+	prog_opts.log_size = sizeof(log_buf);
+	prog_opts.log_level = 1;
+
+	map_fd = bpf_map_create(BPF_MAP_TYPE_ARENA, "arena_direct_value",
+				0, 0, ARENA_PAGES, &map_opts);
+	if (map_fd < 0) {
+		if (errno == EOPNOTSUPP || errno == EINVAL) {
+			test__skip();
+			return;
+		}
+		ASSERT_GE(map_fd, 0, "bpf_map_create");
+		return;
+	}
+
+	arena = mmap(NULL, arena_sz, PROT_READ | PROT_WRITE, MAP_SHARED, map_fd, 0);
+	if (!ASSERT_NEQ(arena, MAP_FAILED, "arena_mmap"))
+		goto cleanup;
+
+	insns[0].imm = map_fd;
+	insns[1].imm = arena_sz;
+
+	prog_fd = bpf_prog_load(BPF_PROG_TYPE_RAW_TRACEPOINT,
+				"arena_direct_value", "GPL", insns,
+				ARRAY_SIZE(insns), &prog_opts);
+	if (!ASSERT_LT(prog_fd, 0, "prog_load")) {
+		if (prog_fd >= 0)
+			close(prog_fd);
+		prog_fd = -1;
+		goto cleanup;
+	}
+
+	snprintf(expected, sizeof(expected),
+		 "invalid access to map value pointer, value_size=0 off=%u",
+		 arena_sz);
+	ASSERT_HAS_SUBSTR(log_buf, expected, "verifier_log");
+
+cleanup:
+	if (arena != MAP_FAILED)
+		munmap(arena, arena_sz);
+	close(map_fd);
+}
+
+void test_arena_direct_value(void)
+{
+	if (test__start_subtest("one_past_end"))
+		test_arena_direct_value_one_past_end();
+}

---
base-commit: ba3e43a9e601636f5edb54e259a74f96ca3b8fd8
change-id: 20260603-arena-direct-value-v1-ef4df857b98b

Best regards,
--  
Woojin Ji <random6.xyz@gmail.com>
Re: [PATCH bpf-next v2] selftests/bpf: Add arena direct-value one-past-end reject test
Posted by bot+bpf-ci@kernel.org 3 days, 14 hours ago 
> commit fe93bf61d92a97b713eb292a1ccbae1cef5b23f1
> Author: Woojin Ji <random6.xyz@gmail.com>
> Date:   Fri Jun 5 00:23:42 2026 +0900
>
>     selftests/bpf: Add arena direct-value one-past-end reject test
>
>     BPF_MAP_TYPE_ARENA supports direct-value pseudo loads, but unlike array
>     maps its map value_size is zero and the valid direct-value range is the
>     arena mmap size, max_entries * PAGE_SIZE.
>
>     Commit 3ac1a467e376 ("bpf: Fix off-by-one boundary validation in arena
>     direct-value access") fixed arena_map_direct_value_addr() to reject an
>     offset exactly at the end of the arena mapping. Add a regression test
>     that loads a BPF_PSEUDO_MAP_VALUE with off == arena_size and verifies
>     that the verifier rejects it with the expected offset in the log.
>
>     This is awkward to express as a verifier_arena.c failure program. For
>     arena globals, libbpf handles the relocation as RELO_DATA and sets
>     BPF_PSEUDO_MAP_VALUE from that relocation. The second ldimm64 slot is
>     derived from the arena-relative symbol offset, so a C-level __arena
>     global cannot make that immediate equal to arena_size without placing a
>     global one past the end of the arena.
>
>     Use a userspace raw-instruction test instead, following the existing
>     selftests pattern used for direct map-value pseudo loads, so insns[1].imm
>     can be set to arena_size precisely.

Emil Tsalapatis suggested using inline assembly in the BPF C file
(verifier_arena.c) instead of creating a userspace raw-instruction test.
The commit message explains why the userspace approach was chosen, but
could inline assembly address the limitation with libbpf relocations?

Reference: https://lore.kernel.org/bpf/DJ0DRM980L8V.3MR51HBLAVAEP@etsalapatis.com/
"Can't we still use inline assembly in the BPF C file to do so? I don't
see why not." - Emil Tsalapatis, Thu, 04 Jun 2026 11:46:39 -0400

>
>     Assisted-by: ChatGPT:gpt-5.5
>     Signed-off-by: Woojin Ji <random6.xyz@gmail.com>
>     Cc: Emil Tsalapatis <emil@etsalapatis.com>
>     Cc: Junyoung Jang <graypanda.inzag@gmail.com>

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/26962723906

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.