[PATCH bpf v2 0/2] Keep dynamic inner array lookups nullable

Nuoqi Gui posted 2 patches 13 hours ago
An ARRAY_OF_MAPS can use an array created with BPF_F_INNER_MAP as its
inner map template. The flag allows a concrete inner array with a
different max_entries value to replace the template.

The verifier currently uses the template's max_entries to elide
nullness for a constant-key lookup through the inner map pointer. At
runtime, the lookup uses the concrete inner array's max_entries instead.
The verifier can therefore accept an unchecked dereference even though
the runtime helper returns NULL.

Patch 1 keeps lookups through BPF_F_INNER_MAP array templates nullable.
Patch 2 adds a verifier regression test for the unchecked dereference.

Before the fix, the regression program is accepted and the runtime
reproducer triggers a NULL dereference. With the fix, both programs are
rejected with an invalid map_value_or_null access.

Tested by compiling kernel/bpf/verifier.o and
verifier_map_in_map.bpf.o, and by running the regression program and
runtime reproducer in QEMU before and after the fix.

Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
v1->v2:
- Update the can_elide_value_nullness() comment to match the changed
  parameter (const struct bpf_map *map).

v1: https://patch.msgid.link/20260604151153.2488051-1-gnq25@mails.tsinghua.edu.cn

To: Alexei Starovoitov <ast@kernel.org>
To: Daniel Borkmann <daniel@iogearbox.net>
To: Andrii Nakryiko <andrii@kernel.org>
Cc: Daniel Xu <dxu@dxuuu.xyz>
Cc: Eduard Zingerman <eddyz87@gmail.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Martin KaFai Lau <martin.lau@linux.dev>
Cc: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Cc: Song Liu <song@kernel.org>
Cc: Yonghong Song <yonghong.song@linux.dev>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Ihor Solodrai <isolodrai@meta.com>
Cc: bpf@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: linux-kselftest@vger.kernel.org

---
Nuoqi Gui (2):
      bpf: Keep dynamic inner array lookups nullable
      selftests/bpf: Cover dynamic inner array lookup nullability

 kernel/bpf/verifier.c                              | 15 ++++----
 .../selftests/bpf/progs/verifier_map_in_map.c      | 40 ++++++++++++++++++++++
 2 files changed, 49 insertions(+), 6 deletions(-)
---
base-commit: e7ae89a0c97ce2b68b0983cd01eda67cf373517d
change-id: 20260606-f01-v2-324fb92185a2

Best regards,
--  
Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
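As an added illustration, not part of the patch series or the kernel source, the user-space C model below mirrors the reasoning in the cover letter: the verifier elides the NULL check on an array lookup when the key is a constant below the map's max_entries, but for an inner map reached through an ARRAY_OF_MAPS the only max_entries it can see is the template's, and a concrete inner array created with BPF_F_INNER_MAP may be smaller. The map sizes (template 8 entries, concrete inner array 2 entries), the constant key 4, the function names and the `fixed` toggle are all assumptions of this model; the kernel's own can_elide_value_nullness() and array_map_lookup_elem() are not reproduced here, only their documented behaviour for this case.

```c
/* User-space model of the nullness-elision bug described in the cover letter.
 * Added example: this is not kernel code and does not load any BPF program. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#ifndef BPF_F_INNER_MAP
#define BPF_F_INNER_MAP (1U << 12)   /* same value as uapi/linux/bpf.h */
#endif

enum map_type { MAP_ARRAY, MAP_ARRAY_OF_MAPS };

struct map {
    enum map_type type;
    uint32_t max_entries;
    uint32_t map_flags;
};

enum outcome { OUTCOME_OK, OUTCOME_VERIFIER_REJECT, OUTCOME_RUNTIME_NULL_DEREF };

/* Verifier side (model): may the NULL check on a lookup result be skipped?
 * Only for arrays with a constant, in-bounds key. With `fixed`, a map carrying
 * BPF_F_INNER_MAP never qualifies, because at verification time `map` is the
 * template and the concrete inner array's max_entries is not known. */
static bool can_elide_value_nullness(const struct map *map, bool key_is_const,
                                     uint32_t key, bool fixed)
{
    if (map->type != MAP_ARRAY || !key_is_const)
        return false;
    if (fixed && (map->map_flags & BPF_F_INNER_MAP))
        return false;
    return key < map->max_entries;
}

/* Runtime side (model): an array lookup returns NULL for an out-of-range key,
 * judged against the concrete map actually installed in the outer map. */
static const uint32_t *array_lookup(const struct map *m, const uint32_t *values,
                                    uint32_t key)
{
    return key < m->max_entries ? &values[key] : NULL;
}

/* A program that does `v = lookup(inner, &key); return *v;` with no NULL check.
 * It is verified against `verify_against` and executed against `runtime_map`. */
static enum outcome run_unchecked_lookup(const struct map *verify_against,
                                         const struct map *runtime_map,
                                         const uint32_t *runtime_values,
                                         uint32_t key, bool fixed)
{
    if (!can_elide_value_nullness(verify_against, true, key, fixed))
        return OUTCOME_VERIFIER_REJECT;   /* "invalid map_value_or_null access" */
    const uint32_t *v = array_lookup(runtime_map, runtime_values, key);
    if (!v)
        return OUTCOME_RUNTIME_NULL_DEREF; /* the accepted program would crash here */
    (void)*v;
    return OUTCOME_OK;
}

/* Cover-letter scenario (constructed sizes): the template inner array has 8
 * entries, the concrete inner array that replaced it has 2, and the program
 * dereferences the lookup result for a constant key. */
static enum outcome inner_map_scenario(uint32_t key, bool fixed)
{
    static const uint32_t concrete_values[2] = { 10, 20 }; /* constructed sample data */
    const struct map template = { MAP_ARRAY, 8, BPF_F_INNER_MAP };
    const struct map concrete = { MAP_ARRAY, 2, BPF_F_INNER_MAP };
    return run_unchecked_lookup(&template, &concrete, concrete_values, key, fixed);
}

/* Ordinary array without BPF_F_INNER_MAP: elision stays valid after the fix. */
static enum outcome plain_array_scenario(uint32_t key)
{
    static const uint32_t values[8] = { 0 };
    const struct map arr = { MAP_ARRAY, 8, 0 };
    return run_unchecked_lookup(&arr, &arr, values, key, true);
}

int main(void)
{
    static const char *names[] = { "ok", "verifier reject", "runtime NULL deref" };
    printf("inner map, key 4, before fix: %s\n", names[inner_map_scenario(4, false)]);
    printf("inner map, key 4, after fix:  %s\n", names[inner_map_scenario(4, true)]);
    printf("plain array, key 4:           %s\n", names[plain_array_scenario(4)]);
    return 0;
}
```

Before the fix the model accepts the program because 4 < 8 holds for the template, and the lookup against the 2-entry concrete array returns NULL; after the fix the same program is rejected at verification, while a constant in-bounds lookup into a plain array is still accepted without a NULL check.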