On Sun, Jun 07, 2026 at 09:24:12PM +0800, Nuoqi Gui wrote:
> An ARRAY_OF_MAPS can use an array created with BPF_F_INNER_MAP as its
> inner map template. The flag allows a concrete inner array with a
> different max_entries value to replace the template.
>
> The verifier currently uses the template's max_entries to elide
> nullness for a constant-key lookup through the inner map pointer. At
> runtime, the lookup uses the concrete inner array's max_entries instead.
> The verifier can therefore accept an unchecked dereference even though
> the runtime helper returns NULL.
>
> Patch 1 keeps lookups through BPF_F_INNER_MAP array templates nullable.
> Patch 2 adds a verifier regression test for the unchecked dereference.
>
> Before the fix, the regression program is accepted and the runtime
> reproducer triggers a NULL dereference. With the fix, both programs are
> rejected with an invalid map_value_or_null access.
>
> Tested by compiling kernel/bpf/verifier.o and
> verifier_map_in_map.bpf.o, and by running the regression program and
> runtime reproducer in QEMU before and after the fix.
>
> Signed-off-by: Nuoqi Gui <[email protected]>
> ---
> v1->v2:
> - Update the can_elide_value_nullness() comment to match the changed
>   parameter (const struct bpf_map *map).

Acked-by: Jiri Olsa <[email protected]>

jirka

>
> v1:
> https://patch.msgid.link/[email protected]
>
> To: Alexei Starovoitov <[email protected]>
> To: Daniel Borkmann <[email protected]>
> To: Andrii Nakryiko <[email protected]>
> Cc: Daniel Xu <[email protected]>
> Cc: Eduard Zingerman <[email protected]>
> Cc: John Fastabend <[email protected]>
> Cc: Martin KaFai Lau <[email protected]>
> Cc: Kumar Kartikeya Dwivedi <[email protected]>
> Cc: Song Liu <[email protected]>
> Cc: Yonghong Song <[email protected]>
> Cc: Jiri Olsa <[email protected]>
> Cc: Shuah Khan <[email protected]>
> Cc: Ihor Solodrai <[email protected]>
> Cc: [email protected]
> Cc: [email protected]
> Cc: [email protected]
>
> ---
> Nuoqi Gui (2):
>       bpf: Keep dynamic inner array lookups nullable
>       selftests/bpf: Cover dynamic inner array lookup nullability
>
>  kernel/bpf/verifier.c                         | 15 ++++----
>  .../selftests/bpf/progs/verifier_map_in_map.c | 40 ++++++++++++++++++++++
>  2 files changed, 49 insertions(+), 6 deletions(-)
> ---
> base-commit: e7ae89a0c97ce2b68b0983cd01eda67cf373517d
> change-id: 20260606-f01-v2-324fb92185a2
>
> Best regards,
> --
> Nuoqi Gui <[email protected]>
>

