> selftests/bpf: Cover scalar add from rdonly untrusted memory
>
> Add a verifier test for scalar += rdonly_untrusted_mem. The program gets a
> read-only untrusted memory value from bpf_rdonly_cast(..., 0), adds it to a
> scalar destination, and then applies a bitwise operation to the result.
>
> The addition itself is allowed, but the result must be tracked as a
> pointer. The verifier should reject the following bitwise operation instead
> of preserving stale scalar state.
>
> Add coverage for scalar -= pointer and scalar ^= pointer as well. This
> prevents the early return from bypassing normal pointer ALU rejection.
>
> Signed-off-by: Nuoqi Gui <[email protected]>
This selftest covers the early return in adjust_ptr_min_max_vals() that left
stale scalar state on the destination for scalar += rdonly_untrusted_mem,
which could let a later pointer ALU operation be accepted. That early return
came in with f2362a57aeff, and the companion functional fix carries a
Fixes: tag, but this selftest commit does not.
Should this include:
Fixes: f2362a57aeff ("bpf: allow void* cast using bpf_rdonly_cast()")
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27467222513
