BPF_MAP_TYPE_ARENA supports direct-value pseudo loads, but unlike array
maps its map value_size is zero and the valid direct-value range is the
arena mmap size, max_entries * PAGE_SIZE.
Commit 3ac1a467e376 ("bpf: Fix off-by-one boundary validation in arena
direct-value access") fixed arena_map_direct_value_addr() to reject an
offset exactly at the end of the arena mapping. Add a regression test
that loads a BPF_PSEUDO_MAP_VALUE with off == arena_size and verifies
that the verifier rejects it with the expected offset in the log.
Unlike __arena global relocation, where insn[1].imm depends on
compiler/layout, this raw instruction directly drives
map_direct_value_addr(map, &addr, off) with off == arena_size, so the
boundary check is exercised directly.
Assisted-by: ChatGPT:gpt-5.5
Signed-off-by: Woojin Ji <[email protected]>
---
Tested with a reduced test_progs runner because the local source/output
combination has unrelated build failures in progs/bpf_cubic.c and
test_kmods/bpf_testmod.ko, so the stock full test_progs binary is not
produced.
Before fix, on host Arch kernel 7.0.10-arch1-1:
arena_direct_value/one_past_end: FAIL, prog_load returned fd 5
After fix, on QEMU guest 7.1.0-rc6-00063-gba3e43a9e601:
#1/1 arena_direct_value/one_past_end:OK
#1 arena_direct_value:OK
Summary: 1/1 PASSED, 0 SKIPPED, 0 FAILED
---
.../selftests/bpf/prog_tests/arena_direct_value.c | 73 ++++++++++++++++++++++
1 file changed, 73 insertions(+)
diff --git a/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c
b/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c
new file mode 100644
index 000000000000..b7760b021670
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/arena_direct_value.c
@@ -0,0 +1,73 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <test_progs.h>
+#include <bpf/bpf.h>
+#include <errno.h>
+#include <sys/mman.h>
+#include <unistd.h>
+
+#define ARENA_PAGES 32
+
+static void test_arena_direct_value_one_past_end(void)
+{
+ char log_buf[16384] = {}, expected[128];
+ __u32 arena_sz = ARENA_PAGES * getpagesize();
+ struct bpf_insn insns[] = {
+ BPF_LD_IMM64_RAW(BPF_REG_1, BPF_PSEUDO_MAP_VALUE, 0),
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ };
+ LIBBPF_OPTS(bpf_map_create_opts, map_opts);
+ LIBBPF_OPTS(bpf_prog_load_opts, prog_opts);
+ void *arena = MAP_FAILED;
+ int map_fd, prog_fd;
+
+ map_opts.map_flags = BPF_F_MMAPABLE;
+ prog_opts.log_buf = log_buf;
+ prog_opts.log_size = sizeof(log_buf);
+ prog_opts.log_level = 1;
+
+ map_fd = bpf_map_create(BPF_MAP_TYPE_ARENA, "arena_direct_value",
+ 0, 0, ARENA_PAGES, &map_opts);
+ if (map_fd < 0) {
+ if (errno == EOPNOTSUPP || errno == EINVAL) {
+ test__skip();
+ return;
+ }
+ ASSERT_GE(map_fd, 0, "bpf_map_create");
+ return;
+ }
+
+ arena = mmap(NULL, arena_sz, PROT_READ | PROT_WRITE, MAP_SHARED,
map_fd, 0);
+ if (!ASSERT_NEQ(arena, MAP_FAILED, "arena_mmap"))
+ goto cleanup;
+
+ insns[0].imm = map_fd;
+ insns[1].imm = arena_sz;
+
+ prog_fd = bpf_prog_load(BPF_PROG_TYPE_RAW_TRACEPOINT,
+ "arena_direct_value", "GPL", insns,
+ ARRAY_SIZE(insns), &prog_opts);
+ if (!ASSERT_LT(prog_fd, 0, "prog_load")) {
+ if (prog_fd >= 0)
+ close(prog_fd);
+ prog_fd = -1;
+ goto cleanup;
+ }
+
+ snprintf(expected, sizeof(expected),
+ "invalid access to map value pointer, value_size=0 off=%u",
+ arena_sz);
+ ASSERT_HAS_SUBSTR(log_buf, expected, "verifier_log");
+
+cleanup:
+ if (arena != MAP_FAILED)
+ munmap(arena, arena_sz);
+ close(map_fd);
+}
+
+void test_arena_direct_value(void)
+{
+ if (test__start_subtest("one_past_end"))
+ test_arena_direct_value_one_past_end();
+}
---
base-commit: ba3e43a9e601636f5edb54e259a74f96ca3b8fd8
change-id: 20260603-arena-direct-value-v1-ef4df857b98b
Best regards,
--
Woojin Ji <[email protected]>
