Re: [PATCH bpf 1/2] bpf: Keep dynamic inner array lookups nullable

Next message: Wentao Liang: "[PATCH] drm/amdgpu: fix refcount leak in amdgpu_ttm_clear_buffer()"
Previous message: Yan Zhao: "Re: [PATCH] KVM: guest_memfd: Elaborate on how release() vs. get_pfn() is safe against UAF"
In reply to: Suchit Karunakaran: "Re: [PATCH bpf 1/2] bpf: Keep dynamic inner array lookups nullable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eduard Zingerman

Date: Fri Jun 05 2026 - 05:52:32 EST

On Thu, 2026-06-04 at 23:11 +0800, Nuiqi Gui wrote:
> An ARRAY_OF_MAPS can use an array created with BPF_F_INNER_MAP as its
> inner map template. A concrete inner array with a different max_entries
> value can then replace the template.
>
> After a successful outer map lookup, the verifier represents the
> resulting map pointer using the inner map template. Const-key lookup
> nullness elision consequently uses the template max_entries even though
> the runtime helper uses the concrete inner map max_entries.
>
> Do not elide lookup result nullness for maps marked with BPF_F_INNER_MAP,
> because the template max_entries does not prove that the key is in bounds
> for the concrete runtime map.
>
> Fixes: d2102f2f5d75 ("bpf: verifier: Support eliding map lookup nullness")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Nuiqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx>
> ---

Thank you for spotting this issue.

Acked-by: Eduard Zingerman <eddyz87@xxxxxxxxx>