Re: [PATCH bpf 1/2] bpf: Keep dynamic inner array lookups nullable

From: Magneto

Date: Thu Jun 04 2026 - 14:20:22 EST


On Thu, Jun 4, 2026 at 9:00 PM Nuiqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx> wrote:
>
> An ARRAY_OF_MAPS can use an array created with BPF_F_INNER_MAP as its
> inner map template. A concrete inner array with a different max_entries
> value can then replace the template.
>
> After a successful outer map lookup, the verifier represents the
> resulting map pointer using the inner map template. Const-key lookup
> nullness elision consequently uses the template max_entries even though
> the runtime helper uses the concrete inner map max_entries.
>
> Do not elide lookup result nullness for maps marked with BPF_F_INNER_MAP,
> because the template max_entries does not prove that the key is in bounds
> for the concrete runtime map.
>
> Fixes: d2102f2f5d75 ("bpf: verifier: Support eliding map lookup nullness")
> Cc: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Nuiqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx>
> ---
> kernel/bpf/verifier.c | 13 ++++++++-----
> 1 file changed, 8 insertions(+), 5 deletions(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 7fb88e1cd7c4d..bffe12d0bb289 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -8471,7 +8471,7 @@ static int get_constant_map_key(struct bpf_verifier_env *env,
> return 0;
> }
>
> -static bool can_elide_value_nullness(enum bpf_map_type type);
> +static bool can_elide_value_nullness(const struct bpf_map *map);
>
> static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
> struct bpf_call_arg_meta *meta,
> @@ -8621,7 +8621,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
> err = check_helper_mem_access(env, regno, key_size, BPF_READ, false, NULL);
> if (err)
> return err;
> - if (can_elide_value_nullness(meta->map.ptr->map_type)) {
> + if (can_elide_value_nullness(meta->map.ptr)) {
> err = get_constant_map_key(env, reg, key_size, &meta->const_map_key);
> if (err < 0) {
> meta->const_map_key = -1;
> @@ -10225,9 +10225,12 @@ static void update_loop_inline_state(struct bpf_verifier_env *env, u32 subprogno
> * lookup return value nullness check. This is possible if the key
> * is statically known.
> */
> -static bool can_elide_value_nullness(enum bpf_map_type type)
> +static bool can_elide_value_nullness(const struct bpf_map *map)
> {
> - switch (type) {
> + if (map->map_flags & BPF_F_INNER_MAP)
> + return false;
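Review bot: the function comment in the context lines ("lookup return value nullness check. This is possible if the key is statically known.") no longer states the full condition once this early return is added; it should also say that maps created with BPF_F_INNER_MAP are never elided, since the verifier only sees the inner map template and the template's max_entries does not bound the concrete runtime map (as the commit message explains). Something like "Maps marked BPF_F_INNER_MAP are excluded: the template max_entries may differ from the runtime inner map, so a constant key cannot be proven in bounds." above the definition would keep the comment in step with the new parameter and the new check.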

One small nit: the can_elide_value_nullness() function comment appears
to be out of sync with the updated parameter.