Re: [PATCH bpf-next v2 2/2] selftests/bpf: Cover scalar add from rdonly untrusted memory

Next message: Biren Pandya: "[PATCH] media: i2c: rdacm21: Fix missing media_entity_cleanup()"
Previous message: Yang Wen: "Re: [PATCH 2/2] preserve the next empty-entry hint after allocation"
In reply to: Nuoqi Gui: "[PATCH bpf-next v2 2/2] selftests/bpf: Cover scalar add from rdonly untrusted memory"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: bot+bpf-ci

Date: Sat Jun 13 2026 - 09:19:25 EST

> selftests/bpf: Cover scalar add from rdonly untrusted memory
>
> Add a verifier test for scalar += rdonly_untrusted_mem. The program gets a
> read-only untrusted memory value from bpf_rdonly_cast(..., 0), adds it to a
> scalar destination, and then applies a bitwise operation to the result.
>
> The addition itself is allowed, but the result must be tracked as a
> pointer. The verifier should reject the following bitwise operation instead
> of preserving stale scalar state.
>
> Add coverage for scalar -= pointer and scalar ^= pointer as well. This
> prevents the early return from bypassing normal pointer ALU rejection.
>
> Signed-off-by: Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx>

This selftest covers the early return in adjust_ptr_min_max_vals() that left
stale scalar state on the destination for scalar += rdonly_untrusted_mem,
which could let a later pointer ALU operation be accepted. That early return
came in with f2362a57aeff, and the companion functional fix carries a
Fixes: tag, but this selftest commit does not.

Should this include:

Fixes: f2362a57aeff ("bpf: allow void* cast using bpf_rdonly_cast()")

---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27467222513