Commit d2102f2f5d75 ("bpf: verifier: Support eliding map lookup
nullness") allowed the verifier to elide NULLness of
bpf_map_lookup_elem() for array maps when the key is statically known to
be within max_entries.

This is not valid for array maps used as inner map templates. For such
maps, the template's max_entries is not necessarily the same as the
max_entries of the concrete inner map used at runtime. As a result, a
key that is within the template's max_entries can still be out of range
for the concrete inner map, and the lookup may return NULL.

Do not elide lookup NULLness for array maps used as inner map templates.

Fixes: d2102f2f5d75 ("bpf: verifier: Support eliding map lookup nullness")
Signed-off-by: Sun Jian <[email protected]>
---
kernel/bpf/verifier.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 7fb88e1cd7c4..3f38f85c3cb8 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -10590,6 +10590,7 @@ static int check_helper_call(struct bpf_verifier_env
*env, struct bpf_insn *insn
if (func_id == BPF_FUNC_map_lookup_elem &&
can_elide_value_nullness(meta.map.ptr->map_type) &&
+ !(meta.map.ptr->map_flags & BPF_F_INNER_MAP) &&
meta.const_map_key >= 0 &&
meta.const_map_key < meta.map.ptr->max_entries)
ret_flag &= ~PTR_MAYBE_NULL;
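Review bot: The added '!(meta.map.ptr->map_flags & BPF_F_INNER_MAP)' test in check_helper_call() carries no comment, so a reader of the condition alone cannot tell why that flag invalidates the 'meta.const_map_key < meta.map.ptr->max_entries' bound. A short comment above the condition, saying that the max_entries seen here may be the template's rather than the runtime inner map's, would keep the reasoning from the commit message next to the code. The diffstat also shows only kernel/bpf/verifier.c changing; a verifier selftest that does a constant-key lookup on such an inner array map and expects a dereference without a NULL check to be rejected would guard against the elision being reintroduced.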
--
2.43.0