selftests/bpf: add test for nullable PTR_TO_BUF access

Add iter_buf_null_fail with two tests and a test runner: - iter_buf_null_deref: verifier must reject direct dereference of ctx->key (PTR_TO_BUF | PTR_MAYBE_NULL) without a null check - iter_buf_null_check_ok: verifier must accept dereference after an explicit null check Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Reviewed-by: Amery Hung <ameryhung@gmail.com> Signed-off-by: Qi Tang <tpluszz77@gmail.com> Link: https://lore.kernel.org/r/20260407145421.4315-1-tpluszz77@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
author: Qi Tang <tpluszz77@gmail.com> 2026-04-07 22:54:21 +0800
committer: Alexei Starovoitov <ast@kernel.org> 2026-04-07 15:53:45 -0700
commit: a4985a1755ec9e5aa5cfb89468ba4b51546b5eeb (patch)
tree: 93b6e994639f1877730fe7e46b2bc4a0030477ac /tools/testing/selftests/bpf
parent: 57b23c0f612dcfa1aae99c9422d6d36ced1670d4 (diff)
2 files changed, 48 insertions, 0 deletions
diff --git a/tools/testing/selftests/bpf/prog_tests/iter_buf_null_fail.c b/tools/testing/selftests/bpf/prog_tests/iter_buf_null_fail.c
new file mode 100644
index 000000000000..ea97787b870d
--- /dev/null
+++ b/tools/testing/selftests/bpf/prog_tests/iter_buf_null_fail.c
@@ -0,0 +1,9 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <test_progs.h>
+#include "iter_buf_null_fail.skel.h"
+
+void test_iter_buf_null_fail(void)
+{
+	RUN_TESTS(iter_buf_null_fail);
+}
diff --git a/tools/testing/selftests/bpf/progs/iter_buf_null_fail.c b/tools/testing/selftests/bpf/progs/iter_buf_null_fail.c
new file mode 100644
index 000000000000..3daad40515e6
--- /dev/null
+++ b/tools/testing/selftests/bpf/progs/iter_buf_null_fail.c
@@ -0,0 +1,39 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2026 Qi Tang */
+
+#include <vmlinux.h>
+#include <bpf/bpf_helpers.h>
+#include "bpf_misc.h"
+
+char _license[] SEC("license") = "GPL";
+
+/* Verify that the verifier rejects direct access to nullable PTR_TO_BUF. */
+SEC("iter/bpf_map_elem")
+__failure __msg("invalid mem access")
+int iter_buf_null_deref(struct bpf_iter__bpf_map_elem *ctx)
+{
+	/*
+	 * ctx->key is PTR_TO_BUF | PTR_MAYBE_NULL | MEM_RDONLY.
+	 * Direct access without null check must be rejected.
+	 */
+	volatile __u32 v = *(__u32 *)ctx->key;
+
+	(void)v;
+	return 0;
+}
+
+/* Verify that access after a null check is still accepted. */
+SEC("iter/bpf_map_elem")
+__success
+int iter_buf_null_check_ok(struct bpf_iter__bpf_map_elem *ctx)
+{
+	__u32 *key = ctx->key;
+
+	if (!key)
+		return 0;
+
+	volatile __u32 v = *key;
+
+	(void)v;
+	return 0;
+}
author	Qi Tang <tpluszz77@gmail.com>	2026-04-07 22:54:21 +0800
committer	Alexei Starovoitov <ast@kernel.org>	2026-04-07 15:53:45 -0700
commit	a4985a1755ec9e5aa5cfb89468ba4b51546b5eeb (patch)
tree	93b6e994639f1877730fe7e46b2bc4a0030477ac /tools/testing/selftests/bpf
parent	57b23c0f612dcfa1aae99c9422d6d36ced1670d4 (diff)