bpf: detect non null pointer with register operand in JEQ/JNE.
authorCupertino Miranda <cupertino.miranda@oracle.com>
Wed, 4 Mar 2026 19:50:17 +0000 (19:50 +0000)
committerAlexei Starovoitov <ast@kernel.org>
Tue, 10 Mar 2026 18:51:18 +0000 (11:51 -0700)
This patch adds support to validate a pointer as not null when its
value is compared to a register whose value the verifier knows to be
null.
Initial pattern only verifies against an immediate operand.

Signed-off-by: Cupertino Miranda <cupertino.miranda@oracle.com>
Cc: David Faust <david.faust@oracle.com>
Cc: Jose Marchesi <jose.marchesi@oracle.com>
Cc: Elena Zannoni <elena.zannoni@oracle.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20260304195018.181396-3-cupertino.miranda@oracle.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
kernel/bpf/verifier.c

index 8e4f69918693ea441d9ff1f7109647f9f49723e2..4fbacd2149cdc2e6c43ffe0eda79393fb0755452 100644 (file)
@@ -17678,12 +17678,15 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
        }
 
        /* detect if R == 0 where R is returned from bpf_map_lookup_elem().
+        * Also does the same detection for a register whose the value is
+        * known to be 0.
         * NOTE: these optimizations below are related with pointer comparison
         *       which will never be JMP32.
         */
-       if (!is_jmp32 && BPF_SRC(insn->code) == BPF_K &&
-           insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) &&
-           type_may_be_null(dst_reg->type)) {
+       if (!is_jmp32 && (opcode == BPF_JEQ || opcode == BPF_JNE) &&
+           type_may_be_null(dst_reg->type) &&
+           ((BPF_SRC(insn->code) == BPF_K && insn->imm == 0) ||
+            (BPF_SRC(insn->code) == BPF_X && register_is_null(src_reg)))) {
                /* Mark all identical registers in each branch as either
                 * safe or unknown depending R == 0 or R != 0 conditional.
                 */
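Review bot: The new `BPF_X` arm of the condition uses the fact that `src_reg` is exactly 0 to refine `dst_reg` from maybe-null to null or non-null in each branch, but nothing in the visible lines marks `src_reg` as precise. Because the refined register is a pointer, later uses of it presumably will not back-propagate precision to that scalar, so an earlier checkpoint could record `src_reg` as an imprecise scalar and state pruning could then accept a path where it is non-zero without re-checking the null test. The body of this `if` and the rest of check_cond_jmp_op lie outside the hunk, so this may already be handled there; if not, consider adding inside the branch `if (BPF_SRC(insn->code) == BPF_X) { err = mark_chain_precision(env, insn->src_reg); if (err) return err; }` (assuming the function's usual `err` local). The added comment also has a typo: `whose the value is` should read `whose value is`.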