Commit c03a532f authored Jun 09, 2025 by Ihor Solodrai Committed by Greg Kroah-Hartman Aug 28, 2025

bpf: Make reg_not_null() true for CONST_PTR_TO_MAP



[ Upstream commit 5534e58f ]

When reg->type is CONST_PTR_TO_MAP, it can not be null. However the
verifier explores the branches under rX == 0 in check_cond_jmp_op()
even if reg->type is CONST_PTR_TO_MAP, because it was not checked for
in reg_not_null().

Fix this by adding CONST_PTR_TO_MAP to the set of types that are
considered non nullable in reg_not_null().

An old "unpriv: cmp map pointer with zero" selftest fails with this
change, because now early out correctly triggers in
check_cond_jmp_op(), making the verification to pass.

In practice verifier may allow pointer to null comparison in unpriv,
since in many cases the relevant branch and comparison op are removed
as dead code. So change the expected test result to __success_unpriv.

Signed-off-by: Ihor Solodrai <isolodrai@meta.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250609183024.359974-2-isolodrai@meta.com


Signed-off-by: Sasha Levin <sashal@kernel.org>

parent 86f3cff5

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit ce2b36d4
· Nov 05, 2025

mentioned in commit ce2b36d4

mentioned in commit ce2b36d4e09680a95a26962f0ddb3edd4bc8ae28

Toggle commit list

Please to comment