tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge branch 'bpf-support-for-non_null-ptr-detection-with-jeq-jne-with-register-operand'

Cupertino Miranda says:

====================
bpf: support for non_null ptr detection with JEQ/JNE with register operand

Changes from v1:
- Corrected typos in commit messages.
- Fixed indentation.
- Replaced text by simpler version suggested by Eduard.
Changes from v2:
- Small fixes after AI patch checker complaints.
Changes from v3:
- Removed log file. No idea how that got added.
====================

Link: https://patch.msgid.link/20260304195018.181396-1-cupertino.miranda@oracle.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Alexei Starovoitov 437350df bd2e02e3

+60 -3
+6 -3
kernel/bpf/verifier.c
··· 17678 17678 } 17679 17679 17680 17680 /* detect if R == 0 where R is returned from bpf_map_lookup_elem(). 17681 + * Also does the same detection for a register whose the value is 17682 + * known to be 0. 17681 17683 * NOTE: these optimizations below are related with pointer comparison 17682 17684 * which will never be JMP32. 17683 17685 */ 17684 - if (!is_jmp32 && BPF_SRC(insn->code) == BPF_K && 17685 - insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) && 17686 - type_may_be_null(dst_reg->type)) { 17686 + if (!is_jmp32 && (opcode == BPF_JEQ || opcode == BPF_JNE) && 17687 + type_may_be_null(dst_reg->type) && 17688 + ((BPF_SRC(insn->code) == BPF_K && insn->imm == 0) || 17689 + (BPF_SRC(insn->code) == BPF_X && register_is_null(src_reg)))) { 17687 17690 /* Mark all identical registers in each branch as either 17688 17691 * safe or unknown depending R == 0 or R != 0 conditional. 17689 17692 */
+54
tools/testing/selftests/bpf/progs/verifier_jeq_infer_not_null.c
··· 210 210 : __clobber_all); 211 211 } 212 212 213 + /* Verified that we can detect the pointer as non_null when comparing with 214 + * register with value 0. JEQ test case. 215 + */ 216 + SEC("xdp") 217 + __success __log_level(2) 218 + /* to make sure the branch is not falsely predicted*/ 219 + __msg("r0 = *(u32 *)(r0 +0)") 220 + __msg("from 7 to 9") 221 + __naked void jeq_reg_reg_null_check(void) 222 + { 223 + asm volatile (" \ 224 + *(u32*)(r10 - 8) = 0; \ 225 + r1 = %[map_xskmap] ll; \ 226 + r2 = r10; \ 227 + r2 += -8; \ 228 + call %[bpf_map_lookup_elem]; \ 229 + r1 = 0; \ 230 + if r0 == r1 goto 1f; \ 231 + r0 = *(u32*)(r0 +0); \ 232 + 1: r0 = 0; \ 233 + exit; \ 234 + " : 235 + : __imm(bpf_map_lookup_elem), 236 + __imm_addr(map_xskmap) 237 + : __clobber_all); 238 + } 239 + 240 + /* Same as above but for JNE. 241 + */ 242 + SEC("xdp") 243 + __success __log_level(2) 244 + /* to make sure the branch is not falsely predicted*/ 245 + __msg("r0 = *(u32 *)(r0 +0)") 246 + __msg("from 7 to 9") 247 + __naked void jne_reg_reg_null_check(void) 248 + { 249 + asm volatile (" \ 250 + *(u32*)(r10 - 8) = 0; \ 251 + r1 = %[map_xskmap] ll; \ 252 + r2 = r10; \ 253 + r2 += -8; \ 254 + call %[bpf_map_lookup_elem]; \ 255 + r1 = 0; \ 256 + if r0 != r1 goto 1f; \ 257 + goto 2f; \ 258 + 1: r0 = *(u32*)(r0 +0); \ 259 + 2: r0 = 0; \ 260 + exit; \ 261 + " : 262 + : __imm(bpf_map_lookup_elem), 263 + __imm_addr(map_xskmap) 264 + : __clobber_all); 265 + } 266 + 213 267 char _license[] SEC("license") = "GPL";