[PATCH 0/2] bpf: support for non_null ptr detection with JEQ/JNE with register operand

[PATCH 0/2] bpf: support for non_null ptr detection with JEQ/JNE with register operand

[Cupertino Miranda]

Hi everyone,

This patch is a small extension to allow the verifier to mark non_null
pointers as such when the condition that makes the runtime check uses a
register with the value 0 instead of the immediate 0.

The following example, is the output within bpftune when compiling BPF
code with an earlier version of GCC. The same also happens in BPF
selftests with latest master GCC.

  bpftune: libbpf: prog 'probe_cong_iter': -- BEGIN PROG LOAD LOG --
  0: R1=ctx() R10=fp0
  0: (b7) r0 = 0                        ; R0_w=0
  1: (7b) *(u64 *)(r10 -16) = r0        ; R0_w=0 R10=fp0 fp-16_w=0
  2: (7b) *(u64 *)(r10 -8) = r0         ; R0_w=0 R10=fp0 fp-8_w=0
  3: (79) r1 = *(u64 *)(r1 +8)          ; R1_w=trusted_ptr_or_null_sock_common(id=1)
  4: (1d) if r1 == r0 goto pc+9         ; R0_w=0 R1_w=trusted_ptr_or_null_sock_common(id=1)
  5: (85) call bpf_skc_to_tcp_sock#137
  R1 type=trusted_ptr_or_null_ expected=sock_common, sock, tcp_sock, xdp_sock, ptr_, trusted_ptr_
  processed 6 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
  -- END PROG LOAD LOG --
  bpftune: libbpf: prog 'probe_cong_iter': failed to load: -EACCES
  bpftune: libbpf: failed to load object 'probe_bpf'

With this patch, R1 is properly marked as non_null and the call to
bpf_skc_to_tcp_sock#137 is further accepted by the verifier.

No regressions for clang.

With GCC we get the following improvements:
  Before:
    Summary: 566/5032 PASSED, 113 SKIPPED, 131 FAILED
  After
    Summary: 569/5046 PASSED, 113 SKIPPED, 128 FAILED

1480c1480
< #155     jit_probe_mem:FAIL
---
> #155     jit_probe_mem:OK
3918c3918
< #452/19  task_kfunc/task_kfunc_xchg_unreleased:FAIL
---
> #452/19  task_kfunc/task_kfunc_xchg_unreleased:OK
3934c3934
< #452     task_kfunc:FAIL
---
> #452     task_kfunc:OK
3942,3943c3942,3943
< #454/5   task_local_storage/uptr_basic:FAIL
< #454/6   task_local_storage/uptr_across_pages:FAIL
---
> #454/5   task_local_storage/uptr_basic:OK
> #454/6   task_local_storage/uptr_across_pages:OK
4011,4012c4011,4012
< #476/1   test_bpf_ma/batch_alloc_free:FAIL
< #476/2   test_bpf_ma/free_through_map_free:FAIL
---
> #476/1   test_bpf_ma/batch_alloc_free:OK
> #476/2   test_bpf_ma/free_through_map_free:OK
4015c4015
< #476     test_bpf_ma:FAIL
---
> #476     test_bpf_ma:OK

Looking forward to your comments.

Cheers,
Cupertino

Signed-off-by: Cupertino Miranda <cupertino.miranda@oracle.com>
Cc: David Faust  <david.faust@oracle.com>
Cc: Jose Marchesi  <jose.marchesi@oracle.com>
Cc: Elena Zannoni  <elena.zannoni@oracle.com>

Cupertino Miranda (2):
  bpf: detect non null pointer with register operand in JEQ/JNE.
  selftests/bpf: tests to non_null ptr detection using register operand
    in JEQ/JNE

 kernel/bpf/verifier.c                         |   9 +-
 .../bpf/progs/verifier_jeq_infer_not_null.c   | 187 ++++++++++++++++++
 2 files changed, 193 insertions(+), 3 deletions(-)

-- 
2.47.3

[PATCH 1/2] bpf: detect non null pointer with register operand in JEQ/JNE.

[Cupertino Miranda]

This patch adds support to validate a pointer as not null when its
value is compared to a register which the verifiers knows to be null.
Initial pattern only verifies against an immediate operand.

Signed-off-by: Cupertino Miranda <cupertino.miranda@oracle.com>
Cc: David Faust  <david.faust@oracle.com>
Cc: Jose Marchesi  <jose.marchesi@oracle.com>
Cc: Elena Zannoni  <elena.zannoni@oracle.com>
---
 kernel/bpf/verifier.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index fc4ccd1de569..6e3fcdfa3643 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -17608,12 +17608,15 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
 	}
 
 	/* detect if R == 0 where R is returned from bpf_map_lookup_elem().
+         * Also does the same detection for a register which the value is
+         * known to be 0.
 	 * NOTE: these optimizations below are related with pointer comparison
 	 *       which will never be JMP32.
 	 */
-	if (!is_jmp32 && BPF_SRC(insn->code) == BPF_K &&
-	    insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) &&
-	    type_may_be_null(dst_reg->type)) {
+        if (!is_jmp32 && (opcode == BPF_JEQ || opcode == BPF_JNE) &&
+            type_may_be_null(dst_reg->type) &&
+	    ((BPF_SRC(insn->code) == BPF_K && insn->imm == 0) ||
+             (BPF_SRC(insn->code) == BPF_X && register_is_null (src_reg)))) {
 		/* Mark all identical registers in each branch as either
 		 * safe or unknown depending R == 0 or R != 0 conditional.
 		 */
-- 
2.47.3

Re: [PATCH 1/2] bpf: detect non null pointer with register operand in JEQ/JNE.

[bot+bpf-ci]

[-- Attachment #1: Type: text/plain, Size: 2273 bytes --]

> bpf: detect non null pointer with register operand in JEQ/JNE.
>
> This patch adds support to validate a pointer as not null when its
> value is compared to a register which the verifiers knows to be null.

"verifiers" looks like a typo for "verifier", and "which the verifier
knows" should probably be "whose value the verifier knows".

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index fc4ccd1de569..6e3fcdfa3643 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -17608,12 +17608,15 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
>  	}
>
>  	/* detect if R == 0 where R is returned from bpf_map_lookup_elem().
> +         * Also does the same detection for a register which the value is
> +         * known to be 0.

These two comment lines are indented with spaces instead of a tab.
Same "which the value" grammar as the commit message -- should this
be "whose value"?

> -	if (!is_jmp32 && BPF_SRC(insn->code) == BPF_K &&
> -	    insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) &&
> -	    type_may_be_null(dst_reg->type)) {
> +        if (!is_jmp32 && (opcode == BPF_JEQ || opcode == BPF_JNE) &&
> +            type_may_be_null(dst_reg->type) &&
> +	    ((BPF_SRC(insn->code) == BPF_K && insn->imm == 0) ||
> +             (BPF_SRC(insn->code) == BPF_X && register_is_null (src_reg)))) {

The if-statement and its continuation lines use a mix of spaces and
tabs for indentation.  Are tabs intended throughout, matching the
rest of check_cond_jmp_op()?

Also, there is a space between register_is_null and the opening
parenthesis.


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/22585365823

AI-authorship-score: low
AI-authorship-explanation: Grammar errors and mixed indentation are consistent with manual editing by a non-native English speaker, not AI generation.
issues-found: 3
issue-severity-score: low
issue-severity-explanation: All issues are coding style violations (mixed tabs/spaces, space before function call parenthesis) and comment/commit-message grammar errors; no functional or security regressions.

Re: [PATCH 1/2] bpf: detect non null pointer with register operand in JEQ/JNE.

[Eduard Zingerman]

On Mon, 2026-03-02 at 16:17 +0000, Cupertino Miranda wrote:
> This patch adds support to validate a pointer as not null when its
> value is compared to a register which the verifiers knows to be null.
> Initial pattern only verifies against an immediate operand.
> 
> Signed-off-by: Cupertino Miranda <cupertino.miranda@oracle.com>
> Cc: David Faust  <david.faust@oracle.com>
> Cc: Jose Marchesi  <jose.marchesi@oracle.com>
> Cc: Elena Zannoni  <elena.zannoni@oracle.com>
> ---

Acked-by: Eduard Zingerman <eddyz87@gmail.com>

[...]

[PATCH 2/2] selftests/bpf: tests to non_null ptr detection using register operand in JEQ/JNE

[Cupertino Miranda]

The 5 added tests are copies of the already existing tests in the same
file, but changed to use R3 instead of an immediate 0.

Signed-off-by: Cupertino Miranda <cupertino.miranda@oracle.com>
Cc: David Faust  <david.faust@oracle.com>
Cc: Jose Marchesi  <jose.marchesi@oracle.com>
Cc: Elena Zannoni  <elena.zannoni@oracle.com>
---
 .../bpf/progs/verifier_jeq_infer_not_null.c   | 187 ++++++++++++++++++
 1 file changed, 187 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_jeq_infer_not_null.c b/tools/testing/selftests/bpf/progs/verifier_jeq_infer_not_null.c
index bf16b00502f2..6253d48566da 100644
--- a/tools/testing/selftests/bpf/progs/verifier_jeq_infer_not_null.c
+++ b/tools/testing/selftests/bpf/progs/verifier_jeq_infer_not_null.c
@@ -210,4 +210,191 @@ l0_%=:	/* return 0; */					\
 	: __clobber_all);
 }
 
+/* All the functions below do the same as above but compare with a register
+ * instead of the immediate 0.
+ */
+SEC("cgroup/skb")
+__description("jne/jeq with register infer not null, PTR_TO_SOCKET_OR_NULL -> PTR_TO_SOCKET for JNE false branch")
+__success __failure_unpriv __msg_unpriv("R7 pointer comparison")
+__retval(0)
+__naked void socket_for_jne_false_branch_register(void)
+{
+	asm volatile ("					\
+	r3 = 0;						\
+	/* r6 = skb->sk; */				\
+	r6 = *(u64*)(r1 + %[__sk_buff_sk]);		\
+	/* if (r6 == r3) return 0; */			\
+	if r6 == r3 goto l0_%=;				\
+	/* r7 = sk_fullsock(skb); */			\
+	r1 = r6;					\
+	call %[bpf_sk_fullsock];			\
+	r7 = r0;					\
+	/* r0 = sk_fullsock(skb); */			\
+	r1 = r6;					\
+	call %[bpf_sk_fullsock];			\
+	r3 = 0;						\
+	/* if (r0 == null) return 0; */			\
+	if r0 == r3 goto l0_%=;				\
+	/* if (r0 == r7) r0 = *(r7->type); */		\
+	if r0 != r7 goto l0_%=;		/* Use ! JNE ! */\
+	r0 = *(u32*)(r7 + %[bpf_sock_type]);		\
+l0_%=:	/* return 0 */					\
+	r0 = 0;						\
+	exit;						\
+"	:
+	: __imm(bpf_sk_fullsock),
+	  __imm_const(__sk_buff_sk, offsetof(struct __sk_buff, sk)),
+	  __imm_const(bpf_sock_type, offsetof(struct bpf_sock, type))
+	: __clobber_all);
+}
+
+SEC("cgroup/skb")
+__description("jne/jeq with register infer not null, PTR_TO_SOCKET_OR_NULL unchanged for JNE true branch")
+__failure __msg("R7 invalid mem access 'sock_or_null'")
+__failure_unpriv __msg_unpriv("R7 pointer comparison")
+__naked void unchanged_for_jne_true_branch_register(void)
+{
+	asm volatile ("					\
+	r3 = 0;						\
+	/* r6 = skb->sk */				\
+	r6 = *(u64*)(r1 + %[__sk_buff_sk]);		\
+	/* if (r6 == r3) return 0; */			\
+	if r6 == r3 goto l0_%=;				\
+	/* r7 = sk_fullsock(skb); */			\
+	r1 = r6;					\
+	call %[bpf_sk_fullsock];			\
+	r7 = r0;					\
+	/* r0 = sk_fullsock(skb); */			\
+	r1 = r6;					\
+	call %[bpf_sk_fullsock];			\
+	/* if (r0 == null) return 0; */			\
+	if r0 != 0 goto l0_%=;				\
+	/* if (r0 == r7) return 0; */			\
+	if r0 != r7 goto l1_%=;		/* Use ! JNE ! */\
+	goto l0_%=;					\
+l1_%=:	/* r0 = *(r7->type); */				\
+	r0 = *(u32*)(r7 + %[bpf_sock_type]);		\
+l0_%=:	/* return 0 */					\
+	r0 = 0;						\
+	exit;						\
+"	:
+	: __imm(bpf_sk_fullsock),
+	  __imm_const(__sk_buff_sk, offsetof(struct __sk_buff, sk)),
+	  __imm_const(bpf_sock_type, offsetof(struct bpf_sock, type))
+	: __clobber_all);
+}
+
+SEC("cgroup/skb")
+__description("jne/jeq with register infer not null, PTR_TO_SOCKET_OR_NULL -> PTR_TO_SOCKET for JEQ true branch")
+__success __failure_unpriv __msg_unpriv("R7 pointer comparison")
+__retval(0)
+__naked void socket_for_jeq_true_branch_register(void)
+{
+	asm volatile ("					\
+	/* r6 = skb->sk; */				\
+	r6 = *(u64*)(r1 + %[__sk_buff_sk]);		\
+	/* if (r6 == null) return 0; */			\
+	if r6 == 0 goto l0_%=;				\
+	/* r7 = sk_fullsock(skb); */			\
+	r1 = r6;					\
+	call %[bpf_sk_fullsock];			\
+	r7 = r0;					\
+	/* r0 = sk_fullsock(skb); */			\
+	r1 = r6;					\
+	call %[bpf_sk_fullsock];			\
+	r3 = 0;						\
+	/* if (r0 == r3) return 0; */			\
+	if r0 == r3 goto l0_%=;				\
+	/* if (r0 != r7) return 0; */			\
+	if r0 == r7 goto l1_%=;		/* Use ! JEQ ! */\
+	goto l0_%=;					\
+l1_%=:	/* r0 = *(r7->type); */				\
+	r0 = *(u32*)(r7 + %[bpf_sock_type]);		\
+l0_%=:	/* return 0; */					\
+	r0 = 0;						\
+	exit;						\
+"	:
+	: __imm(bpf_sk_fullsock),
+	  __imm_const(__sk_buff_sk, offsetof(struct __sk_buff, sk)),
+	  __imm_const(bpf_sock_type, offsetof(struct bpf_sock, type))
+	: __clobber_all);
+}
+
+SEC("cgroup/skb")
+__description("jne/jeq with register infer not null, PTR_TO_SOCKET_OR_NULL unchanged for JEQ false branch")
+__failure __msg("R7 invalid mem access 'sock_or_null'")
+__failure_unpriv __msg_unpriv("R7 pointer comparison")
+__naked void unchanged_for_jeq_false_branch_register(void)
+{
+	asm volatile ("					\
+	r3 = 0;						\
+	/* r6 = skb->sk; */				\
+	r6 = *(u64*)(r1 + %[__sk_buff_sk]);		\
+	/* if (r6 == r3) return 0; */			\
+	r3 = 0;						\
+	if r6 == r3 goto l0_%=;				\
+	/* r7 = sk_fullsock(skb); */			\
+	r1 = r6;					\
+	call %[bpf_sk_fullsock];			\
+	r7 = r0;					\
+	/* r0 = sk_fullsock(skb); */			\
+	r1 = r6;					\
+	call %[bpf_sk_fullsock];			\
+	r3 = 0;						\
+	/* if (r0 == r3) return 0; */			\
+	r3 = 0;						\
+	if r0 == r3 goto l0_%=;				\
+	/* if (r0 != r7) r0 = *(r7->type); */		\
+	if r0 == r7 goto l0_%=;		/* Use ! JEQ ! */\
+	r0 = *(u32*)(r7 + %[bpf_sock_type]);		\
+l0_%=:	/* return 0; */					\
+	r0 = 0;						\
+	exit;						\
+"	:
+	: __imm(bpf_sk_fullsock),
+	  __imm_const(__sk_buff_sk, offsetof(struct __sk_buff, sk)),
+	  __imm_const(bpf_sock_type, offsetof(struct bpf_sock, type))
+	: __clobber_all);
+}
+
+SEC("xdp")
+__description("jne/jeq with register infer not null, PTR_TO_MAP_VALUE_OR_NULL -> PTR_TO_MAP_VALUE")
+__success __retval(0)
+__naked void null_ptr_to_map_value_register(void)
+{
+	asm volatile ("					\
+	/* r9 = &some stack to use as key */		\
+	r1 = 0;						\
+	*(u32*)(r10 - 8) = r1;				\
+	r9 = r10;					\
+	r9 += -8;					\
+	/* r8 = process local map */			\
+	r8 = %[map_xskmap] ll;				\
+	/* r6 = map_lookup_elem(r8, r9); */		\
+	r1 = r8;					\
+	r2 = r9;					\
+	call %[bpf_map_lookup_elem];			\
+	r6 = r0;					\
+	/* r7 = map_lookup_elem(r8, r9); */		\
+	r1 = r8;					\
+	r2 = r9;					\
+	call %[bpf_map_lookup_elem];			\
+	r3 = 0;						\
+	r7 = r0;					\
+	/* if (r6 == r3) return 0; */			\
+	if r6 == r3 goto l0_%=;				\
+	/* if (r6 != r7) return 0; */			\
+	if r6 != r7 goto l0_%=;				\
+	/* read *r7; */					\
+	r0 = *(u32*)(r7 + %[bpf_xdp_sock_queue_id]);	\
+l0_%=:	/* return 0; */					\
+	r0 = 0;						\
+	exit;						\
+"	:
+	: __imm(bpf_map_lookup_elem),
+	  __imm_addr(map_xskmap),
+	  __imm_const(bpf_xdp_sock_queue_id, offsetof(struct bpf_xdp_sock, queue_id))
+	: __clobber_all);
+}
+
 char _license[] SEC("license") = "GPL";
-- 
2.47.3

Re: [PATCH 2/2] selftests/bpf: tests to non_null ptr detection using register operand in JEQ/JNE

[Eduard Zingerman]

On Mon, 2026-03-02 at 16:17 +0000, Cupertino Miranda wrote:
> The 5 added tests are copies of the already existing tests in the same
> file, but changed to use R3 instead of an immediate 0.
>
> Signed-off-by: Cupertino Miranda <cupertino.miranda@oracle.com>
> Cc: David Faust  <david.faust@oracle.com>
> Cc: Jose Marchesi  <jose.marchesi@oracle.com>
> Cc: Elena Zannoni  <elena.zannoni@oracle.com>
> ---

I think this is an overkill, these tests check nullness propagation
over id chains etc. For the purpose of this change something like
below should suffice:

+SEC("xdp")
+__success __log_level(2)
+/* to make sure the branch is not falsely predicted*/
+__msg("r0 = *(u32 *)(r0 +0)")
+__msg("from 7 to 9")
+__naked void jeq_reg_reg_null_check(void)
+{
+        asm volatile ("                                 \
+        *(u32*)(r10 - 8) = 0;                           \
+        r1 = %[map_xskmap] ll;                          \
+        r2 = r10;                                       \
+        r2 += -8;                                       \
+        call %[bpf_map_lookup_elem];                    \
+        r1 = 0;                                         \
+        if r0 == r1 goto 1f;                            \
+        r0 = *(u32*)(r0 +0);                            \
+1:      r0 = 0;                                         \
+        exit;                                           \
+"       :
+        : __imm(bpf_map_lookup_elem),
+          __imm_addr(map_xskmap)
+        : __clobber_all);
+}

And maybe a variant of this with `if r1 != r0` or maybe not.

[...]

Re: [PATCH 2/2] selftests/bpf: tests to non_null ptr detection using register operand in JEQ/JNE

[Cupertino Miranda]

Hi Edward,

Thanks for the quick feedback.
Will prepare a v2, soon.

Cheers,
Cupertino

On 03-03-2026 6:12 PM, Eduard Zingerman wrote:
> On Mon, 2026-03-02 at 16:17 +0000, Cupertino Miranda wrote:
>> The 5 added tests are copies of the already existing tests in the same
>> file, but changed to use R3 instead of an immediate 0.
>>
>> Signed-off-by: Cupertino Miranda <cupertino.miranda@oracle.com>
>> Cc: David Faust  <david.faust@oracle.com>
>> Cc: Jose Marchesi  <jose.marchesi@oracle.com>
>> Cc: Elena Zannoni  <elena.zannoni@oracle.com>
>> ---
> 
> I think this is an overkill, these tests check nullness propagation
> over id chains etc. For the purpose of this change something like
> below should suffice:
> 
> +SEC("xdp")
> +__success __log_level(2)
> +/* to make sure the branch is not falsely predicted*/
> +__msg("r0 = *(u32 *)(r0 +0)")
> +__msg("from 7 to 9")
> +__naked void jeq_reg_reg_null_check(void)
> +{
> +        asm volatile ("                                 \
> +        *(u32*)(r10 - 8) = 0;                           \
> +        r1 = %[map_xskmap] ll;                          \
> +        r2 = r10;                                       \
> +        r2 += -8;                                       \
> +        call %[bpf_map_lookup_elem];                    \
> +        r1 = 0;                                         \
> +        if r0 == r1 goto 1f;                            \
> +        r0 = *(u32*)(r0 +0);                            \
> +1:      r0 = 0;                                         \
> +        exit;                                           \
> +"       :
> +        : __imm(bpf_map_lookup_elem),
> +          __imm_addr(map_xskmap)
> +        : __clobber_all);
> +}
> 
> And maybe a variant of this with `if r1 != r0` or maybe not.
> 
> [...]