bpf: fix nullness propagation for reg to reg comparisons

[linux-block.git] / kernel / bpf / verifier.c

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index a5255a0dcbb681f1e3681d1b7eac9694627095c1..243d06ce68426c8a50f476fc1d13c73e0fd55def 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -11822,10 +11822,17 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
         *      register B - not null
         * for JNE A, B, ... - A is not null in the false branch;
         * for JEQ A, B, ... - A is not null in the true branch.
+        *
+        * Since PTR_TO_BTF_ID points to a kernel struct that does
+        * not need to be null checked by the BPF program, i.e.,
+        * could be null even without PTR_MAYBE_NULL marking, so
+        * only propagate nullness when neither reg is that type.
         */
        if (!is_jmp32 && BPF_SRC(insn->code) == BPF_X &&
            __is_pointer_value(false, src_reg) && __is_pointer_value(false, dst_reg) &&
-           type_may_be_null(src_reg->type) != type_may_be_null(dst_reg->type)) {
+           type_may_be_null(src_reg->type) != type_may_be_null(dst_reg->type) &&
+           base_type(src_reg->type) != PTR_TO_BTF_ID &&
+           base_type(dst_reg->type) != PTR_TO_BTF_ID) {
                eq_branch_regs = NULL;
                switch (opcode) {
                case BPF_JEQ: