[PATCH bpf 2/2] selftests/bpf: Cover bpf_get_kmem_cache() null return
From: Nuoqi Gui
Date: Sat Jun 20 2026 - 11:49:03 EST
Add verifier coverage for bpf_get_kmem_cache(0). A direct read from the
returned kmem_cache pointer must be rejected because the kfunc can return NULL,
while the same read after an explicit null check remains accepted.
Signed-off-by: Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx>
---
.../bpf/progs/verifier_kfunc_prog_types.c | 29 ++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/tools/testing/selftests/bpf/progs/verifier_kfunc_prog_types.c b/tools/testing/selftests/bpf/progs/verifier_kfunc_prog_types.c
index 1fce7a7e8d030..a062f3b7bc756 100644
--- a/tools/testing/selftests/bpf/progs/verifier_kfunc_prog_types.c
+++ b/tools/testing/selftests/bpf/progs/verifier_kfunc_prog_types.c
@@ -168,3 +168,32 @@ int BPF_PROG(cpumask_kfunc_perf_event)
cpumask_kfunc_load_test();
return 0;
}
+
+/*********************
+ * kmem_cache kfunc *
+ *********************/
+
+extern struct kmem_cache *bpf_get_kmem_cache(u64 addr) __ksym;
+
+SEC("raw_tp")
+__failure __msg("R0 invalid mem access 'untrusted_ptr_or_null_'")
+int bpf_get_kmem_cache_no_null_check(void *ctx)
+{
+ struct kmem_cache *s;
+
+ s = bpf_get_kmem_cache(0);
+ return s->size;
+}
+
+SEC("raw_tp")
+__success
+int bpf_get_kmem_cache_null_check(void *ctx)
+{
+ struct kmem_cache *s;
+
+ s = bpf_get_kmem_cache(0);
+ if (!s)
+ return 0;
+
+ return s->size;
+}
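Review bot: The expected string in `bpf_get_kmem_cache_no_null_check` pins the rejection to `R0`, which holds only if the compiler dereferences the kfunc's return value in place for `s->size`. A different register allocation would presumably fail the match even though the verifier still rejects the load. Matching on the pointer type alone, `__msg("invalid mem access 'untrusted_ptr_or_null_'")`, keeps the test tied to the property it guards: the maybe-NULL return must not be dereferenced before a check. If, as the `__failure`/`__success` annotations suggest, both programs are only loaded and never run, a short comment above the pair such as `/* Verifier-only tests: the address passed to bpf_get_kmem_cache() is a placeholder. */` would explain the literal `0` argument.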
--
2.34.1