From: syzbot <syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org
Subject: Forwarded: [PATCH] bpf: fix NULL pointer dereference in print_reg_state()
Date: Tue, 23 Sep 2025 10:10:24 -0700
Message-ID: <68d2d480.a70a0220.1b52b.02b4.GAE@google.com>
In-Reply-To: <68d26227.a70a0220.1b52b.02a4.GAE@google.com>
For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.
***
Subject: [PATCH] bpf: fix NULL pointer dereference in print_reg_state()
Author: listout@listout.xyz
#syz test
Syzkaller reported a general protection fault due to a NULL pointer
dereference in print_reg_state() when accessing reg->map_ptr without
checking if it is NULL.
The existing code assumes reg->map_ptr is always valid before
dereferencing reg->map_ptr->name, reg->map_ptr->key_size, and
reg->map_ptr->value_size.
Fix this by adding explicit NULL checks before accessing reg->map_ptr
and its members. This prevents crashes when reg->map_ptr is NULL,
improving the robustness of the BPF verifier's verbose logging.
Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
Signed-off-by: Brahmajit Das <listout@listout.xyz>
---
kernel/bpf/log.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
index 38050f4ee400..14c0a442a85b 100644
--- a/kernel/bpf/log.c
+++ b/kernel/bpf/log.c
@@ -715,11 +715,10 @@ static void print_reg_state(struct bpf_verifier_env *env,
verbose_a("ref_obj_id=%d", reg->ref_obj_id);
if (type_is_non_owning_ref(reg->type))
verbose_a("%s", "non_own_ref");
- if (type_is_map_ptr(t)) {
+ if (type_is_map_ptr(t) && reg->map_ptr) {
if (reg->map_ptr->name[0])
verbose_a("map=%s", reg->map_ptr->name);
- verbose_a("ks=%d,vs=%d",
- reg->map_ptr->key_size,
+ verbose_a("ks=%d,vs=%d", reg->map_ptr->key_size,
reg->map_ptr->value_size);
}
if (t != SCALAR_VALUE && reg->off) {
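Review bot: the added `&& reg->map_ptr` guard on the `if (type_is_map_ptr(t))` line stops the dereference in the logging path but leaves the real question open: a register whose type is a map pointer should never carry a NULL `map_ptr`, so the inconsistent state is produced somewhere else in the verifier, and the commit message should say where it comes from (or the fix should land there) rather than only describe the crash site. A `Fixes:` tag is also missing from the trailers; add one if the commit that introduced the inconsistency is known. Separately, reflowing `verbose_a("ks=%d,vs=%d", reg->map_ptr->key_size,` onto one line is a cosmetic change unrelated to the fix; drop it so the diff is just the one-line guard and the diffstat no longer shows three deletions for a NULL check.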
--
2.51.0