* [PATCH bpf-next 0/2] bpf: Fix NULL deref when storing scalar into kptr slot
@ 2026-04-16 18:08 Mykyta Yatsenko
2026-04-16 18:08 ` [PATCH bpf-next 1/2] bpf: Fix NULL deref in map_kptr_match_type for scalar regs Mykyta Yatsenko
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Mykyta Yatsenko @ 2026-04-16 18:08 UTC (permalink / raw)
To: bpf, ast, andrii, daniel, kafai, kernel-team, eddyz87, memxor
Cc: Mykyta Yatsenko, Hiker Cl
map_kptr_match_type() accesses reg->btf before confirming the register
is PTR_TO_BTF_ID. A scalar store into a kptr slot has no btf, causing
a NULL pointer dereference. Guard base_type() first.
Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
---
Mykyta Yatsenko (2):
bpf: Fix NULL deref in map_kptr_match_type for scalar regs
selftests/bpf: Reject scalar store into kptr slot
kernel/bpf/verifier.c | 5 ++++-
tools/testing/selftests/bpf/progs/map_kptr_fail.c | 15 +++++++++++++++
2 files changed, 19 insertions(+), 1 deletion(-)
---
base-commit: 009c77e8c29f17614b4f197e08afd91916599dd7
change-id: 20260416-kptr_crash-572ae35c4400
Best regards,
--
Mykyta Yatsenko <yatsenko@meta.com>
^ permalink raw reply [flat|nested] 6+ messages in thread* [PATCH bpf-next 1/2] bpf: Fix NULL deref in map_kptr_match_type for scalar regs
2026-04-16 18:08 [PATCH bpf-next 0/2] bpf: Fix NULL deref when storing scalar into kptr slot Mykyta Yatsenko
@ 2026-04-16 18:08 ` Mykyta Yatsenko
2026-04-16 22:16 ` Paul Chaignon
2026-04-16 18:08 ` [PATCH bpf-next 2/2] selftests/bpf: Reject scalar store into kptr slot Mykyta Yatsenko
2026-04-16 22:30 ` [PATCH bpf-next 0/2] bpf: Fix NULL deref when storing scalar " patchwork-bot+netdevbpf
2 siblings, 1 reply; 6+ messages in thread
From: Mykyta Yatsenko @ 2026-04-16 18:08 UTC (permalink / raw)
To: bpf, ast, andrii, daniel, kafai, kernel-team, eddyz87, memxor
Cc: Mykyta Yatsenko, Hiker Cl
From: Mykyta Yatsenko <yatsenko@meta.com>
Commit ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local
kptr") refactored map_kptr_match_type() to branch on btf_is_kernel()
before checking base_type(). A scalar register stored into a kptr
slot has no btf, so the btf_is_kernel(reg->btf) call dereferences
NULL.
Move the base_type() != PTR_TO_BTF_ID guard before any reg->btf
access.
Fixes: ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local kptr")
Reported-by: Hiker Cl <clhiker365@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221372
Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
---
kernel/bpf/verifier.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 9e4980128151..a4f3f367988c 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4544,6 +4544,9 @@ static int map_kptr_match_type(struct bpf_verifier_env *env,
int perm_flags;
const char *reg_name = "";
+ if (base_type(reg->type) != PTR_TO_BTF_ID)
+ goto bad_type;
+
if (btf_is_kernel(reg->btf)) {
perm_flags = PTR_MAYBE_NULL | PTR_TRUSTED | MEM_RCU;
@@ -4556,7 +4559,7 @@ static int map_kptr_match_type(struct bpf_verifier_env *env,
perm_flags |= MEM_PERCPU;
}
- if (base_type(reg->type) != PTR_TO_BTF_ID || (type_flag(reg->type) & ~perm_flags))
+ if (type_flag(reg->type) & ~perm_flags)
goto bad_type;
/* We need to verify reg->type and reg->btf, before accessing reg->btf */
--
2.52.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH bpf-next 1/2] bpf: Fix NULL deref in map_kptr_match_type for scalar regs
2026-04-16 18:08 ` [PATCH bpf-next 1/2] bpf: Fix NULL deref in map_kptr_match_type for scalar regs Mykyta Yatsenko
@ 2026-04-16 22:16 ` Paul Chaignon
0 siblings, 0 replies; 6+ messages in thread
From: Paul Chaignon @ 2026-04-16 22:16 UTC (permalink / raw)
To: Mykyta Yatsenko
Cc: bpf, ast, andrii, daniel, kafai, kernel-team, eddyz87, memxor,
Mykyta Yatsenko, Hiker Cl
On Thu, Apr 16, 2026 at 11:08:07AM -0700, Mykyta Yatsenko wrote:
> From: Mykyta Yatsenko <yatsenko@meta.com>
>
> Commit ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local
> kptr") refactored map_kptr_match_type() to branch on btf_is_kernel()
> before checking base_type(). A scalar register stored into a kptr
> slot has no btf, so the btf_is_kernel(reg->btf) call dereferences
> NULL.
>
> Move the base_type() != PTR_TO_BTF_ID guard before any reg->btf
> access.
>
> Fixes: ab6c637ad027 ("bpf: Fix a bpf_kptr_xchg() issue with local kptr")
> Reported-by: Hiker Cl <clhiker365@gmail.com>
> Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221372
> Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
I believe this should be sent to bpf, not bpf-next (though it currently
applies cleanly to both). With that:
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
> ---
> kernel/bpf/verifier.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 9e4980128151..a4f3f367988c 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -4544,6 +4544,9 @@ static int map_kptr_match_type(struct bpf_verifier_env *env,
> int perm_flags;
> const char *reg_name = "";
>
> + if (base_type(reg->type) != PTR_TO_BTF_ID)
> + goto bad_type;
> +
> if (btf_is_kernel(reg->btf)) {
> perm_flags = PTR_MAYBE_NULL | PTR_TRUSTED | MEM_RCU;
>
> @@ -4556,7 +4559,7 @@ static int map_kptr_match_type(struct bpf_verifier_env *env,
> perm_flags |= MEM_PERCPU;
> }
>
> - if (base_type(reg->type) != PTR_TO_BTF_ID || (type_flag(reg->type) & ~perm_flags))
> + if (type_flag(reg->type) & ~perm_flags)
> goto bad_type;
>
> /* We need to verify reg->type and reg->btf, before accessing reg->btf */
>
> --
> 2.52.0
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* [PATCH bpf-next 2/2] selftests/bpf: Reject scalar store into kptr slot
2026-04-16 18:08 [PATCH bpf-next 0/2] bpf: Fix NULL deref when storing scalar into kptr slot Mykyta Yatsenko
2026-04-16 18:08 ` [PATCH bpf-next 1/2] bpf: Fix NULL deref in map_kptr_match_type for scalar regs Mykyta Yatsenko
@ 2026-04-16 18:08 ` Mykyta Yatsenko
2026-04-16 22:20 ` Paul Chaignon
2026-04-16 22:30 ` [PATCH bpf-next 0/2] bpf: Fix NULL deref when storing scalar " patchwork-bot+netdevbpf
2 siblings, 1 reply; 6+ messages in thread
From: Mykyta Yatsenko @ 2026-04-16 18:08 UTC (permalink / raw)
To: bpf, ast, andrii, daniel, kafai, kernel-team, eddyz87, memxor
Cc: Mykyta Yatsenko
From: Mykyta Yatsenko <yatsenko@meta.com>
Verify that the verifier rejects a direct scalar write to a kptr map
value slot without crashing.
Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
---
tools/testing/selftests/bpf/progs/map_kptr_fail.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/tools/testing/selftests/bpf/progs/map_kptr_fail.c b/tools/testing/selftests/bpf/progs/map_kptr_fail.c
index 6443b320c732..ee053b24e6ca 100644
--- a/tools/testing/selftests/bpf/progs/map_kptr_fail.c
+++ b/tools/testing/selftests/bpf/progs/map_kptr_fail.c
@@ -385,4 +385,19 @@ int kptr_xchg_possibly_null(struct __sk_buff *ctx)
return 0;
}
+SEC("?tc")
+__failure __msg("invalid kptr access, R")
+int reject_scalar_store_to_kptr(struct __sk_buff *ctx)
+{
+ struct map_value *v;
+ int key = 0;
+
+ v = bpf_map_lookup_elem(&array_map, &key);
+ if (!v)
+ return 0;
+
+ *(volatile u64 *)&v->unref_ptr = 0xBADC0DE;
+ return 0;
+}
+
char _license[] SEC("license") = "GPL";
--
2.52.0
^ permalink raw reply related [flat|nested] 6+ messages in thread* Re: [PATCH bpf-next 2/2] selftests/bpf: Reject scalar store into kptr slot
2026-04-16 18:08 ` [PATCH bpf-next 2/2] selftests/bpf: Reject scalar store into kptr slot Mykyta Yatsenko
@ 2026-04-16 22:20 ` Paul Chaignon
0 siblings, 0 replies; 6+ messages in thread
From: Paul Chaignon @ 2026-04-16 22:20 UTC (permalink / raw)
To: Mykyta Yatsenko
Cc: bpf, ast, andrii, daniel, kafai, kernel-team, eddyz87, memxor,
Mykyta Yatsenko
On Thu, Apr 16, 2026 at 11:08:08AM -0700, Mykyta Yatsenko wrote:
> From: Mykyta Yatsenko <yatsenko@meta.com>
>
> Verify that the verifier rejects a direct scalar write to a kptr map
> value slot without crashing.
>
> Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
The test makes sense and causes a NULL pointer dereference as expected
when the fix isn't applied.
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
> ---
> tools/testing/selftests/bpf/progs/map_kptr_fail.c | 15 +++++++++++++++
> 1 file changed, 15 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/progs/map_kptr_fail.c b/tools/testing/selftests/bpf/progs/map_kptr_fail.c
> index 6443b320c732..ee053b24e6ca 100644
> --- a/tools/testing/selftests/bpf/progs/map_kptr_fail.c
> +++ b/tools/testing/selftests/bpf/progs/map_kptr_fail.c
> @@ -385,4 +385,19 @@ int kptr_xchg_possibly_null(struct __sk_buff *ctx)
> return 0;
> }
>
> +SEC("?tc")
> +__failure __msg("invalid kptr access, R")
> +int reject_scalar_store_to_kptr(struct __sk_buff *ctx)
> +{
> + struct map_value *v;
> + int key = 0;
> +
> + v = bpf_map_lookup_elem(&array_map, &key);
> + if (!v)
> + return 0;
> +
> + *(volatile u64 *)&v->unref_ptr = 0xBADC0DE;
> + return 0;
> +}
> +
> char _license[] SEC("license") = "GPL";
>
> --
> 2.52.0
>
>
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH bpf-next 0/2] bpf: Fix NULL deref when storing scalar into kptr slot
2026-04-16 18:08 [PATCH bpf-next 0/2] bpf: Fix NULL deref when storing scalar into kptr slot Mykyta Yatsenko
2026-04-16 18:08 ` [PATCH bpf-next 1/2] bpf: Fix NULL deref in map_kptr_match_type for scalar regs Mykyta Yatsenko
2026-04-16 18:08 ` [PATCH bpf-next 2/2] selftests/bpf: Reject scalar store into kptr slot Mykyta Yatsenko
@ 2026-04-16 22:30 ` patchwork-bot+netdevbpf
2 siblings, 0 replies; 6+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-04-16 22:30 UTC (permalink / raw)
To: Mykyta Yatsenko
Cc: bpf, ast, andrii, daniel, kafai, kernel-team, eddyz87, memxor,
yatsenko, clhiker365
Hello:
This series was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@kernel.org>:
On Thu, 16 Apr 2026 11:08:06 -0700 you wrote:
> map_kptr_match_type() accesses reg->btf before confirming the register
> is PTR_TO_BTF_ID. A scalar store into a kptr slot has no btf, causing
> a NULL pointer dereference. Guard base_type() first.
>
> Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
> ---
> Mykyta Yatsenko (2):
> bpf: Fix NULL deref in map_kptr_match_type for scalar regs
> selftests/bpf: Reject scalar store into kptr slot
>
> [...]
Here is the summary with links:
- [bpf-next,1/2] bpf: Fix NULL deref in map_kptr_match_type for scalar regs
https://git.kernel.org/bpf/bpf/c/4d0a375887ab
- [bpf-next,2/2] selftests/bpf: Reject scalar store into kptr slot
https://git.kernel.org/bpf/bpf/c/fcd11ff8bd0e
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2026-04-16 22:30 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-16 18:08 [PATCH bpf-next 0/2] bpf: Fix NULL deref when storing scalar into kptr slot Mykyta Yatsenko
2026-04-16 18:08 ` [PATCH bpf-next 1/2] bpf: Fix NULL deref in map_kptr_match_type for scalar regs Mykyta Yatsenko
2026-04-16 22:16 ` Paul Chaignon
2026-04-16 18:08 ` [PATCH bpf-next 2/2] selftests/bpf: Reject scalar store into kptr slot Mykyta Yatsenko
2026-04-16 22:20 ` Paul Chaignon
2026-04-16 22:30 ` [PATCH bpf-next 0/2] bpf: Fix NULL deref when storing scalar " patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox