public inbox for linux-kernel@vger.kernel.org
* [syzbot] [bpf?] general protection fault in print_reg_state
@ 2025-09-23  9:02 syzbot
  2025-09-23 16:41 ` [PATCH 1/1] bpf: fix NULL pointer dereference in print_reg_state() Brahmajit Das
                   ` (6 more replies)
  0 siblings, 7 replies; 39+ messages in thread
From: syzbot @ 2025-09-23  9:02 UTC (permalink / raw)
  To: andrii, ast, bpf, daniel, eddyz87, haoluo, john.fastabend, jolsa,
	kpsingh, linux-kernel, martin.lau, sdf, song, syzkaller-bugs,
	yonghong.song

Hello,

syzbot found the following issue on:

HEAD commit:    cec1e6e5d1ab Merge tag 'sched_ext-for-6.17-rc7-fixes' of g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=175418e2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8f01d8629880e620
dashboard link: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=113bf8e2580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1608c27c580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-cec1e6e5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2833a04dba30/vmlinux-cec1e6e5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/632491f232df/bzImage-cec1e6e5.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com

Oops: general protection fault, probably for non-canonical address 0xdffffc000000000c: 0000 [#1] SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000060-0x0000000000000067]
CPU: 1 UID: 0 PID: 6117 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:print_reg_state+0x2dc/0x1010 kernel/bpf/log.c:719
Code: c1 ea 03 80 3c 02 00 0f 85 5c 0c 00 00 48 ba 00 00 00 00 00 fc ff df 4c 8b 7b 08 49 8d 47 60 48 89 c1 48 89 04 24 48 c1 e9 03 <0f> b6 14 11 84 d2 74 06 0f 8e 45 0b 00 00 41 0f b6 57 60 48 8b 44
RSP: 0018:ffffc90004e67398 EFLAGS: 00010206
RAX: 0000000000000060 RBX: ffff8880275a5000 RCX: 000000000000000c
RDX: dffffc0000000000 RSI: ffffffff81daeb8b RDI: 0000000000000005
RBP: ffffc90004e674b0 R08: 0000000000000005 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888037df0000
R13: 0000000000000003 R14: 1ffff920009cce79 R15: 0000000000000000
FS:  0000555587b13500(0000) GS:ffff8880d67b2000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000100 CR3: 0000000033bb5000 CR4: 0000000000352ef0
Call Trace:
 <TASK>
 print_verifier_state+0x234/0x1170 kernel/bpf/log.c:775
 do_check kernel/bpf/verifier.c:20071 [inline]
 do_check_common+0x283e/0xb410 kernel/bpf/verifier.c:23264
 do_check_main kernel/bpf/verifier.c:23347 [inline]
 bpf_check+0x869f/0xc670 kernel/bpf/verifier.c:24707
 bpf_prog_load+0xe41/0x2490 kernel/bpf/syscall.c:2979
 __sys_bpf+0x4a3f/0x4de0 kernel/bpf/syscall.c:6029
 __do_sys_bpf kernel/bpf/syscall.c:6139 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:6137 [inline]
 __x64_sys_bpf+0x78/0xc0 kernel/bpf/syscall.c:6137
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xcd/0x4e0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f1041d8eec9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd44cefdd8 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00007f1041fe5fa0 RCX: 00007f1041d8eec9
RDX: 0000000000000094 RSI: 0000200000000100 RDI: 0000000000000005
RBP: 00007f1041e11f91 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f1041fe5fa0 R14: 00007f1041fe5fa0 R15: 0000000000000003
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:print_reg_state+0x2dc/0x1010 kernel/bpf/log.c:719
Code: c1 ea 03 80 3c 02 00 0f 85 5c 0c 00 00 48 ba 00 00 00 00 00 fc ff df 4c 8b 7b 08 49 8d 47 60 48 89 c1 48 89 04 24 48 c1 e9 03 <0f> b6 14 11 84 d2 74 06 0f 8e 45 0b 00 00 41 0f b6 57 60 48 8b 44
RSP: 0018:ffffc90004e67398 EFLAGS: 00010206
RAX: 0000000000000060 RBX: ffff8880275a5000 RCX: 000000000000000c
RDX: dffffc0000000000 RSI: ffffffff81daeb8b RDI: 0000000000000005
RBP: ffffc90004e674b0 R08: 0000000000000005 R09: 0000000000000002
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888037df0000
R13: 0000000000000003 R14: 1ffff920009cce79 R15: 0000000000000000
FS:  0000555587b13500(0000) GS:ffff8880d67b2000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000200000000100 CR3: 0000000033bb5000 CR4: 0000000000352ef0
----------------
Code disassembly (best guess):
   0:	c1 ea 03             	shr    $0x3,%edx
   3:	80 3c 02 00          	cmpb   $0x0,(%rdx,%rax,1)
   7:	0f 85 5c 0c 00 00    	jne    0xc69
   d:	48 ba 00 00 00 00 00 	movabs $0xdffffc0000000000,%rdx
  14:	fc ff df
  17:	4c 8b 7b 08          	mov    0x8(%rbx),%r15
  1b:	49 8d 47 60          	lea    0x60(%r15),%rax
  1f:	48 89 c1             	mov    %rax,%rcx
  22:	48 89 04 24          	mov    %rax,(%rsp)
  26:	48 c1 e9 03          	shr    $0x3,%rcx
* 2a:	0f b6 14 11          	movzbl (%rcx,%rdx,1),%edx <-- trapping instruction
  2e:	84 d2                	test   %dl,%dl
  30:	74 06                	je     0x38
  32:	0f 8e 45 0b 00 00    	jle    0xb7d
  38:	41 0f b6 57 60       	movzbl 0x60(%r15),%edx
  3d:	48                   	rex.W
  3e:	8b                   	.byte 0x8b
  3f:	44                   	rex.R


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

^ permalink raw reply	[flat|nested] 39+ messages in thread

* [PATCH 1/1] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-23  9:02 [syzbot] [bpf?] general protection fault in print_reg_state syzbot
@ 2025-09-23 16:41 ` Brahmajit Das
  2025-10-01 19:17   ` [PATCH v4 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register Brahmajit Das
  2025-09-23 16:43 ` [PATCH 1/1] bpf: fix NULL pointer dereference in print_reg_state() Brahmajit Das
                   ` (5 subsequent siblings)
  6 siblings, 1 reply; 39+ messages in thread
From: Brahmajit Das @ 2025-09-23 16:41 UTC (permalink / raw)
  To: syzbot+d36d5ae81e1b0a53ef58
  Cc: listout, andrii, ast, bpf, daniel, eddyz87, haoluo,
	john.fastabend, jolsa, kpsingh, linux-kernel, martin.lau, sdf,
	song, syzkaller-bugs, yonghong.song

Syzkaller reported a general protection fault due to a NULL pointer
dereference in print_reg_state() when accessing reg->map_ptr without
checking if it is NULL.

The existing code assumes reg->map_ptr is always valid before
dereferencing reg->map_ptr->name, reg->map_ptr->key_size, and
reg->map_ptr->value_size.

Fix this by adding explicit NULL checks before accessing reg->map_ptr
and its members. This prevents crashes when reg->map_ptr is NULL,
improving the robustness of the BPF verifier's verbose logging.

Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
Signed-off-by: Brahmajit Das <listout@listout.xyz>
---
 kernel/bpf/log.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
index 38050f4ee400..a2368b21486a 100644
--- a/kernel/bpf/log.c
+++ b/kernel/bpf/log.c
@@ -3,6 +3,7 @@
  * Copyright (c) 2016 Facebook
  * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
  */
+#include "linux/printk.h"
 #include <uapi/linux/btf.h>
 #include <linux/kernel.h>
 #include <linux/types.h>
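Review bot: the added `#include "linux/printk.h"` is dead weight for this change; nothing in the other hunk calls printk, the file includes kernel headers with angle brackets rather than quotes, and it lands ahead of `<uapi/linux/btf.h>` instead of in the sorted `<linux/...>` block. Drop it from the fix.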
@@ -716,11 +717,12 @@ static void print_reg_state(struct bpf_verifier_env *env,
 	if (type_is_non_owning_ref(reg->type))
 		verbose_a("%s", "non_own_ref");
 	if (type_is_map_ptr(t)) {
-		if (reg->map_ptr->name[0])
+		if (reg->map_ptr != NULL && reg->map_ptr->name[0] != '\0')
 			verbose_a("map=%s", reg->map_ptr->name);
-		verbose_a("ks=%d,vs=%d",
-			  reg->map_ptr->key_size,
-			  reg->map_ptr->value_size);
+		if (reg->map_ptr != NULL)
+			verbose_a("ks=%d,vs=%d",
+					reg->map_ptr->key_size,
+					reg->map_ptr->value_size);
 	}
 	if (t != SCALAR_VALUE && reg->off) {
 		verbose_a("off=");
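Review bot: `reg->map_ptr != NULL` is tested twice inside the same block; if a guard is kept at all, test it once on the outer `if (type_is_map_ptr(t) ...)`. The larger problem is what the guard hides: a register whose type says map pointer but whose `map_ptr` is NULL is an inconsistent verifier state, and quietly printing less log text leaves that state in place for whatever runs after the verbose output. The fix belongs where the state is produced, or at minimum the mismatch should be surfaced rather than skipped. Also, the continuation lines of the `verbose_a("ks=%d,vs=%d", ...)` call moved from paren-aligned to tab indentation, and `!= '\0'` is churn against the original `name[0]` test.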
-- 
2.51.0



* [PATCH 1/1] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-23  9:02 [syzbot] [bpf?] general protection fault in print_reg_state syzbot
  2025-09-23 16:41 ` [PATCH 1/1] bpf: fix NULL pointer dereference in print_reg_state() Brahmajit Das
@ 2025-09-23 16:43 ` Brahmajit Das
  2025-09-23 18:52   ` Alexei Starovoitov
  2025-09-23 17:10 ` Forwarded: [PATCH] " syzbot
                   ` (4 subsequent siblings)
  6 siblings, 1 reply; 39+ messages in thread
From: Brahmajit Das @ 2025-09-23 16:43 UTC (permalink / raw)
  To: syzbot+d36d5ae81e1b0a53ef58
  Cc: listout, andrii, ast, bpf, daniel, eddyz87, haoluo,
	john.fastabend, jolsa, kpsingh, linux-kernel, martin.lau, sdf,
	song, syzkaller-bugs, yonghong.song

Syzkaller reported a general protection fault due to a NULL pointer
dereference in print_reg_state() when accessing reg->map_ptr without
checking if it is NULL.

The existing code assumes reg->map_ptr is always valid before
dereferencing reg->map_ptr->name, reg->map_ptr->key_size, and
reg->map_ptr->value_size.

Fix this by adding explicit NULL checks before accessing reg->map_ptr
and its members. This prevents crashes when reg->map_ptr is NULL,
improving the robustness of the BPF verifier's verbose logging.

Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
Signed-off-by: Brahmajit Das <listout@listout.xyz>
---
 kernel/bpf/log.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
index 38050f4ee400..b38efbbf22cf 100644
--- a/kernel/bpf/log.c
+++ b/kernel/bpf/log.c
@@ -716,11 +716,12 @@ static void print_reg_state(struct bpf_verifier_env *env,
 	if (type_is_non_owning_ref(reg->type))
 		verbose_a("%s", "non_own_ref");
 	if (type_is_map_ptr(t)) {
-		if (reg->map_ptr->name[0])
+		if (reg->map_ptr != NULL && reg->map_ptr->name[0] != '\0')
 			verbose_a("map=%s", reg->map_ptr->name);
-		verbose_a("ks=%d,vs=%d",
-			  reg->map_ptr->key_size,
-			  reg->map_ptr->value_size);
+		if (reg->map_ptr != NULL)
+			verbose_a("ks=%d,vs=%d",
+					reg->map_ptr->key_size,
+					reg->map_ptr->value_size);
 	}
 	if (t != SCALAR_VALUE && reg->off) {
 		verbose_a("off=");
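Review bot: the two `reg->map_ptr != NULL` tests can be one condition on the outer `if`, and re-indenting the `verbose_a()` arguments is unrelated whitespace churn that should not ride along with a bug fix. Substantively, the hunk removes the crash without explaining why a register typed as a map pointer carries a NULL `map_ptr`: for map types the pointer is expected to be set whenever the type is, so the patch papers over an invariant violation that originates somewhere else in the verifier.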
-- 
2.51.0



* Forwarded: [PATCH] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-23  9:02 [syzbot] [bpf?] general protection fault in print_reg_state syzbot
  2025-09-23 16:41 ` [PATCH 1/1] bpf: fix NULL pointer dereference in print_reg_state() Brahmajit Das
  2025-09-23 16:43 ` [PATCH 1/1] bpf: fix NULL pointer dereference in print_reg_state() Brahmajit Das
@ 2025-09-23 17:10 ` syzbot
  2025-09-23 17:47 ` [PATCH v2] " Brahmajit Das
                   ` (3 subsequent siblings)
  6 siblings, 0 replies; 39+ messages in thread
From: syzbot @ 2025-09-23 17:10 UTC (permalink / raw)
  To: linux-kernel

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org.

***

Subject: [PATCH] bpf: fix NULL pointer dereference in print_reg_state()
Author: listout@listout.xyz

#syz test

Syzkaller reported a general protection fault due to a NULL pointer
dereference in print_reg_state() when accessing reg->map_ptr without
checking if it is NULL.

The existing code assumes reg->map_ptr is always valid before
dereferencing reg->map_ptr->name, reg->map_ptr->key_size, and
reg->map_ptr->value_size.

Fix this by adding explicit NULL checks before accessing reg->map_ptr
and its members. This prevents crashes when reg->map_ptr is NULL,
improving the robustness of the BPF verifier's verbose logging.

Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
Signed-off-by: Brahmajit Das <listout@listout.xyz>
---
 kernel/bpf/log.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
index 38050f4ee400..14c0a442a85b 100644
--- a/kernel/bpf/log.c
+++ b/kernel/bpf/log.c
@@ -715,11 +715,10 @@ static void print_reg_state(struct bpf_verifier_env *env,
 		verbose_a("ref_obj_id=%d", reg->ref_obj_id);
 	if (type_is_non_owning_ref(reg->type))
 		verbose_a("%s", "non_own_ref");
-	if (type_is_map_ptr(t)) {
+	if (type_is_map_ptr(t) && reg->map_ptr) {
 		if (reg->map_ptr->name[0])
 			verbose_a("map=%s", reg->map_ptr->name);
-		verbose_a("ks=%d,vs=%d",
-			  reg->map_ptr->key_size,
+		verbose_a("ks=%d,vs=%d", reg->map_ptr->key_size,
 			  reg->map_ptr->value_size);
 	}
 	if (t != SCALAR_VALUE && reg->off) {
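Review bot: the plain `&& reg->map_ptr` truthiness test is fine by kernel style, but the reflow of `verbose_a("ks=%d,vs=%d", reg->map_ptr->key_size,` onto one line is an unrelated formatting change and should be left out of the fix. More importantly, with this condition a register whose type is a map pointer but whose `map_ptr` is NULL now produces no map output at all, so the inconsistent state passes through verbose logging unnoticed instead of being caught or prevented where it arises.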
-- 
2.51.0



* Re: [syzbot] [bpf?] general protection fault in print_reg_state
       [not found] <20250923171012.1627266-1-listout@listout.xyz>
@ 2025-09-23 17:30 ` syzbot
  0 siblings, 0 replies; 39+ messages in thread
From: syzbot @ 2025-09-23 17:30 UTC (permalink / raw)
  To: linux-kernel, listout, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
Tested-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com

Tested on:

commit:         cec1e6e5 Merge tag 'sched_ext-for-6.17-rc7-fixes' of g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=14ed0f12580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=8f01d8629880e620
dashboard link: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58
compiler:       gcc (Debian 12.2.0-14+deb12u1) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=1647627c580000

Note: testing is done by a robot and is best-effort only.


* [PATCH v2] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-23  9:02 [syzbot] [bpf?] general protection fault in print_reg_state syzbot
                   ` (2 preceding siblings ...)
  2025-09-23 17:10 ` Forwarded: [PATCH] " syzbot
@ 2025-09-23 17:47 ` Brahmajit Das
  2025-09-24  7:32   ` Alexei Starovoitov
  2025-09-29 18:23 ` [syzbot] [bpf?] general protection fault in print_reg_state syzbot
                   ` (2 subsequent siblings)
  6 siblings, 1 reply; 39+ messages in thread
From: Brahmajit Das @ 2025-09-23 17:47 UTC (permalink / raw)
  To: syzbot+d36d5ae81e1b0a53ef58
  Cc: andrii, ast, bpf, daniel, eddyz87, haoluo, john.fastabend, jolsa,
	kpsingh, linux-kernel, martin.lau, sdf, song, syzkaller-bugs,
	yonghong.song

Syzkaller reported a general protection fault due to a NULL pointer
dereference in print_reg_state() when accessing reg->map_ptr without
checking if it is NULL.

The existing code assumes reg->map_ptr is always valid before
dereferencing reg->map_ptr->name, reg->map_ptr->key_size, and
reg->map_ptr->value_size.

Fix this by adding explicit NULL checks before accessing reg->map_ptr
and its members. This prevents crashes when reg->map_ptr is NULL,
improving the robustness of the BPF verifier's verbose logging.

Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
Signed-off-by: Brahmajit Das <listout@listout.xyz>
---
 kernel/bpf/log.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
index f50533169cc3..5ffb8d778b92 100644
--- a/kernel/bpf/log.c
+++ b/kernel/bpf/log.c
@@ -704,7 +704,7 @@ static void print_reg_state(struct bpf_verifier_env *env,
 		verbose_a("ref_obj_id=%d", reg->ref_obj_id);
 	if (type_is_non_owning_ref(reg->type))
 		verbose_a("%s", "non_own_ref");
-	if (type_is_map_ptr(t)) {
+	if (type_is_map_ptr(t) && reg->map_ptr) {
 		if (reg->map_ptr->name[0])
 			verbose_a("map=%s", reg->map_ptr->name);
 		verbose_a("ks=%d,vs=%d",
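Review bot: the hunk is now `@@ -704,7 +704,7 @@` against base f50533169cc3 while the earlier postings were at line 716 against 38050f4ee400, so v2 was rebased; note that and the v1-to-v2 change under the `---` line. On substance, the one-line guard masks the state where `type` is a map pointer and `map_ptr` is NULL instead of preventing the two from diverging, which is the question the earlier review raised.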
-- 
2.51.0



* Re: [PATCH 1/1] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-23 16:43 ` [PATCH 1/1] bpf: fix NULL pointer dereference in print_reg_state() Brahmajit Das
@ 2025-09-23 18:52   ` Alexei Starovoitov
  0 siblings, 0 replies; 39+ messages in thread
From: Alexei Starovoitov @ 2025-09-23 18:52 UTC (permalink / raw)
  To: Brahmajit Das
  Cc: syzbot+d36d5ae81e1b0a53ef58, Andrii Nakryiko, Alexei Starovoitov,
	bpf, Daniel Borkmann, Eduard, Hao Luo, John Fastabend, Jiri Olsa,
	KP Singh, LKML, Martin KaFai Lau, Stanislav Fomichev, Song Liu,
	syzkaller-bugs, Yonghong Song

On Tue, Sep 23, 2025 at 9:44 AM Brahmajit Das <listout@listout.xyz> wrote:
>
> Syzkaller reported a general protection fault due to a NULL pointer
> dereference in print_reg_state() when accessing reg->map_ptr without
> checking if it is NULL.
>
> The existing code assumes reg->map_ptr is always valid before
> dereferencing reg->map_ptr->name, reg->map_ptr->key_size, and
> reg->map_ptr->value_size.
>
> Fix this by adding explicit NULL checks before accessing reg->map_ptr
> and its members. This prevents crashes when reg->map_ptr is NULL,
> improving the robustness of the BPF verifier's verbose logging.
>
> Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
> Signed-off-by: Brahmajit Das <listout@listout.xyz>
> ---
>  kernel/bpf/log.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
> index 38050f4ee400..b38efbbf22cf 100644
> --- a/kernel/bpf/log.c
> +++ b/kernel/bpf/log.c
> @@ -716,11 +716,12 @@ static void print_reg_state(struct bpf_verifier_env *env,
>         if (type_is_non_owning_ref(reg->type))
>                 verbose_a("%s", "non_own_ref");
>         if (type_is_map_ptr(t)) {
> -               if (reg->map_ptr->name[0])
> +               if (reg->map_ptr != NULL && reg->map_ptr->name[0] != '\0')
>                         verbose_a("map=%s", reg->map_ptr->name);

Looks like you're band-aiding a symptom instead of fixing the
underlying issue. For map types map_ptr should always be set.

pw-bot: cr


* Re: [PATCH v2] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-23 17:47 ` [PATCH v2] " Brahmajit Das
@ 2025-09-24  7:32   ` Alexei Starovoitov
  2025-09-24  9:09     ` Brahmajit Das
  2025-09-24 15:40     ` Brahmajit Das
  0 siblings, 2 replies; 39+ messages in thread
From: Alexei Starovoitov @ 2025-09-24  7:32 UTC (permalink / raw)
  To: Brahmajit Das
  Cc: syzbot+d36d5ae81e1b0a53ef58, Andrii Nakryiko, Alexei Starovoitov,
	bpf, Daniel Borkmann, Eduard, Hao Luo, John Fastabend, Jiri Olsa,
	KP Singh, LKML, Martin KaFai Lau, Stanislav Fomichev, Song Liu,
	syzkaller-bugs, Yonghong Song

On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das <listout@listout.xyz> wrote:
>
> Syzkaller reported a general protection fault due to a NULL pointer
> dereference in print_reg_state() when accessing reg->map_ptr without
> checking if it is NULL.
>
> The existing code assumes reg->map_ptr is always valid before
> dereferencing reg->map_ptr->name, reg->map_ptr->key_size, and
> reg->map_ptr->value_size.
>
> Fix this by adding explicit NULL checks before accessing reg->map_ptr
> and its members. This prevents crashes when reg->map_ptr is NULL,
> improving the robustness of the BPF verifier's verbose logging.
>
> Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
> Signed-off-by: Brahmajit Das <listout@listout.xyz>
> ---
>  kernel/bpf/log.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
> index f50533169cc3..5ffb8d778b92 100644
> --- a/kernel/bpf/log.c
> +++ b/kernel/bpf/log.c
> @@ -704,7 +704,7 @@ static void print_reg_state(struct bpf_verifier_env *env,
>                 verbose_a("ref_obj_id=%d", reg->ref_obj_id);
>         if (type_is_non_owning_ref(reg->type))
>                 verbose_a("%s", "non_own_ref");
> -       if (type_is_map_ptr(t)) {
> +       if (type_is_map_ptr(t) && reg->map_ptr) {

You ignored earlier feedback.
Fix the root cause, not the symptom.

pw-bot: cr


* Re: [PATCH v2] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-24  7:32   ` Alexei Starovoitov
@ 2025-09-24  9:09     ` Brahmajit Das
  2025-09-24 15:40     ` Brahmajit Das
  1 sibling, 0 replies; 39+ messages in thread
From: Brahmajit Das @ 2025-09-24  9:09 UTC (permalink / raw)
  To: Alexei Starovoitov
  Cc: syzbot+d36d5ae81e1b0a53ef58, Andrii Nakryiko, Alexei Starovoitov,
	bpf, Daniel Borkmann, Eduard, Hao Luo, John Fastabend, Jiri Olsa,
	KP Singh, LKML, Martin KaFai Lau, Stanislav Fomichev, Song Liu,
	syzkaller-bugs, Yonghong Song

On 24.09.2025 09:32, Alexei Starovoitov wrote:
> On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das <listout@listout.xyz> wrote:
> >
> > Syzkaller reported a general protection fault due to a NULL pointer
> > dereference in print_reg_state() when accessing reg->map_ptr without
> > checking if it is NULL.
> >
> > The existing code assumes reg->map_ptr is always valid before
> > dereferencing reg->map_ptr->name, reg->map_ptr->key_size, and
> > reg->map_ptr->value_size.
> >
> > Fix this by adding explicit NULL checks before accessing reg->map_ptr
> > and its members. This prevents crashes when reg->map_ptr is NULL,
> > improving the robustness of the BPF verifier's verbose logging.
> >
> > Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
> > Signed-off-by: Brahmajit Das <listout@listout.xyz>
> > ---
> >  kernel/bpf/log.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
> > index f50533169cc3..5ffb8d778b92 100644
> > --- a/kernel/bpf/log.c
> > +++ b/kernel/bpf/log.c
> > @@ -704,7 +704,7 @@ static void print_reg_state(struct bpf_verifier_env *env,
> >                 verbose_a("ref_obj_id=%d", reg->ref_obj_id);
> >         if (type_is_non_owning_ref(reg->type))
> >                 verbose_a("%s", "non_own_ref");
> > -       if (type_is_map_ptr(t)) {
> > +       if (type_is_map_ptr(t) && reg->map_ptr) {
> 
> You ignored earlier feedback.
> Fix the root cause, not the symptom.
> 
> pw-bot: cr

Alexei, I did not; the patches (v1 and v2) were sent in a very short
timeframe. When you gave me the feedback I had already sent v2, so
your feedback applies to v2 as well :)

I'm working on fixing/understanding the issue. I went one function lower
from where print_reg_state is being called and added a few debugging
statements like this

--- a/kernel/bpf/log.c
+++ b/kernel/bpf/log.c
@@ -758,6 +758,12 @@ void print_verifier_state(struct bpf_verifier_env *env, const struct bpf_verifie
                        continue;
                if (!print_all && !reg_scratched(env, i))
                        continue;
+               pr_err("&state->regs[%d] = %p\n", i, (void *)&state->regs[i]);
+               pr_err("reg               = %p\n", (void *)reg);
+               pr_err("&reg->map_ptr      = %p\n", (void *)&reg->map_ptr);
+               pr_err("&state->regs[%d].map_ptr = %p\n", i, (void *)&state->regs[i].map_ptr);
+               pr_err("state->regs[%d].map_ptr is NULL %d\n", i, state->regs[i].map_ptr == NULL);
+               pr_err("regs->map_ptr is NULL %d\n", reg->map_ptr == NULL);
                verbose(env, " R%d", i);
                verbose(env, "=");
                print_reg_state(env, state, reg);
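Review bot: the four `%p` lines print hashed addresses (printk hashes `%p` by default), so they will not match the raw register values in the oops and are not comparable across runs; the two `== NULL` lines are the ones that carry the signal here. The hunk header `-758,6 +758,12` matches the six added lines, so the debugging diff applies cleanly as pasted.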

Both reg->map_ptr and state->regs[i].map_ptr report map_ptr is NULL.
For now I'm a bit stuck and trying to understand why that would be.
I got the reproducer from
https://syzkaller.appspot.com/text?tag=ReproC&x=1608c27c580000

-- 
Regards,
listout


* Re: [PATCH v2] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-24  7:32   ` Alexei Starovoitov
  2025-09-24  9:09     ` Brahmajit Das
@ 2025-09-24 15:40     ` Brahmajit Das
  2025-09-24 17:28       ` Alexei Starovoitov
  2025-09-24 17:38       ` KaFai Wan
  1 sibling, 2 replies; 39+ messages in thread
From: Brahmajit Das @ 2025-09-24 15:40 UTC (permalink / raw)
  To: Alexei Starovoitov
  Cc: syzbot+d36d5ae81e1b0a53ef58, Andrii Nakryiko, Alexei Starovoitov,
	bpf, Daniel Borkmann, Eduard, Hao Luo, John Fastabend, Jiri Olsa,
	KP Singh, LKML, Martin KaFai Lau, Stanislav Fomichev, Song Liu,
	syzkaller-bugs, Yonghong Song

On 24.09.2025 09:32, Alexei Starovoitov wrote:
> On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das <listout@listout.xyz> wrote:
> >
> > Syzkaller reported a general protection fault due to a NULL pointer
> > dereference in print_reg_state() when accessing reg->map_ptr without
> > checking if it is NULL.
> >
...snip...
> > -       if (type_is_map_ptr(t)) {
> > +       if (type_is_map_ptr(t) && reg->map_ptr) {
> 
> You ignored earlier feedback.
> Fix the root cause, not the symptom.
> 
> pw-bot: cr

I'm not sure if I'm headed the right direction but it seems like in
check_alu_op, we are calling adjust_scalar_min_max_vals when we get a
BPF_NEG as opcode, which has a call to __mark_reg_known when the opcode is
BPF_NEG. And __mark_reg_known clears map_ptr with

	/* Clear off and union(map_ptr, range) */
	memset(((u8 *)reg) + sizeof(reg->type), 0,
	       offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type));

-- 
Regards,
listout


* Re: [PATCH v2] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-24 15:40     ` Brahmajit Das
@ 2025-09-24 17:28       ` Alexei Starovoitov
  2025-09-24 17:38       ` KaFai Wan
  1 sibling, 0 replies; 39+ messages in thread
From: Alexei Starovoitov @ 2025-09-24 17:28 UTC (permalink / raw)
  To: Brahmajit Das
  Cc: syzbot+d36d5ae81e1b0a53ef58, Andrii Nakryiko, Alexei Starovoitov,
	bpf, Daniel Borkmann, Eduard, Hao Luo, John Fastabend, Jiri Olsa,
	KP Singh, LKML, Martin KaFai Lau, Stanislav Fomichev, Song Liu,
	syzkaller-bugs, Yonghong Song

On Wed, Sep 24, 2025 at 4:41 PM Brahmajit Das <listout@listout.xyz> wrote:
>
> On 24.09.2025 09:32, Alexei Starovoitov wrote:
> > On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das <listout@listout.xyz> wrote:
> > >
> > > Syzkaller reported a general protection fault due to a NULL pointer
> > > dereference in print_reg_state() when accessing reg->map_ptr without
> > > checking if it is NULL.
> > >
> ...snip...
> > > -       if (type_is_map_ptr(t)) {
> > > +       if (type_is_map_ptr(t) && reg->map_ptr) {
> >
> > You ignored earlier feedback.
> > Fix the root cause, not the symptom.
> >
> > pw-bot: cr
>
> I'm not sure if I'm headed the right direction but it seems like in
> check_alu_op, we are calling adjust_scalar_min_max_vals when we get a
> BPF_NEG as opcode, which has a call to __mark_reg_known when the opcode is
> BPF_NEG. And __mark_reg_known clears map_ptr with

Looks like we're getting somewhere.
It seems the verifier is not clearing reg->type.
adjust_scalar_min_max_vals() should be called on scalar types only.


* Re: [PATCH v2] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-24 15:40     ` Brahmajit Das
  2025-09-24 17:28       ` Alexei Starovoitov
@ 2025-09-24 17:38       ` KaFai Wan
  2025-09-24 18:28         ` Brahmajit Das
  1 sibling, 1 reply; 39+ messages in thread
From: KaFai Wan @ 2025-09-24 17:38 UTC (permalink / raw)
  To: Brahmajit Das, Alexei Starovoitov
  Cc: syzbot+d36d5ae81e1b0a53ef58, Andrii Nakryiko, Alexei Starovoitov,
	bpf, Daniel Borkmann, Eduard, Hao Luo, John Fastabend, Jiri Olsa,
	KP Singh, LKML, Martin KaFai Lau, Stanislav Fomichev, Song Liu,
	syzkaller-bugs, Yonghong Song

On Wed, 2025-09-24 at 21:10 +0530, Brahmajit Das wrote:
> On 24.09.2025 09:32, Alexei Starovoitov wrote:
> > On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das <listout@listout.xyz>
> > wrote:
> > > 
> > > Syzkaller reported a general protection fault due to a NULL
> > > pointer
> > > dereference in print_reg_state() when accessing reg->map_ptr
> > > without
> > > checking if it is NULL.
> > > 
> ...snip...
> > > -       if (type_is_map_ptr(t)) {
> > > +       if (type_is_map_ptr(t) && reg->map_ptr) {
> > 
> > You ignored earlier feedback.
> > Fix the root cause, not the symptom.
> > 
> > pw-bot: cr
> 
> I'm not sure if I'm headed the right direction but it seems like in
> check_alu_op, we are calling adjust_scalar_min_max_vals when we get a
> BPF_NEG as opcode, which has a call to __mark_reg_known when the opcode
> is BPF_NEG. And __mark_reg_known clears map_ptr with
> 
> 	/* Clear off and union(map_ptr, range) */
> 	memset(((u8 *)reg) + sizeof(reg->type), 0,
> 	       offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type));
> 

I think you are right. The following code can reproduce the error.

	asm volatile ("					\
	r0 = %[map_hash_48b] ll;			\
	r0 = -r0;					\
	exit;						\
"	:
	: __imm_addr(map_hash_48b)
	: __clobber_all);


BPF_NEG calls __mark_reg_known(dst_reg, 0) which clears the 'off' and
'union(map_ptr, range)' of dst_reg, but keeps the 'type', which is
CONST_PTR_TO_MAP.

Perhaps we can only allow the SCALAR_VALUE type to run BPF_NEG as an
opcode, while for other types the behaviour stays the same as before BPF_NEG.

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e892df386eed..dbf9f1efc6e7 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -15346,13 +15346,15 @@ static bool
is_safe_to_compute_dst_reg_range(struct bpf_insn *insn,
 	switch (BPF_OP(insn->code)) {
 	case BPF_ADD:
 	case BPF_SUB:
-	case BPF_NEG:
 	case BPF_AND:
 	case BPF_XOR:
 	case BPF_OR:
 	case BPF_MUL:
 		return true;
 
+	case BPF_NEG:
+		return base_type(src_reg->type) == SCALAR_VALUE;
+
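Review bot: the `@@ -15346,13 +15346,15 @@` header has been wrapped by the mailer so that `is_safe_to_compute_dst_reg_range(struct bpf_insn *insn,` sits on its own line, and the hunk stops after the added `+` lines without its trailing context, so it will not apply as pasted; fine for a sketch, but a real submission needs the intact hunk. On the logic: BPF_NEG is a unary operation whose only operand is dst_reg, while the new case tests `src_reg->type`; it is worth confirming that the `src_reg` passed into this function for BPF_NEG is the register being negated and not a synthesized operand. It also matters what the caller does when this function returns false: if the program is rejected, good; if dst_reg is instead marked unknown, a negated map pointer silently becomes a scalar, which fixes the crash but is still a type change that should be a deliberate decision.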


-- 
Thanks,
KaFai


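A user-space model of the mechanism both replies above describe (the memset in __mark_reg_known() clearing map_ptr while the register keeps its map-pointer type, and the "only scalars may be negated" guard), added here as an example; it is not code from the thread or from the kernel. The field order of the struct and the memset mirror the quoted snippet; the type definitions, the helper names and the map's key/value sizes are simplified, constructed stand-ins.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for the kernel types: enough layout to show the
 * mechanism, not the real definitions. */
enum bpf_reg_type { NOT_INIT = 0, SCALAR_VALUE, CONST_PTR_TO_MAP };
struct bpf_map { char name[16]; uint32_t key_size, value_size; };
struct tnum { uint64_t value, mask; };

/* Field order matters: 'type' first, then 'off' and the union holding
 * map_ptr, then 'var_off'. mark_reg_known() wipes exactly the bytes between
 * 'type' and 'var_off', so 'type' survives while map_ptr becomes NULL. */
struct bpf_reg_state {
	enum bpf_reg_type type;
	int32_t off;
	union { struct bpf_map *map_ptr; uint32_t range; };
	struct tnum var_off;
};

/* Same clearing pattern as the __mark_reg_known() snippet quoted in the
 * thread; sound only if the caller already made reg a SCALAR_VALUE. */
static void mark_reg_known(struct bpf_reg_state *reg, uint64_t imm)
{
	/* Clear off and union(map_ptr, range) */
	memset(((uint8_t *)reg) + sizeof(reg->type), 0,
	       offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type));
	reg->var_off.value = imm;
	reg->var_off.mask = 0;
}

/* The invariant print_reg_state() relies on: a map-pointer type implies a
 * non-NULL map_ptr. Returns 0 if it holds, -1 if the state is broken. */
static int reg_state_consistent(const struct bpf_reg_state *reg)
{
	return (reg->type == CONST_PTR_TO_MAP && reg->map_ptr == NULL) ? -1 : 0;
}

static void load_map_ptr(struct bpf_reg_state *dst, struct bpf_map *map)
{
	memset(dst, 0, sizeof(*dst));
	dst->type = CONST_PTR_TO_MAP;
	dst->map_ptr = map;
}

/* BPF_NEG without a type check: scalar range tracking runs on whatever
 * register it is handed, which is the crashing path described above. */
static void neg_unguarded(struct bpf_reg_state *dst)
{
	mark_reg_known(dst, (uint64_t)0 - dst->var_off.value);
}

/* BPF_NEG restricted to SCALAR_VALUE, as suggested in the reply above.
 * Returns 0 on success, -1 if the instruction is rejected. */
static int neg_guarded(struct bpf_reg_state *dst)
{
	if (dst->type != SCALAR_VALUE)
		return -1;
	neg_unguarded(dst);
	return 0;
}

/* r0 = map ll; r0 = -r0 through both paths. Bit 0: unguarded path left an
 * inconsistent state; bit 1: guarded path rejected the instruction; bit 2:
 * guarded path left an inconsistent state (should never be set). */
int neg_map_pointer_demo(void)
{
	static struct bpf_map map = { "map_hash_48b", 4, 48 }; /* constructed */
	struct bpf_reg_state r0;
	int result = 0;

	load_map_ptr(&r0, &map);
	neg_unguarded(&r0);
	if (reg_state_consistent(&r0) < 0)
		result |= 1;	/* type still CONST_PTR_TO_MAP, map_ptr now NULL */

	load_map_ptr(&r0, &map);
	if (neg_guarded(&r0) < 0)
		result |= 2;
	if (reg_state_consistent(&r0) < 0)
		result |= 4;
	return result;
}

/* The legitimate case: a known scalar is negated; returns the new value. */
int64_t neg_scalar_demo(int64_t v)
{
	struct bpf_reg_state r1;

	memset(&r1, 0, sizeof(r1));
	r1.type = SCALAR_VALUE;
	mark_reg_known(&r1, (uint64_t)v);
	if (neg_guarded(&r1) < 0)
		return 0;
	return (int64_t)r1.var_off.value;
}
```

neg_map_pointer_demo() returns 3: the unguarded path leaves a register that print_reg_state() would dereference through a NULL map_ptr, the guarded path rejects the instruction and leaves the register untouched.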
* Re: [PATCH v2] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-24 17:38       ` KaFai Wan
@ 2025-09-24 18:28         ` Brahmajit Das
  2025-09-25 15:31           ` KaFai Wan
  0 siblings, 1 reply; 39+ messages in thread
From: Brahmajit Das @ 2025-09-24 18:28 UTC (permalink / raw)
  To: KaFai Wan, Alexei Starovoitov
  Cc: syzbot+d36d5ae81e1b0a53ef58, Andrii Nakryiko, Alexei Starovoitov,
	bpf, Daniel Borkmann, Eduard, Hao Luo, John Fastabend, Jiri Olsa,
	KP Singh, LKML, Martin KaFai Lau, Stanislav Fomichev, Song Liu,
	syzkaller-bugs, Yonghong Song

On 25.09.2025 01:38, KaFai Wan wrote:
> On Wed, 2025-09-24 at 21:10 +0530, Brahmajit Das wrote:
> > On 24.09.2025 09:32, Alexei Starovoitov wrote:
> > > On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das <listout@listout.xyz>
> > > wrote:
> > > > 
> > > > Syzkaller reported a general protection fault due to a NULL
> > > > pointer
> > > > dereference in print_reg_state() when accessing reg->map_ptr
> > > > without
> > > > checking if it is NULL.
> > > > 
> > ...snip...
> > > > -       if (type_is_map_ptr(t)) {
> > > > +       if (type_is_map_ptr(t) && reg->map_ptr) {
> > > 
> > > You ignored earlier feedback.
> > > Fix the root cause, not the symptom.
> > > 
> > > pw-bot: cr
> > 
> > I'm not sure if I'm headed the right direction but it seems like in
> > check_alu_op, we are calling adjust_scalar_min_max_vals when we get
> > a
> > BPF_NEG as opcode. Which has a call to __mark_reg_known when opcode
> > is
> > BPF_NEG. And __mark_reg_known clears map_ptr with
> > 
> > 	/* Clear off and union(map_ptr, range) */
> > 	memset(((u8 *)reg) + sizeof(reg->type), 0,
> > 	       offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type));
> > 
> 
> I think you are right. The following code can reproduce the error.
> 
> 	asm volatile ("					\
> 	r0 = %[map_hash_48b] ll;			\
> 	r0 = -r0;					\
> 	exit;						\
> "	:
> 	: __imm_addr(map_hash_48b)
> 	: __clobber_all);
> 
> 
> BPF_NEG calls __mark_reg_known(dst_reg, 0) which clears the 'off' and
> 'union(map_ptr, range)' of dst_reg, but keeps the 'type', which is
> CONST_PTR_TO_MAP.
> 
> Perhaps we can only allow the SCALAR_VALUE type to run BPF_NEG as an
> opcode, while for other types same as the before BPF_NEG.
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index e892df386eed..dbf9f1efc6e7 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -15346,13 +15346,15 @@ static bool
> is_safe_to_compute_dst_reg_range(struct bpf_insn *insn,
>  	switch (BPF_OP(insn->code)) {
>  	case BPF_ADD:
>  	case BPF_SUB:
> -	case BPF_NEG:
>  	case BPF_AND:
>  	case BPF_XOR:
>  	case BPF_OR:
>  	case BPF_MUL:
>  		return true;
>  
> +	case BPF_NEG:
> +		return base_type(src_reg->type) == SCALAR_VALUE;
> +
> 
> 
> -- 
> Thanks,
> KaFai

Before even going into adjust_scalar_min_max_vals we have a check in
check_alu_op, which I think is not being respected. Going to expand on
this below as response to Alexei.

On 24.09.2025 18:28, Alexei Starovoitov wrote:
> On Wed, Sep 24, 2025 at 4:41 PM Brahmajit Das <listout@listout.xyz> wrote:
> >
> > On 24.09.2025 09:32, Alexei Starovoitov wrote:
> > > On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das <listout@listout.xyz> wrote:
> > > >
> > > > Syzkaller reported a general protection fault due to a NULL pointer
> > > > dereference in print_reg_state() when accessing reg->map_ptr without
> > > > checking if it is NULL.
> > > >
> > ...snip...
> > > > -       if (type_is_map_ptr(t)) {
> > > > +       if (type_is_map_ptr(t) && reg->map_ptr) {
> > >
> > > You ignored earlier feedback.
> > > Fix the root cause, not the symptom.
> > >
> > > pw-bot: cr
> >
> > I'm not sure if I'm headed the right direction but it seems like in
> > check_alu_op, we are calling adjust_scalar_min_max_vals when we get a
> > BPF_NEG as opcode. Which has a call to __mark_reg_known when opcode is
> > BPF_NEG. And __mark_reg_known clears map_ptr with
> 
> Looks like we're getting somewhere.
> It seems the verifier is not clearing reg->type.
> adjust_scalar_min_max_vals() should be called on scalar types only.

Right, there is a check in check_alu_op

		if (is_pointer_value(env, insn->dst_reg)) {
			verbose(env, "R%d pointer arithmetic prohibited\n",
				insn->dst_reg);
			return -EACCES;
		}

is_pointer_value calls __is_pointer_value, which takes bool
allow_ptr_leaks as its first argument. Now for some reason in this case
allow_ptr_leaks is being passed as true; as a result __is_pointer_value
(and in turn is_pointer_value) returns false even when the register
type is CONST_PTR_TO_MAP.

-- 
Regards,
listout


* Re: [PATCH v2] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-24 18:28         ` Brahmajit Das
@ 2025-09-25 15:31           ` KaFai Wan
  2025-09-26  1:04             ` Brahmajit Das
  0 siblings, 1 reply; 39+ messages in thread
From: KaFai Wan @ 2025-09-25 15:31 UTC (permalink / raw)
  To: Brahmajit Das, Alexei Starovoitov
  Cc: syzbot+d36d5ae81e1b0a53ef58, Andrii Nakryiko, Alexei Starovoitov,
	bpf, Daniel Borkmann, Eduard, Hao Luo, John Fastabend, Jiri Olsa,
	KP Singh, LKML, Martin KaFai Lau, Stanislav Fomichev, Song Liu,
	syzkaller-bugs, Yonghong Song

On Wed, 2025-09-24 at 23:58 +0530, Brahmajit Das wrote:
> On 25.09.2025 01:38, KaFai Wan wrote:
> > On Wed, 2025-09-24 at 21:10 +0530, Brahmajit Das wrote:
> > > On 24.09.2025 09:32, Alexei Starovoitov wrote:
> > > > On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das
> > > > <listout@listout.xyz>
> > > > wrote:
> > > > > 
> > > > > Syzkaller reported a general protection fault due to a NULL
> > > > > pointer
> > > > > dereference in print_reg_state() when accessing reg->map_ptr
> > > > > without
> > > > > checking if it is NULL.
> > > > > 
> > > ...snip...
> > > > > -       if (type_is_map_ptr(t)) {
> > > > > +       if (type_is_map_ptr(t) && reg->map_ptr) {
> > > > 
> > > > You ignored earlier feedback.
> > > > Fix the root cause, not the symptom.
> > > > 
> > > > pw-bot: cr
> > > 
> > > I'm not sure if I'm headed the right direction but it seems like
> > > in
> > > check_alu_op, we are calling adjust_scalar_min_max_vals when we
> > > get
> > > a
> > > BPF_NEG as opcode. Which has a call to __mark_reg_known when
> > > opcode
> > > is
> > > BPF_NEG. And __mark_reg_known clears map_ptr with
> > > 
> > > 	/* Clear off and union(map_ptr, range) */
> > > 	memset(((u8 *)reg) + sizeof(reg->type), 0,
> > > 	       offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type));
> > > 
> > 
> > I think you are right. The following code can reproduce the error.
> > 
> > 	asm volatile ("					\
> > 	r0 = %[map_hash_48b] ll;			\
> > 	r0 = -r0;					\
> > 	exit;						\
> > "	:
> > 	: __imm_addr(map_hash_48b)
> > 	: __clobber_all);
> > 
> > 
> > BPF_NEG calls __mark_reg_known(dst_reg, 0) which clears the 'off'
> > and
> > 'union(map_ptr, range)' of dst_reg, but keeps the 'type', which is
> > CONST_PTR_TO_MAP.
> > 
> > Perhaps we can only allow the SCALAR_VALUE type to run BPF_NEG as
> > an
> > opcode, while for other types same as the before BPF_NEG.
> > 
> > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > index e892df386eed..dbf9f1efc6e7 100644
> > --- a/kernel/bpf/verifier.c
> > +++ b/kernel/bpf/verifier.c
> > @@ -15346,13 +15346,15 @@ static bool
> > is_safe_to_compute_dst_reg_range(struct bpf_insn *insn,
> >  	switch (BPF_OP(insn->code)) {
> >  	case BPF_ADD:
> >  	case BPF_SUB:
> > -	case BPF_NEG:
> >  	case BPF_AND:
> >  	case BPF_XOR:
> >  	case BPF_OR:
> >  	case BPF_MUL:
> >  		return true;
> >  
> > +	case BPF_NEG:
> > +		return base_type(src_reg->type) == SCALAR_VALUE;
> > +
> > 
> > 
> > -- 
> > Thanks,
> > KaFai
> 
> Before even going into adjust_scalar_min_max_vals we have a check in
> check_alu_op, which I think is not being respected. Going to expand
> on
> this below as response to Alexei.
> 
> On 24.09.2025 18:28, Alexei Starovoitov wrote:
> > On Wed, Sep 24, 2025 at 4:41 PM Brahmajit Das <listout@listout.xyz>
> > wrote:
> > > 
> > > On 24.09.2025 09:32, Alexei Starovoitov wrote:
> > > > On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das
> > > > <listout@listout.xyz> wrote:
> > > > > 
> > > > > Syzkaller reported a general protection fault due to a NULL
> > > > > pointer
> > > > > dereference in print_reg_state() when accessing reg->map_ptr
> > > > > without
> > > > > checking if it is NULL.
> > > > > 
> > > ...snip...
> > > > > -       if (type_is_map_ptr(t)) {
> > > > > +       if (type_is_map_ptr(t) && reg->map_ptr) {
> > > > 
> > > > You ignored earlier feedback.
> > > > Fix the root cause, not the symptom.
> > > > 
> > > > pw-bot: cr
> > > 
> > > I'm not sure if I'm headed the right direction but it seems like
> > > in
> > > check_alu_op, we are calling adjust_scalar_min_max_vals when we
> > > get a
> > > BPF_NEG as opcode. Which has a call to __mark_reg_known when
> > > opcode is
> > > BPF_NEG. And __mark_reg_known clears map_ptr with
> > 
> > Looks like we're getting somewhere.
> > It seems the verifier is not clearing reg->type.
> > adjust_scalar_min_max_vals() should be called on scalar types only.
> 
> Right, there is a check in check_alu_op
> 
> 		if (is_pointer_value(env, insn->dst_reg)) {
> 			verbose(env, "R%d pointer arithmetic prohibited\n",
> 				insn->dst_reg);
> 			return -EACCES;
> 		}
> 
> is_pointer_value calls __is_pointer_value which takes bool
> allow_ptr_leaks as the first argument. Now for some reason in this
> case
> allow_ptr_leaks is being passed as true, as a result
> __is_pointer_value
> (and in turn is_pointer_value) returns false even when the register
> type is CONST_PTR_TO_MAP.
> 

IIUC, `env->allow_ptr_leaks` set to true means privileged mode
(CAP_PERFMON or CAP_SYS_ADMIN), and false means unprivileged mode.


We can use __is_pointer_value to check if the register type is a
pointer. For pointers, we check as before (before checking BPF_NEG
separately), and for scalars, it remains unchanged. Perhaps this way we
can fix the error.

if (opcode == BPF_NEG) {
	if (__is_pointer_value(false, &regs[insn->dst_reg])) {
		err = check_reg_arg(env, insn->dst_reg, DST_OP);
	} else {
		err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
		err = err ?: adjust_scalar_min_max_vals(env, insn,
						&regs[insn->dst_reg],
						regs[insn->dst_reg]);
	}
} else {


-- 
Thanks,
KaFai
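As an added illustration of the mechanism discussed in this subthread (not code from the thread or from the kernel): a small userspace C model of the register state. The struct layout, the field set and the function bodies are simplified assumptions; the names mirror the verifier functions the thread names. It shows why the memset in __mark_reg_known() leaves a CONST_PTR_TO_MAP register with a NULL map_ptr, why allow_ptr_leaks lets the privileged path reach that state, and how the gate proposed above keeps a pointer dst out of the scalar path.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Reduced stand-in for the kernel's bpf_reg_state: same field order as the
 * real one (type, off, union with map_ptr, var_off), but an assumed layout. */
enum reg_type { NOT_INIT = 0, SCALAR_VALUE, CONST_PTR_TO_MAP };

struct bpf_map { int id; };

struct reg_state {
	enum reg_type type;
	int32_t off;
	union {
		struct bpf_map *map_ptr;	/* meaningful for CONST_PTR_TO_MAP */
		int64_t range;
	};
	uint64_t var_off;			/* stands in for struct tnum */
};

/* Models __mark_reg_known(): the memset quoted in the thread starts right
 * after 'type', so 'off' and the union (map_ptr) are zeroed but the type of
 * a CONST_PTR_TO_MAP register survives. */
static void mark_reg_known(struct reg_state *reg, uint64_t imm)
{
	memset((uint8_t *)reg + sizeof(reg->type), 0,
	       offsetof(struct reg_state, var_off) - sizeof(reg->type));
	reg->var_off = imm;
}

/* Models __mark_reg_unknown(): reset everything and make it a scalar. */
static void mark_reg_unknown(struct reg_state *reg)
{
	memset(reg, 0, sizeof(*reg));
	reg->type = SCALAR_VALUE;
}

/* Models __is_pointer_value(): with allow_ptr_leaks the answer is always
 * "not a pointer", which is why privileged programs reach the bug. */
static bool is_pointer_value(bool allow_ptr_leaks, const struct reg_state *reg)
{
	return !allow_ptr_leaks && reg->type != SCALAR_VALUE;
}

/* Models the BPF_NEG branch of check_alu_op(). With 'fixed' set, a pointer
 * dst takes the DST_OP path (marked unknown scalar) instead of the scalar
 * range adjustment, which is the gate proposed in the thread. */
static int check_neg(struct reg_state *dst, bool allow_ptr_leaks, bool fixed)
{
	if (is_pointer_value(allow_ptr_leaks, dst))
		return -EACCES;		/* "R%d pointer arithmetic prohibited" */
	if (fixed && is_pointer_value(false, dst)) {
		mark_reg_unknown(dst);
		return 0;
	}
	/* Scalar range adjustment for a known constant: dst = -dst. */
	mark_reg_known(dst, (uint64_t)(-(int64_t)dst->var_off));
	return 0;
}

/* The invariant print_reg_state() relies on: a CONST_PTR_TO_MAP register
 * carries a non-NULL map_ptr, otherwise its type-based branch derefs NULL. */
static bool reg_state_is_consistent(const struct reg_state *reg)
{
	return reg->type != CONST_PTR_TO_MAP || reg->map_ptr != NULL;
}

struct neg_result {
	int err;
	enum reg_type type;
	bool consistent;
};

/* Run "r0 = map ll; r0 = -r0" through the model and report the outcome. */
static struct neg_result neg_map_ptr(bool allow_ptr_leaks, bool fixed)
{
	static struct bpf_map map = { .id = 48 };	/* constructed sample map */
	struct reg_state r0 = { .type = CONST_PTR_TO_MAP, .map_ptr = &map };
	struct neg_result res;

	res.err = check_neg(&r0, allow_ptr_leaks, fixed);
	res.type = r0.type;
	res.consistent = reg_state_is_consistent(&r0);
	return res;
}

/* A genuine scalar is negated the same way with or without the fix. */
static uint64_t neg_known_scalar(int64_t value, bool fixed)
{
	struct reg_state r0 = { .type = SCALAR_VALUE, .var_off = (uint64_t)value };

	check_neg(&r0, true, fixed);
	return r0.var_off;
}
```

Unprivileged mode rejects the negation up front in both variants; only the privileged, unfixed path produces the CONST_PTR_TO_MAP-with-NULL-map_ptr state that the syzbot report trips over.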


* Re: [PATCH v2] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-25 15:31           ` KaFai Wan
@ 2025-09-26  1:04             ` Brahmajit Das
  2025-09-26  1:56               ` Brahmajit Das
  2025-09-26 10:36               ` KaFai Wan
  0 siblings, 2 replies; 39+ messages in thread
From: Brahmajit Das @ 2025-09-26  1:04 UTC (permalink / raw)
  To: KaFai Wan
  Cc: Alexei Starovoitov, syzbot+d36d5ae81e1b0a53ef58, Andrii Nakryiko,
	Alexei Starovoitov, bpf, Daniel Borkmann, Eduard, Hao Luo,
	John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau,
	Stanislav Fomichev, Song Liu, syzkaller-bugs, Yonghong Song

On 25.09.2025 23:31, KaFai Wan wrote:
> On Wed, 2025-09-24 at 23:58 +0530, Brahmajit Das wrote:
> > On 25.09.2025 01:38, KaFai Wan wrote:
> > > On Wed, 2025-09-24 at 21:10 +0530, Brahmajit Das wrote:
> > > > On 24.09.2025 09:32, Alexei Starovoitov wrote:
> > > > > On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das
> > > > > <listout@listout.xyz>
> > > > > wrote:
> > > > > > 
> > > > > > Syzkaller reported a general protection fault due to a NULL
> > > > > > pointer
> > > > > > dereference in print_reg_state() when accessing reg->map_ptr
> > > > > > without
> > > > > > checking if it is NULL.
> > > > > > 
...snip...
> > > 
> > > Looks like we're getting somewhere.
> > > It seems the verifier is not clearing reg->type.
> > > adjust_scalar_min_max_vals() should be called on scalar types only.
> > 
> > Right, there is a check in check_alu_op
> > 
> > 		if (is_pointer_value(env, insn->dst_reg)) {
> > 			verbose(env, "R%d pointer arithmetic prohibited\n",
> > 				insn->dst_reg);
> > 			return -EACCES;
> > 		}
> > 
> > is_pointer_value calls __is_pointer_value which takes bool
> > allow_ptr_leaks as the first argument. Now for some reason in this
> > case
> > allow_ptr_leaks is being passed as true, as a result
> > __is_pointer_value
> > (and in turn is_pointer_value) returns false even when the register
> > type is CONST_PTR_TO_MAP.
> > 
> 
> IIUC, `env->allow_ptr_leaks` set true means privileged mode (
> CAP_PERFMON or CAP_SYS_ADMIN ), false for unprivileged mode. 
> 
> 
> We can use __is_pointer_value to check if the register type is a
> pointer. For pointers, we check as before (before checking BPF_NEG
> separately), and for scalars, it remains unchanged. Perhaps this way we
> can fix the error.
> 
> if (opcode == BPF_NEG) {
> 	if (__is_pointer_value(false, &regs[insn->dst_reg])) {
> 		err = check_reg_arg(env, insn->dst_reg, DST_OP);
> 	} else {
> 		err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
> 		err = err ?: adjust_scalar_min_max_vals(env, insn,
> 						&regs[insn->dst_reg],
> 						regs[insn->dst_reg]);
> 	}
> } else {
> 
> 
> -- 
> Thanks,
> KaFai

Yep, that works.

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -15505,10 +15505,17 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)

                /* check dest operand */
                if (opcode == BPF_NEG) {
-                       err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
-                       err = err ?: adjust_scalar_min_max_vals(env, insn,
-                                                        &regs[insn->dst_reg],
-                                                        regs[insn->dst_reg]);
+                       if (__is_pointer_value(false, &regs[insn->dst_reg])) {
+                               err = check_reg_arg(env, insn->dst_reg, DST_OP);
+                       } else {
+                               err = check_reg_arg(env, insn->dst_reg,
+                                                   DST_OP_NO_MARK);
+                               err = err   ?:
+                                             adjust_scalar_min_max_vals(
+                                                     env, insn,
+                                                     &regs[insn->dst_reg],
+                                                     regs[insn->dst_reg]);
+                       }
                } else {
                        err = check_reg_arg(env, insn->dst_reg, DST_OP);
                }
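Review bot: the `err = err   ?:` line with the call split over five lines (extra spaces before `?:`, the operator left dangling at end of line) does not match the file's style; the form from the snippet above, `err = err ?: adjust_scalar_min_max_vals(env, insn,` with the remaining arguments wrapped underneath, reads better. Passing a literal `false` to `__is_pointer_value()` is the whole point of the change, since it makes a pointer dst take the DST_OP path regardless of env->allow_ptr_leaks, but that intent is not obvious from the literal and deserves a one-line comment. The diff is posted without a commit message, Fixes: tag or selftest, which a v3 needs.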

I'll just wait for other developers or Alexei, in case they have any
feedback before sending a v3.

-- 
Regards,
listout


* Re: [PATCH v2] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-26  1:04             ` Brahmajit Das
@ 2025-09-26  1:56               ` Brahmajit Das
  2025-09-26 10:36               ` KaFai Wan
  1 sibling, 0 replies; 39+ messages in thread
From: Brahmajit Das @ 2025-09-26  1:56 UTC (permalink / raw)
  To: KaFai Wan
  Cc: Alexei Starovoitov, syzbot+d36d5ae81e1b0a53ef58, Andrii Nakryiko,
	Alexei Starovoitov, bpf, Daniel Borkmann, Eduard, Hao Luo,
	John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau,
	Stanislav Fomichev, Song Liu, syzkaller-bugs, Yonghong Song

On 26.09.2025 06:34, Brahmajit Das wrote:
> On 25.09.2025 23:31, KaFai Wan wrote:
> > On Wed, 2025-09-24 at 23:58 +0530, Brahmajit Das wrote:
> > > On 25.09.2025 01:38, KaFai Wan wrote:
> > > > On Wed, 2025-09-24 at 21:10 +0530, Brahmajit Das wrote:
> > > > > On 24.09.2025 09:32, Alexei Starovoitov wrote:
> > > > > > On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das
> > > > > > <listout@listout.xyz>
> > > > > > wrote:
> > > > > > > 
> > > > > > > Syzkaller reported a general protection fault due to a NULL
> > > > > > > pointer
> > > > > > > dereference in print_reg_state() when accessing reg->map_ptr
> > > > > > > without
> > > > > > > checking if it is NULL.
> > > > > > > 
> ...snip...
> > > > 
> > > > Looks like we're getting somewhere.
> > > > It seems the verifier is not clearing reg->type.
> > > > adjust_scalar_min_max_vals() should be called on scalar types only.
> > > 
> > > Right, there is a check in check_alu_op
> > > 
> > > 		if (is_pointer_value(env, insn->dst_reg)) {
> > > 			verbose(env, "R%d pointer arithmetic prohibited\n",
> > > 				insn->dst_reg);
> > > 			return -EACCES;
> > > 		}
> > > 
> > > is_pointer_value calls __is_pointer_value which takes bool
> > > allow_ptr_leaks as the first argument. Now for some reason in this
> > > case
> > > allow_ptr_leaks is being passed as true, as a result
> > > __is_pointer_value
> > > (and in turn is_pointer_value) returns false even when the register
> > > type is CONST_PTR_TO_MAP.
> > > 
> > 
> > IIUC, `env->allow_ptr_leaks` set true means privileged mode (
> > CAP_PERFMON or CAP_SYS_ADMIN ), false for unprivileged mode. 
> > 
> > 
> > We can use __is_pointer_value to check if the register type is a
> > pointer. For pointers, we check as before (before checking BPF_NEG
> > separately), and for scalars, it remains unchanged. Perhaps this way we
> > can fix the error.
> > 
> > if (opcode == BPF_NEG) {
> > 	if (__is_pointer_value(false, &regs[insn->dst_reg])) {
> > 		err = check_reg_arg(env, insn->dst_reg, DST_OP);
> > 	} else {
> > 		err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
> > 		err = err ?: adjust_scalar_min_max_vals(env, insn,
> > 						&regs[insn->dst_reg],
> > 						regs[insn->dst_reg]);
> > 	}
> > } else {
> > 
> > 
> > -- 
> > Thanks,
> > KaFai
> 
> Yep, that works.
> 
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -15505,10 +15505,17 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
> 
>                 /* check dest operand */
>                 if (opcode == BPF_NEG) {
> -                       err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
> -                       err = err ?: adjust_scalar_min_max_vals(env, insn,
> -                                                        &regs[insn->dst_reg],
> -                                                        regs[insn->dst_reg]);
> +                       if (__is_pointer_value(false, &regs[insn->dst_reg])) {
> +                               err = check_reg_arg(env, insn->dst_reg, DST_OP);
> +                       } else {
> +                               err = check_reg_arg(env, insn->dst_reg,
> +                                                   DST_OP_NO_MARK);
> +                               err = err   ?:
> +                                             adjust_scalar_min_max_vals(
> +                                                     env, insn,
> +                                                     &regs[insn->dst_reg],
> +                                                     regs[insn->dst_reg]);
> +                       }
>                 } else {
>                         err = check_reg_arg(env, insn->dst_reg, DST_OP);
>                 }
> 
> I'll just wait for other developer or Alexei, in case they have any
> feedback before sending a v3.

Just my 2 cents, thought this looked cleaner

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -15497,7 +15497,8 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
                if (err)
                        return err;

-               if (is_pointer_value(env, insn->dst_reg)) {
+               if (is_pointer_value(env, insn->dst_reg) ||
+                   __is_pointer_value(false, &regs[insn->dst_reg])) {
                        verbose(env, "R%d pointer arithmetic prohibited\n",
                                insn->dst_reg);
                        return -EACCES;
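Review bot: OR-ing `__is_pointer_value(false, &regs[insn->dst_reg])` into this check makes it reject any pointer dst regardless of env->allow_ptr_leaks, and because this check sits before the `/* check dest operand */` branch it applies to BPF_END as well as BPF_NEG. That turns what privileged programs were previously allowed into a hard -EACCES, which is the behaviour change pointed out later in this thread and which the existing verifier selftests should catch. If the intent is only to keep pointers out of adjust_scalar_min_max_vals(), the gate belongs on the BPF_NEG dest-operand branch, not on this shared check.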

-- 
Regards,
listout


* Re: [PATCH v2] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-26  1:04             ` Brahmajit Das
  2025-09-26  1:56               ` Brahmajit Das
@ 2025-09-26 10:36               ` KaFai Wan
  2025-09-30 18:21                 ` Brahmajit Das
  1 sibling, 1 reply; 39+ messages in thread
From: KaFai Wan @ 2025-09-26 10:36 UTC (permalink / raw)
  To: Brahmajit Das
  Cc: Alexei Starovoitov, syzbot+d36d5ae81e1b0a53ef58, Andrii Nakryiko,
	Alexei Starovoitov, bpf, Daniel Borkmann, Eduard, Hao Luo,
	John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau,
	Stanislav Fomichev, Song Liu, syzkaller-bugs, Yonghong Song

On Fri, 2025-09-26 at 06:34 +0530, Brahmajit Das wrote:
> On 25.09.2025 23:31, KaFai Wan wrote:
> > On Wed, 2025-09-24 at 23:58 +0530, Brahmajit Das wrote:
> > > On 25.09.2025 01:38, KaFai Wan wrote:
> > > > On Wed, 2025-09-24 at 21:10 +0530, Brahmajit Das wrote:
> > > > > On 24.09.2025 09:32, Alexei Starovoitov wrote:
> > > > > > On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das
> > > > > > <listout@listout.xyz>
> > > > > > wrote:
> > > > > > > 
> > > > > > > Syzkaller reported a general protection fault due to a
> > > > > > > NULL
> > > > > > > pointer
> > > > > > > dereference in print_reg_state() when accessing reg->map_ptr
> > > > > > > without
> > > > > > > checking if it is NULL.
> > > > > > > 
> ...snip...
> > > > 
> > > > Looks like we're getting somewhere.
> > > > It seems the verifier is not clearing reg->type.
> > > > adjust_scalar_min_max_vals() should be called on scalar types
> > > > only.
> > > 
> > > Right, there is a check in check_alu_op
> > > 
> > > 		if (is_pointer_value(env, insn->dst_reg)) {
> > > 			verbose(env, "R%d pointer arithmetic prohibited\n",
> > > 				insn->dst_reg);
> > > 			return -EACCES;
> > > 		}
> > > 
> > > is_pointer_value calls __is_pointer_value which takes bool
> > > allow_ptr_leaks as the first argument. Now for some reason in
> > > this
> > > case
> > > allow_ptr_leaks is being passed as true, as a result
> > > __is_pointer_value
> > > (and in turn is_pointer_value) returns false even when the register
> > > type is CONST_PTR_TO_MAP.
> > > 
> > 
> > IIUC, `env->allow_ptr_leaks` set true means privileged mode (
> > CAP_PERFMON or CAP_SYS_ADMIN ), false for unprivileged mode. 
> > 
> > 
> > We can use __is_pointer_value to check if the register type is a
> > pointer. For pointers, we check as before (before checking BPF_NEG
> > separately), and for scalars, it remains unchanged. Perhaps this
> > way we
> > can fix the error.
> > 
> > if (opcode == BPF_NEG) {
> > 	if (__is_pointer_value(false, &regs[insn->dst_reg])) {
> > 		err = check_reg_arg(env, insn->dst_reg, DST_OP);
> > 	} else {
> > 		err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
> > 		err = err ?: adjust_scalar_min_max_vals(env, insn,
> > 						&regs[insn->dst_reg],
> > 						regs[insn->dst_reg]);
> > 	}
> > } else {
> > 
> > 
> > -- 
> > Thanks,
> > KaFai
> 
> Yep, that works.
> 
Ok
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -15505,10 +15505,17 @@ static int check_alu_op(struct
> bpf_verifier_env *env, struct bpf_insn *insn)
> 
>                 /* check dest operand */
>                 if (opcode == BPF_NEG) {
> -                       err = check_reg_arg(env, insn->dst_reg,
> DST_OP_NO_MARK);
> -                       err = err ?: adjust_scalar_min_max_vals(env,
> insn,
> -                                                        &regs[insn-
> >dst_reg],
> -                                                        regs[insn-
> >dst_reg]);
> +                       if (__is_pointer_value(false, &regs[insn-
> >dst_reg])) {
> +                               err = check_reg_arg(env, insn-
> >dst_reg, DST_OP);
> +                       } else {
> +                               err = check_reg_arg(env, insn-
> >dst_reg,
> +                                                   DST_OP_NO_MARK);
> +                               err = err   ?:
> +                                            
> adjust_scalar_min_max_vals(
> +                                                     env, insn,
> +                                                     &regs[insn-
> >dst_reg],
> +                                                     regs[insn-
> >dst_reg]);
> +                       }
>                 } else {
>                         err = check_reg_arg(env, insn->dst_reg,
> DST_OP);
>                 }
> 

We can make the code cleaner and change just one line for all cases.

if (opcode == BPF_NEG && !__is_pointer_value(false, &regs[insn->dst_reg])) {
	err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
	err = err ?: adjust_scalar_min_max_vals(env, insn,
					 &regs[insn->dst_reg],
					 regs[insn->dst_reg]);
} else {
	err = check_reg_arg(env, insn->dst_reg, DST_OP);
}

> 
> I'll just wait for other developer or Alexei, in case they have any
> feedback before sending a v3.
> 

You should add a Fixes label in the commit log and add a selftest for it
in V3.
The Fixes label is Fixes: aced132599b3 ("bpf: Add range tracking for
BPF_NEG")
For the selftest you may check the test in verifier_value_illegal_alu.c and
other files.

The code in your next post would change the behavior of BPF_NEG and
BPF_END; you can run the selftests to check that.


The email I sent last time was rejected by the mail server because it
was in HTML format, sorry for that.
-- 
Thanks,
KaFai


* Re: [syzbot] [bpf?] general protection fault in print_reg_state
  2025-09-23  9:02 [syzbot] [bpf?] general protection fault in print_reg_state syzbot
                   ` (3 preceding siblings ...)
  2025-09-23 17:47 ` [PATCH v2] " Brahmajit Das
@ 2025-09-29 18:23 ` syzbot
  2025-10-01  9:56 ` [PATCH v3 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register Brahmajit Das
  2025-10-01 19:28 ` [PATCH v4 " Brahmajit Das
  6 siblings, 0 replies; 39+ messages in thread
From: syzbot @ 2025-09-29 18:23 UTC (permalink / raw)
  To: alexei.starovoitov, andrii, ast, bpf, daniel, eddyz87, haoluo,
	john.fastabend, jolsa, kafai.wan, kafai.wan, kpsingh,
	linux-kernel, listout, martin.lau, netdev, sdf, song,
	syzkaller-bugs, yonghong.song

syzbot has bisected this issue to:

commit aced132599b3c8884c050218d4c48eef203678f6
Author: Song Liu <song@kernel.org>
Date:   Wed Jun 25 16:40:24 2025 +0000

    bpf: Add range tracking for BPF_NEG

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=13931ae2580000
start commit:   bf40f4b87761 Merge tag 'probes-fixes-v6.17-rc7' of git://g..
git tree:       bpf
final oops:     https://syzkaller.appspot.com/x/report.txt?x=10531ae2580000
console output: https://syzkaller.appspot.com/x/log.txt?x=17931ae2580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4d8792ecb6308d0f
dashboard link: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=16010942580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=12caeae2580000

Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
Fixes: aced132599b3 ("bpf: Add range tracking for BPF_NEG")

For information about bisection process see: https://goo.gl/tpsmEJ#bisection


* Re: [PATCH v2] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-26 10:36               ` KaFai Wan
@ 2025-09-30 18:21                 ` Brahmajit Das
  2025-10-01  5:08                   ` KaFai Wan
  0 siblings, 1 reply; 39+ messages in thread
From: Brahmajit Das @ 2025-09-30 18:21 UTC (permalink / raw)
  To: KaFai Wan
  Cc: Alexei Starovoitov, syzbot+d36d5ae81e1b0a53ef58, Andrii Nakryiko,
	Alexei Starovoitov, bpf, Daniel Borkmann, Eduard, Hao Luo,
	John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau,
	Stanislav Fomichev, Song Liu, syzkaller-bugs, Yonghong Song

On 26.09.2025 18:36, KaFai Wan wrote:
> On Fri, 2025-09-26 at 06:34 +0530, Brahmajit Das wrote:
> > On 25.09.2025 23:31, KaFai Wan wrote:
> > > On Wed, 2025-09-24 at 23:58 +0530, Brahmajit Das wrote:
> > > > On 25.09.2025 01:38, KaFai Wan wrote:
> > > > > On Wed, 2025-09-24 at 21:10 +0530, Brahmajit Das wrote:
> > > > > > On 24.09.2025 09:32, Alexei Starovoitov wrote:
> > > > > > > On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das
> > > > > > > <listout@listout.xyz>
> > > > > > > wrote:
> > > > > > > > 
> > > > > > > > Syzkaller reported a general protection fault due to a
> > > > > > > > NULL
> > > > > > > > pointer
> > > > > > > > dereference in print_reg_state() when accessing reg->map_ptr
> > > > > > > > without
> > > > > > > > checking if it is NULL.
> > > > > > > > 
...snip...
> 
> You should add a Fixes label in the commit log and add selftest for it
> in V3. 
> Fixes label is Fixes: aced132599b3 ("bpf: Add range tracking for
> BPF_NEG")
> For selftest you may check the test in verifier_value_illegal_alu.c and
> other files.  
> 
> The code in your next post would change the behavior of BPF_NEG and 
> BPF_END, you can run the selftest to check that.
> 

KaFai, I'm quite new to kernel development. I've been trying to write a
selftest for this but unfortunately have been having a hard time. I would
really appreciate some help. For now I tried to create one from the initial
test you used to verify this bug, i.e. r0 -= r0.

I have tried testing my changes via sending a pull request on the
kernel-patches/bpf repository, but seems like it's failing.
My pull request: https://github.com/kernel-patches/bpf/pull/9900

-- 
Regards,
listout


* Re: [PATCH v2] bpf: fix NULL pointer dereference in print_reg_state()
  2025-09-30 18:21                 ` Brahmajit Das
@ 2025-10-01  5:08                   ` KaFai Wan
  0 siblings, 0 replies; 39+ messages in thread
From: KaFai Wan @ 2025-10-01  5:08 UTC (permalink / raw)
  To: Brahmajit Das
  Cc: Alexei Starovoitov, syzbot+d36d5ae81e1b0a53ef58, Andrii Nakryiko,
	Alexei Starovoitov, bpf, Daniel Borkmann, Eduard, Hao Luo,
	John Fastabend, Jiri Olsa, KP Singh, LKML, Martin KaFai Lau,
	Stanislav Fomichev, Song Liu, syzkaller-bugs, Yonghong Song


On Tue, 2025-09-30 at 23:51 +0530, Brahmajit Das wrote:
> On 26.09.2025 18:36, KaFai Wan wrote:
> > On Fri, 2025-09-26 at 06:34 +0530, Brahmajit Das wrote:
> > > On 25.09.2025 23:31, KaFai Wan wrote:
> > > > On Wed, 2025-09-24 at 23:58 +0530, Brahmajit Das wrote:
> > > > > On 25.09.2025 01:38, KaFai Wan wrote:
> > > > > > On Wed, 2025-09-24 at 21:10 +0530, Brahmajit Das wrote:
> > > > > > > On 24.09.2025 09:32, Alexei Starovoitov wrote:
> > > > > > > > On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das
> > > > > > > > <listout@listout.xyz>
> > > > > > > > wrote:
> > > > > > > > > 
> > > > > > > > > Syzkaller reported a general protection fault due to a
> > > > > > > > > NULL
> > > > > > > > > pointer
> > > > > > > > > dereference in print_reg_state() when accessing reg->map_ptr
> > > > > > > > > without
> > > > > > > > > checking if it is NULL.
> > > > > > > > > 
> ...snip...
> > 
> > You should add a Fixes label in the commit log and add selftest for it
> > in V3. 
> > Fixes label is Fixes: aced132599b3 ("bpf: Add range tracking for
> > BPF_NEG")
> > For selftest you may check the test in verifier_value_illegal_alu.c and
> > other files.  
> > 
> > The code in your next post would change the behavior of BPF_NEG and 
> > BPF_END, you can run the selftest to check that.
> > 
> 
> KaFai, I'm quite new to kernel development. I'm been trying to write a
> selftest for this unfortunately been having a hard time. I would really
> appreciate some help. For now I tried to create on from the initial test
> you used to verify this bug i.e. r0 -= r0.
> 
> I have tried testing my changes via sending a pull request on the
> kernel-patches/bpf repository, but seems like it's failing.
> My pull request: https://github.com/kernel-patches/bpf/pull/9900
> 

The attachment is the patch for the selftest; you can apply it.

For patch #1 in your PR, adding the Oops call trace or the Closes label in the
commit log would be better.

Closes: https://lore.kernel.org/all/68d26227.a70a0220.1b52b.02a4.GAE@google.com/
-- 
Thanks,
KaFai

[-- Attachment #2: 0001-selftests-bpf-Add-test-for-BPF_NEG-alu-on-CONST_PTR_.patch --]
[-- Type: text/x-patch, Size: 1652 bytes --]

From 2cb7fe5d4c707d8f5663829bacf2606648be185a Mon Sep 17 00:00:00 2001
From: KaFai Wan <kafai.wan@linux.dev>
Date: Wed, 1 Oct 2025 11:56:51 +0800
Subject: [PATCH] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP

From: KaFai Wan <kafai.wan@linux.dev>

Add a test case for the BPF_NEG operation on CONST_PTR_TO_MAP. Tests if a
BPF_NEG operation on map_ptr is rejected in unprivileged mode, and is a
scalar value and does not trigger an Oops in privileged mode.

Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
---
 .../bpf/progs/verifier_value_illegal_alu.c     | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c b/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c
index a99b86c506f7..a850dde95d0e 100644
--- a/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c
+++ b/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c
@@ -182,6 +182,24 @@ __naked void map_ptr_illegal_alu_op(void)
 	: __clobber_all);
 }
 
+SEC("socket")
+__description("map_ptr illegal alu op, map_ptr = -map_ptr")
+__failure __msg("R0 invalid mem access 'scalar'")
+__failure_unpriv __msg_unpriv("R0 pointer arithmetic prohibited")
+__flag(BPF_F_ANY_ALIGNMENT)
+__naked void map_ptr_illegal_alu_op(void)
+{
+	asm volatile ("					\
+	r0 = %[map_hash_48b] ll;			\
+	r0 = -r0;					\
+	r1 = 22;					\
+	*(u64*)(r0 + 0) = r1;				\
+	exit;						\
+"	:
+	: __imm_addr(map_hash_48b)
+	: __clobber_all);
+}
+
 SEC("flow_dissector")
 __description("flow_keys illegal alu op with variable offset")
 __failure __msg("R7 pointer arithmetic on flow_keys prohibited")
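Review bot: the hunk header context `@@ -182,6 +182,24 @@ __naked void map_ptr_illegal_alu_op(void)` indicates that a function named `map_ptr_illegal_alu_op` already directly precedes the insertion point in this base (index a99b86c506f7), and the added test declares `__naked void map_ptr_illegal_alu_op(void)` again, which would be a redefinition; please confirm the file builds against that base, or give the new test a distinct name (for example `map_ptr_illegal_alu_op_neg`, a suggestion only). A short comment above `__failure __msg("R0 invalid mem access 'scalar'")` explaining that the privileged path is expected to turn the negated map pointer into an unknown scalar, so that the following 8-byte store is rejected instead of crashing the verifier, would also make the intent of the two expected messages clear.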
-- 
2.43.0



* [PATCH v3 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register
  2025-09-23  9:02 [syzbot] [bpf?] general protection fault in print_reg_state syzbot
                   ` (4 preceding siblings ...)
  2025-09-29 18:23 ` [syzbot] [bpf?] general protection fault in print_reg_state syzbot
@ 2025-10-01  9:56 ` Brahmajit Das
  2025-10-01  9:56   ` [PATCH v3 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer Brahmajit Das
                     ` (2 more replies)
  2025-10-01 19:28 ` [PATCH v4 " Brahmajit Das
  6 siblings, 3 replies; 39+ messages in thread
From: Brahmajit Das @ 2025-10-01  9:56 UTC (permalink / raw)
  To: syzbot+d36d5ae81e1b0a53ef58
  Cc: andrii, ast, bpf, daniel, eddyz87, haoluo, john.fastabend, jolsa,
	kpsingh, linux-kernel, martin.lau, sdf, song, syzkaller-bugs,
	yonghong.song, kafai.wan

This patch fixes a crash in the BPF verifier triggered when the BPF_NEG
operation is applied to a pointer-typed register. The verifier now
checks that the destination register is not a pointer before performing
the operation.

Tested with syzkaller reproducer and new BPF selftest.
Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58

Brahmajit Das (1):
  bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer

KaFai Wan (1):
  selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP

 kernel/bpf/verifier.c                          |  3 ++-
 .../bpf/progs/verifier_value_illegal_alu.c     | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

-- 
2.51.0



* [PATCH v3 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer
  2025-10-01  9:56 ` [PATCH v3 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register Brahmajit Das
@ 2025-10-01  9:56   ` Brahmajit Das
  2025-10-01 16:55     ` Alexei Starovoitov
  2025-10-01 18:29     ` Eduard Zingerman
  2025-10-01  9:56   ` [PATCH v3 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP Brahmajit Das
  2025-10-01 18:40   ` [PATCH v3 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register Eduard Zingerman
  2 siblings, 2 replies; 39+ messages in thread
From: Brahmajit Das @ 2025-10-01  9:56 UTC (permalink / raw)
  To: syzbot+d36d5ae81e1b0a53ef58
  Cc: andrii, ast, bpf, daniel, eddyz87, haoluo, john.fastabend, jolsa,
	kpsingh, linux-kernel, martin.lau, sdf, song, syzkaller-bugs,
	yonghong.song, kafai.wan

In check_alu_op(), the verifier currently calls check_reg_arg() and
adjust_scalar_min_max_vals() unconditionally for BPF_NEG operations.
However, if the destination register holds a pointer, these scalar
adjustments are unnecessary and potentially incorrect.

This patch adds a check to skip the adjustment logic when the destination
register contains a pointer.

Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58
Fixes: aced132599b3 ("bpf: Add range tracking for BPF_NEG")
Suggested-by: KaFai Wan <kafai.wan@linux.dev>
Signed-off-by: Brahmajit Das <listout@listout.xyz>
---
 kernel/bpf/verifier.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e892df386eed..4b0924c38657 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -15645,7 +15645,8 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
 		}
 
 		/* check dest operand */
-		if (opcode == BPF_NEG) {
+		if (opcode == BPF_NEG &&
+		    !__is_pointer_value(false, &regs[insn->dst_reg])) {
 			err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
 			err = err ?: adjust_scalar_min_max_vals(env, insn,
 							 &regs[insn->dst_reg],
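Review bot: the log says the adjustment is skipped when the destination "contains a pointer", but the hunk only shows the narrowed condition; it does not say which path a pointer-typed `regs[insn->dst_reg]` now takes when the `if` is not entered, or what state it is left in, and the selftest's expected "R0 invalid mem access 'scalar'" depends on exactly that, so please spell it out in the commit message. Also, `__is_pointer_value(false, &regs[insn->dst_reg])` passes a literal `false` as its first argument, which hides what is actually being asked; a direct `regs[insn->dst_reg].type == SCALAR_VALUE` states the condition in one read and avoids the helper call.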
-- 
2.51.0



* [PATCH v3 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP
  2025-10-01  9:56 ` [PATCH v3 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register Brahmajit Das
  2025-10-01  9:56   ` [PATCH v3 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer Brahmajit Das
@ 2025-10-01  9:56   ` Brahmajit Das
  2025-10-01 18:37     ` Eduard Zingerman
  2025-10-01 18:40   ` [PATCH v3 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register Eduard Zingerman
  2 siblings, 1 reply; 39+ messages in thread
From: Brahmajit Das @ 2025-10-01  9:56 UTC (permalink / raw)
  To: syzbot+d36d5ae81e1b0a53ef58
  Cc: andrii, ast, bpf, daniel, eddyz87, haoluo, john.fastabend, jolsa,
	kpsingh, linux-kernel, martin.lau, sdf, song, syzkaller-bugs,
	yonghong.song, kafai.wan

From: KaFai Wan <kafai.wan@linux.dev>

Add a test case for BPF_NEG operation on CONST_PTR_TO_MAP. Tests if
BPF_NEG operation on map_ptr is rejected in unprivileged mode and is a
scalar value and does not trigger an Oops in privileged mode.

Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
---
 .../bpf/progs/verifier_value_illegal_alu.c     | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c b/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c
index a9ab37d3b9e2..dcaab61a11a0 100644
--- a/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c
+++ b/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c
@@ -146,6 +146,24 @@ l0_%=:	exit;						\
 	: __clobber_all);
 }
 
+SEC("socket")
+__description("map_ptr illegal alu op, map_ptr = -map_ptr")
+__failure __msg("R0 invalid mem access 'scalar'")
+__failure_unpriv __msg_unpriv("R0 pointer arithmetic prohibited")
+__flag(BPF_F_ANY_ALIGNMENT)
+__naked void map_ptr_illegal_alu_op(void)
+{
+	asm volatile ("					\
+	r0 = %[map_hash_48b] ll;			\
+	r0 = -r0;					\
+	r1 = 22;					\
+	*(u64*)(r0 + 0) = r1;				\
+	exit;						\
+"	:
+	: __imm_addr(map_hash_48b)
+	: __clobber_all);
+}
+
 SEC("flow_dissector")
 __description("flow_keys illegal alu op with variable offset")
 __failure __msg("R7 pointer arithmetic on flow_keys prohibited")
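Review bot: the test exercises two different verifier decisions under one name and neither is documented in the hunk: `__msg_unpriv("R0 pointer arithmetic prohibited")` checks that `r0 = -r0` on a map pointer is refused outright in unprivileged mode, while `__msg("R0 invalid mem access 'scalar'")` checks that in privileged mode the negation is accepted, the register becomes an unknown scalar, and only the store `*(u64*)(r0 + 0) = r1` is rejected; a two-line comment saying so, plus a reference to the syzbot report this reproduces, would save the next reader from reverse-engineering the expectations. Only the privileged branch reaches the code path that crashed before patch 1, so that is the mode in which a regression would show up.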
-- 
2.51.0



* Re: [PATCH v3 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer
  2025-10-01  9:56   ` [PATCH v3 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer Brahmajit Das
@ 2025-10-01 16:55     ` Alexei Starovoitov
  2025-10-01 18:29     ` Eduard Zingerman
  1 sibling, 0 replies; 39+ messages in thread
From: Alexei Starovoitov @ 2025-10-01 16:55 UTC (permalink / raw)
  To: Brahmajit Das, Song Liu, Eduard
  Cc: syzbot+d36d5ae81e1b0a53ef58, Andrii Nakryiko, Alexei Starovoitov,
	bpf, Daniel Borkmann, Hao Luo, John Fastabend, Jiri Olsa,
	KP Singh, LKML, Martin KaFai Lau, Stanislav Fomichev,
	syzkaller-bugs, Yonghong Song, KaFai Wan

On Wed, Oct 1, 2025 at 2:56 AM Brahmajit Das <listout@listout.xyz> wrote:
>
> In check_alu_op(), the verifier currently calls check_reg_arg() and
> adjust_scalar_min_max_vals() unconditionally for BPF_NEG operations.
> However, if the destination register holds a pointer, these scalar
> adjustments are unnecessary and potentially incorrect.
>
> This patch adds a check to skip the adjustment logic when the destination
> register contains a pointer.
>
> Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58
> Fixes: aced132599b3 ("bpf: Add range tracking for BPF_NEG")
> Suggested-by: KaFai Wan <kafai.wan@linux.dev>
> Signed-off-by: Brahmajit Das <listout@listout.xyz>
> ---
>  kernel/bpf/verifier.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index e892df386eed..4b0924c38657 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -15645,7 +15645,8 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
>                 }
>
>                 /* check dest operand */
> -               if (opcode == BPF_NEG) {
> +               if (opcode == BPF_NEG &&
> +                   !__is_pointer_value(false, &regs[insn->dst_reg])) {
>                         err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);


The fix makes sense.

Song,
Eduard,

please take a look.


* Re: [PATCH v3 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer
  2025-10-01  9:56   ` [PATCH v3 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer Brahmajit Das
  2025-10-01 16:55     ` Alexei Starovoitov
@ 2025-10-01 18:29     ` Eduard Zingerman
  2025-10-01 18:49       ` Brahmajit Das
  1 sibling, 1 reply; 39+ messages in thread
From: Eduard Zingerman @ 2025-10-01 18:29 UTC (permalink / raw)
  To: Brahmajit Das, syzbot+d36d5ae81e1b0a53ef58
  Cc: andrii, ast, bpf, daniel, haoluo, john.fastabend, jolsa, kpsingh,
	linux-kernel, martin.lau, sdf, song, syzkaller-bugs,
	yonghong.song, kafai.wan

On Wed, 2025-10-01 at 15:26 +0530, Brahmajit Das wrote:
> In check_alu_op(), the verifier currently calls check_reg_arg() and
> adjust_scalar_min_max_vals() unconditionally for BPF_NEG operations.
> However, if the destination register holds a pointer, these scalar
> adjustments are unnecessary and potentially incorrect.
> 
> This patch adds a check to skip the adjustment logic when the destination
> register contains a pointer.
> 
> Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58
> Fixes: aced132599b3 ("bpf: Add range tracking for BPF_NEG")
> Suggested-by: KaFai Wan <kafai.wan@linux.dev>
> Signed-off-by: Brahmajit Das <listout@listout.xyz>
> ---

Acked-by: Eduard Zingerman <eddyz87@gmail.com>

>  kernel/bpf/verifier.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index e892df386eed..4b0924c38657 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -15645,7 +15645,8 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
>  		}
>  
>  		/* check dest operand */
> -		if (opcode == BPF_NEG) {
> +		if (opcode == BPF_NEG &&
> +		    !__is_pointer_value(false, &regs[insn->dst_reg])) {

Nit: I'd make this a bit simpler: `regs[insn->dst_reg].type == SCALAR_VALUE`,
     instead of the __is_pointer_value() call.

>  			err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
>  			err = err ?: adjust_scalar_min_max_vals(env, insn,
>  							 &regs[insn->dst_reg],


* Re: [PATCH v3 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP
  2025-10-01  9:56   ` [PATCH v3 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP Brahmajit Das
@ 2025-10-01 18:37     ` Eduard Zingerman
  0 siblings, 0 replies; 39+ messages in thread
From: Eduard Zingerman @ 2025-10-01 18:37 UTC (permalink / raw)
  To: Brahmajit Das, syzbot+d36d5ae81e1b0a53ef58
  Cc: andrii, ast, bpf, daniel, haoluo, john.fastabend, jolsa, kpsingh,
	linux-kernel, martin.lau, sdf, song, syzkaller-bugs,
	yonghong.song, kafai.wan

On Wed, 2025-10-01 at 15:26 +0530, Brahmajit Das wrote:
> From: KaFai Wan <kafai.wan@linux.dev>
> 
> Add a test case for BPF_NEG operation on CONST_PTR_TO_MAP. Tests if
> BPF_NEG operation on map_ptr is rejected in unprivileged mode and is a
> scalar value and does not trigger an Oops in privileged mode.
> 
> Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
> ---

Can confirm, the test reproduces original issue,
patch #1 fixes it.

Acked-by: Eduard Zingerman <eddyz87@gmail.com>

[...]


* Re: [PATCH v3 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register
  2025-10-01  9:56 ` [PATCH v3 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register Brahmajit Das
  2025-10-01  9:56   ` [PATCH v3 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer Brahmajit Das
  2025-10-01  9:56   ` [PATCH v3 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP Brahmajit Das
@ 2025-10-01 18:40   ` Eduard Zingerman
  2 siblings, 0 replies; 39+ messages in thread
From: Eduard Zingerman @ 2025-10-01 18:40 UTC (permalink / raw)
  To: Brahmajit Das, syzbot+d36d5ae81e1b0a53ef58
  Cc: andrii, ast, bpf, daniel, haoluo, john.fastabend, jolsa, kpsingh,
	linux-kernel, martin.lau, sdf, song, syzkaller-bugs,
	yonghong.song, kafai.wan

On Wed, 2025-10-01 at 15:26 +0530, Brahmajit Das wrote:
> This patch fixes a crash in the BPF verifier triggered when the BPF_NEG
> operation is applied to a pointer-typed register. The verifier now
> checks that the destination register is not a pointer before performing
> the operation.
> 
> Tested with syzkaller reproducer and new BPF selftest.
> Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58

Nit: In the future, could you please include links to previous
     patch-set versions in the cover letter?  These links are usually
     accompanied with a short description of changes from version to
     version.

> 
> Brahmajit Das (1):
>   bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer
> 
> KaFai Wan (1):
>   selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP
> 
>  kernel/bpf/verifier.c                          |  3 ++-
>  .../bpf/progs/verifier_value_illegal_alu.c     | 18 ++++++++++++++++++
>  2 files changed, 20 insertions(+), 1 deletion(-)


* Re: [PATCH v3 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer
  2025-10-01 18:29     ` Eduard Zingerman
@ 2025-10-01 18:49       ` Brahmajit Das
  2025-10-01 18:54         ` Eduard Zingerman
  0 siblings, 1 reply; 39+ messages in thread
From: Brahmajit Das @ 2025-10-01 18:49 UTC (permalink / raw)
  To: Eduard Zingerman
  Cc: syzbot+d36d5ae81e1b0a53ef58, andrii, ast, bpf, daniel, haoluo,
	john.fastabend, jolsa, kpsingh, linux-kernel, martin.lau, sdf,
	song, syzkaller-bugs, yonghong.song, kafai.wan

On 01.10.2025 11:29, Eduard Zingerman wrote:
> On Wed, 2025-10-01 at 15:26 +0530, Brahmajit Das wrote:
> > In check_alu_op(), the verifier currently calls check_reg_arg() and
> > adjust_scalar_min_max_vals() unconditionally for BPF_NEG operations.
> > However, if the destination register holds a pointer, these scalar
> > adjustments are unnecessary and potentially incorrect.
> > 
> > This patch adds a check to skip the adjustment logic when the destination
> > register contains a pointer.
> > 
> > Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58
> > Fixes: aced132599b3 ("bpf: Add range tracking for BPF_NEG")
> > Suggested-by: KaFai Wan <kafai.wan@linux.dev>
> > Signed-off-by: Brahmajit Das <listout@listout.xyz>
> > ---
> 
> Acked-by: Eduard Zingerman <eddyz87@gmail.com>
> 
Thanks
> 
> Nit: I'd make this a bit simpler: `regs[insn->dst_reg].type == SCALAR_VALUE`,
>      instead of the __is_pointer_value() call.
> 
> >  			err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
> >  			err = err ?: adjust_scalar_min_max_vals(env, insn,
> >  							 &regs[insn->dst_reg],
Do I need to send a v4?

-- 
Regards,
listout


* Re: [PATCH v3 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer
  2025-10-01 18:49       ` Brahmajit Das
@ 2025-10-01 18:54         ` Eduard Zingerman
  0 siblings, 0 replies; 39+ messages in thread
From: Eduard Zingerman @ 2025-10-01 18:54 UTC (permalink / raw)
  To: Brahmajit Das
  Cc: syzbot+d36d5ae81e1b0a53ef58, andrii, ast, bpf, daniel, haoluo,
	john.fastabend, jolsa, kpsingh, linux-kernel, martin.lau, sdf,
	song, syzkaller-bugs, yonghong.song, kafai.wan

On Thu, 2025-10-02 at 00:19 +0530, Brahmajit Das wrote:
> On 01.10.2025 11:29, Eduard Zingerman wrote:
> > On Wed, 2025-10-01 at 15:26 +0530, Brahmajit Das wrote:
> > > In check_alu_op(), the verifier currently calls check_reg_arg() and
> > > adjust_scalar_min_max_vals() unconditionally for BPF_NEG operations.
> > > However, if the destination register holds a pointer, these scalar
> > > adjustments are unnecessary and potentially incorrect.
> > > 
> > > This patch adds a check to skip the adjustment logic when the destination
> > > register contains a pointer.
> > > 
> > > Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
> > > Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58
> > > Fixes: aced132599b3 ("bpf: Add range tracking for BPF_NEG")
> > > Suggested-by: KaFai Wan <kafai.wan@linux.dev>
> > > Signed-off-by: Brahmajit Das <listout@listout.xyz>
> > > ---
> > 
> > Acked-by: Eduard Zingerman <eddyz87@gmail.com>
> > 
> Thanks
> > 
> > Nit: I'd make this a bit simpler: `regs[insn->dst_reg].type == SCALAR_VALUE`,
> >      instead of the __is_pointer_value() call.
> > 
> > >  			err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
> > >  			err = err ?: adjust_scalar_min_max_vals(env, insn,
> > >  							 &regs[insn->dst_reg],
> Do I need to send a v4?

As you see fit.
If you agree with my suggestion, please send v4,
leaving it as-is also fine by me.


* [PATCH v4 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register
  2025-09-23 16:41 ` [PATCH 1/1] bpf: fix NULL pointer dereference in print_reg_state() Brahmajit Das
@ 2025-10-01 19:17   ` Brahmajit Das
  2025-10-01 19:17     ` [PATCH v4 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer Brahmajit Das
                       ` (2 more replies)
  0 siblings, 3 replies; 39+ messages in thread
From: Brahmajit Das @ 2025-10-01 19:17 UTC (permalink / raw)
  To: listout
  Cc: andrii, ast, bpf, daniel, eddyz87, haoluo, john.fastabend, jolsa,
	kpsingh, linux-kernel, martin.lau, sdf, song,
	syzbot+d36d5ae81e1b0a53ef58, syzkaller-bugs, yonghong.song

This patch fixes a crash in the BPF verifier triggered when the BPF_NEG
operation is applied to a pointer-typed register. The verifier now
checks that the destination register is not a pointer before performing
the operation.

Tested with syzkaller reproducer and new BPF selftest.
Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58

Brahmajit Das (1):
  bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer

KaFai Wan (1):
  selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP

 kernel/bpf/verifier.c                          |  3 ++-
 .../bpf/progs/verifier_value_illegal_alu.c     | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

-- 
2.51.0



* [PATCH v4 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer
  2025-10-01 19:17   ` [PATCH v4 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register Brahmajit Das
@ 2025-10-01 19:17     ` Brahmajit Das
  2025-10-01 19:32       ` Eduard Zingerman
  2025-10-01 19:17     ` [PATCH v4 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP Brahmajit Das
  2025-10-01 21:10     ` [PATCH v4 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register patchwork-bot+netdevbpf
  2 siblings, 1 reply; 39+ messages in thread
From: Brahmajit Das @ 2025-10-01 19:17 UTC (permalink / raw)
  To: listout
  Cc: andrii, ast, bpf, daniel, eddyz87, haoluo, john.fastabend, jolsa,
	kpsingh, linux-kernel, martin.lau, sdf, song,
	syzbot+d36d5ae81e1b0a53ef58, syzkaller-bugs, yonghong.song,
	KaFai Wan

In check_alu_op(), the verifier currently calls check_reg_arg() and
adjust_scalar_min_max_vals() unconditionally for BPF_NEG operations.
However, if the destination register holds a pointer, these scalar
adjustments are unnecessary and potentially incorrect.

This patch adds a check to skip the adjustment logic when the destination
register contains a pointer.

Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58
Fixes: aced132599b3 ("bpf: Add range tracking for BPF_NEG")
Suggested-by: KaFai Wan <kafai.wan@linux.dev>
Suggested-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Brahmajit Das <listout@listout.xyz>
---
Changes in v4:
Cleanup: instead of using __is_pointer_value(), the check is further
simplified by testing whether regs[insn->dst_reg].type is SCALAR_VALUE.
Link: 

Changes in v3:
Using __is_pointer_value() to check if the register is of pointer type.
Link: https://lore.kernel.org/all/20251001095613.267475-1-listout@listout.xyz/

Changes in v2: 
Checking if reg->map_ptr is NULL in bpf/log.c (wrong approach)
Link: https://lore.kernel.org/all/20250923174738.1713751-1-listout@listout.xyz/
---
 kernel/bpf/verifier.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e892df386eed..f3d8ba142faa 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -15645,7 +15645,8 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
 		}
 
 		/* check dest operand */
-		if (opcode == BPF_NEG) {
+		if (opcode == BPF_NEG &&
+		    regs[insn->dst_reg].type == SCALAR_VALUE) {
 			err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
 			err = err ?: adjust_scalar_min_max_vals(env, insn,
 							 &regs[insn->dst_reg],
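Review bot: the subject and body still describe the change as skipping the adjustment "if dst is a pointer", while the condition added here is `regs[insn->dst_reg].type == SCALAR_VALUE`, i.e. the adjustment now runs only for scalars and is skipped for every other register type; please align the wording with the code and state where a non-scalar dst goes when the `if` is not taken. The `Link:` under "Changes v4" in the changelog above is empty and should be filled in or removed before this is applied.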
-- 
2.51.0



* [PATCH v4 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP
  2025-10-01 19:17   ` [PATCH v4 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register Brahmajit Das
  2025-10-01 19:17     ` [PATCH v4 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer Brahmajit Das
@ 2025-10-01 19:17     ` Brahmajit Das
  2025-10-01 19:33       ` Eduard Zingerman
  2025-10-01 21:10     ` [PATCH v4 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register patchwork-bot+netdevbpf
  2 siblings, 1 reply; 39+ messages in thread
From: Brahmajit Das @ 2025-10-01 19:17 UTC (permalink / raw)
  To: listout
  Cc: andrii, ast, bpf, daniel, eddyz87, haoluo, john.fastabend, jolsa,
	kpsingh, linux-kernel, martin.lau, sdf, song,
	syzbot+d36d5ae81e1b0a53ef58, syzkaller-bugs, yonghong.song,
	KaFai Wan

From: KaFai Wan <kafai.wan@linux.dev>

Add a test case for BPF_NEG operation on CONST_PTR_TO_MAP. Tests if
BPF_NEG operation on map_ptr is rejected in unprivileged mode and is a
scalar value and does not trigger an Oops in privileged mode.

Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
---
 .../bpf/progs/verifier_value_illegal_alu.c     | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c b/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c
index a9ab37d3b9e2..dcaab61a11a0 100644
--- a/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c
+++ b/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c
@@ -146,6 +146,24 @@ l0_%=:	exit;						\
 	: __clobber_all);
 }
 
+SEC("socket")
+__description("map_ptr illegal alu op, map_ptr = -map_ptr")
+__failure __msg("R0 invalid mem access 'scalar'")
+__failure_unpriv __msg_unpriv("R0 pointer arithmetic prohibited")
+__flag(BPF_F_ANY_ALIGNMENT)
+__naked void map_ptr_illegal_alu_op(void)
+{
+	asm volatile ("					\
+	r0 = %[map_hash_48b] ll;			\
+	r0 = -r0;					\
+	r1 = 22;					\
+	*(u64*)(r0 + 0) = r1;				\
+	exit;						\
+"	:
+	: __imm_addr(map_hash_48b)
+	: __clobber_all);
+}
+
 SEC("flow_dissector")
 __description("flow_keys illegal alu op with variable offset")
 __failure __msg("R7 pointer arithmetic on flow_keys prohibited")
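Review bot: `__flag(BPF_F_ANY_ALIGNMENT)` is carried without explanation; the only access in the test is an 8-byte store through a register that, after `r0 = -r0`, is expected to be an unknown scalar, so a one-line comment on why alignment checking is relaxed (so that `__msg("R0 invalid mem access 'scalar'")` is the message seen on every configuration, rather than an alignment complaint on strict-alignment builds) would help, and if the flag is merely copied from the neighbouring tests that should be said too.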
-- 
2.51.0



* [PATCH v4 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register
  2025-09-23  9:02 [syzbot] [bpf?] general protection fault in print_reg_state syzbot
                   ` (5 preceding siblings ...)
  2025-10-01  9:56 ` [PATCH v3 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register Brahmajit Das
@ 2025-10-01 19:28 ` Brahmajit Das
  2025-10-01 19:28   ` [PATCH v4 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer Brahmajit Das
  2025-10-01 19:28   ` [PATCH v4 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP Brahmajit Das
  6 siblings, 2 replies; 39+ messages in thread
From: Brahmajit Das @ 2025-10-01 19:28 UTC (permalink / raw)
  To: syzbot+d36d5ae81e1b0a53ef58
  Cc: andrii, ast, bpf, daniel, eddyz87, haoluo, john.fastabend, jolsa,
	kpsingh, linux-kernel, martin.lau, sdf, song, syzkaller-bugs,
	yonghong.song

This patch fixes a crash in the BPF verifier triggered when the BPF_NEG
operation is applied to a pointer-typed register. The verifier now
checks that the destination register is not a pointer before performing
the operation.

Tested with syzkaller reproducer and new BPF selftest.
Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58

Brahmajit Das (1):
  bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer

KaFai Wan (1):
  selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP

 kernel/bpf/verifier.c                          |  3 ++-
 .../bpf/progs/verifier_value_illegal_alu.c     | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

-- 
2.51.0



* [PATCH v4 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer
  2025-10-01 19:28 ` [PATCH v4 " Brahmajit Das
@ 2025-10-01 19:28   ` Brahmajit Das
  2025-10-01 21:10     ` patchwork-bot+netdevbpf
  2025-10-01 19:28   ` [PATCH v4 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP Brahmajit Das
  1 sibling, 1 reply; 39+ messages in thread
From: Brahmajit Das @ 2025-10-01 19:28 UTC (permalink / raw)
  To: syzbot+d36d5ae81e1b0a53ef58
  Cc: andrii, ast, bpf, daniel, eddyz87, haoluo, john.fastabend, jolsa,
	kpsingh, linux-kernel, martin.lau, sdf, song, syzkaller-bugs,
	yonghong.song, KaFai Wan

In check_alu_op(), the verifier currently calls check_reg_arg() and
adjust_scalar_min_max_vals() unconditionally for BPF_NEG operations.
However, if the destination register holds a pointer, these scalar
adjustments are unnecessary and potentially incorrect.

This patch adds a check to skip the adjustment logic when the destination
register contains a pointer.

Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58
Fixes: aced132599b3 ("bpf: Add range tracking for BPF_NEG")
Suggested-by: KaFai Wan <kafai.wan@linux.dev>
Suggested-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Brahmajit Das <listout@listout.xyz>
---
Changes in v4:
Cleanup: instead of using __is_pointer_value(), the check is further
simplified by testing whether regs[insn->dst_reg].type is SCALAR_VALUE.
Link: 

Changes in v3:
Using __is_pointer_value() to check if the register is of pointer type.
Link: https://lore.kernel.org/all/20251001095613.267475-1-listout@listout.xyz/

Changes in v2: 
Checking if reg->map_ptr is NULL in bpf/log.c but with a cleaner approach
(wrong approach)
Link: https://lore.kernel.org/all/20250923174738.1713751-1-listout@listout.xyz/

Changes in v1: 
Checking if reg->map_ptr is NULL in bpf/log.c (wrong approach)
Link: https://lore.kernel.org/all/20250923164144.1573636-1-listout@listout.xyz/
---
 kernel/bpf/verifier.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e892df386eed..f3d8ba142faa 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -15645,7 +15645,8 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
 		}
 
 		/* check dest operand */
-		if (opcode == BPF_NEG) {
+		if (opcode == BPF_NEG &&
+		    regs[insn->dst_reg].type == SCALAR_VALUE) {
 			err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK);
 			err = err ?: adjust_scalar_min_max_vals(env, insn,
 							 &regs[insn->dst_reg],
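Review bot: the condition `regs[insn->dst_reg].type == SCALAR_VALUE` is a positive check on the scalar case, so the subject's "Skip scalar adjustment ... if dst is a pointer" now reads as the inverse of what the code tests; "only when dst is a scalar" would match the hunk. Also, v3 of this patch carried `Acked-by: Eduard Zingerman <eddyz87@gmail.com>` and Eduard is listed as Suggested-by here, but the Acked-by tag itself is not included; carry it forward unless the code changed materially beyond the one-line simplification he asked for.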
-- 
2.51.0



* [PATCH v4 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP
  2025-10-01 19:28 ` [PATCH v4 " Brahmajit Das
  2025-10-01 19:28   ` [PATCH v4 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer Brahmajit Das
@ 2025-10-01 19:28   ` Brahmajit Das
  1 sibling, 0 replies; 39+ messages in thread
From: Brahmajit Das @ 2025-10-01 19:28 UTC (permalink / raw)
  To: syzbot+d36d5ae81e1b0a53ef58
  Cc: andrii, ast, bpf, daniel, eddyz87, haoluo, john.fastabend, jolsa,
	kpsingh, linux-kernel, martin.lau, sdf, song, syzkaller-bugs,
	yonghong.song, KaFai Wan

From: KaFai Wan <kafai.wan@linux.dev>

Add a test case for BPF_NEG operation on CONST_PTR_TO_MAP. Tests if
BPF_NEG operation on map_ptr is rejected in unprivileged mode and is a
scalar value and does not trigger an Oops in privileged mode.

Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
---
 .../bpf/progs/verifier_value_illegal_alu.c     | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c b/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c
index a9ab37d3b9e2..dcaab61a11a0 100644
--- a/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c
+++ b/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c
@@ -146,6 +146,24 @@ l0_%=:	exit;						\
 	: __clobber_all);
 }
 
+SEC("socket")
+__description("map_ptr illegal alu op, map_ptr = -map_ptr")
+__failure __msg("R0 invalid mem access 'scalar'")
+__failure_unpriv __msg_unpriv("R0 pointer arithmetic prohibited")
+__flag(BPF_F_ANY_ALIGNMENT)
+__naked void map_ptr_illegal_alu_op(void)
+{
+	asm volatile ("					\
+	r0 = %[map_hash_48b] ll;			\
+	r0 = -r0;					\
+	r1 = 22;					\
+	*(u64*)(r0 + 0) = r1;				\
+	exit;						\
+"	:
+	: __imm_addr(map_hash_48b)
+	: __clobber_all);
+}
+
 SEC("flow_dissector")
 __description("flow_keys illegal alu op with variable offset")
 __failure __msg("R7 pointer arithmetic on flow_keys prohibited")
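Review bot: this is a resend of the same selftest hunk, and the `Acked-by: Eduard Zingerman <eddyz87@gmail.com>` given on v3 is still missing from the tags; since the test body is unchanged from v3 (same `__description`, same expected messages, same asm), the tag should be carried forward. It would also help to add the Reported-by/Closes references from patch 1 to this commit message, since this test is the regression check for that report.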
-- 
2.51.0



* Re: [PATCH v4 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer
  2025-10-01 19:17     ` [PATCH v4 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer Brahmajit Das
@ 2025-10-01 19:32       ` Eduard Zingerman
  0 siblings, 0 replies; 39+ messages in thread
From: Eduard Zingerman @ 2025-10-01 19:32 UTC (permalink / raw)
  To: Brahmajit Das
  Cc: andrii, ast, bpf, daniel, haoluo, john.fastabend, jolsa, kpsingh,
	linux-kernel, martin.lau, sdf, song, syzbot+d36d5ae81e1b0a53ef58,
	syzkaller-bugs, yonghong.song, KaFai Wan

On Thu, 2025-10-02 at 00:47 +0530, Brahmajit Das wrote:
> In check_alu_op(), the verifier currently calls check_reg_arg() and
> adjust_scalar_min_max_vals() unconditionally for BPF_NEG operations.
> However, if the destination register holds a pointer, these scalar
> adjustments are unnecessary and potentially incorrect.
> 
> This patch adds a check to skip the adjustment logic when the destination
> register contains a pointer.
> 
> Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58
> Fixes: aced132599b3 ("bpf: Add range tracking for BPF_NEG")
> Suggested-by: KaFai Wan <kafai.wan@linux.dev>
> Suggested-by: Eduard Zingerman <eddyz87@gmail.com>
> Signed-off-by: Brahmajit Das <listout@listout.xyz>
> ---

Acked-by: Eduard Zingerman <eddyz87@gmail.com>

[...]


* Re: [PATCH v4 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP
  2025-10-01 19:17     ` [PATCH v4 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP Brahmajit Das
@ 2025-10-01 19:33       ` Eduard Zingerman
  0 siblings, 0 replies; 39+ messages in thread
From: Eduard Zingerman @ 2025-10-01 19:33 UTC (permalink / raw)
  To: Brahmajit Das
  Cc: andrii, ast, bpf, daniel, haoluo, john.fastabend, jolsa, kpsingh,
	linux-kernel, martin.lau, sdf, song, syzbot+d36d5ae81e1b0a53ef58,
	syzkaller-bugs, yonghong.song, KaFai Wan

On Thu, 2025-10-02 at 00:47 +0530, Brahmajit Das wrote:
> From: KaFai Wan <kafai.wan@linux.dev>
> 
> Add a test case for the BPF_NEG operation on CONST_PTR_TO_MAP. Tests
> that a BPF_NEG operation on map_ptr is rejected in unprivileged mode and
> that, in privileged mode, it yields a scalar value and does not trigger
> an Oops.
> 
> Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
> ---

Acked-by: Eduard Zingerman <eddyz87@gmail.com>

(in the future, once you have an Ack, please copy it to the next
 revision, unless there are some dramatic changes to the code).


* Re: [PATCH v4 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register
  2025-10-01 19:17   ` [PATCH v4 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register Brahmajit Das
  2025-10-01 19:17     ` [PATCH v4 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer Brahmajit Das
  2025-10-01 19:17     ` [PATCH v4 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP Brahmajit Das
@ 2025-10-01 21:10     ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 39+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-10-01 21:10 UTC (permalink / raw)
  To: Brahmajit Das
  Cc: andrii, ast, bpf, daniel, eddyz87, haoluo, john.fastabend, jolsa,
	kpsingh, linux-kernel, martin.lau, sdf, song,
	syzbot+d36d5ae81e1b0a53ef58, syzkaller-bugs, yonghong.song

Hello:

This series was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Thu,  2 Oct 2025 00:47:37 +0530 you wrote:
> This patch fixes a crash in the BPF verifier triggered when the BPF_NEG
> operation is applied to a pointer-typed register. The verifier now
> checks that the destination register is not a pointer before performing
> the operation.
> 
> Tested with syzkaller reproducer and new BPF selftest.
> Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58
> 
> [...]

Here is the summary with links:
  - [v4,1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer
    https://git.kernel.org/bpf/bpf/c/34904582b502
  - [v4,2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP
    https://git.kernel.org/bpf/bpf/c/8709c1685220

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html




* Re: [PATCH v4 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer
  2025-10-01 19:28   ` [PATCH v4 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer Brahmajit Das
@ 2025-10-01 21:10     ` patchwork-bot+netdevbpf
  0 siblings, 0 replies; 39+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-10-01 21:10 UTC (permalink / raw)
  To: Brahmajit Das
  Cc: syzbot+d36d5ae81e1b0a53ef58, andrii, ast, bpf, daniel, eddyz87,
	haoluo, john.fastabend, jolsa, kpsingh, linux-kernel, martin.lau,
	sdf, song, syzkaller-bugs, yonghong.song, kafai.wan

Hello:

This series was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Thu,  2 Oct 2025 00:58:58 +0530 you wrote:
> In check_alu_op(), the verifier currently calls check_reg_arg() and
> adjust_scalar_min_max_vals() unconditionally for BPF_NEG operations.
> However, if the destination register holds a pointer, these scalar
> adjustments are unnecessary and potentially incorrect.
> 
> This patch adds a check to skip the adjustment logic when the destination
> register contains a pointer.
> 
> [...]

Here is the summary with links:
  - [v4,1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer
    https://git.kernel.org/bpf/bpf/c/34904582b502
  - [v4,2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP
    https://git.kernel.org/bpf/bpf/c/8709c1685220

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html





Thread overview: 39+ messages
2025-09-23  9:02 [syzbot] [bpf?] general protection fault in print_reg_state syzbot
2025-09-23 16:41 ` [PATCH 1/1] bpf: fix NULL pointer dereference in print_reg_state() Brahmajit Das
2025-10-01 19:17   ` [PATCH v4 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register Brahmajit Das
2025-10-01 19:17     ` [PATCH v4 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer Brahmajit Das
2025-10-01 19:32       ` Eduard Zingerman
2025-10-01 19:17     ` [PATCH v4 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP Brahmajit Das
2025-10-01 19:33       ` Eduard Zingerman
2025-10-01 21:10     ` [PATCH v4 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register patchwork-bot+netdevbpf
2025-09-23 16:43 ` [PATCH 1/1] bpf: fix NULL pointer dereference in print_reg_state() Brahmajit Das
2025-09-23 18:52   ` Alexei Starovoitov
2025-09-23 17:10 ` Forwarded: [PATCH] " syzbot
2025-09-23 17:47 ` [PATCH v2] " Brahmajit Das
2025-09-24  7:32   ` Alexei Starovoitov
2025-09-24  9:09     ` Brahmajit Das
2025-09-24 15:40     ` Brahmajit Das
2025-09-24 17:28       ` Alexei Starovoitov
2025-09-24 17:38       ` KaFai Wan
2025-09-24 18:28         ` Brahmajit Das
2025-09-25 15:31           ` KaFai Wan
2025-09-26  1:04             ` Brahmajit Das
2025-09-26  1:56               ` Brahmajit Das
2025-09-26 10:36               ` KaFai Wan
2025-09-30 18:21                 ` Brahmajit Das
2025-10-01  5:08                   ` KaFai Wan
2025-09-29 18:23 ` [syzbot] [bpf?] general protection fault in print_reg_state syzbot
2025-10-01  9:56 ` [PATCH v3 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register Brahmajit Das
2025-10-01  9:56   ` [PATCH v3 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer Brahmajit Das
2025-10-01 16:55     ` Alexei Starovoitov
2025-10-01 18:29     ` Eduard Zingerman
2025-10-01 18:49       ` Brahmajit Das
2025-10-01 18:54         ` Eduard Zingerman
2025-10-01  9:56   ` [PATCH v3 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP Brahmajit Das
2025-10-01 18:37     ` Eduard Zingerman
2025-10-01 18:40   ` [PATCH v3 0/2] bpf: Fix verifier crash on BPF_NEG with pointer register Eduard Zingerman
2025-10-01 19:28 ` [PATCH v4 " Brahmajit Das
2025-10-01 19:28   ` [PATCH v4 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer Brahmajit Das
2025-10-01 21:10     ` patchwork-bot+netdevbpf
2025-10-01 19:28   ` [PATCH v4 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP Brahmajit Das
     [not found] <20250923171012.1627266-1-listout@listout.xyz>
2025-09-23 17:30 ` [syzbot] [bpf?] general protection fault in print_reg_state syzbot
