bpf: fix NULL pointer dereference in print_reg_state()

listout · Kernel Patches Daemon · commit dbd63e8fe8ae · 2025-09-23T09:44:10.000-07:00
Syzkaller reported a general protection fault due to a NULL pointer
dereference in print_reg_state() when accessing reg-&gt;map_ptr without
checking if it is NULL.

The existing code assumes reg-&gt;map_ptr is always valid before
dereferencing reg-&gt;map_ptr-&gt;name, reg-&gt;map_ptr-&gt;key_size, and
reg-&gt;map_ptr-&gt;value_size.

Fix this by adding explicit NULL checks before accessing reg-&gt;map_ptr
and its members. This prevents crashes when reg-&gt;map_ptr is NULL,
improving the robustness of the BPF verifier's verbose logging.

Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
Signed-off-by: Brahmajit Das &lt;listout@listout.xyz&gt;
diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
@@ -3,6 +3,7 @@
  * Copyright (c) 2016 Facebook
  * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io
  */
+#include "linux/printk.h"
 #include <uapi/linux/btf.h>
 #include <linux/kernel.h>
 #include <linux/types.h>
@@ -705,11 +706,12 @@ static void print_reg_state(struct bpf_verifier_env *env,
 	if (type_is_non_owning_ref(reg->type))
 		verbose_a("%s", "non_own_ref");
 	if (type_is_map_ptr(t)) {
-		if (reg->map_ptr->name[0])
+		if (reg->map_ptr != NULL && reg->map_ptr->name[0] != '\0')
 			verbose_a("map=%s", reg->map_ptr->name);
-		verbose_a("ks=%d,vs=%d",
-			  reg->map_ptr->key_size,
-			  reg->map_ptr->value_size);
+		if (reg->map_ptr != NULL)
+			verbose_a("ks=%d,vs=%d",
+					reg->map_ptr->key_size,
+					reg->map_ptr->value_size);
 	}
 	if (t != SCALAR_VALUE && reg->off) {
 		verbose_a("off=");
