Skip to content

bpf: Fix verifier crash on BPF_NEG with pointer register #6080

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

bpf: Fix verifier crash on BPF_NEG with pointer register #6080

wants to merge 2 commits into from

Conversation

@kernel-patches-daemon-bpf-rc
Copy link

@kernel-patches-daemon-bpf-rc kernel-patches-daemon-bpf-rc bot commented Oct 1, 2025

Pull request for series with
subject: bpf: Fix verifier crash on BPF_NEG with pointer register
version: 4
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1007800

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Oct 1, 2025

Upstream branch: 4ef77dd
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1007800
version: 4

listout and others added 2 commits October 1, 2025 12:38
@listout
bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer
0252523 
In check_alu_op(), the verifier currently calls check_reg_arg() and
adjust_scalar_min_max_vals() unconditionally for BPF_NEG operations.
However, if the destination register holds a pointer, these scalar
adjustments are unnecessary and potentially incorrect.

This patch adds a check to skip the adjustment logic when the destination
register contains a pointer.

Reported-by: [email protected]
Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58
Fixes: aced132 ("bpf: Add range tracking for BPF_NEG")
Suggested-by: KaFai Wan <[email protected]>
Suggested-by: Eduard Zingerman <[email protected]>
Signed-off-by: Brahmajit Das <[email protected]>
Acked-by: Eduard Zingerman <[email protected]>
@mannkafai
selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP
323da5e 
Add a test case for BPF_NEG operation on CONST_PTR_TO_MAP. Tests if
BPF_NEG operation on map_ptr is rejected in unprivileged mode and is a
scalar value and do not trigger Oops in privileged mode.

Signed-off-by: KaFai Wan <[email protected]>
Acked-by: Eduard Zingerman <[email protected]>
@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Oct 1, 2025

Upstream branch: 4ef77dd
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1007800
version: 4

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Oct 1, 2025

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=1007800 irrelevant now. Closing PR.

@kernel-patches-daemon-bpf-rc kernel-patches-daemon-bpf-rc bot deleted the series/1007800=>bpf-next branch October 1, 2025 21:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

accepted bpf-next V4

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@listout @mannkafai