Commit 4d0a3758 authored Apr 16, 2026 by Mykyta Yatsenko Committed by Alexei Starovoitov Apr 16, 2026

bpf: Fix NULL deref in map_kptr_match_type for scalar regs



Commit ab6c637a ("bpf: Fix a bpf_kptr_xchg() issue with local
kptr") refactored map_kptr_match_type() to branch on btf_is_kernel()
before checking base_type(). A scalar register stored into a kptr
slot has no btf, so the btf_is_kernel(reg->btf) call dereferences
NULL.

Move the base_type() != PTR_TO_BTF_ID guard before any reg->btf
access.

Fixes: ab6c637a ("bpf: Fix a bpf_kptr_xchg() issue with local kptr")
Reported-by: Hiker Cl <clhiker365@gmail.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=221372


Signed-off-by: Mykyta Yatsenko <yatsenko@meta.com>
Acked-by: Paul Chaignon <paul.chaignon@gmail.com>
Link: https://lore.kernel.org/r/20260416-kptr_crash-v1-1-5589356584b4@meta.com


Signed-off-by: Alexei Starovoitov <ast@kernel.org>

parent e5f635ed

kernel/bpf/verifier.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -4549,6 +4549,9 @@ static int map_kptr_match_type(struct bpf_verifier_env *env,
		int perm_flags;
		const char *reg_name = "";

		if (base_type(reg->type) != PTR_TO_BTF_ID)
		goto bad_type;

		if (btf_is_kernel(reg->btf)) {
		perm_flags = PTR_MAYBE_NULL \| PTR_TRUSTED \| MEM_RCU;

		@@ -4561,7 +4564,7 @@ static int map_kptr_match_type(struct bpf_verifier_env *env,
		perm_flags \|= MEM_PERCPU;
		}

		if (base_type(reg->type) != PTR_TO_BTF_ID \|\| (type_flag(reg->type) & ~perm_flags))
		if (type_flag(reg->type) & ~perm_flags)
		goto bad_type;

		/* We need to verify reg->type and reg->btf, before accessing reg->btf */