Commit ad2c03e6 authored by Benjamin Tissoires, committed by Alexei Starovoitov

bpf: verifier: bail out if the argument is not a map



When a kfunc is declared with a KF_ARG_PTR_TO_MAP, we should have
reg->map_ptr set to a non NULL value, otherwise, that means that the
underlying type is not a map.

Signed-off-by: Benjamin Tissoires <bentiss@kernel.org>
Link: https://lore.kernel.org/r/20240420-bpf_wq-v2-7-6c986a5a741f@kernel.org


Signed-off-by: Alexei Starovoitov <ast@kernel.org>
parent f1d0a2fb
+5 −0
@@ -11720,6 +11720,11 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
		case KF_ARG_PTR_TO_NULL:
			continue;
		case KF_ARG_PTR_TO_MAP:
			if (!reg->map_ptr) {
				verbose(env, "pointer in R%d isn't map pointer\n", regno);
				return -EINVAL;
			}
			fallthrough;
		case KF_ARG_PTR_TO_ALLOC_BTF_ID:
		case KF_ARG_PTR_TO_BTF_ID:
			if (!is_kfunc_trusted_args(meta) && !is_kfunc_rcu(meta))
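
Review bot: The new "if (!reg->map_ptr)" test in the KF_ARG_PTR_TO_MAP case decides "this is a map" purely from one field being non-NULL, and neither the code nor the commit message says why a register of any other kind can never hold a non-NULL value there. Please either add a short comment above the check stating that invariant, or also test the register type explicitly so the rejection does not depend on how the register state happens to be laid out. Two smaller points on the same lines: the message "pointer in R%d isn't map pointer" reads better as "isn't a map pointer", and since the case now falls through into KF_ARG_PTR_TO_ALLOC_BTF_ID, a one-line comment on why the map argument should continue into the trusted-args check would help the next reader. The change is +5 −0 with no test in view; a verifier selftest that passes a non-map pointer to a KF_ARG_PTR_TO_MAP kfunc and expects -EINVAL with this message would pin the behaviour.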