This patch fixes a crash in the BPF verifier triggered when the BPF_NEG
operation is applied to a pointer-typed register. The verifier now
checks that the destination register is not a pointer before performing
the operation.

Tested with syzkaller reproducer and new BPF sefltest.
Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58

Brahmajit Das (1):
  bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer

KaFai Wan (1):
  selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP

 kernel/bpf/verifier.c                          |  3 ++-
 .../bpf/progs/verifier_value_illegal_alu.c     | 18 ++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

-- 
2.51.0

On Wed, 2025-10-01 at 15:26 +0530, Brahmajit Das wrote:
> This patch fixes a crash in the BPF verifier triggered when the BPF_NEG
> operation is applied to a pointer-typed register. The verifier now
> checks that the destination register is not a pointer before performing
> the operation.
> 
> Tested with syzkaller reproducer and new BPF sefltest.
> Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58

Nit: In the future, could you please include links to previous
     patch-set versions in the cover letter?  These links are usually
     accompanied with a short description of changes from version to
     version.

> 
> Brahmajit Das (1):
>   bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer
> 
> KaFai Wan (1):
>   selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP
> 
>  kernel/bpf/verifier.c                          |  3 ++-
>  .../bpf/progs/verifier_value_illegal_alu.c     | 18 ++++++++++++++++++
>  2 files changed, 20 insertions(+), 1 deletion(-)