From: Brahmajit Das
To: listout@listout.xyz
Cc: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
 daniel@iogearbox.net, eddyz87@gmail.com, haoluo@google.com,
 john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org,
 linux-kernel@vger.kernel.org, martin.lau@linux.dev, sdf@fomichev.me,
 song@kernel.org, syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com,
 syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev, KaFai Wan
Subject: [PATCH v4 1/2] bpf: Skip scalar adjustment for BPF_NEG if dst is a pointer
Date: Thu, 2 Oct 2025 00:47:38 +0530
Message-ID: <20251001191739.2323644-2-listout@listout.xyz>
In-Reply-To: <20251001191739.2323644-1-listout@listout.xyz>
References: <20250923164144.1573636-1-listout@listout.xyz>
 <20251001191739.2323644-1-listout@listout.xyz>

In check_alu_op(), the verifier currently calls check_reg_arg() and
adjust_scalar_min_max_vals() unconditionally for BPF_NEG operations.
However, if the destination register holds a pointer, these scalar
adjustments are unnecessary and potentially incorrect.

This patch adds a check to skip the adjustment logic when the destination
register contains a pointer.

Reported-by: syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d36d5ae81e1b0a53ef58
Fixes: aced132599b3 ("bpf: Add range tracking for BPF_NEG")
Suggested-by: KaFai Wan
Suggested-by: Eduard Zingerman
Signed-off-by: Brahmajit Das
Acked-by: Eduard Zingerman
---
Changes in v4:
Cleaning up, instead of using __is_pointer_value it's further simplified by
checking if regs[insn->dst_reg].type is SCALAR_VALUE
Link:

Changes in v3:
Using __is_pointer_value to check if the register is of pointer type
Link: https://lore.kernel.org/all/20251001095613.267475-1-listout@listout.xyz/

Changes in v2:
Checking if reg->map_ptr is NULL in bpf/log.c (wrong approach)
Link: https://lore.kernel.org/all/20250923174738.1713751-1-listout@listout.xyz/
---
 kernel/bpf/verifier.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index e892df386eed..f3d8ba142faa 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c 
@@ -15645,7 +15645,8 @@ static int check_alu_op(struct bpf_verifier_env *en= v, struct bpf_insn *insn) } =20 /* check dest operand */ - if (opcode =3D=3D BPF_NEG) { + if (opcode =3D=3D BPF_NEG && + regs[insn->dst_reg].type =3D=3D SCALAR_VALUE) { err =3D check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK); err =3D err ?: adjust_scalar_min_max_vals(env, insn, ®s[insn->dst_reg], --=20 2.51.0
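
Review bot: the added condition regs[insn->dst_reg].type == SCALAR_VALUE, in the if under "/* check dest operand */", carries no comment saying why a non-scalar destination skips check_reg_arg(..., DST_OP_NO_MARK) and adjust_scalar_min_max_vals(), or which path handles it instead. A one-line comment above the condition, carrying the commit message's reasoning that scalar range tracking does not apply when dst holds a pointer, would keep the next reader from treating the extra test as redundant. The branch taken when the condition is false lies outside the lines shown, so it is also worth confirming that it still leaves dst_reg marked as an unknown scalar after a BPF_NEG on a pointer.
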
From: Brahmajit Das
To: listout@listout.xyz
Cc: andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
 daniel@iogearbox.net, eddyz87@gmail.com, haoluo@google.com,
 john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org,
 linux-kernel@vger.kernel.org, martin.lau@linux.dev, sdf@fomichev.me,
 song@kernel.org, syzbot+d36d5ae81e1b0a53ef58@syzkaller.appspotmail.com,
 syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev, KaFai Wan
Subject: [PATCH v4 2/2] selftests/bpf: Add test for BPF_NEG alu on CONST_PTR_TO_MAP
Date: Thu, 2 Oct 2025 00:47:39 +0530
Message-ID: <20251001191739.2323644-3-listout@listout.xyz>
In-Reply-To: <20251001191739.2323644-1-listout@listout.xyz>
References: <20250923164144.1573636-1-listout@listout.xyz>
 <20251001191739.2323644-1-listout@listout.xyz>

From: KaFai Wan

Add a test case for BPF_NEG operation on CONST_PTR_TO_MAP. Tests if
BPF_NEG operation on map_ptr is rejected in unprivileged mode and is a
scalar value and does not trigger Oops in privileged mode.

Signed-off-by: KaFai Wan
Acked-by: Eduard Zingerman
---
 .../bpf/progs/verifier_value_illegal_alu.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c= b/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c index a9ab37d3b9e2..dcaab61a11a0 100644 --- a/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c +++ b/tools/testing/selftests/bpf/progs/verifier_value_illegal_alu.c 
@@ -146,6 +146,24 @@ l0_%=3D: exit; \ : __clobber_all); } =20 +SEC("socket") +__description("map_ptr illegal alu op, map_ptr =3D -map_ptr") +__failure __msg("R0 invalid mem access 'scalar'") +__failure_unpriv __msg_unpriv("R0 pointer arithmetic prohibited") +__flag(BPF_F_ANY_ALIGNMENT) +__naked void map_ptr_illegal_alu_op(void) +{ + asm volatile (" \ + r0 =3D %[map_hash_48b] ll; \ + r0 =3D -r0; \ + r1 =3D 22; \ + *(u64*)(r0 + 0) =3D r1; \ + exit; \ +" : + : __imm_addr(map_hash_48b) + : __clobber_all); +} + SEC("flow_dissector") __description("flow_keys illegal alu op with variable offset") __failure __msg("R7 pointer arithmetic on flow_keys prohibited") --=20 2.51.0
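
Review bot: the asm body in map_ptr_illegal_alu_op() only exercises the 64-bit form, r0 = -r0, so a 32-bit negation of the same map pointer (w0 = -w0) is left untested. A second case next to this one, with its own expected __msg and __msg_unpriv strings, would cover the other ALU class. The function name also does not say which ALU op is under test, while the __description does ("map_ptr = -map_ptr"); a name that mentions the negation would make a failure in the selftest output easier to place.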