Re: [PATCH v2] bpf: fix NULL pointer dereference in print_reg_state()

From: Brahmajit Das
Date: Wed Sep 24 2025 - 11:43:23 EST


On 24.09.2025 09:32, Alexei Starovoitov wrote:
> On Wed, Sep 24, 2025 at 1:43 AM Brahmajit Das <listout@xxxxxxxxxxx> wrote:
> >
> > Syzkaller reported a general protection fault due to a NULL pointer
> > dereference in print_reg_state() when accessing reg->map_ptr without
> > checking if it is NULL.
> >
...snip...
> > - if (type_is_map_ptr(t)) {
> > + if (type_is_map_ptr(t) && reg->map_ptr) {
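Review bot: the added `&& reg->map_ptr` guard in print_reg_state() only hides the real problem, which is that a register can carry a map-pointer type while its map_ptr has already been zeroed, so the type tag and the union it describes no longer agree. A printer that trusts the type is behaving correctly; the state it is handed is not. The fix belongs where that state is produced (the path that clears the union without updating reg->type, or the opcode handling that lets it happen on a pointer register), so that the invariant "map-pointer type implies valid map_ptr" holds everywhere rather than being special-cased in one consumer.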
>
> You ignored earlier feedback.
> Fix the root cause, not the symptom.
>
> pw-bot: cr

I'm not sure if I'm headed in the right direction, but it seems like in
check_alu_op we are calling adjust_scalar_min_max_vals when we get a
BPF_NEG as opcode, which has a call to __mark_reg_known when the opcode is
BPF_NEG. And __mark_reg_known clears map_ptr with

	/* Clear off and union(map_ptr, range) */
	memset(((u8 *)reg) + sizeof(reg->type), 0,
	       offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type));

--
Regards,
listout
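As an added illustration of the root cause discussed in this thread (this is not code from the email, the patch, or the kernel): a cut-down model of a verifier-style register state, with a type tag followed by a union holding map_ptr. The memset in the model copies the shape of the quoted kernel snippet, clearing everything between `type` and `var_off` but leaving `type` untouched, so a register that was a map pointer ends up tagged as one with a NULL map_ptr. A printer that trusts the tag then dereferences NULL. The struct, enum and function names (`reg_state`, `mark_reg_known_union_only`, `mark_reg_known_consistent`, `print_reg_state_model`) are simplified stand-ins, not the kernel's definitions.

```c
/* Constructed model, not kernel code. The layout mirrors the idea behind
 * the quoted memset: a type tag, then a union (map_ptr / range), then var_off. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum reg_type { SCALAR_VALUE = 0, PTR_TO_MAP_VALUE = 1 };

struct map { const char *name; };

struct reg_state {
	enum reg_type type;
	union {
		struct map *map_ptr;   /* meaningful only for map-pointer types */
		int64_t range;
	};
	uint64_t var_off;          /* known constant value once marked known */
};

static int type_is_map_ptr(enum reg_type t)
{
	return t == PTR_TO_MAP_VALUE;
}

/* Model of the quoted kernel code: zero everything between `type` and
 * `var_off` (i.e. the union), but leave the type tag as it was. */
static void mark_reg_known_union_only(struct reg_state *reg, uint64_t imm)
{
	memset(((uint8_t *)reg) + sizeof(reg->type), 0,
	       offsetof(struct reg_state, var_off) - sizeof(reg->type));
	reg->var_off = imm;
}

/* Consistent variant: a register holding a known constant is a scalar, so
 * the tag is updated together with the payload it describes. */
static void mark_reg_known_consistent(struct reg_state *reg, uint64_t imm)
{
	mark_reg_known_union_only(reg, imm);
	reg->type = SCALAR_VALUE;
}

/* Invariant the printer relies on: a map-pointer type carries a non-NULL
 * map_ptr. Returns 1 if the tag and payload agree, 0 otherwise. */
static int reg_state_consistent(const struct reg_state *reg)
{
	if (type_is_map_ptr(reg->type))
		return reg->map_ptr != NULL;
	return 1;
}

/* A printer that trusts the tag, like the unpatched print_reg_state().
 * Returns the text it would print, or NULL where the kernel version would
 * dereference a NULL map_ptr. */
static const char *print_reg_state_model(const struct reg_state *reg)
{
	if (type_is_map_ptr(reg->type)) {
		if (!reg->map_ptr)
			return NULL;   /* the NULL dereference, surfaced as a value */
		return reg->map_ptr->name;
	}
	return "scalar";
}

/* Scenario 1: union cleared, tag unchanged -> inconsistent state. */
static int demo_union_only_marking(void)
{
	struct map m = { "constructed_map" };
	struct reg_state reg;

	memset(&reg, 0, sizeof(reg));
	reg.type = PTR_TO_MAP_VALUE;
	reg.map_ptr = &m;
	mark_reg_known_union_only(&reg, 0);
	return reg_state_consistent(&reg);
}

/* Scenario 2: tag updated with the payload -> consistent state. */
static int demo_consistent_marking(void)
{
	struct map m = { "constructed_map" };
	struct reg_state reg;

	memset(&reg, 0, sizeof(reg));
	reg.type = PTR_TO_MAP_VALUE;
	reg.map_ptr = &m;
	mark_reg_known_consistent(&reg, 0);
	return reg_state_consistent(&reg);
}

/* Would the trusting printer survive the inconsistent state? 1 = yes. */
static int demo_printer_survives_union_only(void)
{
	struct map m = { "constructed_map" };
	struct reg_state reg;

	memset(&reg, 0, sizeof(reg));
	reg.type = PTR_TO_MAP_VALUE;
	reg.map_ptr = &m;
	mark_reg_known_union_only(&reg, 0);
	return print_reg_state_model(&reg) != NULL;
}

int main(void)
{
	printf("union-only marking consistent: %d\n", demo_union_only_marking());
	printf("consistent marking consistent: %d\n", demo_consistent_marking());
	printf("printer survives union-only:   %d\n", demo_printer_survives_union_only());
	return 0;
}
```

The point of the model is that the printer's NULL check and the invariant check disagree about where the defect lives: guarding the printer makes `print_reg_state_model` return "safe" text, but `reg_state_consistent` still reports a register whose tag promises a map that is not there, and every other consumer of that tag faces the same dereference.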