> syzbot found the following issue on: > > HEAD commit: f28214603dc6 Merge branch 'selftests-bpf-move-test_lwt_seg.. > git tree: bpf-next > console+strace: https://syzkaller.appspot.com/x/log.txt?x=15f84664580000 > kernel config: https://syzkaller.appspot.com/x/.config?x=b7bde34acd8f53b1 > dashboard link: https://syzkaller.appspot.com/bug?extid=a5964227adc0f904549c > compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40 > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=16450ba8580000 > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11f5fa54580000 #syz test --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -7788,6 +7788,12 @@ static int check_atomic_rmw(struct bpf_verifier_env *env, static int check_atomic_load(struct bpf_verifier_env *env, struct bpf_insn *insn) { + int err; + + err = check_load_mem(env, insn, true, false, false, "atomic_load"); + if (err) + return err; + if (!atomic_ptr_type_ok(env, insn->src_reg, insn)) { verbose(env, "BPF_ATOMIC loads from R%d %s is not allowed\n", insn->src_reg, @@ -7795,12 +7801,18 @@ static int check_atomic_load(struct bpf_verifier_env *env, return -EACCES; } - return check_load_mem(env, insn, true, false, false, "atomic_load"); + return 0; } static int check_atomic_store(struct bpf_verifier_env *env, struct bpf_insn *insn) { + int err; + + err = check_store_reg(env, insn, true); + if (err) + return err; + if (!atomic_ptr_type_ok(env, insn->dst_reg, insn)) { verbose(env, "BPF_ATOMIC stores into R%d %s is not allowed\n", insn->dst_reg, @@ -7808,7 +7820,7 @@ static int check_atomic_store(struct bpf_verifier_env *env, return -EACCES; } - return check_store_reg(env, insn, true); + return 0; } static int check_atomic(struct bpf_verifier_env *env, struct bpf_insn *insn)
