bpf: Fix NULL pointer dereference in __btf_resolve_helper_id()

Prevent __btf_resolve_helper_id() from dereferencing `btf_vmlinux`
as NULL. This patch fixes the following syzbot bug:

    https://syzkaller.appspot.com/bug?id=f823224ada908fa5c207902a5a62065e53ca0fcc

Reported-by: syzbot+ee09bda7017345f1fbe6@syzkaller.appspotmail.com
Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20200714180904.277512-1-yepeilin.cs@gmail.com

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index 9a1a98dd9e97c7c9576ec78513e6ced95f7bb4ae..0443600146dc27edd385e5c7dd594b087605a012 100644 (file)
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -4058,6 +4058,11 @@ static int __btf_resolve_helper_id(struct bpf_verifier_log *log, void *fn,
        const char *tname, *sym;
        u32 btf_id, i;
 
+       if (!btf_vmlinux) {
+               bpf_log(log, "btf_vmlinux doesn't exist\n");
+               return -EINVAL;
+       }
+
        if (IS_ERR(btf_vmlinux)) {
                bpf_log(log, "btf_vmlinux is malformed\n");
                return -EINVAL;