tree:
https://git.kernel.org/pub/scm/linux/kernel/git/toke/linux.git
bpf-freplace-multi-attach-alt-04
head: 4b32f3fa732bbc5ab739fc9a0b9864c66a6183fd
commit: b166eea4ca70570e9998331165242454c2a357c0 [3/8] bpf: wrap
prog->aux->linked_prog in a bpf_tracing_link
config: x86_64-randconfig-m001-20200916 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-15) 9.3.0
If you fix the issue, kindly add the following tags as appropriate
Reported-by: kernel test robot <lkp(a)intel.com>
Reported-by: Dan Carpenter <dan.carpenter(a)oracle.com>
smatch warnings:
kernel/bpf/verifier.c:11344 check_attach_btf_id() error: we previously assumed
'prog->aux->tgt_link' could be null (see line 11286)
#
https://git.kernel.org/pub/scm/linux/kernel/git/toke/linux.git/commit/?id...
git remote add toke
https://git.kernel.org/pub/scm/linux/kernel/git/toke/linux.git
git fetch --no-tags toke bpf-freplace-multi-attach-alt-04
git checkout b166eea4ca70570e9998331165242454c2a357c0
vim +11344 kernel/bpf/verifier.c
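/*
 * check_attach_btf_id - validate the BTF attach target of the program under
 * verification and record what later attach steps need.
 *
 * @env: verifier environment; the program is taken from env->prog.
 *
 * Returns 0 when the program type needs no attach target or the target was
 * accepted, otherwise a negative errno (-EINVAL from the checks below, or the
 * error propagated from bpf_check_attach_target(), bpf_lsm_verify_prog() or
 * bpf_trampoline_get()).
 */
static int check_attach_btf_id(struct bpf_verifier_env *env)
{
	struct bpf_prog *prog = env->prog;
	u32 btf_id = prog->aux->attach_btf_id;
	struct bpf_prog *tgt_prog = NULL;
	struct btf_func_model fmodel;
	struct bpf_trampoline *tr;
	const struct btf_type *t;
	const char *tname;
	long addr;
	int ret;
	u64 key;

	/*
	 * tgt_link is treated as optional here: without it there is no target
	 * program and tgt_prog stays NULL. (smatch, line 11286: this test is
	 * what establishes that ->tgt_link can be NULL.)
	 */
	if (prog->aux->tgt_link)
		tgt_prog = prog->aux->tgt_link->tgt_prog;

	if (prog->aux->sleepable && prog->type != BPF_PROG_TYPE_TRACING &&
	    prog->type != BPF_PROG_TYPE_LSM) {
		verbose(env, "Only fentry/fexit/fmod_ret and lsm programs can be sleepable\n");
		return -EINVAL;
	}

	if (prog->type == BPF_PROG_TYPE_STRUCT_OPS)
		return check_struct_ops_btf_id(env);

	/* Only tracing, LSM and extension programs carry an attach target. */
	if (prog->type != BPF_PROG_TYPE_TRACING &&
	    prog->type != BPF_PROG_TYPE_LSM &&
	    prog->type != BPF_PROG_TYPE_EXT)
		return 0;

	ret = bpf_check_attach_target(&env->log, prog, tgt_prog, btf_id,
				      &fmodel, &addr, &tname, &t);
	if (ret)
		return ret;

	if (tgt_prog) {
		if (prog->type == BPF_PROG_TYPE_EXT) {
			/* An extension program is verified as its target's type. */
			env->ops = bpf_verifier_ops[tgt_prog->type];
			prog->expected_attach_type =
				tgt_prog->expected_attach_type;
		}
		/* Target program id in the upper 32 bits, BTF id in the lower. */
		key = ((u64)tgt_prog->aux->id) << 32 | btf_id;
	} else {
		key = btf_id;
	}

	/* remember two read only pointers that are valid for
	 * the life time of the kernel
	 */
	prog->aux->attach_func_proto = t;
	prog->aux->attach_func_name = tname;

	if (prog->expected_attach_type == BPF_TRACE_RAW_TP) {
		prog->aux->attach_btf_trace = true;
		return 0;
	} else if (prog->expected_attach_type == BPF_TRACE_ITER) {
		if (!bpf_iter_prog_supported(prog))
			return -EINVAL;
		return 0;
	}

	if (prog->type == BPF_PROG_TYPE_LSM) {
		ret = bpf_lsm_verify_prog(&env->log, prog);
		if (ret < 0)
			return ret;
	}

	/*
	 * smatch, line 11344: ->tgt_link was dereferenced here without a check
	 * although the test at the top of the function allows it to be NULL.
	 * Reject that case instead of dereferencing a NULL pointer in the
	 * kernel. The check sits before bpf_trampoline_get() so there is no
	 * trampoline to release on this path.
	 *
	 * NOTE(review): if the load path guarantees a tgt_link for every
	 * TRACING/LSM/EXT program that reaches this point, the NULL test at
	 * the top is the redundant one - confirm which invariant is intended.
	 */
	if (!prog->aux->tgt_link) {
		verbose(env, "missing target link for trampoline attachment\n");
		return -EINVAL;
	}

	tr = bpf_trampoline_get(key, (void *)addr, &fmodel);
	if (IS_ERR(tr))
		return PTR_ERR(tr);

	prog->aux->tgt_link->trampoline = tr;
	return 0;
}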
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org