From: Kui-Feng Lee <thinker.li@xxxxxxxxx> Check whether the returned pointer is NULL. Previously, it was assumed that an error code would be returned if BTF is not available or fails to parse. However, it actually returns NULL if BTF is disabled. In the function check_struct_ops_btf_id(), we have stopped using btf_vmlinux as a backup because attach_btf is never null when attach_btf_id is set. However, the function test_libbpf_probe_prog_types() in libbpf_probes.c does not set both attach_btf_obj_fd and attach_btf_id, resulting in attach_btf being null, and it expects ENOTSUPP as a result. So, if attach_btf_id is not set, it will return ENOTSUPP. Changes from v1: - Remove an unnecessary NULL check in check_struct_ops_btf_id() Reported-by: syzbot+88f0aafe5f950d7489d7@xxxxxxxxxxxxxxxxxxxxxxxxx Closes: https://lore.kernel.org/bpf/00000000000040d68a060fc8db8c@xxxxxxxxxx/ Reported-by: syzbot+1336f3d4b10bcda75b89@xxxxxxxxxxxxxxxxxxxxxxxxx Closes: https://lore.kernel.org/bpf/00000000000026353b060fc21c07@xxxxxxxxxx/ Fixes: fcc2c1fb0651 ("bpf: pass attached BTF to the bpf_struct_ops subsystem") Signed-off-by: Kui-Feng Lee <thinker.li@xxxxxxxxx> --- kernel/bpf/bpf_struct_ops.c | 2 ++ kernel/bpf/verifier.c | 5 ++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/bpf_struct_ops.c b/kernel/bpf/bpf_struct_ops.c index defc052e4622..0decd862dfe0 100644 --- a/kernel/bpf/bpf_struct_ops.c +++ b/kernel/bpf/bpf_struct_ops.c @@ -669,6 +669,8 @@ static struct bpf_map *bpf_struct_ops_map_alloc(union bpf_attr *attr) btf = bpf_get_btf_vmlinux(); if (IS_ERR(btf)) return ERR_CAST(btf); + if (!btf) + return ERR_PTR(-ENOTSUPP); } st_ops_desc = bpf_struct_ops_find_value(btf, attr->btf_vmlinux_value_type_id); diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index fe833e831cb6..c5d68a9d8acc 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -20298,7 +20298,10 @@ static int check_struct_ops_btf_id(struct bpf_verifier_env *env) return -EINVAL; } - btf = prog->aux->attach_btf ?: bpf_get_btf_vmlinux(); + if (!prog->aux->attach_btf_id) + return -ENOTSUPP; + + btf = prog->aux->attach_btf; if (btf_is_module(btf)) { /* Make sure st_ops is valid through the lifetime of env */ env->attach_btf_mod = btf_try_get_module(btf); -- 2.34.1