Hello Kui-Feng Lee,

Commit 1338b9334658 ("bpf: pass btf object id in bpf_map_info.") from
Jan 19, 2024 (linux-next), leads to the following Smatch static checker
warning:

	./kernel/bpf/syscall.c:4903 bpf_map_get_info_by_fd()
	error: we previously assumed 'map->btf' could be null (see line 4896)

./kernel/bpf/syscall.c
    4871 static int bpf_map_get_info_by_fd(struct file *file,
    4872                                   struct bpf_map *map,
    4873                                   const union bpf_attr *attr,
    4874                                   union bpf_attr __user *uattr)
    4875 {
    4876         struct bpf_map_info __user *uinfo = u64_to_user_ptr(attr->info.info);
    4877         struct bpf_map_info info;
    4878         u32 info_len = attr->info.info_len;
    4879         int err;
    4880
    4881         err = bpf_check_uarg_tail_zero(USER_BPFPTR(uinfo), sizeof(info), info_len);
    4882         if (err)
    4883                 return err;
    4884         info_len = min_t(u32, sizeof(info), info_len);
    4885
    4886         memset(&info, 0, sizeof(info));
    4887         info.type = map->map_type;
    4888         info.id = map->id;
    4889         info.key_size = map->key_size;
    4890         info.value_size = map->value_size;
    4891         info.max_entries = map->max_entries;
    4892         info.map_flags = map->map_flags;
    4893         info.map_extra = map->map_extra;
    4894         memcpy(info.name, map->name, sizeof(map->name));
    4895
    4896         if (map->btf) {
                     ^^^^^^^^
map->btf can be NULL

    4897                 info.btf_id = btf_obj_id(map->btf);
    4898                 info.btf_key_type_id = map->btf_key_type_id;
    4899                 info.btf_value_type_id = map->btf_value_type_id;
    4900         }
    4901         info.btf_vmlinux_value_type_id = map->btf_vmlinux_value_type_id;
    4902         if (map->map_type == BPF_MAP_TYPE_STRUCT_OPS)
--> 4903                 bpf_map_struct_ops_info_fill(&info, map);
                                                             ^^^
map->btf is dereferenced without a NULL check inside this function.
Possibly map->btf can't be NULL for BPF_MAP_TYPE_STRUCT_OPS maps; I haven't
reviewed the callers, so this could be a false positive.

    4904
    4905         if (bpf_map_is_offloaded(map)) {
    4906                 err = bpf_map_offload_info_fill(&info, map);
    4907                 if (err)
    4908                         return err;
    4909         }
    4910
    4911         if (copy_to_user(uinfo, &info, info_len) ||
    4912             put_user(info_len, &uattr->info.info_len))
    4913                 return -EFAULT;
    4914
    4915         return 0;
    4916 }

regards,
dan carpenter