Re: [PATCH bpf-next] bpf: Silence Coverity warning for find_kfunc_desc_btf

On Fri, Oct 8, 2021 at 10:07 AM Kumar Kartikeya Dwivedi
<memxor@xxxxxxxxx> wrote:
>
> The helper function returns a pointer that in the failure case encodes
> an error in the struct btf pointer. The current code leads to a Coverity
> warning about the use of the invalid pointer:
>
>  *** CID 1507963:  Memory - illegal accesses  (USE_AFTER_FREE)
>  /kernel/bpf/verifier.c: 1788 in find_kfunc_desc_btf()
>  1782                          return ERR_PTR(-EINVAL);
>  1783                  }
>  1784
>  1785                  kfunc_btf = __find_kfunc_desc_btf(env, offset, btf_modp);
>  1786                  if (IS_ERR_OR_NULL(kfunc_btf)) {
>  1787                          verbose(env, "cannot find module BTF for func_id %u\n", func_id);
>  >>>      CID 1507963:  Memory - illegal accesses  (USE_AFTER_FREE)
>  >>>      Using freed pointer "kfunc_btf".
>  1788                          return kfunc_btf ?: ERR_PTR(-ENOENT);
>  1789                  }
>  1790                  return kfunc_btf;
>  1791          }
>  1792          return btf_vmlinux ?: ERR_PTR(-ENOENT);
>  1793     }
>
> Daniel suggested the use of ERR_CAST so that the intended use is clear
> to Coverity, but on closer look it seems that we never return NULL from
> the helper, hence it can just be switched to checking for IS_ERR and
> returning the pointer, similar to the cases elsewhere in the kernel.
>
> Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
> ---
>  kernel/bpf/verifier.c | 4 +---
>  1 file changed, 1 insertion(+), 3 deletions(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 20900a1bac12..2551b6be8d42 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -1783,10 +1783,8 @@ static struct btf *find_kfunc_desc_btf(struct bpf_verifier_env *env,
>                 }
>
>                 kfunc_btf = __find_kfunc_desc_btf(env, offset, btf_modp);

Seems like __find_kfunc_desc_btf() already logs most of the possible
reasons for the failure, with possibly btf_get_by_fd failure being the
biggest user-visible omission. If you complete __find_kfunc_desc_btf
logging and just pass through its result here without extra check,
wouldn't it work?

> -               if (IS_ERR_OR_NULL(kfunc_btf)) {
> +               if (IS_ERR(kfunc_btf))
>                         verbose(env, "cannot find module BTF for func_id %u\n", func_id);
> -                       return kfunc_btf ?: ERR_PTR(-ENOENT);
> -               }
>                 return kfunc_btf;
>         }
>         return btf_vmlinux ?: ERR_PTR(-ENOENT);
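
Review bot: the switch from `IS_ERR_OR_NULL(kfunc_btf)` to `if (IS_ERR(kfunc_btf))` removes the NULL-to-`ERR_PTR(-ENOENT)` fallback, so `return kfunc_btf;` would now hand a NULL from `__find_kfunc_desc_btf()` straight to the caller, and a caller that only tests IS_ERR() would treat it as a valid `struct btf *`. The commit message says the helper never returns NULL, but that invariant is not visible in this hunk; a one-line comment at this call site (or on the helper) stating it would keep a later change to the helper from silently reintroducing a NULL return. A smaller point on the same lines: the `verbose()` message still says "cannot find module BTF" for every error code the helper can return, so it may be worth including `PTR_ERR(kfunc_btf)` in the message or dropping it in favour of the helper's own logging.
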
> --
> 2.33.0
>


