Re: [PATCH 6.1.y] bpf: Silence a warning in btf_type_id_size()

On Mon, Sep 09, 2024 at 08:09:58PM -0300, Diogo Jahchan Koike wrote:
> From: Yonghong Song <yhs@xxxxxx>
> 
> commit e6c2f594ed961273479505b42040782820190305 upstream.
> 
> syzbot reported a warning in [1] with the following stacktrace:
>   WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
>   ...
>   RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
>   ...
>   Call Trace:
>    <TASK>
>    map_check_btf kernel/bpf/syscall.c:1024 [inline]
>    map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198
>    __sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040
>    __do_sys_bpf kernel/bpf/syscall.c:5162 [inline]
>    __se_sys_bpf kernel/bpf/syscall.c:5160 [inline]
>    __x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160
>    do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>    do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
>    entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> With the following btf
>   [1] DECL_TAG 'a' type_id=4 component_idx=-1
>   [2] PTR '(anon)' type_id=0
>   [3] TYPE_TAG 'a' type_id=2
>   [4] VAR 'a' type_id=3, linkage=static
> and when the bpf_attr.btf_key_type_id = 1 (DECL_TAG),
> the following WARN_ON_ONCE in btf_type_id_size() is triggered:
>   if (WARN_ON_ONCE(!btf_type_is_modifier(size_type) &&
>                    !btf_type_is_var(size_type)))
>           return NULL;
> 
> Note that 'return NULL' is the correct behavior as we don't want
> a DECL_TAG type to be used as a btf_{key,value}_type_id even
> for the case like 'DECL_TAG -> STRUCT'. So there
> is no correctness issue here, we just want to silence the warning.
> 
> To silence the warning, I added DECL_TAG as one of the kinds in
> btf_type_nosize(), which will cause btf_type_id_size() to return
> NULL earlier without the warning.
> 
>   [1] https://lore.kernel.org/bpf/000000000000e0df8d05fc75ba86@xxxxxxxxxx/
> 
> Reported-by: syzbot+958967f249155967d42a@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Yonghong Song <yhs@xxxxxx>
> Link: https://lore.kernel.org/r/20230530205029.264910-1-yhs@xxxxxx
> Signed-off-by: Martin KaFai Lau <martin.lau@xxxxxxxxxx>
> (cherry picked from commit e6c2f594ed961273479505b42040782820190305)
> Signed-off-by: Diogo Jahchan Koike <djahchankoike@xxxxxxxxx>
> ---
>  kernel/bpf/btf.c | 13 +++++++------
>  1 file changed, 7 insertions(+), 6 deletions(-)
> 
> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 7582ec4fd413..2c58a6c3f978 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c
> @@ -466,10 +466,16 @@ static bool btf_type_is_fwd(const struct btf_type *t)
>  	return BTF_INFO_KIND(t->info) == BTF_KIND_FWD;
>  }
>  
> +static bool btf_type_is_decl_tag(const struct btf_type *t)
> +{
> +	return BTF_INFO_KIND(t->info) == BTF_KIND_DECL_TAG;
> +}
> +
>  static bool btf_type_nosize(const struct btf_type *t)
>  {
>  	return btf_type_is_void(t) || btf_type_is_fwd(t) ||
> -	       btf_type_is_func(t) || btf_type_is_func_proto(t);
> +	       btf_type_is_func(t) || btf_type_is_func_proto(t) ||
> +	       btf_type_is_decl_tag(t);
>  }
>  
>  static bool btf_type_nosize_or_null(const struct btf_type *t)
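
Review bot: Adding btf_type_is_decl_tag(t) to btf_type_nosize() changes the answer for every caller of that helper, not only btf_type_id_size(); the trailing context already shows a second user, btf_type_nosize_or_null(). The commit message justifies the early NULL return only for the btf_{key,value}_type_id path, so it would help to state that the other callers were checked and also want DECL_TAG treated as sizeless. A one-line comment above btf_type_nosize() saying that DECL_TAG is listed so that btf_type_id_size() returns NULL before reaching its WARN_ON_ONCE would keep the reason from being lost, since nothing in the code itself explains why a tag kind sits next to void, fwd, func and func_proto.
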
> @@ -492,11 +498,6 @@ static bool btf_type_is_datasec(const struct btf_type *t)
>  	return BTF_INFO_KIND(t->info) == BTF_KIND_DATASEC;
>  }
>  
> -static bool btf_type_is_decl_tag(const struct btf_type *t)
> -{
> -	return BTF_INFO_KIND(t->info) == BTF_KIND_DECL_TAG;
> -}
> -
>  static bool btf_type_is_decl_tag_target(const struct btf_type *t)
>  {
>  	return btf_type_is_func(t) || btf_type_is_struct(t) ||
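
Review bot: The commit message does not say that the btf_type_is_decl_tag() definition deleted here is a pure move, which makes the diffstat (7 insertions, 6 deletions) look larger than the two-line functional change in btf_type_nosize(). The removed body matches the one added in the first hunk line for line, and the move is needed only so the static helper is defined before its new first use; one sentence to that effect would make the backport easier to audit against the upstream commit.
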
> -- 
> 2.43.0
> 
> 

Now queued up, thanks.

greg k-h



