BPF List
* [PATCH v2 bpf] bpf: liveness: Handle ERR_PTR from get_outer_instance() in propagate_to_outer_instance()
@ 2025-10-20  6:07 Shardul Bankar
  2025-10-21  3:26 ` Eduard Zingerman
  0 siblings, 1 reply; 3+ messages in thread
From: Shardul Bankar @ 2025-10-20  6:07 UTC (permalink / raw)
  To: bpf
  Cc: shardulsb08, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Martin KaFai Lau, Eduard Zingerman, Song Liu, Yonghong Song,
	John Fastabend, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa,
	open list

propagate_to_outer_instance() calls get_outer_instance() and then uses the
returned pointer to reset/commit stack write marks. When get_outer_instance()
fails (e.g., __lookup_instance() returns -ENOMEM), it may return an ERR_PTR.
Without a check, the code dereferences this error pointer.

Protect the call with IS_ERR() and propagate the error.

Reported-by: kernel-patches-review-bot (https://github.com/kernel-patches/bpf/pull/10006#issuecomment-3409419240)
Signed-off-by: Shardul Bankar <shardulsb08@gmail.com>
v2: Drop Fixes tag per Eduard’s review (not a functional bug).
---
 kernel/bpf/liveness.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/kernel/bpf/liveness.c b/kernel/bpf/liveness.c
index 3c611aba7f52..ae31f9ee4994 100644
--- a/kernel/bpf/liveness.c
+++ b/kernel/bpf/liveness.c
@@ -522,6 +522,8 @@ static int propagate_to_outer_instance(struct bpf_verifier_env *env,
 
 	this_subprog_start = callchain_subprog_start(callchain);
 	outer_instance = get_outer_instance(env, instance);
+	if (IS_ERR(outer_instance))
+		return PTR_ERR(outer_instance);
 	callsite = callchain->callsites[callchain->curframe - 1];
 
 	reset_stack_write_marks(env, outer_instance, callsite);
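Review bot: the added `if (IS_ERR(outer_instance))` check is placed correctly, after the `get_outer_instance()` call and before `outer_instance` reaches `reset_stack_write_marks()`, but the commit text around it is inconsistent. The description says the code dereferences the error pointer, while the `v2:` line says this is not a functional bug. State one or the other. The `v2:` changelog line also sits above the `---` separator, so it would be committed with the message; move it below the `---`.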
-- 
2.34.1
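
The ERR_PTR convention the commit message refers to, as an added userspace example that is not part of the patch or of kernel/bpf/liveness.c. The three helpers are re-implemented stand-ins for the kernel's `<linux/err.h>`, and `struct instance`, `lookup_outer()` and `propagate()` are hypothetical names.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace stand-ins for the kernel's <linux/err.h> helpers (assumption). */
#define MAX_ERRNO 4095
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p)
{
	/* The top MAX_ERRNO addresses are reserved for encoded errnos. */
	return (uintptr_t)p >= (uintptr_t)-MAX_ERRNO;
}

/* Hypothetical type; not the verifier's own structure. */
struct instance { int write_marks; };

/* Returns a valid instance, or a negative errno encoded in the pointer. */
static struct instance *lookup_outer(int simulate_oom)
{
	struct instance *inst;

	if (simulate_oom)
		return ERR_PTR(-ENOMEM);
	inst = calloc(1, sizeof(*inst));
	return inst ? inst : ERR_PTR(-ENOMEM);
}

/* Caller in the shape of the patched function: check first, then use. */
static int propagate(int simulate_oom)
{
	struct instance *outer = lookup_outer(simulate_oom);

	if (IS_ERR(outer))
		return PTR_ERR(outer); /* an encoded errno is never dereferenced */
	outer->write_marks = 0;
	free(outer);
	return 0;
}

int main(void)
{
	printf("ok path:  %d\n", propagate(0));
	printf("oom path: %d (-ENOMEM is %d)\n", propagate(1), -ENOMEM);
	return 0;
}
```

`IS_ERR()` is false for `NULL`, so a function that can return either `NULL` or an encoded errno needs both cases handled by its caller.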



* Re: [PATCH v2 bpf] bpf: liveness: Handle ERR_PTR from get_outer_instance() in propagate_to_outer_instance()
  2025-10-20  6:07 [PATCH v2 bpf] bpf: liveness: Handle ERR_PTR from get_outer_instance() in propagate_to_outer_instance() Shardul Bankar
@ 2025-10-21  3:26 ` Eduard Zingerman
  2025-10-21  8:10   ` Shardul Bankar
  0 siblings, 1 reply; 3+ messages in thread
From: Eduard Zingerman @ 2025-10-21  3:26 UTC (permalink / raw)
  To: Shardul Bankar, bpf
  Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
	KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, open list

On Mon, 2025-10-20 at 11:37 +0530, Shardul Bankar wrote:
> propagate_to_outer_instance() calls get_outer_instance() and then uses the
> returned pointer to reset/commit stack write marks. When get_outer_instance()
> fails (e.g., __lookup_instance() returns -ENOMEM), it may return an ERR_PTR.
> Without a check, the code dereferences this error pointer.

This description is misleading.
The only reasons for this patch to land are:
- reduce cognitive load to avoid thinking about special case;
- silence the false-positive notices from the tooling.

That's what has to be reflected in the description.

> 
> Protect the call with IS_ERR() and propagate the error.
> 
> Reported-by: kernel-patches-review-bot (https://github.com/kernel-patches/bpf/pull/10006#issuecomment-3409419240)
> Signed-off-by: Shardul Bankar <shardulsb08@gmail.com>
> v2: Drop Fixes tag per Eduard’s review (not a functional bug).
> ---
>  kernel/bpf/liveness.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/kernel/bpf/liveness.c b/kernel/bpf/liveness.c
> index 3c611aba7f52..ae31f9ee4994 100644
> --- a/kernel/bpf/liveness.c
> +++ b/kernel/bpf/liveness.c
> @@ -522,6 +522,8 @@ static int propagate_to_outer_instance(struct bpf_verifier_env *env,
>  
>  	this_subprog_start = callchain_subprog_start(callchain);
>  	outer_instance = get_outer_instance(env, instance);
> +	if (IS_ERR(outer_instance))
> +		return PTR_ERR(outer_instance);
>  	callsite = callchain->callsites[callchain->curframe - 1];
>  
>  	reset_stack_write_marks(env, outer_instance, callsite);
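Review bot: the two added lines at `if (IS_ERR(outer_instance))` carry no comment, and the review above gives their only purpose as reducing cognitive load and silencing tooling false positives. A one-line comment above the check saying it is defensive would keep a later reader from taking it as evidence of a real failure path, or from removing it as dead code.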


* Re: [PATCH v2 bpf] bpf: liveness: Handle ERR_PTR from get_outer_instance() in propagate_to_outer_instance()
  2025-10-21  3:26 ` Eduard Zingerman
@ 2025-10-21  8:10   ` Shardul Bankar
  0 siblings, 0 replies; 3+ messages in thread
From: Shardul Bankar @ 2025-10-21  8:10 UTC (permalink / raw)
  To: Eduard Zingerman, bpf
  Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
	Martin KaFai Lau, Song Liu, Yonghong Song, John Fastabend,
	KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, open list

On Mon, 2025-10-20 at 20:26 -0700, Eduard Zingerman wrote:
> This description is misleading.
> The only reasons for this patch to land are:
> - reduce cognitive load to avoid thinking about special case;
> - silence the false-positive notices from the tooling.

Thanks, Eduard.
I’ve updated the commit message in v3 to reflect your points — the
patch now clarifies intent and notes that it reduces cognitive load and
silences tooling false positives.
No functional change is claimed.

Link:
https://lore.kernel.org/all/20251021080849.860072-1-shardulsb08@gmail.com/

Thanks again for the detailed review,
Shardul

