authorYonghong Song <yonghong.song@linux.dev>2026-05-13 07:50:10 +0300
committerAlexei Starovoitov <ast@kernel.org>2026-05-13 19:27:30 +0300
commit3ab5bd317ee280b198b00ea2114adaad7a458ef8 (patch)
treeb84ed039e66bf09cd493895c46ce2258152db0d1
parent78bbe61632f11b1091c03259f92b6559489222ae (diff)
downloadlinux-3ab5bd317ee280b198b00ea2114adaad7a458ef8.tar.xz
bpf: Set sub->arg_cnt earlier in btf_prepare_func_args()
Move the "sub->arg_cnt = nargs" assignment to immediately after nargs is computed from btf_type_vlen(), instead of at the end of btf_prepare_func_args(). btf_prepare_func_args() can return -EINVAL early in several cases, e.g. when a static function has some non-int/enum arguments. Since -EINVAL from btf_prepare_func_args() does not immediately reject verification, arg_cnt remains zero after the early return. This causes later stack argument based load/store insns to incorrectly assume the function has no arguments. Setting arg_cnt right after nargs ensures it is available regardless of which path btf_prepare_func_args() takes. Signed-off-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20260513045010.2384635-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-rw-r--r--kernel/bpf/btf.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
index a6bf4781943c..099d7ca5a980 100644
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -7864,6 +7864,7 @@ int btf_prepare_func_args(struct bpf_verifier_env *env, int subprog)
}
args = (const struct btf_param *)(t + 1);
nargs = btf_type_vlen(t);
+ sub->arg_cnt = nargs;
if (nargs > MAX_BPF_FUNC_REG_ARGS) {
if (!is_global)
return -EINVAL;
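Review bot: With the assignment placed ahead of the `nargs > MAX_BPF_FUNC_REG_ARGS` check, the non-global `return -EINVAL` path just below now leaves `sub->arg_cnt` holding a count above that limit while `sub->args_cached` stays false. Any consumer that uses `arg_cnt` as a loop bound or index into per-argument state sized by `MAX_BPF_FUNC_REG_ARGS` would then step past that state; those consumers are not visible in this hunk, so this is something to confirm against the readers of `arg_cnt` rather than a confirmed defect. Either way the new invariant deserves a comment on the added line, e.g. `/* Set before any early return: valid even when args_cached is false, and may exceed MAX_BPF_FUNC_REG_ARGS. */`. The body of btf_prepare_func_args() starts and ends outside the hunk.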
@@ -8051,7 +8052,6 @@ skip_pointer:
return -EINVAL;
}
- sub->arg_cnt = nargs;
sub->args_cached = true;
return 0;