| author | Yonghong Song <yonghong.song@linux.dev> | 2026-05-13 07:50:10 +0300 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2026-05-13 19:27:30 +0300 |
| commit | 3ab5bd317ee280b198b00ea2114adaad7a458ef8 (patch) | |
| tree | b84ed039e66bf09cd493895c46ce2258152db0d1 | |
| parent | 78bbe61632f11b1091c03259f92b6559489222ae (diff) | |
| download | linux-3ab5bd317ee280b198b00ea2114adaad7a458ef8.tar.xz | |
bpf: Set sub->arg_cnt earlier in btf_prepare_func_args()

Move the "sub->arg_cnt = nargs" assignment to immediately after
nargs is computed from btf_type_vlen(), instead of at the end of
btf_prepare_func_args().

btf_prepare_func_args() can return -EINVAL early in several cases,
e.g. when a static function has some non-int/enum arguments.
Since -EINVAL from btf_prepare_func_args() does not immediately
reject verification, arg_cnt remains zero after the early return.
This causes later stack argument based load/store insns to
incorrectly assume the function has no arguments.

Setting arg_cnt right after nargs ensures it is available regardless
of which path btf_prepare_func_args() takes.

Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20260513045010.2384635-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

| -rw-r--r-- | kernel/bpf/btf.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index a6bf4781943c..099d7ca5a980 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c @@ -7864,6 +7864,7 @@ int btf_prepare_func_args(struct bpf_verifier_env *env, int subprog) } args = (const struct btf_param *)(t + 1); nargs = btf_type_vlen(t); + sub->arg_cnt = nargs; if (nargs > MAX_BPF_FUNC_REG_ARGS) { if (!is_global) return -EINVAL; @@ -8051,7 +8052,6 @@ skip_pointer: return -EINVAL; } - sub->arg_cnt = nargs; sub->args_cached = true; return 0; |
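
Review bot: In the first hunk, `sub->arg_cnt = nargs;` now runs before the `nargs > MAX_BPF_FUNC_REG_ARGS` check, so on the `!is_global` path that returns -EINVAL, arg_cnt keeps a value larger than MAX_BPF_FUNC_REG_ARGS. Before this change arg_cnt was written only at the end of the function, after that check had passed. Any reader that uses arg_cnt as a loop bound or index has to tolerate the larger value or also test args_cached. A short comment at the assignment, stating that arg_cnt is the raw BTF parameter count and is set even when the function returns an error, would make that contract explicit.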
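
Review bot: With `sub->arg_cnt = nargs;` removed from the tail in the second hunk, `sub->args_cached = true;` is the only state left that marks a successful return, and a non-zero arg_cnt no longer implies that the rest of btf_prepare_func_args() completed. That split deserves a comment where the two fields are declared. The diffstat also shows only kernel/bpf/btf.c changed: a selftest for the case named in the commit message (a static function with non-int/enum arguments, followed by stack argument based load/store) would pin the behaviour, and the message carries no Fixes: tag to tell backporters which commit introduced the problem.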
