propagate_to_outer_instance() calls get_outer_instance() and then uses the
returned pointer to reset/commit stack write marks. When get_outer_instance()
fails (e.g., __lookup_instance() returns -ENOMEM), it may return an ERR_PTR.
Without a check, the code dereferences this error pointer.
Protect the call with IS_ERR() and propagate the error.
Reported-by: kernel-patches-review-bot (https://github.com/kernel-patches/bpf/pull/10006#issuecomment-3409419240)
Signed-off-by: Shardul Bankar <shardulsb08@gmail.com>
v2: Drop Fixes tag per Eduard’s review (not a functional bug).
---
kernel/bpf/liveness.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/liveness.c b/kernel/bpf/liveness.c
index 3c611aba7f52..ae31f9ee4994 100644
--- a/kernel/bpf/liveness.c
+++ b/kernel/bpf/liveness.c
@@ -522,6 +522,8 @@ static int propagate_to_outer_instance(struct bpf_verifier_env *env,
this_subprog_start = callchain_subprog_start(callchain);
outer_instance = get_outer_instance(env, instance);
+ if (IS_ERR(outer_instance))
+ return PTR_ERR(outer_instance);
callsite = callchain->callsites[callchain->curframe - 1];
reset_stack_write_marks(env, outer_instance, callsite);
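Review bot: The commit message claims "Without a check, the code dereferences this error pointer", but the v2 note on the same patch says this is not a functional bug; the two statements contradict each other, and the check added after `outer_instance = get_outer_instance(env, instance);` should be described for what it is, a defensive IS_ERR() check that keeps the caller consistent with the ERR_PTR convention and silences the review-bot report, rather than as a fix for a reachable dereference. If get_outer_instance() cannot fail on this path, a one-line comment above `if (IS_ERR(outer_instance))` saying so would save the next reader from asking the same question.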
--
2.34.1
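As an added illustration (not kernel code and not part of this thread), the block below models the kernel's ERR_PTR/IS_ERR/PTR_ERR convention in userspace and shows why an unchecked error pointer is dangerous: the encoded errno looks like an ordinary address to the compiler. The `struct instance`, `pool`, `fail_lookup` and the stand-in `get_outer_instance()` are hypothetical and constructed for the example; only the check-then-use shape mirrors the patch.

```c
/* Userspace model of the kernel helpers from include/linux/err.h and of
 * the checked call shape in the patch. Everything here is a constructed
 * stand-in, not the verifier's real data structures. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_ERRNO 4095

/* A negative errno cast to a pointer lands in the top page of the
 * address space, which no real allocation ever occupies. */
static inline void *ERR_PTR(long error) { return (void *)error; }
static inline long PTR_ERR(const void *ptr) { return (long)ptr; }
static inline int IS_ERR(const void *ptr)
{
    return (unsigned long)ptr >= (unsigned long)-MAX_ERRNO;
}

/* Hypothetical stand-in for a liveness instance. */
struct instance { int write_marks; };

static struct instance pool[2];
static int fail_lookup;   /* constructed knob: make the lookup fail with -ENOMEM */

/* Stand-in for get_outer_instance(): a real pointer or ERR_PTR(-ENOMEM). */
static struct instance *get_outer_instance(int idx)
{
    if (fail_lookup)
        return ERR_PTR(-ENOMEM);
    return &pool[idx];
}

/* Mirrors the patched shape: test the return before touching it. */
static int propagate_to_outer_instance(int idx)
{
    struct instance *outer = get_outer_instance(idx);

    if (IS_ERR(outer))
        return (int)PTR_ERR(outer);   /* hand -ENOMEM back to the caller */
    outer->write_marks++;             /* safe: outer is a real object */
    return 0;
}

int main(void)
{
    fail_lookup = 0;
    printf("success path returns %d\n", propagate_to_outer_instance(0));
    fail_lookup = 1;
    printf("error path returns %d (-ENOMEM is %d)\n",
           propagate_to_outer_instance(0), -ENOMEM);
    return 0;
}
```

Without the IS_ERR() branch, the failing case would write through an address near the top of the address space, which is exactly the dereference the review bot flagged.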
On Mon, 2025-10-20 at 11:37 +0530, Shardul Bankar wrote:
> propagate_to_outer_instance() calls get_outer_instance() and then uses the
> returned pointer to reset/commit stack write marks. When get_outer_instance()
> fails (e.g., __lookup_instance() returns -ENOMEM), it may return an ERR_PTR.
> Without a check, the code dereferences this error pointer.

This description is misleading.
The only reasons for this patch to land are:
- reduce cognitive load to avoid thinking about special case;
- silence the false-positive notices from the tooling.

That's what has to be reflected in the description.

>
> Protect the call with IS_ERR() and propagate the error.
>
> Reported-by: kernel-patches-review-bot (https://github.com/kernel-patches/bpf/pull/10006#issuecomment-3409419240)
> Signed-off-by: Shardul Bankar <shardulsb08@gmail.com>
> v2: Drop Fixes tag per Eduard’s review (not a functional bug).
> ---
> kernel/bpf/liveness.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/kernel/bpf/liveness.c b/kernel/bpf/liveness.c
> index 3c611aba7f52..ae31f9ee4994 100644
> --- a/kernel/bpf/liveness.c
> +++ b/kernel/bpf/liveness.c
> @@ -522,6 +522,8 @@ static int propagate_to_outer_instance(struct bpf_verifier_env *env,
>
> this_subprog_start = callchain_subprog_start(callchain);
> outer_instance = get_outer_instance(env, instance);
> + if (IS_ERR(outer_instance))
> + return PTR_ERR(outer_instance);
> callsite = callchain->callsites[callchain->curframe - 1];
>
> reset_stack_write_marks(env, outer_instance, callsite);
On Mon, 2025-10-20 at 20:26 -0700, Eduard Zingerman wrote:
> This description is misleading.
> The only reasons for this patch to land are:
> - reduce cognitive load to avoid thinking about special case;
> - silence the false-positive notices from the tooling.

Thanks, Eduard. I’ve updated the commit message in v3 to reflect your points — the patch now clarifies intent and notes that it reduces cognitive load and silences tooling false positives. No functional change is claimed.

Link: https://lore.kernel.org/all/20251021080849.860072-1-shardulsb08@gmail.com/

Thanks again for the detailed review,
Shardul