On Fri, 18 Apr 2025 at 09:49, Shung-Hsi Yu <shung-hsi.yu@xxxxxxxx> wrote: > > The calculation of the index used to access the mask field in 'struct > bpf_raw_tp_null_args' is done with 'int' type, which could overflow when > the tracepoint being attached has more than 8 arguments. > > While none of the tracepoints mentioned in raw_tp_null_args[] currently > have more than 8 arguments, there do exist tracepoints that had more > than 8 arguments (e.g. iocost_iocg_forgive_debt), so use the correct > type for calculation and avoid Smatch static checker warning. > > Cc: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx> > Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> > Closes: https://lore.kernel.org/r/843a3b94-d53d-42db-93d4-be10a4090146@stanley.mountain/ > Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@xxxxxxxx> > --- Not sure how I missed this, but thanks for fixing. Acked-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx> > kernel/bpf/btf.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c > index 16ba36f34dfa..656ee11aff67 100644 > --- a/kernel/bpf/btf.c > +++ b/kernel/bpf/btf.c > @@ -6829,10 +6829,10 @@ bool btf_ctx_access(int off, int size, enum bpf_access_type type, > /* Is this a func with potential NULL args? */ > if (strcmp(tname, raw_tp_null_args[i].func)) > continue; > - if (raw_tp_null_args[i].mask & (0x1 << (arg * 4))) > + if (raw_tp_null_args[i].mask & (0x1ULL << (arg * 4))) > info->reg_type |= PTR_MAYBE_NULL; > /* Is the current arg IS_ERR? */ > - if (raw_tp_null_args[i].mask & (0x2 << (arg * 4))) > + if (raw_tp_null_args[i].mask & (0x2ULL << (arg * 4))) > ptr_err_raw_tp = true; > break; > } > -- > 2.49.0 >
