Before handling the tail call in record_func_key(), we check that the
map is of the expected type and log a verifier error if it isn't. Such
an error however doesn't indicate anything wrong with the verifier. The
check for map<>func compatibility is done after record_func_key(), by
check_map_func_compatibility().
Therefore, this patch logs the error as a typical reject instead of a
verifier error.
Fixes: d2e4c1e6c294 ("bpf: Constant map key tracking for prog array pokes")
Fixes: 0df1a55afa83 ("bpf: Warn on internal verifier errors")
Reported-by: syzbot+efb099d5833bca355e51@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Paul Chaignon <paul.chaignon@xxxxxxxxx>
---
Note: I'm sending this to bpf-next and not bpf because the warning
addition from commit 0df1a55afa83 didn't make it into bpf yet.
kernel/bpf/verifier.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 52e36fd23f40..c71e75e4740a 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -11081,8 +11081,8 @@ record_func_key(struct bpf_verifier_env *env, struct bpf_call_arg_meta *meta,
if (func_id != BPF_FUNC_tail_call)
return 0;
if (!map || map->map_type != BPF_MAP_TYPE_PROG_ARRAY) {
- verifier_bug(env, "expected array map for tail call");
- return -EFAULT;
+ verbose(env, "expected prog array map for tail call");
+ return -EINVAL;
}
reg = ®s[BPF_REG_3];
--
2.43.0
