[PATCH] bpf: Fix signedness bug
From: Ethan Tidmore
Date: Fri Jun 05 2026 - 22:46:36 EST

The function acquire_reference() returns negative error codes and 'id'
is an unsigned integer, so the check (id < 0) is always impossible.

Detected by Smatch:
kernel/bpf/verifier.c:13115 check_kfunc_call()
warn: unsigned 'id' is never less than zero.

Fixes: 308c7a0ae8859 ("bpf: Refactor object relationship tracking and fix dynptr UAF bug")
Signed-off-by: Ethan Tidmore <ethantidmore06@xxxxxxxxx>
---
kernel/bpf/verifier.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 8ed484cb1a8a..aa8f10fce071 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -13111,9 +13111,11 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
}
mark_btf_func_reg_size(env, BPF_REG_0, sizeof(void *));
if (is_kfunc_acquire(&meta)) {
- id = acquire_reference(env, insn_idx, 0);
- if (id < 0)
- return id;
+ err = acquire_reference(env, insn_idx, 0);
+ if (err < 0)
+ return err;
+ id = err;
+
regs[BPF_REG_0].id = id;
} else if (is_rbtree_node_type(ptr_type) || is_list_node_type(ptr_type)) {
ref_set_non_owning(env, ®s[BPF_REG_0]);
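Review bot: in the is_kfunc_acquire() branch, `id = err;` only carries the value one line further to `regs[BPF_REG_0].id = id;`, with an added blank line between the two. If `id` is not read again after this branch, drop the temporary and assign `regs[BPF_REG_0].id = err;` directly once `err < 0` has been ruled out; otherwise remove the added blank line so the assignment sits next to its use. The hunk adds no declaration for `err`, so it relies on one already present in check_kfunc_call(); please confirm that variable is a signed int, since the fix only works if the comparison `err < 0` is done on a signed type.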
--
Thanks,
ET
https://github.com/sponsors/ethantidmore