> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index c6cd6ccb870b..139df8484edb 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
[ ... ]
> +bool btf_type_is_traceable_func(const struct btf *btf, const struct btf_type
> *t)
> +{
[ ... ]
> + /* No support for struct/union return argument type. */
> + t = btf__type_by_id(btf, proto->type);
> + while (t && btf_type_is_modifier(t))
> + t = btf__type_by_id(btf, t->type);
> +
> + if (btf_is_struct(t) || btf_is_union(t))
> + return false;
It looks like t can be NULL after the while loop exits, since
btf__type_by_id() returns NULL for out-of-range type ids.
btf_is_struct() and btf_is_union() would then dereference it.
The kernel's __get_type_size(), which btf_distill_func_proto()
calls for the same purpose, has this after an identical while loop:
kernel/bpf/btf.c:__get_type_size() {
        ...
        while (t && btf_type_is_modifier(t))
                t = btf_type_by_id(btf, t->type);
        if (!t)
                return -EINVAL;
        ...
}
Should there be a similar NULL check here before calling
btf_is_struct(t)?
> +
> + for (i = 0; i < nargs; i++) {
[ ... ]
> + return true;
> +}
---
AI reviewed your patch. Please fix the bug or reply by email explaining why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/23480161822