On Tue, Mar 24, 2026 at 08:58:39AM +0000, [email protected] wrote:
> > diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> > index c6cd6ccb870b..139df8484edb 100644
> > --- a/tools/lib/bpf/libbpf.c
> > +++ b/tools/lib/bpf/libbpf.c
>
> [ ... ]
>
> > +bool btf_type_is_traceable_func(const struct btf *btf, const struct
> > btf_type *t)
> > +{
>
> [ ... ]
>
> > + /* No support for struct/union return argument type. */
> > + t = btf__type_by_id(btf, proto->type);
> > + while (t && btf_type_is_modifier(t))
> > + t = btf__type_by_id(btf, t->type);
> > +
> > + if (btf_is_struct(t) || btf_is_union(t))
> > + return false;
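Review bot: the `while (t && btf_type_is_modifier(t))` guard admits a NULL t, but the next statement `if (btf_is_struct(t) || btf_is_union(t))` dereferences t unconditionally, so the two lines disagree about whether proto->type can fail to resolve. Either add `if (!t) return false;` right after the loop (the same shape as the `if (!t) return -EINVAL;` in the kernel's __get_type_size()), or drop the `t &&` guard if a valid proto->type is an invariant here; as written the guard implies a path that the following line does not handle.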
>
> It looks like t can be NULL after the while loop exits, since
> btf__type_by_id() returns NULL for out-of-range type ids.
> btf_is_struct() and btf_is_union() would then dereference it.
>
> The kernel's __get_type_size(), which btf_distill_func_proto()
> calls for the same purpose, has this after an identical while loop:
>
> kernel/bpf/btf.c:__get_type_size() {
> ...
> while (t && btf_type_is_modifier(t))
> t = btf_type_by_id(btf, t->type);
> if (!t)
> return -EINVAL;
> ...
> }
>
> Should there be a similar NULL check here before calling
> btf_is_struct(t)?
I don't think so, __get_type_size has btf_id as argument, so it needs
to be cautious, but the while loop in here takes the type from the proto->type id,
which must exist unless we have broken BTF data
jirka
>
> > +
> > + for (i = 0; i < nargs; i++) {
>
> [ ... ]
>
> > + return true;
> > +}
>
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/23480161822