[ Replying to Sashiko:
https://sashiko.dev/?list=org.kernel.vger.linux-trace-kernel#/patchset/20260521225033.56458336%40fedora
]
> > @@ -653,6 +686,20 @@ static int parse_btf_arg(char *varname,
> > return -EOPNOTSUPP;
> > }
> >
> > + if (ctx->flags & TPARG_FL_TEVENT) {
> > + int ret;
> > +
> > + ret = parse_trace_event(varname, code, ctx);
> > + if (ret < 0)
> > + return ret;
> When parse_trace_event() returns a negative error code (such as -EINVAL or
> -ENOENT) because a field name is invalid, the error is propagated back up
> the stack. Does this path miss calling trace_probe_log_err()?
> If so, users might receive a generic failure without context or a caret
> pointing to the specific syntax error.
Hmm, there's a comment in the parse_trace_event() that sets ctx->offset for
backward compatibility. I'll investigate to see if we can fix that now.
> > +
> > + if (ctx->flags & TPARG_FL_TYPECAST) {
> > + type = ctx->last_struct;
> > + goto found_type;
> > + }
> > + return 0;
> > + }
> ...
> > @@ -758,7 +806,70 @@ static int parse_btf_bitfield(struct fetch_insn
> > **pcode,
> > return 0;
> > }
> >
> > +static int handle_typecast(char *arg, struct fetch_insn **pcode,
> > + struct fetch_insn *end,
> > + struct traceprobe_parse_context *ctx)
> > +{
> ...
> > + ctx->flags |= TPARG_FL_TYPECAST;
> > + tmp++;
> > +
> > + ctx->offset += tmp - arg;
> > + ret = parse_btf_arg(tmp, pcode, end, ctx);
> > + ctx->flags &= ~TPARG_FL_TYPECAST;
> Since TPARG_FL_TYPECAST is cleared here, will it break automatic type
> inference later?
> The traceprobe_parse_context is used for subsequent steps like
> find_fetch_type_from_btf_type() and check_prepare_btf_string_fetch(),
> which execute in traceprobe_parse_probe_arg() after this function returns.
> These functions rely on ctx_btf(), which needs TPARG_FL_TYPECAST to be
> set to return ctx->struct_btf.
> > + ctx->last_struct = NULL;
> > +out_put:
> > + btf_put(ctx->struct_btf);
> Because ctx->struct_btf is not set to NULL after calling btf_put(),
> can this cause a refcount underflow and use-after-free?
> If a user creates an eprobe with multiple typecasted arguments, the shared
> traceprobe_parse_context means the second argument will enter
> query_btf_struct() and see ctx->struct_btf is not NULL. It will skip
> acquiring a new reference but still use the pointer. At the end of parsing
> the second argument, btf_put(ctx->struct_btf) will be called again
> unconditionally.
Oops, I forgot to do:
ctx->struct_buf = NULL;
here.
Will fix.
Thanks,
-- Steve
> > + return ret;
> > +}
