When acquiring references for struct_ops program arguments tagged with
"__ref", the return value of acquire_reference() was stored directly
into u32 ctx_arg_info[i].ref_id without checking for failure.
acquire_reference() returns -ENOMEM when acquire_reference_state() fails
to allocate, so the error was silently stored as a ref_id instead of
aborting verification. Fix it by checking the return.
Fixes: a687df2008f6 ("bpf: Support getting referenced kptr from struct_ops argument")
Signed-off-by: Amery Hung <ameryhung@gmail.com>
Link: https://lore.kernel.org/r/20260605202056.1780352-3-ameryhung@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
/* Acquire references for struct_ops program arguments tagged with "__ref" */
if (!subprog && env->prog->type == BPF_PROG_TYPE_STRUCT_OPS) {
- for (i = 0; i < aux->ctx_arg_info_size; i++)
- aux->ctx_arg_info[i].ref_id = aux->ctx_arg_info[i].refcounted ?
- acquire_reference(env, 0, 0) : 0;
+ for (i = 0; i < aux->ctx_arg_info_size; i++) {
+ ret = aux->ctx_arg_info[i].refcounted ? acquire_reference(env, 0, 0) : 0;
+ if (ret < 0)
+ goto out;
+
+ aux->ctx_arg_info[i].ref_id = ret;
+ }
}
ret = do_check(env);
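Review bot: the `goto out` on a failed acquire_reference() leaves the ref_id values written by earlier iterations of this loop in place in aux->ctx_arg_info, and the references acquired for those earlier arguments are still recorded in the verifier state; please confirm that the `out` label frees the verifier env (so those reference_state entries are released) and that a failed verification discards the prog along with its aux, otherwise a stale ref_id could be observed on a later pass. The storage fix itself is right: acquire_reference() returns a negative errno on failure, and assigning it straight into the u32 ref_id turned -ENOMEM into a large bogus id, so checking `ret < 0` before `aux->ctx_arg_info[i].ref_id = ret;` is the correct ordering. One readability nit: the ternary that yields 0 for non-refcounted arguments now also runs through the `ret < 0` test; an `if (!aux->ctx_arg_info[i].refcounted) continue;` at the top of the loop body would make it obvious that only refcounted arguments can fail here.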