check_ids() warned when it ran out of idmap slots, assuming this was
impossible because the slots are bounded by the number of registers and
stack slots. That assumption no longer holds: referenced dynptrs acquire
an intermediate reference that lives in refs[] but is not backed by any
register or stack slot [0], so a program can accumulate more reference
ids than the idmap can hold and exhaust it.
Exhaustion is fine for verification correctness. check_ids() already
returns false, which makes the states compare as not equivalent and
prevents unsound pruning. The only effect of the WARN_ON_ONCE() is log
noise, or a panic under panic_on_warn. Drop the warning and keep
returning false.
[0] 308c7a0ae885 ("bpf: Refactor object relationship tracking and fix dynptr UAF bug")
Signed-off-by: Amery Hung <ameryhung@gmail.com>
Link: https://lore.kernel.org/r/20260605202056.1780352-5-ameryhung@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
return true;
}
- /* We ran out of idmap slots, which should be impossible */
- WARN_ON_ONCE(1);
+ /*
+ * idmap slots are bounded by the number of registers and stack slots.
+ * Since referenced dynptrs acquire intermediate references that do
+ * not live in either, so the map can be exhausted. Since it is unlikely,
+ * fail the verification by treating the states as not equivalent.
+ */
return false;
}
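Review bot: The new comment above the final "return false;" says "fail the verification", which does not match what the commit message describes: returning false makes the two states compare as not equivalent and prevents pruning, it does not by itself reject the program. Suggest wording such as "treat the states as not equivalent so that no pruning happens". In the same comment, the sentence "Since referenced dynptrs acquire intermediate references that do not live in either, so the map can be exhausted" uses both "Since" and "so"; drop one of them. The following sentence then starts with "Since" again, which could be reworded to avoid the repetition.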