git.ipfire.org Git - thirdparty/linux.git/commitdiff
bpf: Do not increment tailcall count when prog is NULL
author Hari Bathini <hbathini@linux.ibm.com>
Fri, 20 Feb 2026 06:29:58 +0000 (11:59 +0530)
committer Alexei Starovoitov <ast@kernel.org>
Tue, 24 Feb 2026 18:34:16 +0000 (10:34 -0800)
Currently, tailcall count is incremented in the interpreter even when
tailcall fails due to non-existent prog. Fix this by holding off on
the tailcall count increment until after NULL check on the prog.

Suggested-by: Ilya Leoshkevich <iii@linux.ibm.com>
Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
Link: https://lore.kernel.org/r/20260220062959.195101-1-hbathini@linux.ibm.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
kernel/bpf/core.c

index 3ece2da55625cb9a7d4d5f46ce00dd2678892356..229c74f3d6ae7a07cb0101a9f8d6a3b8f6377612 100644 (file)
@@ -2060,12 +2060,12 @@ select_insn:
                if (unlikely(tail_call_cnt >= MAX_TAIL_CALL_CNT))
                        goto out;
 
-               tail_call_cnt++;
-
                prog = READ_ONCE(array->ptrs[index]);
                if (!prog)
                        goto out;
 
+               tail_call_cnt++;
+
                /* ARG1 at this point is guaranteed to point to CTX from
                 * the verifier side due to the fact that the tail call is
                 * handled like a helper, that is, bpf_tail_call_proto,
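
Review bot: The relocated `tail_call_cnt++` after `if (!prog) goto out;` carries no comment explaining why it must follow the NULL check, so a later cleanup could hoist it back next to the `MAX_TAIL_CALL_CNT` test without anyone noticing; a one-line comment stating that only tail calls that actually transfer control are counted would pin the ordering down. The commit message names only the interpreter, so it would help to say whether the JIT back ends already count this way, and to add a selftest that tail-calls into an empty `array->ptrs[index]` slot and checks that the budget is not consumed. The limit test itself still runs before the slot is read, so a program already at `MAX_TAIL_CALL_CNT` exits through `out` as before.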