Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

bpf: cleanup aux->used_maps after jit

In commit b4ce5923e780 ("bpf, x86: add new map type: instructions array")
env->used_map was copied to func[i]->aux->used_maps before jitting.
Clear these fields out after jitting such that pointers to freed memory
(env->used_maps is freed later) are not kept in a live data structure.

The reason why the copies were initially added is explained in
https://lore.kernel.org/bpf/20251105090410.1250500-1-a.s.protopopov@gmail.com

Suggested-by: Alexei Starovoitov <ast@kernel.org>
Fixes: b4ce5923e780 ("bpf, x86: add new map type: instructions array")
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Link: https://lore.kernel.org/r/20251124151515.2543403-1-a.s.protopopov@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Authored by Anton Protopopov and committed by Alexei Starovoitov
fad80400 c4273208

kernel/bpf/verifier.c (+9)
··· 22266 22266 cond_resched(); 22267 22267 } 22268 22268 22269 + /* 22270 + * Cleanup func[i]->aux fields which aren't required 22271 + * or can become invalid in future 22272 + */ 22273 + for (i = 0; i < env->subprog_cnt; i++) { 22274 + func[i]->aux->used_maps = NULL; 22275 + func[i]->aux->used_map_cnt = 0; 22276 + } 22277 + 22269 22278 /* finally lock prog and jit images for all functions and 22270 22279 * populate kallsysm. Begin at the first subprogram, since 22271 22280 * bpf_prog_load will add the kallsyms for the main program.
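Review bot: the new loop resets func[i]->aux->used_maps and used_map_cnt only on the success path that reaches the "finally lock prog and jit images" block; if the function can return early between the point where env->used_maps was copied into func[i]->aux and this loop, those subprograms keep the dangling pointer on that path too, so either confirm that the error path frees func[i] before env->used_maps is released or move the reset to a place both paths pass through. The comment "which aren't required or can become invalid in future" should also say concretely why (env->used_maps is freed after jitting, per the commit message), e.g. "env->used_maps is freed later; drop the per-subprog copies so no dangling pointer survives in aux", so the next reader does not have to dig up the referenced lore thread to understand the intent.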