]> git.baikalelectronics.ru Git - kernel.git/commit
projects / kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7a7ce5d) | patch
bpf: Fix missing prog untrack in release_maps
authorDaniel Borkmann <daniel@iogearbox.net>
Mon, 16 Dec 2019 16:49:00 +0000 (17:49 +0100)
committerAlexei Starovoitov <ast@kernel.org>
Mon, 16 Dec 2019 18:59:29 +0000 (10:59 -0800)
commit22d051f9ad939b7ec20b860d6ed3c9c02cd7451a
treeffc04818616b047ecbd2b64f1ae3d9c33108a727tree | snapshot
parent7a7ce5d02a1408b9ad65a40f59c4fb898fb8e1a2commit | diff
bpf: Fix missing prog untrack in release_maps

Commit d50dbe86b9d4 ("bpf: Add poke dependency tracking for prog array
maps") wrongly assumed that in case of prog load errors, we're cleaning
up all program tracking via bpf_free_used_maps().

However, it can happen that we're still at the point where we didn't copy
map pointers into the prog's aux section such that env->prog->aux->used_maps
is still zero, running into a UAF. In such case, the verifier has similar
release_maps() helper that drops references to used maps from its env.

Consolidate the release code into __bpf_free_used_maps() and call it from
all sides to fix it.

Fixes: d50dbe86b9d4 ("bpf: Add poke dependency tracking for prog array maps")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/1c2909484ca524ae9f55109b06f22b6213e76376.1576514756.git.daniel@iogearbox.net
include/linux/bpf.h diff | blob | history
kernel/bpf/core.c diff | blob | history
kernel/bpf/verifier.c diff | blob | history
Linux Kernel Source Tree.