]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commit - kernel/bpf/core.c
projects / mirror_ubuntu-jammy-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 5133498) | patch
bpf: Fix missing prog untrack in release_maps
authorDaniel Borkmann <daniel@iogearbox.net>
Mon, 16 Dec 2019 16:49:00 +0000 (17:49 +0100)
committerAlexei Starovoitov <ast@kernel.org>
Mon, 16 Dec 2019 18:59:29 +0000 (10:59 -0800)
commita2ea07465c8d7984cc6b8b1f0b3324f9b138094a
treeffc04818616b047ecbd2b64f1ae3d9c33108a727tree
parent5133498f4ad1123a5ffd4c08df6431dab882cc32commit | diff
bpf: Fix missing prog untrack in release_maps

Commit da765a2f5993 ("bpf: Add poke dependency tracking for prog array
maps") wrongly assumed that in case of prog load errors, we're cleaning
up all program tracking via bpf_free_used_maps().

However, it can happen that we're still at the point where we didn't copy
map pointers into the prog's aux section such that env->prog->aux->used_maps
is still zero, running into a UAF. In such case, the verifier has similar
release_maps() helper that drops references to used maps from its env.

Consolidate the release code into __bpf_free_used_maps() and call it from
all sides to fix it.

Fixes: da765a2f5993 ("bpf: Add poke dependency tracking for prog array maps")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/1c2909484ca524ae9f55109b06f22b6213e76376.1576514756.git.daniel@iogearbox.net
include/linux/bpf.h diff | blob | blame | history
kernel/bpf/core.c diff | blob | blame | history
kernel/bpf/verifier.c diff | blob | blame | history
Ubuntu Jammy Linux kernel mirror