Commit fad80400 authored Nov 24, 2025 by Anton Protopopov Committed by Alexei Starovoitov Nov 24, 2025

bpf: cleanup aux->used_maps after jit

In commit b4ce5923 ("bpf, x86: add new map type: instructions array")
env->used_map was copied to func[i]->aux->used_maps before jitting.
Clear these fields out after jitting such that pointer to freed memory
(env->used_maps is freed later) are not kept in a live data structure.

The reason why the copies were initially added is explained in
https://lore.kernel.org/bpf/20251105090410.1250500-1-a.s.protopopov@gmail.com



Suggested-by: Alexei Starovoitov <ast@kernel.org>
Fixes: b4ce5923 ("bpf, x86: add new map type: instructions array")
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Link: https://lore.kernel.org/r/20251124151515.2543403-1-a.s.protopopov@gmail.com


Signed-off-by: Alexei Starovoitov <ast@kernel.org>

parent c4273208

kernel/bpf/verifier.c

+9 −0

Original line number	Diff line number	Diff line
		@@ -22266,6 +22266,15 @@ static int jit_subprogs(struct bpf_verifier_env *env)
		cond_resched();
		}

		/*
		* Cleanup func[i]->aux fields which aren't required
		* or can become invalid in future
		*/
		for (i = 0; i < env->subprog_cnt; i++) {
		func[i]->aux->used_maps = NULL;
		func[i]->aux->used_map_cnt = 0;
		}

		/* finally lock prog and jit images for all functions and
		* populate kallsysm. Begin at the first subprogram, since
		* bpf_prog_load will add the kallsyms for the main program.