bpf: Fix error path under memory pressure

Restore the 'if (env->cur_state)' check that was incorrectly removed during code move. Under memory pressure env->cur_state can be freed and zeroed inside do_check(). Hence the check is necessary. Fixes: 51c39bb1d5d1 ("bpf: Introduce function-by-function verification") Reported-by: syzbot+b296579ba5015704d9fa@syzkaller.appspotmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Song Liu <songliubraving@fb.com> Link: https://lore.kernel.org/bpf/20200122024138.3385590-1-ast@kernel.org
author: Alexei Starovoitov 2020-01-21 18:41:38 -0800
committer: Daniel Borkmann 2020-01-22 12:09:02 +0100
commit: f59bbfc2f6099e8655f9e8f585e10ffde17176d0 (patch)
tree: 0e3289384ee6ad1a13499afe74509574be73f27c
parent: 05d57f1793fb250c85028c9952c3720010baa853 (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index ca17dccc17ba..6defbec9eb62 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -9594,8 +9594,13 @@ static int do_check_common(struct bpf_verifier_env *env, int subprog)
 
 	ret = do_check(env);
 out:
-	free_verifier_state(env->cur_state, true);
-	env->cur_state = NULL;
+	/* check for NULL is necessary, since cur_state can be freed inside
+	 * do_check() under memory pressure.
+	 */
+	if (env->cur_state) {
+		free_verifier_state(env->cur_state, true);
+		env->cur_state = NULL;
+	}
 	while (!pop_stack(env, NULL, NULL));
 	free_states(env);
 	if (ret)
author	Alexei Starovoitov	2020-01-21 18:41:38 -0800
committer	Daniel Borkmann	2020-01-22 12:09:02 +0100
commit	f59bbfc2f6099e8655f9e8f585e10ffde17176d0 (patch)
tree	0e3289384ee6ad1a13499afe74509574be73f27c
parent	05d57f1793fb250c85028c9952c3720010baa853 (diff)