On 12/16/19 8:49 AM, Daniel Borkmann wrote:
> Commit da765a2f5993 ("bpf: Add poke dependency tracking for prog array
> maps") wrongly assumed that in case of prog load errors, we're cleaning
> up all program tracking via bpf_free_used_maps().
>
> However, it can happen that we're still at the point where we didn't copy
> map pointers into the prog's aux section such that env->prog->aux->used_maps
> is still zero, running into a UAF. In such case, the verifier has similar
> release_maps() helper that drops references to used maps from its env.
>
> Consolidate the release code into __bpf_free_used_maps() and call it from
> all sides to fix it.
>
> Fixes: da765a2f5993 ("bpf: Add poke dependency tracking for prog array maps")
> Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>

Acked-by: Yonghong Song <yhs@xxxxxx>
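The failure mode in the commit message above, as an added userspace model that is not the kernel's code and not part of this thread: a prog array map keeps pointers to every prog that references it (the poke dependency), the verifier holds map references in its env until they are copied into prog->aux, and a load that fails before that copy leaves aux->used_map_cnt at zero. The pre-fix release_maps() only dropped the map reference, so the map kept a pointer to the soon-to-be-freed aux; a consolidated helper that untracks and then puts, called from the env side as well, removes it. Struct layouts, field names, the `is_prog_array` flag and the `failed_load*` drivers are simplifications chosen here, not kernel definitions.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned int u32;
#define MAX_MAPS 4

struct bpf_prog_aux;

/* Model of a prog array map: it records which progs reference it so their
 * tail-call sites can be patched when entries change (poke tracking). */
struct bpf_map {
	int refcnt;                                /* 1 = the user's fd */
	int is_prog_array;                         /* simplification: flag instead of map ops */
	struct bpf_prog_aux *poke_progs[MAX_MAPS];
	u32 poke_cnt;
};

struct bpf_prog_aux {
	struct bpf_map *used_maps[MAX_MAPS];
	u32 used_map_cnt;                          /* stays 0 if load fails early */
};

/* Verifier-side tracking; copied into aux only late in verification. */
struct bpf_verifier_env {
	struct bpf_prog_aux *aux;
	struct bpf_map *used_maps[MAX_MAPS];
	u32 used_map_cnt;
};

static void map_poke_track(struct bpf_map *map, struct bpf_prog_aux *aux)
{
	if (map->poke_cnt < MAX_MAPS)
		map->poke_progs[map->poke_cnt++] = aux;
}

static void map_poke_untrack(struct bpf_map *map, struct bpf_prog_aux *aux)
{
	u32 i;

	for (i = 0; i < map->poke_cnt; i++) {
		if (map->poke_progs[i] == aux) {
			map->poke_progs[i] = map->poke_progs[--map->poke_cnt];
			return;
		}
	}
}

static void bpf_map_put(struct bpf_map *map)
{
	map->refcnt--;
}

/* Pre-fix verifier cleanup: drops references, never untracks. */
static void release_maps_old(struct bpf_verifier_env *env)
{
	u32 i;

	for (i = 0; i < env->used_map_cnt; i++)
		bpf_map_put(env->used_maps[i]);
}

/* Consolidated helper: works on whichever array currently owns the
 * references (env or aux), untracking before dropping the reference. */
static void __bpf_free_used_maps(struct bpf_prog_aux *aux,
				 struct bpf_map **used_maps, u32 len)
{
	u32 i;

	for (i = 0; i < len; i++) {
		if (used_maps[i]->is_prog_array)
			map_poke_untrack(used_maps[i], aux);
		bpf_map_put(used_maps[i]);
	}
}

static int map_tracks(const struct bpf_map *map, const struct bpf_prog_aux *aux)
{
	u32 i;

	for (i = 0; i < map->poke_cnt; i++)
		if (map->poke_progs[i] == aux)
			return 1;
	return 0;
}

/* Simulate a load that fails after the verifier resolved a prog array map
 * but before used_maps were copied into aux. Returns 1 if the map still
 * points at the aux that is about to be freed (the UAF setup). */
static int failed_load(int use_fix, int *refcnt_after)
{
	struct bpf_map map = { .refcnt = 1, .is_prog_array = 1 };
	struct bpf_prog_aux aux = { 0 };
	struct bpf_verifier_env env = { .aux = &aux };
	int dangling;

	map.refcnt++;                               /* verifier takes a ref */
	env.used_maps[env.used_map_cnt++] = &map;
	map_poke_track(&map, &aux);                 /* poke dependency registered */

	/* ... verification fails here; aux.used_map_cnt is still 0 ... */
	if (use_fix)
		__bpf_free_used_maps(&aux, env.used_maps, env.used_map_cnt);
	else
		release_maps_old(&env);

	/* prog teardown over aux->used_maps: a no-op because the count is 0 */
	__bpf_free_used_maps(&aux, aux.used_maps, aux.used_map_cnt);

	dangling = map_tracks(&map, &aux);
	if (refcnt_after)
		*refcnt_after = map.refcnt;
	return dangling;
}

int failed_load_leaves_dangling(int use_fix) { return failed_load(use_fix, NULL); }
int failed_load_map_refcnt(int use_fix) { int r; failed_load(use_fix, &r); return r; }

int main(void)
{
	printf("old path: dangling=%d refcnt=%d\n",
	       failed_load_leaves_dangling(0), failed_load_map_refcnt(0));
	printf("fixed:    dangling=%d refcnt=%d\n",
	       failed_load_leaves_dangling(1), failed_load_map_refcnt(1));
	return 0;
}
```

Both paths balance the map refcount, which is why the bug is invisible to reference accounting; only the poke list, inspected after the aux is gone, shows the stale pointer that a later prog array update would dereference.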