> On Thu, 2022-06-23 at 11:21 +0300, Dan Carpenter wrote:
> Hello Eduard Zingerman,
>
> The patch 1ade23711971: "bpf: Inline calls to bpf_loop when callback
> is known" from Jun 21, 2022, leads to the following Smatch static
> checker warning:
>
> kernel/bpf/verifier.c:14420 inline_bpf_loop()
> error: dereferencing freed memory 'env->prog'
>
> kernel/bpf/verifier.c
> 14350 static struct bpf_prog *inline_bpf_loop(...)
> [...]
> 14411 new_prog = bpf_patch_insn_data(env, position, insn_buf, *cnt);
>
> The bpf_patch_insn_data() function sometimes frees the old "env->prog"
> and returns "new_prog".
>
> 14412 if (!new_prog)
> 14413 return new_prog;
> 14414
> 14415 /* callback start is known only after patching */
> 14416 callback_start = env->subprog_info[callback_subprogno].start;
> 14417 /* Note: insn_buf[12] is an offset of BPF_CALL_REL instruction */
> 14418 call_insn_offset = position + 12;
> 14419 callback_offset = callback_start - call_insn_offset - 1;
> --> 14420 env->prog->insnsi[call_insn_offset].imm = callback_offset;

Hi Dan,

Thank you for the report, you are correct!

> Presumably somewhere there is a "env->prog = new_prog;"

This assignment is inside `optimize_bpf_loop` right after the call to `inline_bpf_loop`.

> But it feels like it would be more readable to say:
>
> new_prog->insnsi[call_insn_offset].imm = callback_offset;

Yes, I agree.

Alexei, could you please suggest how I should proceed:
- submit a new patch with a fix, or
- submit the complete patchset with the fix included?

Thanks,
Eduard
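The hazard in the report is a general one: a helper that may free the buffer it was handed and return a replacement, followed by a write through the caller's old pointer. The following stand-alone C program is an added illustration, not code from the kernel or from this thread. It models the verifier structures with a constructed `struct env` / `struct prog`, a `patch_insn_data()` that always frees the old program (mimicking the "sometimes frees" behaviour of `bpf_patch_insn_data()` deterministically), and the corrected sequence that writes the relative call offset through `new_prog`, with the caller installing `env->prog = new_prog` as `optimize_bpf_loop` does. All names and the sample instruction counts are assumptions for the demo.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the verifier structures in the report:
 * env->prog owns an instruction array; each slot's "imm" is modelled
 * as one int. This is not the kernel's real layout. */
struct prog {
	size_t len;
	int *insnsi;
};

struct env {
	struct prog *prog;
	size_t callback_start; /* start of the callback subprog, known after patching */
};

/* Constructed stand-in for bpf_patch_insn_data(): allocates a new prog with
 * `cnt` instructions from `buf` inserted at `position`, FREES the old
 * env->prog and returns the new one. It does not update env->prog; the
 * caller must do that. Returns NULL on allocation failure (old prog kept). */
static struct prog *patch_insn_data(struct env *env, size_t position,
				    const int *buf, size_t cnt)
{
	struct prog *old = env->prog;
	struct prog *new_prog = malloc(sizeof(*new_prog));

	if (!new_prog)
		return NULL;
	new_prog->len = old->len + cnt;
	new_prog->insnsi = malloc(new_prog->len * sizeof(int));
	if (!new_prog->insnsi) {
		free(new_prog);
		return NULL;
	}
	memcpy(new_prog->insnsi, old->insnsi, position * sizeof(int));
	memcpy(new_prog->insnsi + position, buf, cnt * sizeof(int));
	memcpy(new_prog->insnsi + position + cnt, old->insnsi + position,
	       (old->len - position) * sizeof(int));
	free(old->insnsi);
	free(old);	/* from here on env->prog is a dangling pointer */
	return new_prog;
}

#define CALL_REL_SLOT 12 /* same slot the report's insn_buf[12] refers to */

/* Corrected form of the sequence at verifier.c:14411-14420: the call
 * offset is written through new_prog, never through the stale env->prog. */
static struct prog *inline_loop_fixed(struct env *env, size_t position,
				      const int *insn_buf, size_t cnt)
{
	struct prog *new_prog = patch_insn_data(env, position, insn_buf, cnt);
	size_t call_insn_offset;
	int callback_offset;

	if (!new_prog)
		return NULL;
	call_insn_offset = position + CALL_REL_SLOT;
	callback_offset = (int)env->callback_start - (int)call_insn_offset - 1;
	/* Original bug: env->prog->insnsi[call_insn_offset].imm = callback_offset;
	 * env->prog was freed inside patch_insn_data() above. */
	new_prog->insnsi[call_insn_offset] = callback_offset;
	return new_prog;
}

/* Caller, in the role of optimize_bpf_loop(): installs the patched prog. */
static int optimize_loop(struct env *env, size_t position,
			 const int *insn_buf, size_t cnt)
{
	struct prog *new_prog = inline_loop_fixed(env, position, insn_buf, cnt);

	if (!new_prog)
		return -1;
	env->prog = new_prog;
	return 0;
}

/* Worked run on constructed data: a 4-insn prog, a 16-insn inlined body
 * inserted at position 2, callback subprog starting at insn 18 after
 * patching. Returns the imm written into the call slot (expected 3), or a
 * negative sentinel on failure. */
int demo_call_imm(void)
{
	int orig[4] = {0, 0, 0, 0};
	int stub[16] = {0};
	struct env env;
	int imm;

	env.prog = malloc(sizeof(*env.prog));
	if (!env.prog)
		return -1000;
	env.prog->len = 4;
	env.prog->insnsi = malloc(sizeof(orig));
	if (!env.prog->insnsi) {
		free(env.prog);
		return -1000;
	}
	memcpy(env.prog->insnsi, orig, sizeof(orig));
	env.callback_start = 18;

	if (optimize_loop(&env, 2, stub, 16) != 0)
		return -1001;
	if (env.prog->len != 20)
		return -1002;
	imm = env.prog->insnsi[2 + CALL_REL_SLOT]; /* callback_start - 14 - 1 */
	free(env.prog->insnsi);
	free(env.prog);
	return imm;
}

int main(void)
{
	assert(demo_call_imm() == 3);
	return 0;
}
```

Running the model under AddressSanitizer with the commented-out original line restored reproduces the Smatch finding as a heap-use-after-free, which is a cheap way to confirm that a "patch and return new buffer" helper has no surviving callers that still write through the old pointer.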