These two patches fix the use after free bug in inline_bpf_loop()
reported by Dan Carpenter. The fix for verifier.c and the test case in
test_verifier.c are split into separate commits.

While the first patch is necessary, I'm not sure about the second.
The test case is somewhat fragile because of the following line:

  const int len = getpagesize() - 25;

Here 25 is a magical number that allows env->prog to fit in one page
before bpf_loop inlining and not fit after the bpf_loop inlining.
I'd prefer to use sizeof(struct bpf_prog) instead of this constant, but
the definition of struct bpf_prog is not available in test_verifier.c.

Eduard Zingerman (2):
  bpf: fix for use after free bug in inline_bpf_loop
  selftest/bpf: test for use after free bug fix in inline_bpf_loop

 kernel/bpf/verifier.c                          |  2 +-
 tools/testing/selftests/bpf/test_verifier.c    | 39 +++++++++++++++++++
 .../selftests/bpf/verifier/bpf_loop_inline.c   | 11 ++++++
 3 files changed, 51 insertions(+), 1 deletion(-)

-- 
2.25.1