Patch "bpf: Fix resetting logic for unreferenced kptrs" has been added to the 6.0-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 10 Oct 2022 08:50:09 +0200

This is a note to let you know that I've just added the patch titled

    bpf: Fix resetting logic for unreferenced kptrs

to the 6.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-fix-resetting-logic-for-unreferenced-kptrs.patch
and it can be found in the queue-6.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 9fad7fe5b29803584c7f17a2abe6c2936fec6828 Mon Sep 17 00:00:00 2001
From: Jules Irenge <jbi.octave@xxxxxxxxx>
Date: Wed, 7 Sep 2022 16:24:20 +0100
Subject: bpf: Fix resetting logic for unreferenced kptrs

From: Jules Irenge <jbi.octave@xxxxxxxxx>

commit 9fad7fe5b29803584c7f17a2abe6c2936fec6828 upstream.

Sparse reported a warning at bpf_map_free_kptrs()
"warning: Using plain integer as NULL pointer"
During the process of fixing this warning, it was discovered that the current
code erroneously writes to the pointer variable instead of deferencing and
writing to the actual kptr. Hence, Sparse tool accidentally helped to uncover
this problem. Fix this by doing WRITE_ONCE(*p, 0) instead of WRITE_ONCE(p, 0).

Note that the effect of this bug is that unreferenced kptrs will not be cleared
during check_and_free_fields. It is not a problem if the clearing is not done
during map_free stage, as there is nothing to free for them.

Fixes: 14a324f6a67e ("bpf: Wire up freeing of referenced kptr")
Signed-off-by: Jules Irenge <jbi.octave@xxxxxxxxx>
Link: https://lore.kernel.org/r/Yxi3pJaK6UDjVJSy@playground
Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 kernel/bpf/syscall.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -598,7 +598,7 @@ void bpf_map_free_kptrs(struct bpf_map *
 		if (off_desc->type == BPF_KPTR_UNREF) {
 			u64 *p = (u64 *)btf_id_ptr;
 
-			WRITE_ONCE(p, 0);
+			WRITE_ONCE(*p, 0);
 			continue;
 		}
 		old_ptr = xchg(btf_id_ptr, 0);


Patches currently in stable-queue which might be from jbi.octave@xxxxxxxxx are

queue-6.0/bpf-fix-resetting-logic-for-unreferenced-kptrs.patch






