Patch "bpf: fix potential error return" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 4 Jan 2025 13:07:39 -0500

This is a note to let you know that I've just added the patch titled

    bpf: fix potential error return

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-fix-potential-error-return.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 2d62772de4884bf87656afa2d276ddf7c3c7a0c0
Author: Anton Protopopov <aspsk@xxxxxxxxxxxxx>
Date:   Tue Dec 10 11:42:45 2024 +0000

    bpf: fix potential error return
    
    [ Upstream commit c4441ca86afe4814039ee1b32c39d833c1a16bbc ]
    
    The bpf_remove_insns() function returns WARN_ON_ONCE(error), where
    error is a result of bpf_adj_branches(), and thus should be always 0
    However, if for any reason it is not 0, then it will be converted to
    boolean by WARN_ON_ONCE and returned to user space as 1, not an actual
    error value. Fix this by returning the original err after the WARN check.
    
    Signed-off-by: Anton Protopopov <aspsk@xxxxxxxxxxxxx>
    Acked-by: Jiri Olsa <jolsa@xxxxxxxxxx>
    Acked-by: Andrii Nakryiko <andrii@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20241210114245.836164-1-aspsk@xxxxxxxxxxxxx
    Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 0ea0d50a7c16..83b416af4da1 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -523,6 +523,8 @@ struct bpf_prog *bpf_patch_insn_single(struct bpf_prog *prog, u32 off,
 
 int bpf_remove_insns(struct bpf_prog *prog, u32 off, u32 cnt)
 {
+	int err;
+
 	/* Branch offsets can't overflow when program is shrinking, no need
 	 * to call bpf_adj_branches(..., true) here
 	 */
@@ -530,7 +532,9 @@ int bpf_remove_insns(struct bpf_prog *prog, u32 off, u32 cnt)
 		sizeof(struct bpf_insn) * (prog->len - off - cnt));
 	prog->len -= cnt;
 
-	return WARN_ON_ONCE(bpf_adj_branches(prog, off, off + cnt, off, false));
+	err = bpf_adj_branches(prog, off, off + cnt, off, false);
+	WARN_ON_ONCE(err);
+	return err;
 }
 
 static void bpf_prog_kallsyms_del_subprogs(struct bpf_prog *fp)







