From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Daniel Borkmann, Alexei Starovoitov, "David S. Miller", Sasha Levin
Subject: [PATCH 4.16 157/279] bpf, x64: fix memleak when not converging on calls
Date: Mon, 18 Jun 2018 10:12:22 +0200
Message-Id: <20180618080615.325301681@linuxfoundation.org>
In-Reply-To: <20180618080608.851973560@linuxfoundation.org>

4.16-stable review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann [ Upstream commit 39f56ca945af86112753646316c4c92dcd4acd82 ] The JIT logic in jit_subprogs() is as follows: for all subprogs we allocate a bpf_prog_alloc(), populate it (prog->is_func = 1 here), and pass it to bpf_int_jit_compile(). If a failure occurred during JIT and prog->jited is not set, then we bail out from attempting to JIT the whole program, and punt to the interpreter instead. In case JITing went successful, we fixup BPF call offsets and do another pass to bpf_int_jit_compile() (extra_pass is true at that point) to complete JITing calls. Given that requires to pass JIT context around addrs and jit_data from x86 JIT are freed in the extra_pass in bpf_int_jit_compile() when calls are involved (if not, they can be freed immediately). However, if in the original pass, the JIT image didn't converge then we leak addrs and jit_data since image itself is NULL, the prog->is_func is set and extra_pass is false in that case, meaning both will become unreachable and are never cleaned up, therefore we need to free as well on !image. Only x64 JIT is affected. Fixes: 1c2a088a6626 ("bpf: x64: add JIT support for multi-function programs") Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Acked-by: David S. Miller Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- arch/x86/net/bpf_jit_comp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c @@ -1249,7 +1249,7 @@ out_image: prog = orig_prog; } - if (!prog->is_func || extra_pass) { + if (!image || !prog->is_func || extra_pass) { out_addrs: kfree(addrs); kfree(jit_data);
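
Review bot: The widened test after out_image, `if (!image || !prog->is_func || extra_pass)`, carries no comment explaining why a NULL image must take the free path, so the reasoning lives only in the commit message. A short comment above the condition would help, for example noting that when the image did not converge no extra pass will follow to release addrs and jit_data, so both have to be freed here. The visible context ends at kfree(jit_data), so it is also worth confirming in the full function that any pointer to jit_data kept for the extra pass is cleared on this path, since the commit message says the JIT context is passed between passes.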