From: Lorenz Bauer lmb@cloudflare.com
mainline inclusion from mainline-v5.14-rc1 commit 06ab6a505583f9adbf5e1f05d86e7bdd7b02248e category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I932VT CVE: CVE-2023-52452
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Eliminate a couple of needless kfree / kmalloc cycles by using copy_array for jmp_history.
Signed-off-by: Lorenz Bauer lmb@cloudflare.com Signed-off-by: Alexei Starovoitov ast@kernel.org Link: https://lore.kernel.org/bpf/20210429134656.122225-3-lmb@cloudflare.com Signed-off-by: Pu Lehui pulehui@huawei.com --- kernel/bpf/verifier.c | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 463889e40e3a..38a77a2c1992 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -882,16 +882,13 @@ static int copy_verifier_state(struct bpf_verifier_state *dst_state,
 const struct bpf_verifier_state *src)
 {
 struct bpf_func_state *dst;
- u32 jmp_sz = sizeof(struct bpf_idx_pair) * src->jmp_history_cnt;
 int i, err;
- if (dst_state->jmp_history_cnt < src->jmp_history_cnt) {
- kfree(dst_state->jmp_history);
- dst_state->jmp_history = kmalloc(jmp_sz, GFP_USER);
- if (!dst_state->jmp_history)
- return -ENOMEM;
- }
- memcpy(dst_state->jmp_history, src->jmp_history, jmp_sz);
+ dst_state->jmp_history = copy_array(dst_state->jmp_history, src->jmp_history,
+ src->jmp_history_cnt, sizeof(struct bpf_idx_pair),
+ GFP_USER);
+ if (!dst_state->jmp_history)
+ return -ENOMEM;
 dst_state->jmp_history_cnt = src->jmp_history_cnt;
/* if dst has more stack frames then src frame, free them */
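Review bot: On the new -ENOMEM path `dst_state->jmp_history_cnt` keeps its previous value while `dst_state->jmp_history` has just been overwritten with NULL, so the state is left inconsistent (count > 0, buffer NULL); resetting the count beside the return, `dst_state->jmp_history_cnt = 0;`, keeps any later walker or free path honest. The fix also leans on copy_array()'s contract, which is outside this hunk: it must free the old buffer itself on failure (so the NULL stored here is not masking a dangling pointer) and must reject an overflowing `n * size`, since the explicit `u32 jmp_sz` multiply the old code performed is now gone; confirm that this tree's copy_array does both, as the mainline version does, and record it at the call site, e.g. `/* copy_array() frees the old buffer on failure, so jmp_history is NULL here, never dangling */`. copy_verifier_state() continues past the end of this hunk.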