bpf: cleanup aux->used_maps after jit

In commit b4ce5923e780 ("bpf, x86: add new map type: instructions array")
env->used_map was copied to func[i]->aux->used_maps before jitting.
Clear these fields out after jitting such that pointer to freed memory
(env->used_maps is freed later) are not kept in a live data structure.

The reason why the copies were initially added is explained in
https://lore.kernel.org/bpf/20251105090410.1250500-1-a.s.protopopov@gmail.com

Suggested-by: Alexei Starovoitov <ast@kernel.org>
Fixes: b4ce5923e780 ("bpf, x86: add new map type: instructions array")
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Link: https://lore.kernel.org/r/20251124151515.2543403-1-a.s.protopopov@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 2e170be647bd720e4231cf1c1f9455b0d2da7952..766695491bc5b71249ce86910ac71cb2e0baa5f0 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -22266,6 +22266,15 @@ static int jit_subprogs(struct bpf_verifier_env *env)
                cond_resched();
        }
 
+       /*
+        * Cleanup func[i]->aux fields which aren't required
+        * or can become invalid in future
+        */
+       for (i = 0; i < env->subprog_cnt; i++) {
+               func[i]->aux->used_maps = NULL;
+               func[i]->aux->used_map_cnt = 0;
+       }
+
        /* finally lock prog and jit images for all functions and
         * populate kallsysm. Begin at the first subprogram, since
         * bpf_prog_load will add the kallsyms for the main program.