[PATCH bpf-next v12 1/5] bpf: Move constants blinding out of arch-specific JITs

bot+bpf-ci at kernel.org
Fri Apr 3 07:30:50 PDT 2026


> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index a431b7d50e1b..66cef3744fde 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c

[ ... ]

> +static void restore_insn_aux_data(struct bpf_verifier_env *env,
> +				  struct bpf_insn_aux_data *orig_insn_aux)
> +{
> +	/* the expanded elements are zero-filled, so no special handling is required */
> +	vfree(env->insn_aux_data);
> +	env->insn_aux_data = orig_insn_aux;
> +}
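Review bot: restore_insn_aux_data() transfers ownership of orig_insn_aux to env (env->insn_aux_data = orig_insn_aux) rather than copying it, so once it returns the caller must no longer free orig_insn_aux; that contract should be stated in the function comment, since the existing comment only explains why the expanded elements need no clearing, and a caller that keeps treating the pointer as its own will free it twice.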

[ ... ]

> +out_restore:
> +	restore_subprog_starts(env, orig_subprog_starts);
> +	restore_insn_aux_data(env, orig_insn_aux);
> +	kvfree(orig_subprog_starts);
> +out_free_aux:
> +	kvfree(orig_insn_aux);
> +out_cleanup:
> +	/* cleanup main prog to be interpreted */
> +	prog->jit_requested = 0;
> +	prog->blinding_requested = 0;
> +	return err;
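Review bot: the two restore helpers have opposite ownership semantics, and that is what makes this label chain fragile: restore_subprog_starts() evidently copies, since orig_subprog_starts is kvfree'd right after it, while restore_insn_aux_data() installs orig_insn_aux into env, yet out_restore still falls through to out_free_aux and kvfree(orig_insn_aux). Either make both helpers copy, so every orig_* buffer can be unconditionally freed on this path, or make both take ownership and stop freeing the restored pointers here; as written, the fall-through frees a buffer that env now owns.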

Is there a double-free of env->insn_aux_data on the out_restore path?

restore_insn_aux_data() sets env->insn_aux_data = orig_insn_aux, then
out_restore falls through to out_free_aux which does
kvfree(orig_insn_aux), freeing the just-restored pointer.

Later, bpf_check() cleanup runs:

    clear_insn_aux_data(env, 0, env->prog->len);
    vfree(env->insn_aux_data);

which would be a use-after-free followed by a double-free.

The out_restore path is reached when bpf_jit_blind_constants() or
__jit_subprogs() fails while blinding was active, which can happen
under memory pressure with multi-subprog BPF programs.

It looks like out_restore needs a goto out_cleanup (or similar) after
kvfree(orig_subprog_starts) to skip the out_free_aux label, since after
restoring, orig_insn_aux is owned by env->insn_aux_data and must not be
freed here.

This regression is not fixed by later commits in the series.


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/23948799625

