net, sockmap: Don't call bpf_prog_put() on NULL pointer (83c11c17) · Commits · 戴 / test

If bpf_prog_inc_not_zero() fails for skb_parser, then bpf_prog_put() is called unconditionally on skb_verdict, even though it may be NULL. Fix and tidy up error path. Fixes: ("bpf, sockmap: Check skb_verdict and skb_parser programs explicitly") Addresses-Coverity-ID: 1497799: Null pointer dereferences (FORWARD_NULL) Signed-off-by:

Alex Dewar <alex.dewar90@gmail.com> Signed-off-by:

Daniel Borkmann <daniel@iogearbox.net> Acked-by:

Jakub Sitnicki <jakub@cloudflare.com> Acked-by:

John Fastabend <john.fastabend@gmail.com> Link: https://lore.kernel.org/bpf/20201012170952.60750-1-alex.dewar90@gmail.com

net/core/sock_map.c

+9 −7

Original line number	Diff line number	Diff line
		@@ -238,17 +238,18 @@ static int sock_map_link(struct bpf_map map, struct sk_psock_progs progs,
		int ret;

		skb_verdict = READ_ONCE(progs->skb_verdict);
		skb_parser = READ_ONCE(progs->skb_parser);
		if (skb_verdict) {
		skb_verdict = bpf_prog_inc_not_zero(skb_verdict);
		if (IS_ERR(skb_verdict))
		return PTR_ERR(skb_verdict);
		}

		skb_parser = READ_ONCE(progs->skb_parser);
		if (skb_parser) {
		skb_parser = bpf_prog_inc_not_zero(skb_parser);
		if (IS_ERR(skb_parser)) {
		bpf_prog_put(skb_verdict);
		return PTR_ERR(skb_parser);
		ret = PTR_ERR(skb_parser);
		goto out_put_skb_verdict;
		}
		}

		@@ -257,7 +258,7 @@ static int sock_map_link(struct bpf_map map, struct sk_psock_progs progs,
		msg_parser = bpf_prog_inc_not_zero(msg_parser);
		if (IS_ERR(msg_parser)) {
		ret = PTR_ERR(msg_parser);
		goto out;
		goto out_put_skb_parser;
		}
		}

		@@ -311,11 +312,12 @@ out_drop:
		out_progs:
		if (msg_parser)
		bpf_prog_put(msg_parser);
		out:
		if (skb_verdict)
		bpf_prog_put(skb_verdict);
		out_put_skb_parser:
		if (skb_parser)
		bpf_prog_put(skb_parser);
		out_put_skb_verdict:
		if (skb_verdict)
		bpf_prog_put(skb_verdict);
		return ret;
		}

Admin message