2 files changed, 23 insertions, 16 deletions
diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 5d141f16f6fa..272071e9112f 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1707,20 +1707,26 @@ static int bpf_prog_load(union bpf_attr *attr, union bpf_attr __user *uattr)
        if (err)
                goto free_used_maps;
-        err = bpf_prog_new_fd(prog);
+        /* Upon success of bpf_prog_alloc_id(), the BPF prog is
-        if (err < 0) {
+         * effectively publicly exposed. However, retrieving via
-                /* failed to allocate fd.
+         * bpf_prog_get_fd_by_id() will take another reference,
-                 * bpf_prog_put() is needed because the above
+         * therefore it cannot be gone underneath us.
-                 * bpf_prog_alloc_id() has published the prog
+         *
-                 * to the userspace and the userspace may
+         * Only for the time /after/ successful bpf_prog_new_fd()
-                 * have refcnt-ed it through BPF_PROG_GET_FD_BY_ID.
+         * and before returning to userspace, we might just hold
-                 */
+         * one reference and any parallel close on that fd could
-                bpf_prog_put(prog);
+         * rip everything out. Hence, below notifications must
-                return err;
+         * happen before bpf_prog_new_fd().
-        }
+         *
+         * Also, any failure handling from this point onwards must
+         * be using bpf_prog_put() given the program is exposed.
+         */
        bpf_prog_kallsyms_add(prog);
        perf_event_bpf_event(prog, PERF_BPF_EVENT_PROG_LOAD, 0);
+        err = bpf_prog_new_fd(prog);
+        if (err < 0)
+                bpf_prog_put(prog);
        return err;
 free_used_maps:
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 10c0ff93f52b..16d66bd7af09 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -985,9 +985,6 @@ static void __mark_reg_unbounded(struct bpf_reg_state *reg)
        reg->smax_value = S64_MAX;
        reg->umin_value = 0;
        reg->umax_value = U64_MAX;
-        /* constant backtracking is enabled for root only for now */
-        reg->precise = capable(CAP_SYS_ADMIN) ? false : true;
 }
 /* Mark a register as having a completely unknown (scalar) value. */
@@ -1014,7 +1011,11 @@ static void mark_reg_unknown(struct bpf_verifier_env *env,
                        __mark_reg_not_init(regs + regno);
                return;
        }
-        __mark_reg_unknown(regs + regno);
+        regs += regno;
+        __mark_reg_unknown(regs);
+        /* constant backtracking is enabled for root without bpf2bpf calls */
+        regs->precise = env->subprog_cnt > 1 || !env->allow_ptr_leaks ?
+                        true : false;
 }
 static void __mark_reg_not_init(struct bpf_reg_state *reg)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index 5d141f16f6fa..272071e9112f 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c
@@ -1707,20 +1707,26 @@ static int bpf_prog_load(union bpf_attr attr, union bpf_attr __user uattr)
1707	if (err)	1707	if (err)
1708	goto free_used_maps;	1708	goto free_used_maps;
1709		1709
1710	err = bpf_prog_new_fd(prog);	1710	/* Upon success of bpf_prog_alloc_id(), the BPF prog is
1711	if (err < 0) {	1711	* effectively publicly exposed. However, retrieving via
1712	/* failed to allocate fd.	1712	* bpf_prog_get_fd_by_id() will take another reference,
1713	* bpf_prog_put() is needed because the above	1713	* therefore it cannot be gone underneath us.
1714	* bpf_prog_alloc_id() has published the prog	1714	*
1715	* to the userspace and the userspace may	1715	* Only for the time /after/ successful bpf_prog_new_fd()
1716	* have refcnt-ed it through BPF_PROG_GET_FD_BY_ID.	1716	* and before returning to userspace, we might just hold
1717	*/	1717	* one reference and any parallel close on that fd could
1718	bpf_prog_put(prog);	1718	* rip everything out. Hence, below notifications must
1719	return err;	1719	* happen before bpf_prog_new_fd().
1720	}	1720	*
1721		1721	* Also, any failure handling from this point onwards must
		1722	* be using bpf_prog_put() given the program is exposed.
		1723	*/
1722	bpf_prog_kallsyms_add(prog);	1724	bpf_prog_kallsyms_add(prog);
1723	perf_event_bpf_event(prog, PERF_BPF_EVENT_PROG_LOAD, 0);	1725	perf_event_bpf_event(prog, PERF_BPF_EVENT_PROG_LOAD, 0);
		1726
		1727	err = bpf_prog_new_fd(prog);
		1728	if (err < 0)
		1729	bpf_prog_put(prog);
1724	return err;	1730	return err;
1725		1731
1726	free_used_maps:	1732	free_used_maps:


diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 10c0ff93f52b..16d66bd7af09 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c
@@ -985,9 +985,6 @@ static void __mark_reg_unbounded(struct bpf_reg_state *reg)
985	reg->smax_value = S64_MAX;	985	reg->smax_value = S64_MAX;
986	reg->umin_value = 0;	986	reg->umin_value = 0;
987	reg->umax_value = U64_MAX;	987	reg->umax_value = U64_MAX;
988
989	/* constant backtracking is enabled for root only for now */
990	reg->precise = capable(CAP_SYS_ADMIN) ? false : true;
991	}	988	}
992		989
993	/* Mark a register as having a completely unknown (scalar) value. */	990	/* Mark a register as having a completely unknown (scalar) value. */
@@ -1014,7 +1011,11 @@ static void mark_reg_unknown(struct bpf_verifier_env *env,
1014	__mark_reg_not_init(regs + regno);	1011	__mark_reg_not_init(regs + regno);
1015	return;	1012	return;
1016	}	1013	}
1017	__mark_reg_unknown(regs + regno);	1014	regs += regno;
		1015	__mark_reg_unknown(regs);
		1016	/* constant backtracking is enabled for root without bpf2bpf calls */
		1017	regs->precise = env->subprog_cnt > 1 \|\| !env->allow_ptr_leaks ?
		1018	true : false;
1018	}	1019	}
1019		1020
1020	static void __mark_reg_not_init(struct bpf_reg_state *reg)	1021	static void __mark_reg_not_init(struct bpf_reg_state *reg)