Re: [PATCH bpf v9 8/8] powerpc64/bpf: fix percpu private stack leak on JIT failure

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:

Pre-existing issues:
- [High] bpf_jit_free() ignores the return value of bpf_jit_binary_pack_finalize(), leading to a double free, use-after-free, and modmem underflow if finalization fails.
- [Medium] The exact same percpu memory leak fixed in powerpc by this patch is also present in the arm64 BPF JIT compiler.
--

commit bd7becf49ebb21e1322fb30107d94244f94e35a2
Author: Abhishek Dubey <adubey@linux.ibm.com>

powerpc64/bpf: fix percpu private stack leak on JIT failure

This patch fixes a percpu private stack leak on JIT failure in the powerpc64
BPF JIT compiler. It ensures the private stack is freed whenever JIT
compilation fails by checking !fp->jited instead of !image.

Reported-by: sashiko-bot@kernel.org
Closes: https://lore.kernel.org/bpf/20260616135426.A06B71F000E9@smtp.kernel.org
Fixes: 156d985123b6 ("powerpc64/bpf: Implement JIT support for private stack")
Cc: stable@vger.kernel.org
Signed-off-by: Abhishek Dubey <adubey@linux.ibm.com>

> diff --git a/arch/powerpc/net/bpf_jit_comp.c b/arch/powerpc/net/bpf_jit_comp.c
> index 8396ff556f026..cdd16b979c10c 100644
> --- a/arch/powerpc/net/bpf_jit_comp.c
> +++ b/arch/powerpc/net/bpf_jit_comp.c
> @@ -403,7 +403,7 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_verifier_env *env, struct bpf_pr
>  				(void *)fimage + FUNCTION_DESCR_SIZE);
>  
>  out_addrs:
> -		if (!image && priv_stack_ptr) {
> +		if (!fp->jited && priv_stack_ptr) {

[Severity: Medium]
This is a pre-existing issue, but the exact same percpu memory leak fixed
here in powerpc is also present in the arm64 BPF JIT compiler.

In arm64's bpf_int_jit_compile(), if JIT fails after ro_header is allocated:

arch/arm64/net/bpf_jit_comp.c:bpf_int_jit_compile() {
    ...
    if (header) {
        bpf_arch_text_copy(&ro_header->size, &header->size,
                   sizeof(header->size));
        bpf_jit_binary_pack_free(ro_header, header);
    }
    goto out_off;
    ...
out_off:
    if (!ro_header && priv_stack_ptr) {
        free_percpu(priv_stack_ptr);
        prog->aux->priv_stack_ptr = NULL;
    }
    ...
}

Because ro_header is freed but not set to NULL, it bypasses the cleanup at
out_off, leaking the private stack allocation. Should a similar fix be
applied to arm64?

[Severity: High]
This is a pre-existing issue, but there is a double-free vulnerability in
bpf_jit_free() that affects powerpc, arm64, and x86 when finalization fails.

In arch/powerpc/net/bpf_jit_comp.c:bpf_jit_free():

    if (jit_data) {
        bpf_jit_binary_pack_finalize(jit_data->fhdr, jit_data->hdr);
        ...
    }
    hdr = bpf_jit_binary_pack_hdr(fp);
    bpf_jit_binary_pack_free(hdr, NULL);

If bpf_jit_binary_pack_finalize() fails (e.g., due to memory permission
errors), it explicitly frees the RO header internally. However, its return
value is ignored here. The code proceeds to extract the same header and call
bpf_jit_binary_pack_free() again, leading to a double-free and use-after-free
(dereferencing the freed size).

The exact same vulnerability exists in the arm64 and x86 JIT compilers. Does
the return value of bpf_jit_binary_pack_finalize() need to be checked to
prevent this double free?

>  			fp->aux->priv_stack_ptr = NULL;
>  			free_percpu(priv_stack_ptr);
>  		}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260623231411.6216-1-adubey@linux.ibm.com?part=8