Re: [PATCH 2/3] bpf: introduce bpf_jit_insn_aux_data
From: bot+bpf-ci
Date: Fri Mar 06 2026 - 18:02:54 EST
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index d4a73a34c46b..68152dbe9a24 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
[ ... ]
> @@ -23020,6 +23026,9 @@ static int jit_subprogs(struct bpf_verifier_env *env)
> for (i = 0; i < env->subprog_cnt; i++) {
> func[i]->aux->used_maps = NULL;
> func[i]->aux->used_map_cnt = 0;
> + func[i]->aux->insn_aux_data = NULL;
> + kvfree(func[i]->aux->insn_aux_data);
> + func[i]->aux->insn_aux_data = NULL;
> }
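Review bot: the first added line in this hunk, "func[i]->aux->insn_aux_data = NULL;", executes before "kvfree(func[i]->aux->insn_aux_data);", so kvfree() is handed NULL (a no-op) and the insn_aux_data buffer of every subprog is leaked on the success path; drop that first assignment so the sequence is kvfree() followed by the "= NULL" store, matching the out_free error path.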
Does this leak insn_aux_data for every subprog on the success path?
The pointer is set to NULL before kvfree() is called, so kvfree()
receives NULL and the allocated memory is never freed.
The error path (out_free) has the correct ordering:
> if (func[i]->aux->insn_aux_data) {
> kvfree(func[i]->aux->insn_aux_data);
> func[i]->aux->insn_aux_data = NULL;;
> }
It looks like the success path should match:
kvfree(func[i]->aux->insn_aux_data);
func[i]->aux->insn_aux_data = NULL;
Neither __bpf_prog_free() nor bpf_prog_free_deferred() frees
insn_aux_data, so this would be a permanent leak for every
successfully JITed BPF program with multiple subprogs.
Also, there is a double semicolon on the NULL assignment in the
error path above.
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/22784798570
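Added example, not part of the patch or of this review: a small C model of the two teardown orderings discussed above. The aux struct and the kvfree() stand-in mirror the patch's names, but the live_allocs counter and the static buffer in place of a real allocation are assumptions of this harness, chosen so the leak shows up as a non-zero live count.

```c
#include <stdio.h>

/* Model of struct bpf_prog_aux reduced to the field under review. */
struct aux_model {
	void *insn_aux_data;	/* per-instruction aux array */
};

static int live_allocs;		/* buffers handed out but not yet freed */
static char aux_storage[64];	/* stands in for a kvmalloc()'d array */

static void *model_kvmalloc(void)
{
	live_allocs++;
	return aux_storage;
}

/* Like the kernel's kvfree(), a NULL argument is a silent no-op. */
static void model_kvfree(void *p)
{
	if (!p)
		return;
	live_allocs--;
}

/* Ordering as posted: the pointer is cleared before kvfree() runs,
 * so kvfree() sees NULL and the buffer is never released. */
static int release_as_posted(struct aux_model *aux)
{
	aux->insn_aux_data = NULL;
	model_kvfree(aux->insn_aux_data);
	aux->insn_aux_data = NULL;
	return live_allocs;
}

/* Ordering the review asks for (same as the out_free path):
 * free first, then clear the pointer so nothing dangles. */
static int release_fixed(struct aux_model *aux)
{
	model_kvfree(aux->insn_aux_data);
	aux->insn_aux_data = NULL;
	return live_allocs;
}

/* Allocate one aux array, tear it down with the given routine and
 * return how many buffers are still live (0 means nothing leaked). */
static int run_case(int (*release)(struct aux_model *))
{
	struct aux_model aux;

	live_allocs = 0;
	aux.insn_aux_data = model_kvmalloc();
	return release(&aux);
}

int main(void)
{
	printf("as posted: %d live, fixed: %d live\n",
	       run_case(release_as_posted), run_case(release_fixed));
	return 0;
}
```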