From eda04c10cbc942fdbdfe7d35d0c627041d43c5e5 Mon Sep 17 00:00:00 2001
From: Peng Sun <sironhide0null@gmail.com>
Date: Tue, 19 Mar 2019 23:23:20 +0800
Subject: [PATCH] bpf: decrease usercnt if bpf_map_new_fd() fails in
 bpf_map_get_fd_by_id()

mainline inclusion
from mainline-5.0
commit 781e62823cb81b972dc8652c1827205cda2ac9ac
category: bugfix
bugzilla: 11101
CVE: NA

-------------------------------------------------
In bpf/syscall.c, bpf_map_get_fd_by_id() use bpf_map_inc_not_zero()
to increase the refcount, both map->refcnt and map->usercnt. Then, if
bpf_map_new_fd() fails, should handle map->usercnt too.

Fixes: bd5f5f4ecb78 ("bpf: Add BPF_MAP_GET_FD_BY_ID")
Signed-off-by: Peng Sun <sironhide0null@gmail.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
(cherry picked from commit 781e62823cb81b972dc8652c1827205cda2ac9ac)
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Reviewed-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
---
 kernel/bpf/syscall.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 33eb8c49aa21..0599aa1e5d93 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -1880,7 +1880,7 @@ static int bpf_map_get_fd_by_id(const union bpf_attr *attr)
 
 	fd = bpf_map_new_fd(map, f_flags);
 	if (fd < 0)
-		bpf_map_put(map);
+		bpf_map_put_with_uref(map);
 
 	return fd;
 }
-- 
GitLab