From 1b22393f44802d738f28fb98581640525ecebef4 Mon Sep 17 00:00:00 2001
From: Luis Gerhorst <gerhorst@cs.fau.de>
Date: Fri, 2 Jun 2023 21:24:17 +0200
Subject: [PATCH] [DRAFT] bpf: Fix push_stack() in process_iter_next_call()

TODO: Can the new BUG_ON(!queued_st) be triggered when the current path is already speculative?
---
 kernel/bpf/verifier.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index d1f1c7ad92f2..8366dd81a0d4 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7449,9 +7449,10 @@ static int process_iter_next_call(struct bpf_verifier_env *env, int insn_idx,
 
 	if (cur_iter->iter.state == BPF_ITER_STATE_ACTIVE) {
 		/* branch out active iter state */
-		queued_st = push_stack(env, insn_idx + 1, insn_idx, false);
-		if (!queued_st)
-			return -ENOMEM;
+		int err = push_stack(env, insn_idx + 1, insn_idx, false, &queued_st);
+		if (err)
+			return err;
+		BUG_ON(!queued_st);
 
 		queued_iter = &queued_st->frame[iter_frameno]->stack[iter_spi].spilled_ptr;
 		queued_iter->iter.state = BPF_ITER_STATE_ACTIVE;
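Review bot: The `BUG_ON(!queued_st)` added right after the push_stack() call turns a condition the verifier could fail gracefully into a kernel panic on the BPF program load path, and the commit message itself is unsure whether push_stack() can now return 0 without handing back a state (the speculative-path case). The verifier's convention for internal inconsistencies is to report and reject the program rather than crash the kernel, so the check should become a `verbose(env, "verifier bug: ...")` followed by `return -EFAULT;` as shown below; if a NULL queued_st turns out to be a legitimate "nothing to explore" result of the new push_stack() contract, it should instead be handled as a normal branch, not an oops. Which of the two is right depends on push_stack()'s new signature and semantics, which are not in this hunk. process_iter_next_call() starts and ends outside the hunk, so whether the later writes to cur_iter must still run when no state was queued cannot be judged from here.
```c
		if (err)
			return err;
		if (!queued_st) {
			/* Internal inconsistency: reject the program instead of crashing the kernel. */
			verbose(env, "verifier bug: push_stack() returned no state\n");
			return -EFAULT;
		}
		/* … unchanged: queued_iter setup … */
```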
-- 
GitLab