Skip to content

bpf: Fix invalid mem access when update_effective_progs fails in __cgroup_bpf_detach #6294

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

bpf: Fix invalid mem access when update_effective_progs fails in __cgroup_bpf_detach #6294

wants to merge 1 commit into from

Conversation

@kernel-patches-daemon-bpf-rc
Copy link

@kernel-patches-daemon-bpf-rc kernel-patches-daemon-bpf-rc bot commented Nov 5, 2025

Pull request for series with
subject: bpf: Fix invalid mem access when update_effective_progs fails in __cgroup_bpf_detach
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1019810

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 5, 2025

Upstream branch: 44e8f13
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1019810
version: 1

bpf: Fix invalid mem access when update_effective_progs fails in __cg…
c1aedd5 
…roup_bpf_detach

Syzkaller triggers an invalid memory access issue following fault
injection in update_effective_progs. The issue can be described as
follows:

__cgroup_bpf_detach
  update_effective_progs
    compute_effective_progs
      bpf_prog_array_alloc <-- fault inject
  purge_effective_progs
    /* change to dummy_bpf_prog */
    array->items[index] = &dummy_bpf_prog.prog

---softirq start---
__do_softirq
  ...
    __cgroup_bpf_run_filter_skb
      __bpf_prog_run_save_cb
        bpf_prog_run
          stats = this_cpu_ptr(prog->stats)
          /* invalid memory access */
          flags = u64_stats_update_begin_irqsave(&stats->syncp)
---softirq end---

  static_branch_dec(&cgroup_bpf_enabled_key[atype])

The reason is that fault injection caused update_effective_progs to fail
and then changed the original prog into dummy_bpf_prog.prog in
purge_effective_progs. Then a softirq came, and accessing the members of
dummy_bpf_prog.prog in the softirq triggers invalid mem access.

To fix it, we can skip executing the prog when it's dummy_bpf_prog.prog.

Fixes: 4c46091 ("bpf: Fix KASAN use-after-free Read in compute_effective_progs")
Signed-off-by: Pu Lehui <[email protected]>
@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 6, 2025

Upstream branch: e427054
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1019810
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 6, 2025

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=1019810 expired. Closing PR.

@kernel-patches-daemon-bpf-rc kernel-patches-daemon-bpf-rc bot deleted the series/1019810=>bpf branch November 8, 2025 10:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bpf changes-requested V1-ci-fail V1

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant