Skip to content

bpf: Fix invalid mem access when update_effective_progs fails in __cgroup_bpf_detach #6363

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

bpf: Fix invalid mem access when update_effective_progs fails in __cgroup_bpf_detach #6363

wants to merge 1 commit into from

Conversation

@kernel-patches-daemon-bpf-rc
Copy link

@kernel-patches-daemon-bpf-rc kernel-patches-daemon-bpf-rc bot commented Nov 15, 2025

Pull request for series with
subject: bpf: Fix invalid mem access when update_effective_progs fails in __cgroup_bpf_detach
version: 4
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1023798

bpf: Fix invalid mem access when update_effective_progs fails in __cg…
64b7e72 
…roup_bpf_detach

Syzkaller triggers an invalid memory access issue following fault
injection in update_effective_progs. The issue can be described as
follows:

__cgroup_bpf_detach
  update_effective_progs
    compute_effective_progs
      bpf_prog_array_alloc <-- fault inject
  purge_effective_progs
    /* change to dummy_bpf_prog */
    array->items[index] = &dummy_bpf_prog.prog

---softirq start---
__do_softirq
  ...
    __cgroup_bpf_run_filter_skb
      __bpf_prog_run_save_cb
        bpf_prog_run
          stats = this_cpu_ptr(prog->stats)
          /* invalid memory access */
          flags = u64_stats_update_begin_irqsave(&stats->syncp)
---softirq end---

  static_branch_dec(&cgroup_bpf_enabled_key[atype])

The reason is that fault injection caused update_effective_progs to fail
and then changed the original prog into dummy_bpf_prog.prog in
purge_effective_progs. Then a softirq came, and accessing the members of
dummy_bpf_prog.prog in the softirq triggers invalid mem access.

To fix it, we can skip updating stats when stats is NULL.

Fixes: 4c46091 ("bpf: Fix KASAN use-after-free Read in compute_effective_progs")
Signed-off-by: Pu Lehui <[email protected]>
@kernel-patches-daemon-bpf-rc
Copy link
Author

kernel-patches-daemon-bpf-rc bot commented Nov 15, 2025

Upstream branch: 7a0892d
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1023798
version: 4

@kernel-patches-daemon-bpf-rc kernel-patches-daemon-bpf-rc bot deleted the series/1023798=>bpf branch November 17, 2025 18:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bpf new V4-ci-fail V4

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant