Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

bpf: Dissociate struct_ops program with map if map_update fails

Currently, when bpf_struct_ops_map_update_elem() fails, the programs'
st_ops_assoc will remain set. They may become dangling pointers if the
map is freed later, but they will never be dereferenced since the
struct_ops attachment did not succeed. However, if one of the programs
is subsequently attached as part of another struct_ops map, its
st_ops_assoc will be poisoned even though its old st_ops_assoc was stale
from a failed attachment.

Fix the spuriously poisoned st_ops_assoc by dissociating struct_ops
programs with a map if the attachment fails. Move
bpf_prog_assoc_struct_ops() to after *plink++ to make sure
bpf_prog_disassoc_struct_ops() will not miss a program when iterating
st_map->links.

Note that dissociating a program from a map requires some attention as
it must not reset a poisoned st_ops_assoc or a st_ops_assoc pointing to
another map. The former is already guarded in
bpf_prog_disassoc_struct_ops(). The latter also will not happen since
st_ops_assoc of programs in st_map->links are set by
bpf_prog_assoc_struct_ops(), which can only be poisoned or pointing to
the current map.

Signed-off-by: Amery Hung <ameryhung@gmail.com>
Link: https://lore.kernel.org/r/20260417174900.2895486-1-ameryhung@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Authored by Amery Hung and committed by Alexei Starovoitov
f75aeb2d 2845989f

+4 -3
kernel/bpf/bpf_struct_ops.c
··· 811 811 goto reset_unlock; 812 812 } 813 813 814 - /* Poison pointer on error instead of return for backward compatibility */ 815 - bpf_prog_assoc_struct_ops(prog, &st_map->map); 816 - 817 814 link = kzalloc_obj(*link, GFP_USER); 818 815 if (!link) { 819 816 bpf_prog_put(prog); ··· 820 823 bpf_link_init(&link->link, BPF_LINK_TYPE_STRUCT_OPS, 821 824 &bpf_struct_ops_link_lops, prog, prog->expected_attach_type); 822 825 *plink++ = &link->link; 826 + 827 + /* Poison pointer on error instead of return for backward compatibility */ 828 + bpf_prog_assoc_struct_ops(prog, &st_map->map); 823 829 824 830 ksym = kzalloc_obj(*ksym, GFP_USER); 825 831 if (!ksym) { ··· 906 906 reset_unlock: 907 907 bpf_struct_ops_map_free_ksyms(st_map); 908 908 bpf_struct_ops_map_free_image(st_map); 909 + bpf_struct_ops_map_dissoc_progs(st_map); 909 910 bpf_struct_ops_map_put_progs(st_map); 910 911 memset(uvalue, 0, map->value_size); 911 912 memset(kvalue, 0, map->value_size);
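Review bot: In the first hunk, dropping `bpf_prog_assoc_struct_ops(prog, &st_map->map);` from before `link = kzalloc_obj(*link, GFP_USER);` is what makes the new error-path dissociation complete: a program whose link allocation fails goes through `bpf_prog_put(prog);` without ever being stored in st_map->links, so it must not have been associated either, otherwise the dissociation walk over st_map->links described in the commit message would miss it. Suggest a short comment at the allocation site (or a sentence in the commit message) stating that the association is intentionally deferred until the link is recorded, so a later cleanup does not hoist the call back above the allocation.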
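Review bot: In the second hunk the association now sits directly after `*plink++ = &link->link;`, but the carried-over comment `/* Poison pointer on error instead of return for backward compatibility */` only explains why the return value is ignored, not why the call has to follow the store into st_map->links. Since the very next allocation, `ksym = kzalloc_obj(*ksym, GFP_USER);`, can fail and take the reset path, suggest extending that comment with the ordering requirement: associate only after the link is visible in st_map->links so that reset_unlock can undo it.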
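Review bot: In the third hunk, `bpf_struct_ops_map_dissoc_progs(st_map);` is placed before `bpf_struct_ops_map_put_progs(st_map);`, which is the right order, since the dissociation has to walk st_map->links while the programs are still held. Two things to confirm, because the diffstat is +4 -3 in a single file and no definition of bpf_struct_ops_map_dissoc_progs appears in this patch: that the helper already exists in this tree, and that it leaves a poisoned st_ops_assoc alone (the commit message attributes that guard to bpf_prog_disassoc_struct_ops, so the map-level helper should reach it, or carry an equivalent check). Also worth noting in the message that reset_unlock is reached from the `goto reset_unlock;` at the top of the first hunk as well, so every failure after the program lookup now passes through the dissociation.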