[PATCH] Fix KASAN: use-after-free Read in compute_effective_progs


Tadeusz Struk

Apr 4, 2022, 9:56:31 PM
to syzbot+f264bf...@syzkaller.appspotmail.com, tadeus...@linaro.org, syzkaller-a...@googlegroups.com
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

=======================================
index 128028efda64..3a1d401cd915 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -723,10 +723,11 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
pl->link = NULL;

err = update_effective_progs(cgrp, atype);
- if (err)
- goto cleanup;
-
- /* now can actually delete it from this cgroup list */
+ /*
+ * Proceed regardless of err. The link and/or prog might be freed
+ * just after this function returns so just delete it from this
+ * cgroup list and return the error code.
+ */
list_del(&pl->node);
kfree(pl);
if (list_empty(progs))
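Review bot: Proceeding past a failed update_effective_progs() needs more justification than the new comment gives. Once list_del(&pl->node) and kfree(pl) run here and old_prog is dropped with bpf_prog_put() in the next hunk, the effective program arrays computed before the failed update can still reference old_prog, which is the same use-after-free shape this patch is meant to fix. Either state in the comment why the effective arrays cannot reference the program after an error, or make the error path explicitly remove the program from the effective arrays before continuing.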
@@ -735,12 +736,6 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
if (old_prog)
bpf_prog_put(old_prog);
static_branch_dec(&cgroup_bpf_enabled_key[atype]);
- return 0;
-
-cleanup:
- /* restore back prog or link */
- pl->prog = old_prog;
- pl->link = link;
return err;
}

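Review bot: With the cleanup label and the restore of pl->prog / pl->link removed, `return err;` now reports a failure after the detach has already been fully carried out, so a non-zero return no longer means "nothing changed". The function comment should say so, and callers that treat an error as "the program is still attached" need rechecking; the WARN_ON() site in bpf_cgroup_link_release() changed below is one of them.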
@@ -881,6 +876,7 @@ static void bpf_cgroup_link_release(struct bpf_link *link)
struct bpf_cgroup_link *cg_link =
container_of(link, struct bpf_cgroup_link, link);
struct cgroup *cg;
+ int err;

/* link might have been auto-detached by dying cgroup already,
* in that case our work is done here
@@ -896,8 +892,10 @@ static void bpf_cgroup_link_release(struct bpf_link *link)
return;
}

- WARN_ON(__cgroup_bpf_detach(cg_link->cgroup, NULL, cg_link,
- cg_link->type));
+ err = __cgroup_bpf_detach(cg_link->cgroup, NULL, cg_link,
+ cg_link->type);
+ if (err)
+ printk("cgroup_bpf_detach failed err, %d\n", err);

cg = cg_link->cgroup;
cg_link->cgroup = NULL;
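Review bot: The replacement for WARN_ON() is a bare printk() with no log level and a format string that reads oddly ("failed err, %d"). Prefer `pr_warn("cgroup_bpf_detach failed, err %d\n", err);` (or pr_err()), and if a failure here is still unexpected, a WARN_ONCE(err, ...) would keep the backtrace rather than silently downgrading it to a log line.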
--
2.35.1

Tadeusz Struk

Apr 4, 2022, 9:57:27 PM
to syzbot+cfc5bc...@syzkaller.appspotmail.com, tadeus...@linaro.org, syzkaller-a...@googlegroups.com

syzbot

Apr 4, 2022, 10:07:08 PM
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+f264bf...@syzkaller.appspotmail.com

Tested on:

commit: 31231092 Linux 5.18-rc1
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=43e74a6abb9c3fce
dashboard link: https://syzkaller.appspot.com/bug?extid=f264bffdfbd5614f3bb2
compiler: Debian clang version 11.0.1-2, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=1744f36b700000

Note: testing is done by a robot and is best-effort only.