[PATCH] fix-use-after-free-read-in-compute_effective_progs-2


Tadeusz Struk

Apr 13, 2022, 1:50:06 PM4/13/22
to syzbot+f264bf...@syzkaller.appspotmail.com, syzkaller-a...@googlegroups.com, tadeus...@linaro.org
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

======================================================
diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
index 128028efda64..5a47740c317b 100644
--- a/kernel/bpf/cgroup.c
+++ b/kernel/bpf/cgroup.c
@@ -226,7 +226,8 @@ static bool hierarchy_allows_attach(struct cgroup *cgrp,
*/
static int compute_effective_progs(struct cgroup *cgrp,
enum cgroup_bpf_attach_type atype,
- struct bpf_prog_array **array)
+ struct bpf_prog_array **array,
+ gfp_t flags)
{
struct bpf_prog_array_item *item;
struct bpf_prog_array *progs;
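Review bot: The new `gfp_t flags` parameter is not described in the comment block that closes at the top of this hunk; if that block is kernel-doc, a line such as ` * @flags: GFP flags used for the bpf_prog_array allocation` belongs before the `*/`. The same gap applies to `update_effective_progs` in the `@@ -328,7 +329,8 @@` hunk if its comment is kernel-doc as well. The body of compute_effective_progs continues past the end of this hunk.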
@@ -241,7 +242,7 @@ static int compute_effective_progs(struct cgroup *cgrp,
p = cgroup_parent(p);
} while (p);

- progs = bpf_prog_array_alloc(cnt, GFP_KERNEL);
+ progs = bpf_prog_array_alloc(cnt, flags);
if (!progs)
return -ENOMEM;

@@ -308,7 +309,7 @@ int cgroup_bpf_inherit(struct cgroup *cgrp)
INIT_LIST_HEAD(&cgrp->bpf.storages);

for (i = 0; i < NR; i++)
- if (compute_effective_progs(cgrp, i, &arrays[i]))
+ if (compute_effective_progs(cgrp, i, &arrays[i], GFP_KERNEL))
goto cleanup;

for (i = 0; i < NR; i++)
@@ -328,7 +329,8 @@ int cgroup_bpf_inherit(struct cgroup *cgrp)
}

static int update_effective_progs(struct cgroup *cgrp,
- enum cgroup_bpf_attach_type atype)
+ enum cgroup_bpf_attach_type atype,
+ gfp_t flags)
{
struct cgroup_subsys_state *css;
int err;
@@ -340,7 +342,8 @@ static int update_effective_progs(struct cgroup *cgrp,
if (percpu_ref_is_zero(&desc->bpf.refcnt))
continue;

- err = compute_effective_progs(desc, atype, &desc->bpf.inactive);
+ err = compute_effective_progs(desc, atype, &desc->bpf.inactive,
+ flags);
if (err)
goto cleanup;
}
@@ -499,7 +502,7 @@ static int __cgroup_bpf_attach(struct cgroup *cgrp,
bpf_cgroup_storages_assign(pl->storage, storage);
cgrp->bpf.flags[atype] = saved_flags;

- err = update_effective_progs(cgrp, atype);
+ err = update_effective_progs(cgrp, atype, GFP_KERNEL);
if (err)
goto cleanup;

@@ -722,7 +725,7 @@ static int __cgroup_bpf_detach(struct cgroup *cgrp, struct bpf_prog *prog,
pl->prog = NULL;
pl->link = NULL;

- err = update_effective_progs(cgrp, atype);
+ err = update_effective_progs(cgrp, atype, GFP_NOIO | __GFP_NOFAIL);
if (err)
goto cleanup;

--
2.35.1

syzbot

Apr 13, 2022, 2:09:11 PM4/13/22
to syzkaller-a...@googlegroups.com, tadeus...@linaro.org
Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+f264bf...@syzkaller.appspotmail.com

Tested on:

commit: a1994480 Merge tag 'hardening-v5.18-rc3' of git://git...
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
kernel config: https://syzkaller.appspot.com/x/.config?x=e5c1703829c231c4
dashboard link: https://syzkaller.appspot.com/bug?extid=f264bffdfbd5614f3bb2
compiler: Debian clang version 13.0.1-++20220126092033+75e33f71c2da-1~exp1~20220126212112.63, GNU ld (GNU Binutils for Debian) 2.35.2
patch: https://syzkaller.appspot.com/x/patch.diff?x=10d6da04f00000

Note: testing is done by a robot and is best-effort only.