Re: [PATCH bpf-next 2/4] bpf: Use rcu_work in BTF teardown

[sashiko-bot@kernel.org]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Use-After-Free in `btf_module_notify()` when flushing RCU work after `btf_put()`.
--

commit dc547d68e9d5193df746bf0203a1b6ef30ad4a58
Author: Justin Suess <utilityemal77@gmail.com>

bpf: Use rcu_work in BTF teardown

This commit queues the final BTF teardown from an RCU callback onto
an rcu_work. This ensures all RCU grace periods cease before proceeding
with the free work, allowing synchronous teardown for subsequent patches.

> diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
> index 77af44d8a3ad..2b0511663319 100644
> --- a/kernel/bpf/btf.c
> +++ b/kernel/bpf/btf.c

[ ... ]

> @@ -8446,6 +8451,7 @@ static int btf_module_notify(struct notifier_block *nb, unsigned long op,
>  				sysfs_remove_bin_file(btf_kobj, btf_mod->sysfs_attr);
>  			purge_cand_cache(btf_mod->btf);
>  			btf_put(btf_mod->btf);
> +			flush_rcu_work(&btf_mod->btf->free_work);

Can this result in a use-after-free regression of the btf object?

When btf_put() drops the module's reference to the BTF object, the current
thread no longer owns a reference. If this was the last reference,
queue_rcu_work() is invoked to asynchronously free the btf object after
an RCU grace period.

Because the thread is no longer inside an RCU read-side critical section,
it can be preempted before flush_rcu_work() runs. During this preemption
window, the RCU grace period could expire, allowing the background workqueue
to execute btf_free_work() and free the btf object via kfree().

When the thread resumes, flush_rcu_work() evaluates &btf_mod->btf->free_work
and checks its internal state. Does this directly dereference the
potentially freed btf memory?

>  			kfree(btf_mod->sysfs_attr);
>  			kfree(btf_mod);
>  			break;

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260428201422.1518903-1-utilityemal77@gmail.com?part=2