From: sashiko-bot@kernel.org
To: "Amery Hung" <ameryhung@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 08/15] bpf: Add a few bpf_cgroup_array_* helper functions
Date: Tue, 23 Jun 2026 22:25:38 +0000 [thread overview]
Message-ID: <20260623222538.B8DA81F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260623175006.3136053-9-ameryhung@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
Pre-existing issues:
- [High] Use-After-Free of BPF programs due to absolute index misuse in `replace_effective_prog`.
--
commit b4f54d11b7b09f1a7417ca11be6452325ecc5aaf
Author: Martin KaFai Lau <martin.lau@kernel.org>
bpf: Add a few bpf_cgroup_array_* helper functions
bpf_cgroup_array_length(), bpf_cgroup_array_copy_to_user(), and
bpf_cgroup_array_delete_safe_at() are added as a preparation work
to allow skipping the cfi_stubs in the upcoming patch.
> diff --git a/kernel/bpf/cgroup.c b/kernel/bpf/cgroup.c
> index 7abbe12e108f0..081d81de18163 100644
> --- a/kernel/bpf/cgroup.c
> +++ b/kernel/bpf/cgroup.c
[ ... ]
> @@ -1166,7 +1227,7 @@ static void purge_effective_progs(struct cgroup *cgrp, struct bpf_prog_list *pl,
> lockdep_is_held(&cgroup_mutex));
>
> /* Remove the program from the array */
> - WARN_ONCE(bpf_prog_array_delete_safe_at(progs, pos),
> + WARN_ONCE(bpf_cgroup_array_delete_safe_at(progs, pos, atype),
> "Failed to purge a prog from array at index %d", pos);
> }
> }
[Severity: High]
This is a pre-existing issue, but when purge_effective_progs() replaces a
program with a dummy in the effective array, does it cause an index mismatch
for subsequent operations?
Looking at replace_effective_prog(), it updates the effective array using a
logical index from effective_prog_pos() directly as an absolute index:
replace_effective_prog() {
...
pos = effective_prog_pos(desc, atype, pl);
...
item = &progs->items[pos];
prog_list_replace_item(pl, item);
}
If a previous detach operation failed to allocate memory and fell back to
purge_effective_progs(), it leaves a dummy program in the array while removing
the program from the logical list. Doesn't this mean pos is a logical index
that fails to account for the left-over dummy programs?
Unlike bpf_cgroup_array_delete_safe_at() which skips dummies to find the
correct physical index, replace_effective_prog() uses pos directly. Could
this cause replace_effective_prog() to overwrite the wrong entry and lead
to a use-after-free when the old program is freed via bpf_prog_put() in
__cgroup_bpf_replace()?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260623175006.3136053-1-ameryhung@gmail.com?part=8
next prev parent reply other threads:[~2026-06-23 22:25 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-23 17:49 [PATCH bpf-next v2 00/15] bpf: A common way to attach struct_ops to a cgroup Amery Hung
2026-06-23 17:49 ` [PATCH bpf-next v2 01/15] bpf: Remove __rcu tagging in st_link->map Amery Hung
2026-06-23 17:49 ` [PATCH bpf-next v2 02/15] bpf: Make struct_ops tasks_rcu grace period optional Amery Hung
2026-06-23 17:49 ` [PATCH bpf-next v2 03/15] bpf: Add bpf_struct_ops accessor helpers Amery Hung
2026-06-23 21:40 ` sashiko-bot
2026-06-23 17:49 ` [PATCH bpf-next v2 04/15] bpf: Remove unnecessary prog_list_prog() check Amery Hung
2026-06-23 17:49 ` [PATCH bpf-next v2 05/15] bpf: Replace prog_list_prog() check with direct pl->prog and pl->link check Amery Hung
2026-06-23 17:49 ` [PATCH bpf-next v2 06/15] bpf: Add prog_list_init_item(), prog_list_replace_item(), and prog_list_id() Amery Hung
2026-06-23 17:49 ` [PATCH bpf-next v2 07/15] bpf: Move LSM trampoline unlink into bpf_cgroup_link_auto_detach() Amery Hung
2026-06-23 17:49 ` [PATCH bpf-next v2 08/15] bpf: Add a few bpf_cgroup_array_* helper functions Amery Hung
2026-06-23 22:25 ` sashiko-bot [this message]
2026-06-23 17:49 ` [PATCH bpf-next v2 09/15] bpf: Add infrastructure to support attaching struct_ops to cgroups Amery Hung
2026-06-23 22:53 ` sashiko-bot
2026-06-23 17:49 ` [PATCH bpf-next v2 10/15] bpf: Allow all struct_ops to use bpf_dynptr_from_skb() Amery Hung
2026-06-23 17:49 ` [PATCH bpf-next v2 11/15] bpf: tcp: Support selected sock_ops callbacks as struct_ops Amery Hung
2026-06-23 23:22 ` sashiko-bot
2026-06-23 17:50 ` [PATCH bpf-next v2 12/15] bpf: tcp: Support parse/len/write header option hooks in bpf_tcp_ops Amery Hung
2026-06-23 23:40 ` sashiko-bot
2026-06-23 17:50 ` [PATCH bpf-next v2 13/15] libbpf: Support attaching struct_ops to a cgroup Amery Hung
2026-06-23 23:53 ` sashiko-bot
2026-06-23 17:50 ` [PATCH bpf-next v2 14/15] selftests/bpf: Test " Amery Hung
2026-06-24 0:03 ` sashiko-bot
2026-06-23 17:50 ` [PATCH bpf-next v2 15/15] selftests/bpf: Add test for bpf_tcp_ops header option hooks Amery Hung
2026-06-24 0:14 ` sashiko-bot
[not found] ` <0e6fb8d7eca4b5494e08a2230056e333bdd814d97c16784b3e1f7687b3640990@mail.kernel.org>
2026-06-23 21:11 ` [PATCH bpf-next v2 00/15] bpf: A common way to attach struct_ops to a cgroup Amery Hung
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260623222538.B8DA81F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=ameryhung@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.