From: Martin KaFai Lau <martin.lau@linux.dev>
To: Amery Hung <ameryhung@gmail.com>
Cc: sashiko-reviews@lists.linux.dev, bpf@vger.kernel.org
Subject: Re: [RFC PATCH bpf-next 09/12] bpf: Add infrastructure to support attaching struct_ops to cgroups
Date: Tue, 26 May 2026 14:37:13 -0700 [thread overview]
Message-ID: <2026526211020.HhEJ.martin.lau@linux.dev> (raw)
In-Reply-To: <CAMB2axPDDom8sD7u+2Fgo9dZO1ereX-unai8EW1SmsiDrnzzwQ@mail.gmail.com>
On Tue, May 26, 2026 at 10:54:00AM -0700, Amery Hung wrote:
> > > > +static enum cgroup_bpf_attach_type find_atype_by_struct_ops_id(u32 type_id)
> > >
> > > [ ... ]
> > >
> > > > static void *bpf_cgroup_array_dummy(enum cgroup_bpf_attach_type atype)
> > > > {
> > > > + if (cgroup_bpf_is_struct_ops_atype(atype))
> > > > + return struct_ops_cfi_stubs[atype];
> > > > return bpf_prog_dummy();
> > > > }
> > >
> > > [Severity: High]
> > > Can using a loadable module's cfi_stubs as a dummy sentinel cause a
> > > use-after-free when the module is unloaded and reloaded?
> > >
> > > If all maps are detached, the module providing the struct_ops can be unloaded,
> > > and its cfi_stubs memory freed. However, the cgroup's effective array might
> > > still retain the dangling pointer to the freed cfi_stubs if BPF_F_ALLOW_MULTI
> > > was set.
> > >
> > > If the module is reloaded, cgroup_bpf_struct_ops_register() updates
> > > struct_ops_cfi_stubs[atype] with a new pointer. If a user then queries the
> > > cgroup via BPF_PROG_QUERY, the loop checks
> > > item->prog == bpf_cgroup_array_dummy(atype) to skip the dummy. Since the
> > > array contains the old freed pointer, it won't match the new cfi_stubs
> > > pointer, and the query loop might mistakenly treat the old dummy as a valid
> > > map, causing a use-after-free when calling bpf_struct_ops_kdata_map_id().
> >
> > Agree. This will be an issue on BPF_PROG_QUERY when the module reload.
> > I did think about the module reload case but I have only considered the
> > rcu-reader in bpf_cgroup_struct_ops_foreach.
> > BPF_PROG_QUERY does not use rcu_read_lock and depends on cgroup_lock.
> > This will need to be addressed.
> >
>
> Also thinking of the potential problems of leaving dangling cfi_stubs,
> but I don't see any other cases.
>
> In this instance, it seems adding a cgroup_bpf_enabled() guard in
> __cgroup_bpf_query should be enough. The dangling cfi_stubs will not
> be cleared until update_effective_progs(), which happens during the
> first struct_ops map attachment. cgroup_bpf_enabled() will be false
> until a struct_ops map is attached.
In __cgroup_struct_ops_link_detach, the static_branch_dec is done without
the cgroup_lock() for now. May be moving it before the cgroup_unlock()
is enough?
__cgroup_bpf_query() has already held cgroup_lock(). I was thinking to
use cgroup_lock() in cgroup_bpf_struct_ops_register() also but it will
need a cgroup_bpf_struct_ops_"un"register() when the module is in
MODULE_STATE_GOING.
Either way, this should fail early in __cgroup_bpf_query() once detected.
next prev parent reply other threads:[~2026-05-26 21:37 UTC|newest]
Thread overview: 25+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-19 21:58 [RFC PATCH bpf-next 00/12] bpf: A common way to attach struct_ops to a cgroup Martin KaFai Lau
2026-05-19 21:58 ` [RFC PATCH bpf-next 01/12] bpf: Remove __rcu tagging in st_link->map Martin KaFai Lau
2026-05-19 21:58 ` [RFC PATCH bpf-next 02/12] bpf: Make struct_ops tasks_rcu grace period optional Martin KaFai Lau
2026-05-19 22:54 ` sashiko-bot
2026-05-20 0:25 ` Martin KaFai Lau
2026-05-19 21:58 ` [RFC PATCH bpf-next 03/12] bpf: Add bpf_struct_ops accessor helpers Martin KaFai Lau
2026-05-19 22:25 ` sashiko-bot
2026-05-19 21:58 ` [RFC PATCH bpf-next 04/12] bpf: Remove unnecessary prog_list_prog() check Martin KaFai Lau
2026-05-19 22:49 ` sashiko-bot
2026-05-19 21:58 ` [RFC PATCH bpf-next 05/12] bpf: Replace prog_list_prog() check with direct pl->prog and pl->link check Martin KaFai Lau
2026-05-19 21:58 ` [RFC PATCH bpf-next 06/12] bpf: Add prog_list_init_item(), prog_list_replace_item(), and prog_list_id() Martin KaFai Lau
2026-05-19 21:58 ` [RFC PATCH bpf-next 07/12] bpf: Move LSM trampoline unlink into bpf_cgroup_link_auto_detach() Martin KaFai Lau
2026-05-19 21:58 ` [RFC PATCH bpf-next 08/12] bpf: Add a few bpf_cgroup_array_* helper functions Martin KaFai Lau
2026-05-19 22:45 ` sashiko-bot
2026-05-19 22:50 ` Martin KaFai Lau
2026-05-19 21:58 ` [RFC PATCH bpf-next 09/12] bpf: Add infrastructure to support attaching struct_ops to cgroups Martin KaFai Lau
2026-05-19 22:50 ` sashiko-bot
2026-05-19 23:56 ` Martin KaFai Lau
2026-05-26 17:54 ` Amery Hung
2026-05-26 21:37 ` Martin KaFai Lau [this message]
2026-05-26 22:23 ` Amery Hung
2026-05-19 21:58 ` [RFC PATCH bpf-next 10/12] bpf: tcp: Support selected sock_ops callbacks as struct_ops Martin KaFai Lau
2026-05-19 21:58 ` [RFC PATCH bpf-next 11/12] libbpf: Support attaching struct_ops to a cgroup Martin KaFai Lau
2026-05-19 21:58 ` [RFC PATCH bpf-next 12/12] selftests/bpf: Test " Martin KaFai Lau
2026-05-19 23:03 ` sashiko-bot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2026526211020.HhEJ.martin.lau@linux.dev \
--to=martin.lau@linux.dev \
--cc=ameryhung@gmail.com \
--cc=bpf@vger.kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.