From: Jiri Olsa <olsajiri@gmail.com>
To: gregkh@linuxfoundation.org
Cc: andrii@kernel.org, stable@vger.kernel.org
Subject: Re: FAILED: patch "[PATCH] bpf,perf: Fix invalid prog_array access in" failed to apply to 5.15-stable tree
Date: Mon, 16 Dec 2024 10:39:44 +0100
Message-ID: <Z1_1YKhjE1FSBAlO@krava>
In-Reply-To: <2024121506-pancreas-mosaic-0ae0@gregkh>

On Sun, Dec 15, 2024 at 10:02:07AM +0100, gregkh@linuxfoundation.org wrote:
> 
> The patch below does not apply to the 5.15-stable tree.
> If someone wants it applied there, or to any other stable or longterm
> tree, then please email the backport, including the original git commit
> id to <stable@vger.kernel.org>.

hi,
there's a conflict because 5.15.y is not getting the [1] fix (because 5.15.y does not have [2]),
I'll send a new backport

jirka


[1] ef1b808e3b7c bpf: Fix UAF via mismatching bpf_prog/attachment RCU flavors
[2] 8c7dcb84e3b7 bpf: implement sleepable uprobes by chaining gps

> 
> To reproduce the conflict and resubmit, you may use the following commands:
> 
> git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.15.y
> git checkout FETCH_HEAD
> git cherry-pick -x 978c4486cca5c7b9253d3ab98a88c8e769cb9bbd
> # <resolve conflicts, build, test, etc.>
> git commit -s
> git send-email --to '<stable@vger.kernel.org>' --in-reply-to '2024121506-pancreas-mosaic-0ae0@gregkh' --subject-prefix 'PATCH 5.15.y' HEAD^..
> 
> Possible dependencies:
> 
> 
> 
> thanks,
> 
> greg k-h
> 
> ------------------ original commit in Linus's tree ------------------
> 
> From 978c4486cca5c7b9253d3ab98a88c8e769cb9bbd Mon Sep 17 00:00:00 2001
> From: Jiri Olsa <jolsa@kernel.org>
> Date: Sun, 8 Dec 2024 15:25:07 +0100
> Subject: [PATCH] bpf,perf: Fix invalid prog_array access in
>  perf_event_detach_bpf_prog
> 
> Syzbot reported [1] a crash that happens for the following tracing scenario:
> 
>   - create tracepoint perf event with attr.inherit=1, attach it to the
>     process and set bpf program to it
>   - attached process forks -> child creates inherited event
> 
>     the new child event shares the parent's bpf program and tp_event
>     (hence prog_array) which is global for tracepoint
> 
>   - exit both process and its child -> release both events
>   - first perf_event_detach_bpf_prog call will release tp_event->prog_array
>     and second perf_event_detach_bpf_prog will crash, because
>     tp_event->prog_array is NULL
> 
> The fix makes sure the perf_event_detach_bpf_prog checks prog_array
> is valid before it tries to remove the bpf program from it.
> 
> [1] https://lore.kernel.org/bpf/Z1MR6dCIKajNS6nU@krava/T/#m91dbf0688221ec7a7fc95e896a7ef9ff93b0b8ad
> 
> Fixes: 0ee288e69d03 ("bpf,perf: Fix perf_event_detach_bpf_prog error handling")
> Reported-by: syzbot+2e0d2840414ce817aaac@syzkaller.appspotmail.com
> Signed-off-by: Jiri Olsa <jolsa@kernel.org>
> Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
> Link: https://lore.kernel.org/bpf/20241208142507.1207698-1-jolsa@kernel.org
> 
> diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
> index a403b05a7091..1b8db5aee9d3 100644
> --- a/kernel/trace/bpf_trace.c
> +++ b/kernel/trace/bpf_trace.c
> @@ -2250,6 +2250,9 @@ void perf_event_detach_bpf_prog(struct perf_event *event)
>  		goto unlock;
>  
>  	old_array = bpf_event_rcu_dereference(event->tp_event->prog_array);
> +	if (!old_array)
> +		goto put;
> +
>  	ret = bpf_prog_array_copy(old_array, event->prog, NULL, 0, &new_array);
>  	if (ret < 0) {
>  		bpf_prog_array_delete_safe(old_array, event->prog);
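
Review bot: the new `if (!old_array)` check right after bpf_event_rcu_dereference() carries no comment saying why a NULL prog_array is an expected state here rather than a bug. The commit message explains it (an inherited child event shares tp_event, so the first detach can already have released the array), but a reader of bpf_trace.c will not see that, and a short comment above the check would keep it from being dropped later as dead code. It is also worth confirming that nothing after the put label reads ret or new_array, since both are assigned only by the bpf_prog_array_copy() call that this path skips.
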
> @@ -2258,6 +2261,7 @@ void perf_event_detach_bpf_prog(struct perf_event *event)
>  		bpf_prog_array_free_sleepable(old_array);
>  	}
>  
> +put:
>  	/*
>  	 * It could be that the bpf_prog is not sleepable (and will be freed
>  	 * via normal RCU), but is called from a point that supports sleepable
> 
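
Review bot: the `put:` label is anchored on context that the 5.15.y tree may not have: the line above it calls bpf_prog_array_free_sleepable() and the comment below it talks about sleepable programs, while the reply above says 5.15.y does not have the sleepable uprobes commit [2]. For the backport, place the label against that tree's own tail of perf_event_detach_bpf_prog() and check that the NULL prog_array path still runs the same release steps as the normal path, rather than carrying this context over by hand.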
