From: Leon Hwang <leon.hwang@linux.dev>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: bot+bpf-ci@kernel.org, bpf <bpf@vger.kernel.org>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Martin KaFai Lau <martin.lau@linux.dev>,
Eduard <eddyz87@gmail.com>, Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
John Fastabend <john.fastabend@gmail.com>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>, Hao Luo <haoluo@google.com>,
Jiri Olsa <jolsa@kernel.org>, Shuah Khan <shuah@kernel.org>,
Christian Brauner <brauner@kernel.org>,
Oleg Nesterov <oleg@redhat.com>,
sforshee@kernel.org, yuichtsu@amazon.com, aalbersh@redhat.com,
Willem de Bruijn <willemb@google.com>,
Jason Xing <kerneljasonxing@gmail.com>,
Paul Chaignon <paul.chaignon@gmail.com>,
Mykyta Yatsenko <yatsenko@meta.com>,
Kumar Kartikeya Dwivedi <memxor@gmail.com>,
Anton Protopopov <a.s.protopopov@gmail.com>,
Amery Hung <ameryhung@gmail.com>, Rong Tao <rongtao@cestc.cn>,
LKML <linux-kernel@vger.kernel.org>,
Linux API <linux-api@vger.kernel.org>,
"open list:KERNEL SELFTEST FRAMEWORK"
<linux-kselftest@vger.kernel.org>,
kernel-patches-bot@fb.com,
Martin KaFai Lau <martin.lau@kernel.org>,
Chris Mason <clm@meta.com>,
Ihor Solodrai <ihor.solodrai@linux.dev>
Subject: Re: [RESEND PATCH bpf-next v4 7/9] bpf: Add common attr support for map_create
Date: Wed, 7 Jan 2026 14:31:48 +0800
Message-ID: <a936f459-a7a1-431d-8ef8-cae5cf4d2196@linux.dev>
In-Reply-To: <CAADnVQJLifBhcpe5ci7FBB2uzTR5OXPji5RPq2NLSoVXpTfScg@mail.gmail.com>

On 7/1/26 14:20, Alexei Starovoitov wrote:
> On Tue, Jan 6, 2026 at 9:57 PM Leon Hwang <leon.hwang@linux.dev> wrote:
>>
>>
>>
>> On 7/1/26 01:44, bot+bpf-ci@kernel.org wrote:
>>>> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
>>>> index 14fc5738f2b9..e64cc7504731 100644
>>>> --- a/kernel/bpf/syscall.c
>>>> +++ b/kernel/bpf/syscall.c
>>>
>>> [ ... ]
>>>
>>>> @@ -6279,7 +6345,11 @@ static int __sys_bpf(enum bpf_cmd cmd, bpfptr_t uattr, unsigned int size,
>>>>
>>>> switch (cmd) {
>>>> case BPF_MAP_CREATE:
>>>> - err = map_create(&attr, uattr);
>>>> + common_attrs.log_true_size = 0;
>>>> + err = map_create(&attr, uattr, &common_attrs);
>>>> + ret = copy_common_attr_log_true_size(uattr_common, size_common,
>>>> + &common_attrs.log_true_size);
>>>> + err = ret ? ret : err;
>>>
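
Review bot: At `err = ret ? ret : err;`, a failure in copy_common_attr_log_true_size() replaces whatever map_create() returned. On the success path that discards the fd value the caller needs, and on the failure path it hides map_create()'s own error code behind the copy error. Consider reporting log_true_size inside map_create() before its result is final, so this call site can return err unchanged.
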
>>> When map_create() succeeds, it returns a file descriptor that is already
>>> installed in the caller's fd table via bpf_map_new_fd(). If
>>> copy_common_attr_log_true_size() then fails (e.g., user provided a
>>> read-only buffer for uattr_common), the syscall returns -EFAULT but the
>>> fd remains installed.
>>>
>>> Could this leak the file descriptor? The user gets an error and has no
>>> way to know what fd number was allocated, so they cannot close it.
>>>
>>
>> Good catch — you’re right.
>>
>> If 'map_create()' succeeds and 'copy_common_attr_log_true_size()' later
>> fails (e.g. returning -EFAULT), the newly created file descriptor would
>> remain installed and could be leaked.
>>
>> I’ll fix this in the next revision by explicitly closing the fd when
>> ret is non-zero.
>
> No. The refactoring was wrong. Don't make the kernel do extra work.
> Patch 3 introduced a bug and closing fd is not a solution.
> Such a pattern can be exploited for DoS.

You’re right — closing the fd after the fact is not the correct
solution, and introducing extra work in the kernel is undesirable. Doing
so could also open the door to DoS-style abuse.

The correct approach is to copy log_true_size into common_attrs
before allocating and installing the new fd, so that a failure in
copying cannot leave behind a partially created object.

I’ll rework this accordingly in the next revision.

Thanks,
Leon
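
Added example, not part of the original message or the patch series: a toy user-space C model of the two orderings discussed in this thread, showing why the fallible copy has to finish before the fd is installed. fd_table, copy_out() and install_fd() are hypothetical stand-ins for the fd table, copy_to_user() and fd allocation/installation, and LOG_TRUE_SIZE is a constructed value.

```c
#include <errno.h>
#include <stdbool.h>

/* Toy user-space model, not kernel code. All names are hypothetical. */
#define MAX_FDS 8
#define LOG_TRUE_SIZE 42u               /* constructed sample value */
static bool fd_table[MAX_FDS];          /* slot i true => fd i is installed */
struct user_buf { unsigned int value; bool writable; }; /* models a __user ptr */

/* Models copy_to_user(): fails with -EFAULT on a read-only destination. */
static int copy_out(struct user_buf *dst, unsigned int v)
{
    if (!dst || !dst->writable)
        return -EFAULT;
    dst->value = v;
    return 0;
}

/* Models fd allocation plus install: once done, user space owns the fd. */
static int install_fd(void)
{
    for (int i = 0; i < MAX_FDS; i++)
        if (!fd_table[i]) {
            fd_table[i] = true;
            return i;
        }
    return -EMFILE;
}

static int open_fds(void)
{
    int n = 0;
    for (int i = 0; i < MAX_FDS; i++)
        n += fd_table[i];
    return n;
}

/* Ordering in the quoted hunk: install first, copy afterwards. */
static int create_install_then_copy(struct user_buf *u)
{
    int fd = install_fd();
    int ret = copy_out(u, LOG_TRUE_SIZE);
    return ret ? ret : fd;  /* on -EFAULT the fd stays installed, unreported */
}

/* Ordering proposed in the reply: finish the fallible copy, then install. */
static int create_copy_then_install(struct user_buf *u)
{
    int ret = copy_out(u, LOG_TRUE_SIZE);
    return ret ? ret : install_fd();
}

int main(void) { struct user_buf ro = { 0, false }; create_install_then_copy(&ro); return open_fds() == 1 ? 0 : 1; }
```
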