BPF List
From: "Alexei Starovoitov" <alexei.starovoitov@gmail.com>
To: "Sanghyun Park" <sanghyun.park.cnu@gmail.com>,
	<yonghong.song@linux.dev>, <ast@kernel.org>,
	<daniel@iogearbox.net>, <andrii@kernel.org>
Cc: <bpf@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	<puranjay@kernel.org>
Subject: Re: [PATCH bpf v3] bpf: Fix use-after-free on mm_struct in bpf_find_vma()
Date: Tue, 09 Jun 2026 11:25:44 -0700
Message-ID: <DJ4QA5I3YRHJ.2C8RP02UQ0TPB@gmail.com>
In-Reply-To: <20260609105216.3536839-1-sanghyun.park.cnu@gmail.com>

On Tue Jun 9, 2026 at 3:52 AM PDT, Sanghyun Park wrote:
> bpf_find_vma() reads task->mm and calls mmap_read_trylock(mm) without
> holding a reference on the mm. On a foreign task, a concurrent exit_mm()
> can free the mm_struct between the lockless read and the trylock,
> resulting in a use-after-free. mm_struct is not SLAB_TYPESAFE_BY_RCU.
>
> For the current task, task->mm is stable. For a foreign task, pin the mm
> under task->alloc_lock and release it with mmput_async(), mirroring commit
> d8e27d2d22b6 ("bpf: fix mm lifecycle in open-coded task_vma iterator").
> Use spin_trylock() instead of get_task_mm() so BPF context does not block
> on alloc_lock. Reject irqs-disabled contexts and !CONFIG_MMU on the
> foreign-task path because dropping the mm reference is not safe there.
>
> Race:
>
>   CPU0 (BPF program)                  CPU1 (exiting task)
>   ============================        ==========================
>   bpf_find_vma(foreign_task):
>     mm = task->mm
>                                       exit_mm():
>                                         task->mm = NULL
>                                         mmput(mm) -> frees mm_struct
>     mmap_read_trylock(mm)
>       // UAF on mm
>
> Fixes: 7c7e3d31e785 ("bpf: Introduce helper bpf_find_vma")
> Signed-off-by: Sanghyun Park <sanghyun.park.cnu@gmail.com>
> ---
> v3:
>  - Drop get_task_mm()+mmput(); mirror d8e27d2d22b6 with alloc_lock
>    trylock + mmput_async(). (Yonghong Song)
>  - Reject irqs-disabled contexts on the foreign-task path.
>  - Reject foreign-task path when !CONFIG_MMU: bpf_iter_mmput_async()
>    falls back to mmput() which may sleep, and bpf_find_vma() can run
>    in non-sleepable context.
>  - Shorten the foreign-task rationale comment and trim the changelog body.
>  - Fix the v2's whitespace damage.

Pls use [PATCH bpf-next] subject.

pw-bot: cr
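A user-space model of the race and of the pinning pattern the quoted changelog describes, added here as an illustration; it is not the patch and not kernel code. The `_model` structs and functions, the integer refcount standing in for `mm_users`, the `alloc_locked` flag standing in for `alloc_lock`, and the `freed` flag standing in for the actual free are all constructed so the scenario runs without a kernel.

```c
/* Added illustration of the mm lifecycle bug and fix from the changelog.
 * Not kernel code: refcount, lock and "freeing" are simplified stand-ins. */
#include <stdbool.h>
#include <stddef.h>
struct mm_model { int users; bool freed; int vma_count; };    /* users ~ mm->mm_users */
struct task_model { struct mm_model *mm; bool alloc_locked; }; /* alloc_locked ~ alloc_lock */
/* mmput(): drop one reference; the mm is "freed" when the count hits zero. */
static void mmput_model(struct mm_model *mm) { if (--mm->users == 0) mm->freed = true; }
/* mmget_not_zero(): take a reference only while the mm is still alive. */
static bool mmget_not_zero_model(struct mm_model *mm) {
    if (mm->users == 0) return false;
    mm->users++; return true;
}
/* exit_mm() on the exiting task: clear task->mm, then drop the task's ref. */
static void exit_mm_model(struct task_model *t) {
    struct mm_model *mm = t->mm;
    t->mm = NULL;
    mmput_model(mm);
}
/* Foreign-task path after the fix: bail out with irqs disabled, trylock
 * alloc_lock (never block from BPF), read task->mm under the lock and pin it
 * before anything else touches the mm. NULL means "no mm / could not pin". */
static struct mm_model *pin_mm(struct task_model *t, bool irqs_disabled) {
    if (irqs_disabled || t->alloc_locked) return NULL;   /* spin_trylock() failed */
    t->alloc_locked = true;
    struct mm_model *mm = t->mm;
    if (mm && !mmget_not_zero_model(mm)) mm = NULL;
    t->alloc_locked = false;
    return mm;
}
/* The changelog's interleaving with the unfixed lockless read of task->mm. */
static bool unpinned_reader_hits_uaf(void) {
    struct mm_model mm = { .users = 1, .vma_count = 3 };
    struct task_model t = { .mm = &mm };
    struct mm_model *snap = t.mm;   /* CPU0: mm = task->mm, no reference taken */
    exit_mm_model(&t);              /* CPU1: task->mm = NULL; mmput() frees it */
    return snap->freed;             /* CPU0: mmap_read_trylock(mm) would be a UAF */
}
/* Same interleaving with the pin: the extra reference keeps the mm alive. */
static int pinned_reader_count(void) {
    struct mm_model mm = { .users = 1, .vma_count = 3 };
    struct task_model t = { .mm = &mm };
    struct mm_model *p = pin_mm(&t, false);  /* CPU0: users is now 2 */
    exit_mm_model(&t);                       /* CPU1 drops only its own reference */
    int n = (p && !p->freed) ? p->vma_count : -1;
    if (p) mmput_model(p);                   /* mmput_async() in the changelog */
    return n;                                /* 3: the mm outlived exit_mm() */
}
/* Pin attempted only after exit_mm(): task->mm is NULL, so nothing is touched. */
static bool pin_after_exit_is_null(void) {
    struct mm_model mm = { .users = 1, .vma_count = 3 };
    struct task_model t = { .mm = &mm };
    exit_mm_model(&t);
    return pin_mm(&t, false) == NULL && pin_mm(&t, true) == NULL;
}
```

The model is single-threaded on purpose: the two "CPU" steps are called in the exact order of the changelog's race diagram, so the outcome is deterministic and the difference between the unpinned and pinned readers is the reference taken under `alloc_lock`.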
