Re: bpf: Race condition in bpf_trampoline_unlink_cgroup_shim during concurrent cgroup LSM link release

public inbox for bpf@vger.kernel.org
 help / color / mirror / Atom feed

From: Martin KaFai Lau <martin.lau@linux.dev>
To: 梅开彦 <kaiyanm@hust.edu.cn>, "Stanislav Fomichev" <sdf@fomichev.me>
Cc: daniel@iogearbox.net, hust-os-kernel-patches@googlegroups.com,
	dddddd@hust.edu.cn, dzm91@hust.edu.cn, ast@kernel.org,
	bpf@vger.kernel.org
Subject: Re: bpf: Race condition in bpf_trampoline_unlink_cgroup_shim during concurrent cgroup LSM link release
Date: Mon, 1 Dec 2025 12:21:57 -0800	[thread overview]
Message-ID: <dd71a6ff-929d-4958-ac73-99b4852808e4@linux.dev> (raw)
In-Reply-To: <3c4ebb0b.46ff8.19abab8abe2.Coremail.kaiyanm@hust.edu.cn>

On 11/25/25 3:14 AM, 梅开彦 wrote:
> Our fuzzer discovered a race condition vulnerability in the BPF subsystem, specifically in the release path for cgroup-attached LSM programs. When multiple BPF cgroup links attached to the same LSM hook are released concurrently, a race condition in `bpf_trampoline_unlink_cgroup_shim` can lead to state corruption, triggering a kernel warning (`ODEBUG bug in __init_work`) and a subsequent kernel panic.
> 
> Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
> Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
> Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
> 
> ## Vulnerability Description
> 
> The vulnerability is triggered when multiple threads concurrently close file descriptors corresponding to `bpf_cgroup_link`s that share a common underlying `bpf_shim_tramp_link`. The `bpf_link_put` function, which is called during the release path, is not designed to handle concurrent calls on the same link instance when its reference count is low. This race leads to the re-initialization of an already-active `work_struct`, a memory state corruption that is detected by the kernel's debug objects feature.

I don't think concurrent bpf_link_put(same_link) is the issue. 
bpf_link_put uses an atomic link->refcnt to handle this situation.

The race should be between the bpf_link_put() in 
bpf_trampoline_unlink_cgroup_shim() and the cgroup_shim_find() in 
bpf_trampoline_link_cgroup_shim(). The cgroup_shim_find() in 
bpf_trampoline_link_cgroup_shim() gets a shim_link with a refcnt 0, then 
a UAF.

The changes in commit ab5d47bd41b1 ("bpf: Remove in_atomic() from 
bpf_link_put().") made this bug easier to manifest as in the reproducer 
because the bpf_trampoline_unlink_prog() is always delayed.

A potential fix is to check the link->refcnt in 
bpf_trampoline_unlink_cgroup_shim() and call 
bpf_trampoline_unlink_prog() when needed inside the 
mutex_lock(&tr->mutex). Cc: Stanislav

next prev parent reply	other threads:[~2025-12-01 20:22 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-11-25 11:14 bpf: Race condition in bpf_trampoline_unlink_cgroup_shim during concurrent cgroup LSM link release 梅开彦
2025-12-01 20:21 ` Martin KaFai Lau [this message]
2025-12-02  4:48   ` 梅开彦
2026-02-06  7:13   ` [PATCH] bpf: fix: Race condition in bpf_trampoline_unlink_cgroup_shim xulang
2026-02-06  7:50     ` bot+bpf-ci
2026-02-12 19:51     ` Martin KaFai Lau
2026-02-24  9:42       ` xulang
2026-02-25  6:54       ` [PATCH v2] " xulang
2026-02-25  7:38         ` bot+bpf-ci
2026-02-27 20:33           ` Martin KaFai Lau
2026-02-28  2:24             ` [PATCH bpf v3] " xulang
2026-02-28  3:04               ` bot+bpf-ci
2026-03-03  2:39                 ` Martin KaFai Lau
2026-03-03  8:36                   ` [PATCH bpf v4] " xulang
2026-03-03  9:28                     ` bot+bpf-ci
2026-03-03  9:52                       ` [PATCH bpf v5] bpf: fix: Race condition in bpf_trampoline_link_cgroup_shim xulang
2026-03-03 23:30                         ` patchwork-bot+netdevbpf
2026-03-03 23:30                     ` [PATCH bpf v4] bpf: fix: Race condition in bpf_trampoline_unlink_cgroup_shim patchwork-bot+netdevbpf
2026-03-03 23:46                       ` Martin KaFai Lau

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=dd71a6ff-929d-4958-ac73-99b4852808e4@linux.dev \
    --to=martin.lau@linux.dev \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=dddddd@hust.edu.cn \
    --cc=dzm91@hust.edu.cn \
    --cc=hust-os-kernel-patches@googlegroups.com \
    --cc=kaiyanm@hust.edu.cn \
    --cc=sdf@fomichev.me \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox