From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Fri, 24 Apr 2026 23:52:46 +0000
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org
Mime-Version: 1.0
X-Mailer: git-send-email 2.54.0.rc2.544.gc7ae2d5bb8-goog
Message-ID: <20260424235247.1990272-1-kuniyu@google.com>
Subject: [PATCH v1 bpf] bpf: Free reuseport cBPF prog after RCU grace period.
From: Kuniyuki Iwashima
To: Martin KaFai Lau, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: Kuniyuki Iwashima, Kuniyuki Iwashima, bpf@vger.kernel.org, netdev@vger.kernel.org, Eulgyu Kim
Content-Type: text/plain; charset="UTF-8"

Eulgyu Kim reported the splat below with a repro. [0]

The repro sets up a UDP reuseport group with a cBPF prog and replaces
it with a new one while another thread is sending a UDP packet to the
group.

The reuseport prog is freed by sk_reuseport_prog_free().  bpf_prog_put()
is called for "e"BPF prog to destruct through multiple stages while cBPF
prog is freed immediately by bpf_release_orig_filter() and bpf_prog_free().

If a reuseport prog is detached from the setsockopt() path
(reuseport_attach_prog() or reuseport_detach_prog()),
sk_reuseport_prog_free() is called without waiting for RCU readers to
complete, resulting in various bugs.

Let's defer freeing the reuseport cBPF prog after one RCU grace period.

Note "e"BPF prog is safe as is unless the fast path starts to touch fields
destroyed in bpf_prog_put_deferred() and __bpf_prog_put_noref().
[0]:
BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
Read of size 4 at addr ffffc9000051e004 by task slowme/10208

CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_address_description mm/kasan/report.c:378 [inline]
 print_report+0xca/0x240 mm/kasan/report.c:482
 kasan_report+0x118/0x150 mm/kasan/report.c:595
 reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
 udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
 __udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
 __udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
 __udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
 ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
 ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
 NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
 __netif_receive_skb_one_core net/core/dev.c:6181 [inline]
 __netif_receive_skb net/core/dev.c:6294 [inline]
 process_backlog+0xaa4/0x1960 net/core/dev.c:6645
 __napi_poll+0xae/0x340 net/core/dev.c:7709
 napi_poll net/core/dev.c:7772 [inline]
 net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
 handle_softirqs+0x22b/0x870 kernel/softirq.c:622
 do_softirq+0x76/0xd0 kernel/softirq.c:523
 __local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
 __dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
 neigh_output include/net/neighbour.h:556 [inline]
 ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
 NF_HOOK_COND include/linux/netfilter.h:307 [inline]
 ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
 ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
 udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
 udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg net/socket.c:742 [inline]
 __sys_sendto+0x554/0x680 net/socket.c:2206
 __do_sys_sendto net/socket.c:2213 [inline]
 __se_sys_sendto net/socket.c:2209 [inline]
 __x64_sys_sendto+0xde/0x100 net/socket.c:2209
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x415a2d
Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d
RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003
RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000212 R12: 00007f6bc31e46c0
R13: ffffffffffffffb8 R14: 0000000000000000 R15: 00007ffc9b0d70b0

Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
Reported-by: Eulgyu Kim
Signed-off-by: Kuniyuki Iwashima
---
 net/core/filter.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/net/core/filter.c b/net/core/filter.c
index bc96c18df4e0..dba4c9340bb7 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1654,15 +1654,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk) return err; } -void sk_reuseport_prog_free(struct bpf_prog *prog) +static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu) +{ + struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu); + struct bpf_prog *prog = aux->prog; + + bpf_release_orig_filter(prog); + bpf_prog_free(prog); +} + +void sk_reuseport_prog_free(struct bpf_prog *prog, bool wait_rcu) { if (!prog) return; - if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT) - bpf_prog_put(prog); + if (bpf_prog_was_classic(prog)) + call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu); else - bpf_prog_destroy(prog); + bpf_prog_put(prog); } static inline int __bpf_try_make_writable(struct sk_buff *skb, -- 2.54.0.rc2.544.gc7ae2d5bb8-goog
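Review bot: the new "bool wait_rcu" parameter added to sk_reuseport_prog_free() is never read anywhere in the function body, and the diffstat lists only net/core/filter.c, so the declaration in the header and the existing callers on the attach/detach paths named in the commit message (reuseport_attach_prog() and reuseport_detach_prog()) still use the one-argument form and this will not build as posted. Either drop wait_rcu, or update the prototype and every caller in the same patch and actually honour the flag, for example by selecting between "call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu);" and an immediate "bpf_release_orig_filter(prog); bpf_prog_free(prog);" for a caller that has already waited for a grace period. Separately, the else branch now calls bpf_prog_put() for every non-classic prog where the old code only did so for BPF_PROG_TYPE_SK_REUSEPORT and used bpf_prog_destroy() otherwise; a sentence in the commit message stating that every non-classic prog reaching this function is a refcounted eBPF prog would make that change reviewable on its own.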