From: Martin KaFai Lau <martin.lau@linux.dev>
To: ameryhung@gmail.com
Cc: netdev@vger.kernel.org, alexei.starovoitov@gmail.com,
andrii@kernel.org, daniel@iogearbox.net, tj@kernel.org,
martin.lau@kernel.org, kernel-team@meta.com, ast@kernel.org,
eddyz87@gmail.com, yonghong.song@linux.dev, clm@meta.com,
ihor.solodrai@linux.dev, bpf@vger.kernel.org,
bot+bpf-ci@kernel.org
Subject: Re: [PATCH bpf-next v6 2/6] bpf: Support associating BPF program with struct_ops
Date: Mon, 17 Nov 2025 13:39:44 -0800
Message-ID: <c891d752-33cc-413d-8311-dcf8afbf339d@linux.dev>
In-Reply-To: <16d43cdc90504cad5143df62b3d40f325a271aeca0adc521c6fef711023f90ef@mail.kernel.org>
On 11/14/25 2:51 PM, bot+bpf-ci@kernel.org wrote:
>> diff --git a/kernel/bpf/bpf_struct_ops.c b/kernel/bpf/bpf_struct_ops.c
>> index a41e6730e..626aa9197 100644
>> --- a/kernel/bpf/bpf_struct_ops.c
>> +++ b/kernel/bpf/bpf_struct_ops.c
>
> [ ... ]
>
>> @@ -811,6 +822,12 @@ static long bpf_struct_ops_map_update_elem(struct bpf_map *map, void *key,
>> bpf_link_init(&link->link, BPF_LINK_TYPE_STRUCT_OPS,
>> &bpf_struct_ops_link_lops, prog, prog->expected_attach_type);
>> *plink++ = &link->link;
>> +
>> + err = bpf_prog_assoc_struct_ops(prog, &st_map->map);
>> + if (err) {
>> + bpf_prog_put(prog);
>> + goto reset_unlock;
>> + }
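Review bot: the `bpf_prog_put(prog)` in this error path releases a reference the function no longer owns: `bpf_link_init(...)` two lines earlier handed `prog` to the link, and `*plink++ = &link->link` stored that link in `st_map`, so the `reset_unlock` cleanup will put the same reference again through `bpf_struct_ops_map_put_progs()` -> `bpf_link_put()`. Either drop the `bpf_prog_put(prog)` and let the link cleanup release it, or, if `bpf_prog_assoc_struct_ops()` cannot fail for a struct_ops program, drop the `if (err)` branch rather than keep an unreachable path that double-puts.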
>
> Can this double-put the prog reference? In bpf_struct_ops_map_update_elem:
>
> prog = bpf_prog_get(prog_fd);                // refcnt = 1
> bpf_link_init(..., prog, ...);               // link takes ownership
> *plink++ = &link->link;                      // link stored in st_map
> err = bpf_prog_assoc_struct_ops(prog, ...);
> if (err) {
>         bpf_prog_put(prog);                  // refcnt = 0, prog freed
>         goto reset_unlock;
> }
>
> Then at reset_unlock:
>
> bpf_struct_ops_map_put_progs(st_map); // calls bpf_link_put(link)
>
> The bpf_link_put will eventually call bpf_link_dealloc()->bpf_prog_put(link->prog),
> attempting to put the already-freed prog reference. This looks like a use-after-free
> if bpf_prog_assoc_struct_ops fails (which can happen when a non-struct_ops program
> is already associated and returns -EBUSY).
The ai-review should be correct in general on the double bpf_prog_put.
>
> Should the error path skip the bpf_prog_put and let bpf_struct_ops_map_put_progs
> handle the cleanup via the link?
bpf_prog_assoc_struct_ops will never return error for
BPF_PROG_TYPE_STRUCT_OPS. If that is the case, maybe completely remove
the err check.
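The double-put the bot walks through above, as an added example: a constructed refcount model in plain C, not kernel code, that mirrors the ownership flow of the hunk (get, link takes ownership, link stored in the map, error path, map cleanup). `put_on_error` replicates the extra put in the patch; `assoc_fails` stands in for `bpf_prog_assoc_struct_ops()` returning -EBUSY.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a BPF prog with a refcount. `double_put` records a
 * put on an already-freed object, which in the real kernel is a UAF. */
struct prog { int refcnt; int puts; bool freed; bool double_put; };
struct link { struct prog *prog; };
struct st_map { struct link *links[1]; int nlinks; };

static void prog_get(struct prog *p) { p->refcnt++; }

static void prog_put(struct prog *p)
{
	p->puts++;
	if (p->freed) { p->double_put = true; return; }
	if (--p->refcnt == 0) p->freed = true;
}

/* bpf_link_init(): the link takes ownership of the caller's reference. */
static void link_init(struct link *l, struct prog *p) { l->prog = p; }

/* bpf_link_put() -> bpf_link_dealloc() -> bpf_prog_put(link->prog) */
static void link_put(struct link *l) { prog_put(l->prog); }

/* bpf_struct_ops_map_put_progs(): releases every link the map holds. */
static void map_put_progs(struct st_map *m)
{
	for (int i = 0; i < m->nlinks; i++) link_put(m->links[i]);
	m->nlinks = 0;
}

/* Models bpf_struct_ops_map_update_elem(). Returns the error code. */
static int update_elem(struct prog *p, bool assoc_fails, bool put_on_error)
{
	struct st_map m = { .nlinks = 0 };
	struct link l;
	int err = 0;

	prog_get(p);                 /* bpf_prog_get(prog_fd): refcnt = 1 */
	link_init(&l, p);            /* link now owns that reference */
	m.links[m.nlinks++] = &l;    /* *plink++ = &link->link */

	if (assoc_fails) {           /* bpf_prog_assoc_struct_ops() failed */
		err = -16;           /* -EBUSY */
		if (put_on_error)
			prog_put(p);   /* the extra put in the hunk */
	}
	if (err)
		map_put_progs(&m);   /* reset_unlock: puts via the link */
	return err;
}
```

With `put_on_error` true the prog is freed by the first put and put again by the map cleanup; with it false the link cleanup releases the single reference exactly once.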