From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Kaiyan Mei, Lang Xu, Martin KaFai Lau, Sasha Levin
Subject: [PATCH 6.6 159/567] bpf: Fix a UAF issue in bpf_trampoline_link_cgroup_shim
Date: Mon, 23 Mar 2026 14:41:19 +0100
Message-ID: <20260323134537.756568108@linuxfoundation.org>
In-Reply-To: <20260323134533.749096647@linuxfoundation.org>
X-stable: review

6.6-stable review patch.  If anyone has any objections, please let me know.

------------------
From: Lang Xu

[ Upstream commit 56145d237385ca0e7ca9ff7b226aaf2eb8ef368b ]

The root cause of this bug is that when 'bpf_link_put' reduces the
refcount of 'shim_link->link.link' to zero, the resource is considered
released but may still be referenced via 'tr->progs_hlist' in
'cgroup_shim_find'. The actual cleanup of 'tr->progs_hlist' in
'bpf_shim_tramp_link_release' is deferred. During this window, another
process can cause a use-after-free via 'bpf_trampoline_link_cgroup_shim'.

Based on Martin KaFai Lau's suggestions, I have created a simple patch.

To fix this: Add an atomic non-zero check in
'bpf_trampoline_link_cgroup_shim'. Only increment the refcount if it is
not already zero.

Testing:
I verified the fix by adding a delay in 'bpf_shim_tramp_link_release' to
make the bug easier to trigger:

static void bpf_shim_tramp_link_release(struct bpf_link *link)
{
	/* ... */
	if (!shim_link->trampoline)
		return;
+	msleep(100);
	WARN_ON_ONCE(bpf_trampoline_unlink_prog(&shim_link->link,
						shim_link->trampoline, NULL));
	bpf_trampoline_put(shim_link->trampoline);
}

Before the patch, running a PoC easily reproduced the crash (almost 100%)
with a call trace similar to KaiyanM's report. After the patch, the bug
no longer occurs even after millions of iterations.

Fixes: 69fd337a975c ("bpf: per-cgroup lsm flavor")
Reported-by: Kaiyan Mei
Closes: https://lore.kernel.org/bpf/3c4ebb0b.46ff8.19abab8abe2.Coremail.kaiyanm@hust.edu.cn/
Signed-off-by: Lang Xu
Signed-off-by: Martin KaFai Lau
Link: https://patch.msgid.link/279EEE1BA1DDB49D+20260303095217.34436-1-xulang@uniontech.com
Signed-off-by: Sasha Levin
---
 kernel/bpf/trampoline.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/kernel/bpf/trampoline.c b/kernel/bpf/trampoline.c
index e48791442acc5..6f7968d3704eb 100644
--- a/kernel/bpf/trampoline.c
+++ b/kernel/bpf/trampoline.c
@@ -701,10 +701,8 @@ int bpf_trampoline_link_cgroup_shim(struct bpf_prog *prog, mutex_lock(&tr->mutex); shim_link = cgroup_shim_find(tr, bpf_func); - if (shim_link) { + if (shim_link && !IS_ERR(bpf_link_inc_not_zero(&shim_link->link.link))) { /* Reusing existing shim attached by the other program. */ - bpf_link_inc(&shim_link->link.link); - mutex_unlock(&tr->mutex); bpf_trampoline_put(tr); /* bpf_trampoline_get above */ return 0; -- 2.51.0
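Review bot: The reuse branch now silently falls through to the fresh-allocation path when bpf_link_inc_not_zero() fails, but the surviving comment "Reusing existing shim attached by the other program." no longer explains why a found shim_link may be skipped, and a future reader is likely to "simplify" this back to an unconditional bpf_link_inc(). Suggest extending the comment to state the invariant the commit message gives, e.g. "A shim whose last reference was already dropped may still be on tr->progs_hlist until bpf_shim_tramp_link_release() runs; do not resurrect it, allocate a new one instead." It is also worth a short note that bpf_link_inc_not_zero() reports failure via an ERR_PTR, which is why the test is IS_ERR() rather than a NULL check. The logic itself is sound: on failure no reference is taken, so nothing needs to be dropped before falling through.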
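The window the commit message describes, as an added userspace model that is not part of the patch or of the kernel: an object whose last reference has been dropped is still findable through a lookup structure until a deferred cleanup removes it. The names link_inc(), link_inc_not_zero(), link_put(), unlink_deferred() and attach() are this model's own stand-ins for bpf_link_inc(), bpf_link_inc_not_zero(), bpf_link_put(), the deferred part of bpf_shim_tramp_link_release() and the reuse branch of bpf_trampoline_link_cgroup_shim(); the model returns NULL where the kernel returns ERR_PTR(-ENOENT), and marks the object released instead of freeing it so the resurrection is observable without real memory corruption.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not kernel code: a refcounted object that is also
 * reachable through a lookup slot (a stand-in for tr->progs_hlist). The
 * final put marks it released; the slot is cleared only by a later,
 * deferred cleanup, which is the race window. */
struct link {
	atomic_long refcnt;
	bool released;		/* set by the final put; stands in for kfree() */
};

struct lookup {
	struct link *entry;	/* single-slot stand-in for the hlist */
};

enum attach_result {
	ATTACH_NEW = 0,		/* nothing usable found: caller allocates a fresh link */
	ATTACH_REUSED = 1,	/* live entry reused with one more reference */
	ATTACH_UAF = -1,	/* released entry handed back: the bug */
};

/* Unconditional increment, the behaviour of bpf_link_inc(). */
static void link_inc(struct link *lk)
{
	atomic_fetch_add(&lk->refcnt, 1);
}

/* Increment only while the count is non-zero, the behaviour of
 * bpf_link_inc_not_zero() (kernel: ERR_PTR(-ENOENT); here: NULL). */
static struct link *link_inc_not_zero(struct link *lk)
{
	long old = atomic_load(&lk->refcnt);

	while (old != 0) {
		if (atomic_compare_exchange_weak(&lk->refcnt, &old, old + 1))
			return lk;
	}
	return NULL;
}

/* Drop a reference; the last one releases the object but deliberately
 * leaves it in the lookup slot, as the deferred release path does. */
static void link_put(struct link *lk)
{
	if (atomic_fetch_sub(&lk->refcnt, 1) == 1)
		lk->released = true;
}

/* The deferred cleanup that eventually removes the entry. */
static void unlink_deferred(struct lookup *l)
{
	l->entry = NULL;
}

/* Reuse branch: find an existing entry and take a reference on it.
 * use_inc_not_zero == false is the pre-fix behaviour. */
static enum attach_result attach(struct lookup *l, bool use_inc_not_zero)
{
	struct link *found = l->entry;

	if (!found)
		return ATTACH_NEW;
	if (use_inc_not_zero) {
		if (!link_inc_not_zero(found))
			return ATTACH_NEW;	/* count hit zero: do not resurrect */
	} else {
		link_inc(found);		/* 0 -> 1 on a released object */
	}
	return found->released ? ATTACH_UAF : ATTACH_REUSED;
}

/* One attach inside the window: the owner dropped the last reference,
 * unlink_deferred() has not run yet. */
static enum attach_result attach_in_window(bool use_inc_not_zero)
{
	struct link lk;
	struct lookup l;
	enum attach_result r;

	atomic_init(&lk.refcnt, 1);
	lk.released = false;
	l.entry = &lk;
	link_put(&lk);				/* 1 -> 0, still findable */
	r = attach(&l, use_inc_not_zero);
	unlink_deferred(&l);			/* the delayed cleanup */
	return r;
}

/* Same attach against a live entry: both variants simply reuse it. */
static enum attach_result attach_live(bool use_inc_not_zero)
{
	struct link lk;
	struct lookup l;

	atomic_init(&lk.refcnt, 1);
	lk.released = false;
	l.entry = &lk;
	return attach(&l, use_inc_not_zero);
}

int main(void)
{
	printf("window, unconditional inc: %d\n", attach_in_window(false));
	printf("window, inc_not_zero:      %d\n", attach_in_window(true));
	printf("live,   inc_not_zero:      %d\n", attach_live(true));
	return 0;
}
```

The point the model makes is that the lookup succeeding is not evidence the object is alive: only the increment itself can decide that, and it has to do so atomically against the concurrent final put, which is what the compare-and-swap loop in link_inc_not_zero() provides and an unconditional fetch-add does not.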