Message-Id: <16d43cdc90504cad5143df62b3d40f325a271aeca0adc521c6fef711023f90ef@mail.kernel.org>
Date: Fri, 14 Nov 2025 22:51:36 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: ameryhung@...il.com,bpf@...r.kernel.org
Cc: netdev@...r.kernel.org,alexei.starovoitov@...il.com,andrii@...nel.org,daniel@...earbox.net,tj@...nel.org,martin.lau@...nel.org,ameryhung@...il.com,kernel-team@...a.com,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [PATCH bpf-next v6 2/6] bpf: Support associating BPF program with struct_ops
> diff --git a/kernel/bpf/bpf_struct_ops.c b/kernel/bpf/bpf_struct_ops.c
> index a41e6730e..626aa9197 100644
> --- a/kernel/bpf/bpf_struct_ops.c
> +++ b/kernel/bpf/bpf_struct_ops.c
[ ... ]
> @@ -811,6 +822,12 @@ static long bpf_struct_ops_map_update_elem(struct bpf_map *map, void *key,
> bpf_link_init(&link->link, BPF_LINK_TYPE_STRUCT_OPS,
> &bpf_struct_ops_link_lops, prog, prog->expected_attach_type);
> *plink++ = &link->link;
> +
> + err = bpf_prog_assoc_struct_ops(prog, &st_map->map);
> + if (err) {
> + bpf_prog_put(prog);
> + goto reset_unlock;
> + }
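Review bot: the new error branch puts a reference that the link already owns. bpf_link_init() two lines above was handed prog, and the link has already been stored with `*plink++ = &link->link;`, so the `bpf_prog_put(prog);` in the `if (err)` branch followed by the jump to reset_unlock (where the stored links are released) drops the same reference twice. Either remove the bpf_prog_put() here and let the link cleanup release prog, or call bpf_prog_assoc_struct_ops() before bpf_link_init() and the store into *plink, so that on failure nothing else yet holds prog.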
Can this double-put the prog reference? In bpf_struct_ops_map_update_elem:

    prog = bpf_prog_get(prog_fd);                 // refcnt = 1
    bpf_link_init(..., prog, ...);                // link takes ownership
    *plink++ = &link->link;                       // link stored in st_map
    err = bpf_prog_assoc_struct_ops(prog, ...);
    if (err) {
            bpf_prog_put(prog);                   // refcnt = 0, prog freed
            goto reset_unlock;
    }

Then at reset_unlock:

    bpf_struct_ops_map_put_progs(st_map);         // calls bpf_link_put(link)

The bpf_link_put will eventually call bpf_link_dealloc()->bpf_prog_put(link->prog),
attempting to put the already-freed prog reference. This looks like a use-after-free
if bpf_prog_assoc_struct_ops fails (which can happen when a non-struct_ops program
is already associated and returns -EBUSY).
Should the error path skip the bpf_prog_put and let bpf_struct_ops_map_put_progs
handle the cleanup via the link?
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19379369447