lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <b52396ff5028256639d3e9721b0976e28be6b721cec0e36cfe190e30884e189f@mail.kernel.org>
Date: Tue,  2 Dec 2025 17:35:35 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: ameryhung@...il.com,bpf@...r.kernel.org
Cc: netdev@...r.kernel.org,alexei.starovoitov@...il.com,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,ameryhung@...il.com,kernel-team@...a.com,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [PATCH bpf v2 1/2] bpf: Disallow tail call to programs that use cgroup storage

> diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
> index 80b1765a3..fbfc45ed9 100644
> --- a/kernel/bpf/arraymap.c
> +++ b/kernel/bpf/arraymap.c
> @@ -892,8 +892,9 @@ int bpf_fd_array_map_update_elem(struct bpf_map *map, struct file *map_file,
>  				 void *key, void *value, u64 map_flags)
>  {
>  	struct bpf_array *array = container_of(map, struct bpf_array, map);
> +	u32 i, index = *(u32 *)key, ufd;
>  	void *new_ptr, *old_ptr;
> -	u32 index = *(u32 *)key, ufd;
> +	struct bpf_prog *prog;
>
>  	if (map_flags != BPF_ANY)
>  		return -EINVAL;
> @@ -906,6 +907,14 @@ int bpf_fd_array_map_update_elem(struct bpf_map *map, struct file *map_file,
>  	if (IS_ERR(new_ptr))
>  		return PTR_ERR(new_ptr);
>
> +	if (map->map_type == BPF_MAP_TYPE_PROG_ARRAY) {
> +		prog = (struct bpf_prog *)new_ptr;
> +
> +		for_each_cgroup_storage_type(i)
> +			if (prog->aux->cgroup_storage[i])
> +				return -EINVAL;
> +	}
> +

Does this leak the program reference acquired from map_fd_get_ptr()?

In bpf_fd_array_map_update_elem(), the call to map->ops->map_fd_get_ptr()
at line 906 acquires a reference to the program. Looking at
prog_fd_array_get_ptr(), this increments both the program refcount via
bpf_prog_get() and prog->aux->prog_array_member_cnt.

When returning -EINVAL after the cgroup storage check, shouldn't the code
call map->ops->map_fd_put_ptr(map, new_ptr, true) to properly release
these resources? The normal cleanup path at the end of the function calls
map_fd_put_ptr() for old_ptr, and prog_fd_array_put_ptr() decrements
both prog_array_member_cnt and calls bpf_prog_put().

Without this cleanup, the program would have a leaked reference and an
incorrect prog_array_member_cnt value.

>  	if (map->ops->map_poke_run) {
>  		mutex_lock(&array->aux->poke_mutex);
>  		old_ptr = xchg(array->ptrs + index, new_ptr);

[ ... ]


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/19867449786

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ