From: Song Liu <liu.song.a23@gmail.com>
To: Roman Gushchin <guro@fb.com>
Cc: bpf <bpf@vger.kernel.org>, Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
open list <linux-kernel@vger.kernel.org>,
Kernel Team <kernel-team@fb.com>,
Networking <netdev@vger.kernel.org>,
stable@vger.kernel.org
Subject: Re: [PATCH bpf] bpf: cgroup: prevent out-of-order release of cgroup bpf
Date: Fri, 3 Jan 2020 09:47:01 -0800 [thread overview]
Message-ID: <CAPhsuW7SKrS9WOVZXXoXjeGaFugUZmwip-m44gWAWyCbEkhBvA@mail.gmail.com> (raw)
In-Reply-To: <20191227215034.3169624-1-guro@fb.com>
On Fri, Dec 27, 2019 at 1:50 PM Roman Gushchin <guro@fb.com> wrote:
>
> Before commit 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf
> from cgroup itself") cgroup bpf structures were released with
> corresponding cgroup structures. It guaranteed the hierarchical order
> of destruction: children were always first. It preserved attached
> programs from being released before their propagated copies.
>
> But with cgroup auto-detachment there are no such guarantees anymore:
> cgroup bpf is released as soon as the cgroup is offline and there are
> no live associated sockets. It means that an attached program can be
> detached and released, while its propagated copy is still living
> in the cgroup subtree. This will obviously lead to an use-after-free
> bug.
>
[...]
>
> Thanks to Josef Bacik for the debugging and the initial analysis of
> the problem.
>
> Fixes: 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself")
> Reported-by: Josef Bacik <josef@toxicpanda.com>
> Signed-off-by: Roman Gushchin <guro@fb.com>
> Cc: Alexei Starovoitov <ast@kernel.org>
> Cc: stable@vger.kernel.org
LGTM. Thanks for the fix!
Acked-by: Song Liu <songliubraving@fb.com>
next prev parent reply other threads:[~2020-01-03 17:47 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-12-27 21:50 [PATCH bpf] bpf: cgroup: prevent out-of-order release of cgroup bpf Roman Gushchin
2020-01-03 15:30 ` Roman Gushchin
2020-01-03 17:47 ` Song Liu [this message]
2020-01-04 0:35 ` Alexei Starovoitov
2020-01-04 1:13 ` Roman Gushchin
2020-01-04 2:31 ` Alexei Starovoitov
2020-01-04 3:00 ` Roman Gushchin
2020-01-06 22:07 ` Alexei Starovoitov
2020-01-06 22:20 ` Roman Gushchin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAPhsuW7SKrS9WOVZXXoXjeGaFugUZmwip-m44gWAWyCbEkhBvA@mail.gmail.com \
--to=liu.song.a23@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=guro@fb.com \
--cc=kernel-team@fb.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).