)]}'
{
  "commit": "6e8448271551ff2b91eb46dfbfb8e14b8ef4ea22",
  "tree": "bd7b9e91ee6233665eb8bd4b061d4b39e67275ea",
  "parents": [
    "7f5d2f924a97cc3952b32fd08efd5182d99976ea"
  ],
  "author": {
    "name": "Hou Tao",
    "email": "houtao1@huawei.com",
    "time": "Mon Dec 04 22:04:22 2023 +0800"
  },
  "committer": {
    "name": "COS Cherry Picker",
    "email": "cloud-image-release@prod.google.com",
    "time": "Thu Mar 14 14:01:50 2024 -0700"
  },
  "message": "bpf: Defer the free of inner map when necessary\n\n[ Upstream commit 876673364161da50eed6b472d746ef88242b2368 ]\n\nWhen updating or deleting an inner map in map array or map htab, the map\nmay still be accessed by non-sleepable program or sleepable program.\nHowever bpf_map_fd_put_ptr() decreases the ref-counter of the inner map\ndirectly through bpf_map_put(), if the ref-counter is the last one\n(which is true for most cases), the inner map will be freed by\nops-\u003emap_free() in a kworker. But for now, most .map_free() callbacks\ndon\u0027t use synchronize_rcu() or its variants to wait for the elapse of a\nRCU grace period, so after the invocation of ops-\u003emap_free completes,\nthe bpf program which is accessing the inner map may incur\nuse-after-free problem.\n\nFix the free of inner map by invoking bpf_map_free_deferred() after both\none RCU grace period and one tasks trace RCU grace period if the inner\nmap has been removed from the outer map before. The deferment is\naccomplished by using call_rcu() or call_rcu_tasks_trace() when\nreleasing the last ref-counter of bpf map. The newly-added rcu_head\nfield in bpf_map shares the same storage space with work field to\nreduce the size of bpf_map.\n\nBUG\u003db/326650130\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2023-52447 in the Linux kernel.\n\ncos-patch: security-high\nFixes: bba1dc0b55ac (\"bpf: Remove redundant synchronize_rcu.\")\nFixes: 638e4b825d52 (\"bpf: Allows per-cpu maps and map-in-map in sleepable programs\")\nSigned-off-by: Hou Tao \u003choutao1@huawei.com\u003e\nLink: https://lore.kernel.org/r/20231204140425.1480317-5-houtao@huaweicloud.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n(cherry picked from commit 62fca83303d608ad4fec3f7428c8685680bb01b0)\nSigned-off-by: Robert Kolchmeyer \u003crkolchmeyer@google.com\u003e\nChange-Id: I69b3c4e0c787c323d08d4ab0f7e5165ff52c0c52\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/66891\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nMain-Branch-Verified: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Oleksandr Tymoshenko \u003covt@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "a1673b90e59700651191055f5099c85fab0cf1ae",
      "old_mode": 33188,
      "old_path": "include/linux/bpf.h",
      "new_id": "dd6bc568e526aa79860b9b828da1b9e16f6a7a53",
      "new_mode": 33188,
      "new_path": "include/linux/bpf.h"
    },
    {
      "type": "modify",
      "old_id": "0cf4cb685810557f78e29394dbbea5eae35319c9",
      "old_mode": 33188,
      "old_path": "kernel/bpf/map_in_map.c",
      "new_id": "caa1a17cbae1533cfdd5be89e4baef3edfc549d1",
      "new_mode": 33188,
      "new_path": "kernel/bpf/map_in_map.c"
    },
    {
      "type": "modify",
      "old_id": "3b864036564341534c39ffda349baeb9c1de1952",
      "old_mode": 33188,
      "old_path": "kernel/bpf/syscall.c",
      "new_id": "b4cfca5e68310b70ac43fe58013c7c5ea09228db",
      "new_mode": 33188,
      "new_path": "kernel/bpf/syscall.c"
    }
  ]
}