)]}'
{
  "commit": "bd506e88531d83c0de55bb12c316775f6e805728",
  "tree": "8f12155aafb337624614c4e5b4c99e7b74024b8f",
  "parents": [
    "aa6351063cb2052db10c0ce07e06ed68aa422342"
  ],
  "author": {
    "name": "Hou Tao",
    "email": "houtao1@huawei.com",
    "time": "Mon Dec 04 22:04:22 2023 +0800"
  },
  "committer": {
    "name": "COS Cherry Picker",
    "email": "cloud-image-release@prod.google.com",
    "time": "Tue Mar 12 17:34:27 2024 -0700"
  },
  "message": "bpf: Defer the free of inner map when necessary\n\n[ Upstream commit 876673364161da50eed6b472d746ef88242b2368 ]\n\nWhen updating or deleting an inner map in map array or map htab, the map\nmay still be accessed by non-sleepable program or sleepable program.\nHowever bpf_map_fd_put_ptr() decreases the ref-counter of the inner map\ndirectly through bpf_map_put(), if the ref-counter is the last one\n(which is true for most cases), the inner map will be freed by\nops-\u003emap_free() in a kworker. But for now, most .map_free() callbacks\ndon\u0027t use synchronize_rcu() or its variants to wait for the elapse of a\nRCU grace period, so after the invocation of ops-\u003emap_free completes,\nthe bpf program which is accessing the inner map may incur\nuse-after-free problem.\n\nFix the free of inner map by invoking bpf_map_free_deferred() after both\none RCU grace period and one tasks trace RCU grace period if the inner\nmap has been removed from the outer map before. The deferment is\naccomplished by using call_rcu() or call_rcu_tasks_trace() when\nreleasing the last ref-counter of bpf map. The newly-added rcu_head\nfield in bpf_map shares the same storage space with work field to\nreduce the size of bpf_map.\n\nBUG\u003db/326650130\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2023-52447 in the Linux kernel.\n\ncos-patch: security-high\nFixes: bba1dc0b55ac (\"bpf: Remove redundant synchronize_rcu.\")\nFixes: 638e4b825d52 (\"bpf: Allows per-cpu maps and map-in-map in sleepable programs\")\nSigned-off-by: Hou Tao \u003choutao1@huawei.com\u003e\nLink: https://lore.kernel.org/r/20231204140425.1480317-5-houtao@huaweicloud.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n(cherry picked from commit 62fca83303d608ad4fec3f7428c8685680bb01b0)\nSigned-off-by: Robert Kolchmeyer \u003crkolchmeyer@google.com\u003e\nChange-Id: I69b3c4e0c787c323d08d4ab0f7e5165ff52c0c52\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/66412\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nMain-Branch-Verified: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Oleksandr Tymoshenko \u003covt@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "48f3cc3bafea7ca029395cf9b89fa1b6319b0fff",
      "old_mode": 33188,
      "old_path": "include/linux/bpf.h",
      "new_id": "5e24027c24714baa108071949a1a320fc616aaa4",
      "new_mode": 33188,
      "new_path": "include/linux/bpf.h"
    },
    {
      "type": "modify",
      "old_id": "af0f15db1bf9a935de97ba7487b9f8d85af05755",
      "old_mode": 33188,
      "old_path": "kernel/bpf/map_in_map.c",
      "new_id": "4cf79f86bf4584977aa19e0d5c0cf122dda84c8c",
      "new_mode": 33188,
      "new_path": "kernel/bpf/map_in_map.c"
    },
    {
      "type": "modify",
      "old_id": "ad41b8230780b52b5a155e936afde830e99d940c",
      "old_mode": 33188,
      "old_path": "kernel/bpf/syscall.c",
      "new_id": "d497459fce211cea27f560d0e284a14a39c919fc",
      "new_mode": 33188,
      "new_path": "kernel/bpf/syscall.c"
    }
  ]
}