)]}'
{
  "commit": "c06af89ced34c1b1328f305f99abc55cd3f496f5",
  "tree": "e84de123ff0ee2f48187fd5007dabf4c179067a2",
  "parents": [
    "4776db3f160b3657e069e7390d16ba919c417701"
  ],
  "author": {
    "name": "Abel Wu",
    "email": "wuyun.abel@bytedance.com",
    "time": "Sat Dec 21 14:10:16 2024 +0800"
  },
  "committer": {
    "name": "Arnav Kansal",
    "email": "rnv@google.com",
    "time": "Sat Mar 15 14:13:39 2025 -0700"
  },
  "message": "bpf: Fix deadlock when freeing cgroup storage\n\n[ Upstream commit c78f4afbd962f43a3989f45f3ca04300252b19b5 ]\n\nThe following commit\nbc235cdb423a (\"bpf: Prevent deadlock from recursive bpf_task_storage_[get|delete]\")\nfirst introduced deadlock prevention for fentry/fexit programs attaching\non bpf_task_storage helpers. That commit also employed the logic in map\nfree path in its v6 version.\n\nLater bpf_cgrp_storage was first introduced in\nc4bcfb38a95e (\"bpf: Implement cgroup storage available to non-cgroup-attached bpf progs\")\nwhich faces the same issue as bpf_task_storage, instead of its busy\ncounter, NULL was passed to bpf_local_storage_map_free() which opened\na window to cause deadlock:\n\n\t\u003cTASK\u003e\n\t\t(acquiring local_storage-\u003elock)\n\t_raw_spin_lock_irqsave+0x3d/0x50\n\tbpf_local_storage_update+0xd1/0x460\n\tbpf_cgrp_storage_get+0x109/0x130\n\tbpf_prog_a4d4a370ba857314_cgrp_ptr+0x139/0x170\n\t? __bpf_prog_enter_recur+0x16/0x80\n\tbpf_trampoline_6442485186+0x43/0xa4\n\tcgroup_storage_ptr+0x9/0x20\n\t\t(holding local_storage-\u003elock)\n\tbpf_selem_unlink_storage_nolock.constprop.0+0x135/0x160\n\tbpf_selem_unlink_storage+0x6f/0x110\n\tbpf_local_storage_map_free+0xa2/0x110\n\tbpf_map_free_deferred+0x5b/0x90\n\tprocess_one_work+0x17c/0x390\n\tworker_thread+0x251/0x360\n\tkthread+0xd2/0x100\n\tret_from_fork+0x34/0x50\n\tret_from_fork_asm+0x1a/0x30\n\t\u003c/TASK\u003e\n\nProgs:\n - A: SEC(\"fentry/cgroup_storage_ptr\")\n   - cgid (BPF_MAP_TYPE_HASH)\n\tRecord the id of the cgroup the current task belonging\n\tto in this hash map, using the address of the cgroup\n\tas the map key.\n   - cgrpa (BPF_MAP_TYPE_CGRP_STORAGE)\n\tIf current task is a kworker, lookup the above hash\n\tmap using function parameter @owner as the key to get\n\tits corresponding cgroup id which is then used to get\n\ta trusted pointer to the cgroup through\n\tbpf_cgroup_from_id(). This trusted pointer can then\n\tbe passed to bpf_cgrp_storage_get() to finally trigger\n\tthe deadlock issue.\n - B: SEC(\"tp_btf/sys_enter\")\n   - cgrpb (BPF_MAP_TYPE_CGRP_STORAGE)\n\tThe only purpose of this prog is to fill Prog A\u0027s\n\thash map by calling bpf_cgrp_storage_get() for as\n\tmany userspace tasks as possible.\n\nSteps to reproduce:\n - Run A;\n - while (true) { Run B; Destroy B; }\n\nFix this issue by passing its busy counter to the free procedure so\nit can be properly incremented before storage/smap locking.\n\nBUG\u003db/403503321\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2024-58088 in the Linux kernel.\n\ncos-patch: security-moderate\nFixes: c4bcfb38a95e (\"bpf: Implement cgroup storage available to non-cgroup-attached bpf progs\")\nChange-Id: Ic919d1b4aedb89bc214746d75b3b4b782773340b\nSigned-off-by: Abel Wu \u003cwuyun.abel@bytedance.com\u003e\nAcked-by: Martin KaFai Lau \u003cmartin.lau@kernel.org\u003e\nLink: https://lore.kernel.org/r/20241221061018.37717-1-wuyun.abel@bytedance.com\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/96094\nReviewed-by: Arnav Kansal \u003crnv@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Shuo Yang \u003cgshuoy@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "d44fe8dd9732955f5cf358fcc03ab7e557d511f4",
      "old_mode": 33188,
      "old_path": "kernel/bpf/bpf_cgrp_storage.c",
      "new_id": "ee1c7b77096e7b55ddc94edbf0ef4663e372e5b2",
      "new_mode": 33188,
      "new_path": "kernel/bpf/bpf_cgrp_storage.c"
    }
  ]
}