On Fri, Dec 27, 2019 at 1:50 PM Roman Gushchin guro@fb.com wrote:
Before commit 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself") cgroup bpf structures were released with corresponding cgroup structures. It guaranteed the hierarchical order of destruction: children were always first. It preserved attached programs from being released before their propagated copies.
But with cgroup auto-detachment there are no such guarantees anymore: cgroup bpf is released as soon as the cgroup is offline and there are no live associated sockets. It means that an attached program can be detached and released, while its propagated copy is still living in the cgroup subtree. This will obviously lead to an use-after-free bug.
[...]
Thanks to Josef Bacik for the debugging and the initial analysis of the problem.
Fixes: 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself") Reported-by: Josef Bacik josef@toxicpanda.com Signed-off-by: Roman Gushchin guro@fb.com Cc: Alexei Starovoitov ast@kernel.org Cc: stable@vger.kernel.org
LGTM. Thanks for the fix!
Acked-by: Song Liu songliubraving@fb.com