Re: [PATCH bpf] bpf: cgroup: prevent out-of-order release of cgroup bpf

From: Alexei Starovoitov <hidden>
Date: 2020-01-04 00:35:29
Also in: bpf, lkml, stable

On Fri, Dec 27, 2019 at 01:50:34PM -0800, Roman Gushchin wrote:

Before commit 4bfc0bb2c60e ("bpf: decouple the lifetime of cgroup_bpf
from cgroup itself") cgroup bpf structures were released with
corresponding cgroup structures. It guaranteed the hierarchical order
of destruction: children were always first. It preserved attached
programs from being released before their propagated copies.

But with cgroup auto-detachment there are no such guarantees anymore:
cgroup bpf is released as soon as the cgroup is offline and there are
no live associated sockets. It means that an attached program can be
detached and released, while its propagated copy is still living
in the cgroup subtree. This will obviously lead to an use-after-free
bug.

...

quoted hunk ↗ jump to hunk

@@ -65,6 +65,9 @@ static void cgroup_bpf_release(struct work_struct *work)
 
 	mutex_unlock(&cgroup_mutex);
 
+	for (p = cgroup_parent(cgrp); p; p = cgroup_parent(p))
+		cgroup_bpf_put(p);
+

The fix makes sense, but is it really safe to walk cgroup hierarchy
without holding cgroup_mutex?

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help