CVE-2024-35860

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/05/2024
Last modified:
26/09/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: support deferring bpf_link dealloc to after RCU grace period

BPF link for some program types is passed as a "context" which can be used by those BPF programs to look up additional information. E.g., for multi-kprobes and multi-uprobes, link is used to fetch BPF cookie values.

Because of this runtime dependency, when bpf_link refcnt drops to zero there could still be active BPF programs running accessing link data.

This patch adds generic support to defer bpf_link dealloc callback to after RCU GP, if requested. This is done by exposing two different deallocation callbacks, one synchronous and one deferred. If deferred one is provided, bpf_link_free() will schedule dealloc_deferred() callback to happen after RCU GP.

BPF is using two flavors of RCU: "classic" non-sleepable one and RCU tasks trace one. The latter is used when sleepable BPF programs are used. bpf_link_free() accommodates that by checking underlying BPF program's sleepable flag, and goes either through normal RCU GP only for non-sleepable, or through RCU tasks trace GP *and* then normal RCU GP (taking into account rcu_trace_implies_rcu_gp() optimization), if BPF program is sleepable.

We use this for multi-kprobe and multi-uprobe links, which dereference link during program run. We also preventively switch raw_tp link to use deferred dealloc callback, as upcoming changes in bpf-next tree expose raw_tp link data (specifically, cookie value) to BPF program at runtime as well.
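The deferral described above, as an added example that is not part of this record or of the kernel patch: a simplified userspace C model in which reader counters stand in for RCU read-side sections of the two flavors. Only the `dealloc` and `dealloc_deferred` callback names come from the description; every other name (`model_link_free`, `scenario`, `sync_ops`, `deferred_ops`, the result codes) is an assumption made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed userspace model (not kernel code); counters model RCU readers. */
enum { CLASSIC, TASKS_TRACE, NFLAVORS };
enum { FREED_AFTER_READERS, FREED_IN_USE, NEVER_FREED };
struct link {
    const struct link_ops *ops;
    bool sleepable;           /* underlying program's sleepable flag */
    bool freed, freed_in_use; /* model bookkeeping */
};
struct link_ops {
    void (*dealloc)(struct link *);          /* synchronous callback */
    void (*dealloc_deferred)(struct link *); /* runs after the grace period */
};
static int readers[NFLAVORS];
static struct link *pending;  /* at most one queued deferred dealloc */

static void model_dealloc(struct link *l)
{
    l->freed = true;
    l->freed_in_use = readers[CLASSIC] || readers[TASKS_TRACE];
}
static void run_pending(void)
{
    struct link *l = pending;
    if (!l || (l->sleepable && readers[TASKS_TRACE]) || readers[CLASSIC])
        return; /* tasks trace GP (sleepable only) or normal GP still open */
    pending = NULL;
    l->ops->dealloc_deferred(l);
}
static void read_lock(int f)   { readers[f]++; }
static void read_unlock(int f) { readers[f]--; run_pending(); }
/* Dispatch as the description gives it for bpf_link_free(). */
static void model_link_free(struct link *l)
{
    if (l->ops->dealloc_deferred) { pending = l; run_pending(); }
    else if (l->ops->dealloc) l->ops->dealloc(l);
}
static const struct link_ops sync_ops = { .dealloc = model_dealloc };
static const struct link_ops deferred_ops = { .dealloc_deferred = model_dealloc };

/* A program runs with the link as context while the last reference drops. */
static int scenario(const struct link_ops *ops, bool sleepable)
{
    struct link l = { .ops = ops, .sleepable = sleepable };
    int f = sleepable ? TASKS_TRACE : CLASSIC;
    read_lock(f); model_link_free(&l); read_unlock(f);
    if (!l.freed) return NEVER_FREED;
    return l.freed_in_use ? FREED_IN_USE : FREED_AFTER_READERS;
}
int main(void) { return scenario(&deferred_ops, true) != FREED_AFTER_READERS; }
```

In this model the synchronous callback frees the link while the reader is still inside its section, and the deferred callback runs only once the matching reader count has dropped to zero.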

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.18 (including) 6.6.26 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.8.5 (excluding)
cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*