CVE-2024-58088
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 12/03/2025
Last modified: 01/10/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Fix deadlock when freeing cgroup storage

The following commit
bc235cdb423a ("bpf: Prevent deadlock from recursive bpf_task_storage_[get|delete]")
first introduced deadlock prevention for fentry/fexit programs attaching
to bpf_task_storage helpers. That commit also employed the logic in the map
free path in its v6 version.

Later bpf_cgrp_storage was first introduced in
c4bcfb38a95e ("bpf: Implement cgroup storage available to non-cgroup-attached bpf progs")
which faces the same issue as bpf_task_storage; instead of its busy
counter, NULL was passed to bpf_local_storage_map_free(), which opened
a window to cause deadlock:

(acquiring local_storage->lock)
_raw_spin_lock_irqsave+0x3d/0x50
bpf_local_storage_update+0xd1/0x460
bpf_cgrp_storage_get+0x109/0x130
bpf_prog_a4d4a370ba857314_cgrp_ptr+0x139/0x170
? __bpf_prog_enter_recur+0x16/0x80
bpf_trampoline_6442485186+0x43/0xa4
cgroup_storage_ptr+0x9/0x20
(holding local_storage->lock)
bpf_selem_unlink_storage_nolock.constprop.0+0x135/0x160
bpf_selem_unlink_storage+0x6f/0x110
bpf_local_storage_map_free+0xa2/0x110
bpf_map_free_deferred+0x5b/0x90
process_one_work+0x17c/0x390
worker_thread+0x251/0x360
kthread+0xd2/0x100
ret_from_fork+0x34/0x50
ret_from_fork_asm+0x1a/0x30

Progs:
- A: SEC("fentry/cgroup_storage_ptr")
  - cgid (BPF_MAP_TYPE_HASH)
    Record the id of the cgroup the current task belongs
    to in this hash map, using the address of the cgroup
    as the map key.
  - cgrpa (BPF_MAP_TYPE_CGRP_STORAGE)
    If the current task is a kworker, look up the above hash
    map using function parameter @owner as the key to get
    its corresponding cgroup id, which is then used to get
    a trusted pointer to the cgroup through
    bpf_cgroup_from_id(). This trusted pointer can then
    be passed to bpf_cgrp_storage_get() to finally trigger
    the deadlock issue.
- B: SEC("tp_btf/sys_enter")
  - cgrpb (BPF_MAP_TYPE_CGRP_STORAGE)
    The only purpose of this prog is to fill Prog A's
    hash map by calling bpf_cgrp_storage_get() for as
    many userspace tasks as possible.

Steps to reproduce:
- Run A;
- while (true) { Run B; Destroy B; }

Fix this issue by passing its busy counter to the free procedure so
it can be properly incremented before storage/smap locking.
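The deadlock and the fix reduce to one pattern: the map free path holds local_storage->lock while it calls into cgroup_storage_ptr(), a fentry program attached there calls the storage helper, and the helper tries to take the same lock. The busy counter is a per-CPU recursion guard; the helper refuses to run if the counter shows a storage operation is already in flight, so the fix is to bump it on the free path before locking. The following model is an added example, not kernel code: storage_get(), map_free() and fentry_prog() are hypothetical stand-ins for bpf_cgrp_storage_get(), bpf_local_storage_map_free() and the fentry/cgroup_storage_ptr program from the report, and the spinlock is modelled as a flag so the would-be deadlock is reported as -EDEADLK instead of hanging the process.

```c
/*
 * Added model of the busy-counter recursion guard described in the
 * commit message above. Not kernel code: storage_get(), map_free() and
 * fentry_prog() are hypothetical stand-ins for bpf_cgrp_storage_get(),
 * bpf_local_storage_map_free() and a program attached at
 * fentry/cgroup_storage_ptr. local_storage->lock is modelled as a flag
 * so a would-be deadlock can be reported rather than spinning forever.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct local_storage {
	bool locked; /* stands in for local_storage->lock */
	int  busy;   /* stands in for the per-CPU busy counter */
	int  value;
};

/* Helper path: refuse to run if this CPU is already inside a storage op. */
static int storage_get(struct local_storage *ls, int new_value)
{
	if (++ls->busy != 1) {
		ls->busy--;
		return -EBUSY;      /* the real helper returns NULL here */
	}
	/* A real spinlock would never return from here if the lock is held. */
	if (ls->locked) {
		ls->busy--;
		return -EDEADLK;
	}
	ls->locked = true;      /* acquiring local_storage->lock */
	ls->value = new_value;  /* bpf_local_storage_update() */
	ls->locked = false;
	ls->busy--;
	return 0;
}

typedef int (*hook_fn)(struct local_storage *);

/*
 * Free path: holds local_storage->lock while unlinking elements; during
 * that window cgroup_storage_ptr() is called, so any fentry program
 * attached there runs with the lock held. with_busy selects whether the
 * busy counter is passed in (fixed) or NULL (vulnerable).
 */
static int map_free(struct local_storage *ls, bool with_busy, hook_fn hook)
{
	int rc;

	if (with_busy)
		ls->busy++;     /* fixed: incremented before locking */
	ls->locked = true;      /* holding local_storage->lock */
	rc = hook(ls);          /* cgroup_storage_ptr() -> fentry program */
	ls->locked = false;
	if (with_busy)
		ls->busy--;
	return rc;
}

/* The fentry program from the report: calls the helper under the lock. */
static int fentry_prog(struct local_storage *ls)
{
	return storage_get(ls, 42);
}

/* Helper called with nothing else in flight: succeeds. */
int run_normal(void)
{
	struct local_storage ls = {0};
	return storage_get(&ls, 1);
}

/* Vulnerable free path: no busy counter, nested get finds the lock held. */
int run_vulnerable(void)
{
	struct local_storage ls = {0};
	return map_free(&ls, false, fentry_prog);
}

/* Fixed free path: busy counter passed, nested get backs off with -EBUSY. */
int run_fixed(void)
{
	struct local_storage ls = {0};
	return map_free(&ls, true, fentry_prog);
}

int main(void)
{
	printf("normal=%d vulnerable=%d fixed=%d\n",
	       run_normal(), run_vulnerable(), run_fixed());
	return 0;
}
```

The point the model makes is that the lock itself cannot tell recursion from contention; only a counter incremented by the free path before it takes the lock lets the helper detect that it is being re-entered from under that lock and bail out, which is exactly what passing the busy counter to bpf_local_storage_map_free() achieves.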
Impact
CVSS v3.x base score: 5.50
CVSS v3.x severity: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.2 (including) | 6.6.80 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.7 (including) | 6.12.17 (excluding) |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 6.13 (including) | 6.13.5 (excluding) |
| cpe:2.3:o:linux:linux_kernel:6.14:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.14:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:6.14:rc3:*:*:*:*:*:* | | |