CVE-2023-52447

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
22/02/2024
Last modified:
04/11/2024

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: Defer the free of inner map when necessary

When updating or deleting an inner map in a map array or map htab, the map may still be accessed by a non-sleepable program or a sleepable program. However, bpf_map_fd_put_ptr() decreases the ref-counter of the inner map directly through bpf_map_put(); if the ref-counter is the last one (which is true for most cases), the inner map will be freed by ops->map_free() in a kworker. But for now, most .map_free() callbacks don't use synchronize_rcu() or its variants to wait for the elapse of an RCU grace period, so after the invocation of ops->map_free completes, the bpf program which is accessing the inner map may incur a use-after-free problem.

Fix the free of the inner map by invoking bpf_map_free_deferred() after both one RCU grace period and one tasks trace RCU grace period if the inner map has been removed from the outer map before. The deferment is accomplished by using call_rcu() or call_rcu_tasks_trace() when releasing the last ref-counter of the bpf map. The newly-added rcu_head field in bpf_map shares the same storage space with the work field to reduce the size of bpf_map.
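The race and the fix in miniature, as an added user-space model that is not the kernel's code. Function and field names (bpf_map_put, bpf_map_free_deferred, free_after_mult_rcu_gp, the rcu/work union) follow the commit message, but the two-counter RCU, the collapsed kworker delay, the "freed" flag that stands in for actually releasing memory, and the ordering chosen for the chained grace periods (tasks-trace first, then plain RCU) are all assumptions of this model. A non-sleepable program is modelled as a plain RCU reader and a sleepable one as a tasks-trace reader; the pre-fix path frees as soon as the last reference drops, the post-fix path waits for both grace periods:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-ins for the kernel types. Names follow the commit message; the layout
 * and the toy RCU below are this model's assumptions, not the kernel's code. */
struct rcu_head { struct rcu_head *next; void (*func)(struct rcu_head *); };
struct work_struct { void (*func)(struct work_struct *); };

struct bpf_map {
    int refcnt;
    int id;
    bool free_after_mult_rcu_gp;  /* set once the map is removed from an outer map */
    bool freed;                   /* instrumentation: the free path has run */
    union {                       /* rcu_head shares storage with work, as in the fix */
        struct work_struct work;
        struct rcu_head rcu;
    };
};

/* Toy RCU with two flavours: non-sleepable programs hold a plain RCU read lock,
 * sleepable programs a tasks-trace one. A grace period of a flavour can only
 * complete while no reader of that flavour is inside its critical section. */
enum rcu_flavour { RCU_PLAIN, RCU_TASKS_TRACE, RCU_NFLAVOURS };
static int readers[RCU_NFLAVOURS];
static struct rcu_head *pending[RCU_NFLAVOURS];

static void rcu_read_lock(enum rcu_flavour f) { readers[f]++; }
static void rcu_read_unlock(enum rcu_flavour f) { readers[f]--; }
static void call_rcu_flavour(enum rcu_flavour f, struct rcu_head *h,
                             void (*fn)(struct rcu_head *)) {
    h->func = fn; h->next = pending[f]; pending[f] = h;
}
/* Try to complete one grace period of flavour f; returns callbacks run (0 if blocked). */
static int rcu_grace_period(enum rcu_flavour f) {
    if (readers[f] > 0) return 0;
    struct rcu_head *h = pending[f]; pending[f] = NULL; int n = 0;
    while (h) { struct rcu_head *next = h->next; h->func(h); n++; h = next; }
    return n;
}

/* The kworker free. It only marks the map freed: really calling free() would turn
 * the dangling read below into undefined behaviour instead of a detectable event. */
static void bpf_map_free_deferred(struct work_struct *w) {
    struct bpf_map *m = (struct bpf_map *)((char *)w - offsetof(struct bpf_map, work));
    m->freed = true;
}
static void bpf_map_free_in_work(struct bpf_map *m) {
    m->work.func = bpf_map_free_deferred;
    m->work.func(&m->work);             /* the kworker delay is collapsed to zero */
}
static void bpf_map_free_rcu_gp(struct rcu_head *rcu) {
    bpf_map_free_in_work((struct bpf_map *)((char *)rcu - offsetof(struct bpf_map, rcu)));
}
/* One tasks-trace grace period has elapsed; now wait one plain RCU grace period. */
static void bpf_map_free_mult_rcu_gp(struct rcu_head *rcu) {
    call_rcu_flavour(RCU_PLAIN, rcu, bpf_map_free_rcu_gp);
}

/* Last-reference drop. `fixed` selects the pre-fix (free at once) or the post-fix
 * (defer across both grace periods when the map left an outer map) behaviour. */
static void bpf_map_put(struct bpf_map *m, bool fixed) {
    if (--m->refcnt != 0) return;
    if (fixed && m->free_after_mult_rcu_gp)
        call_rcu_flavour(RCU_TASKS_TRACE, &m->rcu, bpf_map_free_mult_rcu_gp);
    else
        bpf_map_free_in_work(m);
}

enum outcome { OUTCOME_CLEAN, OUTCOME_UAF, OUTCOME_LEAK };

/* The race from the description: a program looks up an inner map, the outer map
 * element is deleted underneath it, then the program uses what it looked up. */
enum outcome race_inner_map_delete(bool fixed, bool sleepable_prog) {
    enum rcu_flavour f = sleepable_prog ? RCU_TASKS_TRACE : RCU_PLAIN;
    struct bpf_map *outer[1];                /* one-slot array-of-maps */
    struct bpf_map *inner = calloc(1, sizeof *inner);
    inner->refcnt = 1; inner->id = 42;
    outer[0] = inner;

    rcu_read_lock(f);
    struct bpf_map *seen = outer[0];         /* program: lookup inner map */
    outer[0] = NULL;                         /* writer: delete the element ... */
    inner->free_after_mult_rcu_gp = true;    /* ... bpf_map_fd_put_ptr() marks it ... */
    bpf_map_put(inner, fixed);               /* ... and drops the last reference */
    rcu_grace_period(RCU_TASKS_TRACE);       /* time passes, but no grace period can */
    rcu_grace_period(RCU_PLAIN);             /* complete while the program is inside */
    bool uaf = seen->freed;                  /* program: use the looked-up map */
    rcu_read_unlock(f);

    rcu_grace_period(RCU_TASKS_TRACE);       /* reader gone: the deferred free may run */
    rcu_grace_period(RCU_PLAIN);
    bool released = inner->freed;
    free(inner);
    return uaf ? OUTCOME_UAF : released ? OUTCOME_CLEAN : OUTCOME_LEAK;
}

int main(void) {
    printf("pre-fix non-sleepable: %d  post-fix non-sleepable: %d  post-fix sleepable: %d\n",
           race_inner_map_delete(false, false), race_inner_map_delete(true, false),
           race_inner_map_delete(true, true));
    return 0;
}
```

With `fixed` false the outcome is OUTCOME_UAF for both program types: the last bpf_map_put() runs the free while the program still holds the pointer it read from the outer map. With `fixed` true the free is queued through call_rcu_tasks_trace() and then call_rcu(), neither grace period can complete until the program leaves its critical section, and the map is released only afterwards (OUTCOME_CLEAN). The union of `work` and `rcu` is safe because the rcu_head is dequeued before its callback overwrites the same bytes with the work item.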

Vulnerable products and versions

CPE From Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.9.0 (including) 5.10.214 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.11 (including) 5.15.153 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 5.16 (including) 6.1.75 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.2 (including) 6.6.14 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* 6.7 (including) 6.7.2 (excluding)