For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] bpf: defer bpffs symlink inode freeing until RCU grace period
Author: hongao@uniontech.com

#syz test

bpffs currently frees inodes directly from ->destroy_inode(). This can race
with RCU path walk following a bpffs symlink: a lookup reader may still hold
an unstable inode pointer while unlink frees the inode memory, leading to a
KASAN use-after-free in security_inode_follow_link().

Keep BPF object reference dropping in ->destroy_inode(), where sleeping
cleanup is allowed, but move symlink target and inode memory freeing to
->free_inode() so VFS releases them after an RCU grace period.

Fixes: 4f375ade6aa9 ("bpf: Avoid RCU context warning when unpinning htab with internal structs")
Reported-by: syzbot+0962e3a1af6d5e26a52c@syzkaller.appspotmail.com

Signed-off-by: hongao <hongao@uniontech.com>
---
 kernel/bpf/inode.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
index 25c06a011825..a1e9660f9237 100644
--- a/kernel/bpf/inode.c
+++ b/kernel/bpf/inode.c
@@ -766,10 +766,14 @@ static void bpf_destroy_inode(struct inode *inode)
 {
 	enum bpf_type type;
 
-	if (S_ISLNK(inode->i_mode))
-		kfree(inode->i_link);
 	if (!bpf_inode_type(inode, &type))
 		bpf_any_put(inode->i_private, type);
+}
+
+static void bpf_free_inode(struct inode *inode)
+{
+	if (S_ISLNK(inode->i_mode))
+		kfree(inode->i_link);
 	free_inode_nonrcu(inode);
 }
 
@@ -778,6 +782,7 @@ const struct super_operations bpf_super_ops = {
 	.drop_inode	= inode_just_drop,
 	.show_options	= bpf_show_options,
 	.destroy_inode	= bpf_destroy_inode,
+	.free_inode	= bpf_free_inode,
 };
 
 enum {
-- 
2.51.0