kernel/bpf/inode.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
bpffs currently frees inodes directly from ->destroy_inode(). This can
race with RCU path walk following a bpffs symlink: a lookup reader may
still hold an unstable inode pointer while unlink frees the inode
memory, leading to a KASAN use-after-free in
security_inode_follow_link().
Keep BPF object reference dropping in ->destroy_inode(), where sleeping
cleanup is allowed, but move symlink target and inode memory freeing to
->free_inode() so VFS releases them after an RCU grace period.
Fixes: 4f375ade6aa9 ("bpf: Avoid RCU context warning when unpinning htab with internal structs")
Reported-by: syzbot+0962e3a1af6d5e26a52c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0962e3a1af6d5e26a52c
Tested-by: syzbot+0962e3a1af6d5e26a52c@syzkaller.appspotmail.com
Signed-off-by: hongao <hongao@uniontech.com>
---
kernel/bpf/inode.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
index 25c06a011825..a1e9660f9237 100644
--- a/kernel/bpf/inode.c
+++ b/kernel/bpf/inode.c
@@ -766,10 +766,14 @@ static void bpf_destroy_inode(struct inode *inode)
{
enum bpf_type type;
- if (S_ISLNK(inode->i_mode))
- kfree(inode->i_link);
if (!bpf_inode_type(inode, &type))
bpf_any_put(inode->i_private, type);
+}
+
+static void bpf_free_inode(struct inode *inode)
+{
+ if (S_ISLNK(inode->i_mode))
+ kfree(inode->i_link);
free_inode_nonrcu(inode);
}
@@ -778,6 +782,7 @@ const struct super_operations bpf_super_ops = {
.drop_inode = inode_just_drop,
.show_options = bpf_show_options,
.destroy_inode = bpf_destroy_inode,
+ .free_inode = bpf_free_inode,
};
enum {
--
2.51.0
On 5/29/26 6:30 PM, hongao wrote:
> bpffs currently frees inodes directly from ->destroy_inode(). This can
> race with RCU path walk following a bpffs symlink: a lookup reader may
> still hold an unstable inode pointer while unlink frees the inode
> memory, leading to a KASAN use-after-free in
> security_inode_follow_link().
>
> Keep BPF object reference dropping in ->destroy_inode(), where sleeping
> cleanup is allowed, but move symlink target and inode memory freeing to
> ->free_inode() so VFS releases them after an RCU grace period.
>
> Fixes: 4f375ade6aa9 ("bpf: Avoid RCU context warning when unpinning htab with internal structs")
> Reported-by: syzbot+0962e3a1af6d5e26a52c@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=0962e3a1af6d5e26a52c
> Tested-by: syzbot+0962e3a1af6d5e26a52c@syzkaller.appspotmail.com
> Signed-off-by: hongao <hongao@uniontech.com>
Please have tag [PATCH bpf] to indicate it is form bpf tree.
Please have proper name instead of hongao. See examples in bpf repo.
Other than the above, the patch LGTM.
Acked-by: Yonghong Song <yonghong.song@linux.dev>
> ---
> kernel/bpf/inode.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/bpf/inode.c b/kernel/bpf/inode.c
> index 25c06a011825..a1e9660f9237 100644
> --- a/kernel/bpf/inode.c
> +++ b/kernel/bpf/inode.c
> @@ -766,10 +766,14 @@ static void bpf_destroy_inode(struct inode *inode)
> {
> enum bpf_type type;
>
> - if (S_ISLNK(inode->i_mode))
> - kfree(inode->i_link);
> if (!bpf_inode_type(inode, &type))
> bpf_any_put(inode->i_private, type);
> +}
> +
> +static void bpf_free_inode(struct inode *inode)
> +{
> + if (S_ISLNK(inode->i_mode))
> + kfree(inode->i_link);
> free_inode_nonrcu(inode);
> }
>
> @@ -778,6 +782,7 @@ const struct super_operations bpf_super_ops = {
> .drop_inode = inode_just_drop,
> .show_options = bpf_show_options,
> .destroy_inode = bpf_destroy_inode,
> + .free_inode = bpf_free_inode,
> };
>
> enum {
© 2016 - 2026 Red Hat, Inc.