From: Hou Tao <houtao1@xxxxxxxxxx> Hi, The patchset tries to fix the potential use-after-free problem in cgroup iterator. The problem is similar with the UAF problem fixed in map iterator and the fix is also similar: pinning the iterated resource in .init_seq_private() and unpinning it in .fini_seq_private(). An alternative fix is pinning iterator link when opening iterator fd, but it will make iterator link still being visible after the close of iterator link fd and the behavior is different with other link types, so just fixing the bug alone by pinning the start cgroup when creating cgroup iterator. Also adding a selftests to demonstrate the UAF problem when iterating a dead cgroup. Comments are always welcome. Change Log: v3: * Target bpf-next instead of bpf * Patch 1: Use the solution proposed in v1, because pinning iterator link will make it behaving different with other link types. * Patch 3: Add Acked-by from Hao Luo v2: https://lore.kernel.org/bpf/20221111063417.1603111-1-houtao@xxxxxxxxxxxxxxx/ * Patch 1: Pinning iterator link when opening iterator, instead of acquiring the reference of start cgroup in cgroup_iter_seq_init(). * Patch 2 & 3: Address comments from Yonghong Song and add Acked-by tag v1: https://lore.kernel.org/bpf/20221107074222.1323017-1-houtao@xxxxxxxxxxxxxxx/ Hou Tao (3): bpf: Pin the start cgroup in cgroup_iter_seq_init() selftests/bpf: Add cgroup helper remove_cgroup() selftests/bpf: Add test for cgroup iterator on a dead cgroup kernel/bpf/cgroup_iter.c | 14 ++++ tools/testing/selftests/bpf/cgroup_helpers.c | 19 +++++ tools/testing/selftests/bpf/cgroup_helpers.h | 1 + .../selftests/bpf/prog_tests/cgroup_iter.c | 76 +++++++++++++++++++ 4 files changed, 110 insertions(+) -- 2.29.2
