On 2/15/23 6:11 PM, Hou Tao wrote:
For local storage, when its owner (sk/task/inode/cgrp) is going away, the
memory can be reused immediately. No rcu gp is needed.
Now it seems it will wait for RCU GP and i think it is still necessary, because
when the process exits, other processes may still access the local storage
through pidfd or task_struct of the exited process.
When its owner (sk/task/cgrp...) is going away, its owner has reached refcnt 0
and will be kfree immediately next. eg. bpf_sk_storage_free is called just
before the sk is about to be kfree. No bpf prog should have a hold on this sk.
The same should go for the task.
A bpf syscall may have already found the task local storage through a pidfd,
then the target task exits and the local storage is free immediately, then bpf
syscall starts to copy the local storage and there will be a UAF, right ? Did I
missing something here ?
bpf syscall like bpf_pid_task_storage_lookup_elem and you meant
__put_task_struct() will be called while the syscall's bpf_map_copy_value() is
still under rcu_read_lock()?
