Patch "bpf: prevent leak of lsm program after failed attach" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 25 Dec 2022 08:46:36 -0500

This is a note to let you know that I've just added the patch titled

    bpf: prevent leak of lsm program after failed attach

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-prevent-leak-of-lsm-program-after-failed-attach.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 9770f8c7e18ae8ae3617098ff0f672cef8b96a5b
Author: Milan Landaverde <milan@xxxxxxxxxxxx>
Date:   Tue Dec 13 12:57:14 2022 -0500

    bpf: prevent leak of lsm program after failed attach
    
    [ Upstream commit e89f3edffb860a0f54a9ed16deadb7a4a1fa3862 ]
    
    In [0], we added the ability to bpf_prog_attach LSM programs to cgroups,
    but in our validation to make sure the prog is meant to be attached to
    BPF_LSM_CGROUP, we return too early if the check fails. This results in
    lack of decrementing prog's refcnt (through bpf_prog_put)
    leaving the LSM program alive past the point of the expected lifecycle.
    This fix allows for the decrement to take place.
    
    [0] https://lore.kernel.org/all/20220628174314.1216643-4-sdf@xxxxxxxxxx/
    
    Fixes: 69fd337a975c ("bpf: per-cgroup lsm flavor")
    Signed-off-by: Milan Landaverde <milan@xxxxxxxxxxxx>
    Signed-off-by: Martin KaFai Lau <martin.lau@xxxxxxxxxx>
    Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
    Reviewed-by: Stanislav Fomichev <sdf@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20221213175714.31963-1-milan@xxxxxxxxxxxx
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index 7b373a5e861f..439ed7e5a82b 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -3504,9 +3504,9 @@ static int bpf_prog_attach(const union bpf_attr *attr)
 	case BPF_PROG_TYPE_LSM:
 		if (ptype == BPF_PROG_TYPE_LSM &&
 		    prog->expected_attach_type != BPF_LSM_CGROUP)
-			return -EINVAL;
-
-		ret = cgroup_bpf_prog_attach(attr, ptype, prog);
+			ret = -EINVAL;
+		else
+			ret = cgroup_bpf_prog_attach(attr, ptype, prog);
 		break;
 	default:
 		ret = -EINVAL;






