Patch "bpf: Fix a possible task gone issue with bpf_send_signal[_thread]() helpers" has been added to the 5.15-stable tree

This is a note to let you know that I've just added the patch titled

    bpf: Fix a possible task gone issue with bpf_send_signal[_thread]() helpers

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-fix-a-possible-task-gone-issue-with-bpf_send_sig.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 93e11619ad069b9c3bf2f50086e79f84e7a63486
Author: Yonghong Song <yhs@xxxxxx>
Date:   Wed Jan 18 12:48:15 2023 -0800

    bpf: Fix a possible task gone issue with bpf_send_signal[_thread]() helpers
    
    [ Upstream commit bdb7fdb0aca8b96cef9995d3a57e251c2289322f ]
    
    In current bpf_send_signal() and bpf_send_signal_thread() helper
    implementation, irq_work is used to handle nmi context. Hao Sun
    reported in [1] that the current task at the entry of the helper
    might be gone during irq_work callback processing. To fix the issue,
    a reference is acquired for the current task before enqueuing into
    the irq_work so that the queued task is still available during
    irq_work callback processing.
    
      [1] https://lore.kernel.org/bpf/20230109074425.12556-1-sunhao.th@xxxxxxxxx/
    
    Fixes: 8b401f9ed244 ("bpf: implement bpf_send_signal() helper")
    Tested-by: Hao Sun <sunhao.th@xxxxxxxxx>
    Reported-by: Hao Sun <sunhao.th@xxxxxxxxx>
    Signed-off-by: Yonghong Song <yhs@xxxxxx>
    Link: https://lore.kernel.org/r/20230118204815.3331855-1-yhs@xxxxxx
    Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c
index 4daf1e044556..b314e71a008c 100644
--- a/kernel/trace/bpf_trace.c
+++ b/kernel/trace/bpf_trace.c
@@ -776,6 +776,7 @@ static void do_bpf_send_signal(struct irq_work *entry)
 
 	work = container_of(entry, struct send_signal_irq_work, irq_work);
 	group_send_sig_info(work->sig, SEND_SIG_PRIV, work->task, work->type);
+	put_task_struct(work->task);
 }
 
 static int bpf_send_signal_common(u32 sig, enum pid_type type)
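Review bot: the `put_task_struct(work->task)` added after `group_send_sig_info()` makes `do_bpf_send_signal()` the sole owner of the reference taken at enqueue time, and that ownership rule is not documented anywhere in the visible lines; a one-line comment above the `put_task_struct()` call ("drop the reference taken in bpf_send_signal_common()") would make the get/put pairing obvious to the next reader. Note also that holding a reference only guarantees the `task_struct` memory stays valid until the callback runs, not that the task is still alive, so the correctness of this hunk also depends on `group_send_sig_info()` tolerating a task that has already exited in the meantime; that behaviour is outside the hunk and is worth confirming in the commit message.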
@@ -812,7 +813,7 @@ static int bpf_send_signal_common(u32 sig, enum pid_type type)
 		 * to the irq_work. The current task may change when queued
 		 * irq works get executed.
 		 */
-		work->task = current;
+		work->task = get_task_struct(current);
 		work->sig = sig;
 		work->type = type;
 		irq_work_queue(&work->irq_work);
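Review bot: the return value of `irq_work_queue()` on the last context line is not checked, and with `work->task = get_task_struct(current)` now taking a reference, any path on which the work is not actually queued (the function returns false when the work item is already pending) would leak that reference and pin the task_struct for the lifetime of the per-cpu work. The earlier busy check this relies on is not within the hunk, so either confirm it guarantees the queue call cannot fail here or drop the reference on a false return. The existing comment above the assignment ("The current task may change when queued irq works get executed") should also be extended to say that the reference is taken here and released in `do_bpf_send_signal()`, since that pairing is the whole point of the change.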