[PATCH OLK-5.10] bpf: Fix invalid prog->stats access when update_effective_progs fails
maillist inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/ID7DOT
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next.git/commit/?id=...

--------------------------------

Syzkaller triggers an invalid memory access issue following fault
injection in update_effective_progs. The issue can be described as
follows:

__cgroup_bpf_detach
  update_effective_progs
    compute_effective_progs
      bpf_prog_array_alloc <-- fault inject
  purge_effective_progs
    /* change to dummy_bpf_prog */
    array->items[index] = &dummy_bpf_prog.prog

---softirq start---
__do_softirq
  ...
  __cgroup_bpf_run_filter_skb
    __bpf_prog_run_save_cb
      bpf_prog_run
        stats = this_cpu_ptr(prog->stats) /* invalid memory access */
        flags = u64_stats_update_begin_irqsave(&stats->syncp)
---softirq end---

static_branch_dec(&cgroup_bpf_enabled_key[atype])

The reason is that fault injection caused update_effective_progs to
fail and then changed the original prog into dummy_bpf_prog.prog in
purge_effective_progs. Then a softirq came, and accessing the members
of dummy_bpf_prog.prog in the softirq triggers invalid mem access.

To fix it, skip updating stats when stats is NULL.

Fixes: 492ecee892c2 ("bpf: enable program stats")
Signed-off-by: Pu Lehui <pulehui@huawei.com>
Link: https://lore.kernel.org/r/20251115102343.2200727-1-pulehui@huaweicloud.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Conflicts:
	include/linux/filter.h
	kernel/bpf/syscall.c
[context conflicts and no bpf_prog_inc_misses_counter]
Signed-off-by: Pu Lehui <pulehui@huawei.com>
---
 include/linux/filter.h | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/include/linux/filter.h b/include/linux/filter.h
index 3c43603bfb62..75c79546aae7 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -580,11 +580,13 @@ DECLARE_STATIC_KEY_FALSE(bpf_stats_enabled_key); u64 __start = sched_clock(); \ unsigned long flags; \ __ret = dfunc(ctx, (prog)->insnsi, (prog)->bpf_func); \ - __stats = this_cpu_ptr(prog->aux->stats); \ - flags = u64_stats_update_begin_irqsave(&__stats->syncp);\ - __stats->cnt++; \ - __stats->nsecs += sched_clock() - __start; \ - u64_stats_update_end_irqrestore(&__stats->syncp, flags);\ + if (likely(prog->aux && prog->aux->stats)) { \ + __stats = this_cpu_ptr(prog->aux->stats); \ + flags = u64_stats_update_begin_irqsave(&__stats->syncp);\ + __stats->cnt++; \ + __stats->nsecs += sched_clock() - __start; \ + u64_stats_update_end_irqrestore(&__stats->syncp, flags);\ + } \ } else { \ __ret = dfunc(ctx, (prog)->insnsi, (prog)->bpf_func); \ } \ -- 2.34.1
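Review bot: the guard `if (likely(prog->aux && prog->aux->stats))` in this hunk only prevents the NULL stats dereference described in the message; it does not close the window in which a softirq observes the array entry already swapped to `dummy_bpf_prog.prog`, so the commit message's wording "skip updating stats when stats is NULL" is the accurate scope and the message should not be read as fixing the ordering in purge_effective_progs itself. Two record-keeping points for the backport: the Conflicts section lists kernel/bpf/syscall.c, but the diffstat shows only include/linux/filter.h changed (1 file changed, 7 insertions, 5 deletions), so either say in the bracketed note why no syscall.c hunk is carried here (it currently mentions only the missing bpf_prog_inc_misses_counter) or drop syscall.c from the Conflicts list so it matches the diff; and `u64 __start = sched_clock();` is still evaluated unconditionally before the new guard, which is harmless but worth a one-line mention since the timing read is now wasted whenever the guard is false.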
Feedback: The patch/patch set you sent to kernel@openeuler.org has been successfully converted to a PR!
PR link: https://gitee.com/openeuler/kernel/pulls/19077
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/LII...

FeedBack: The patch(es) which you have sent to kernel@openeuler.org mailing list have been converted to a pull request successfully!
Pull request link: https://gitee.com/openeuler/kernel/pulls/19077
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/LII...
Participants (2): patchwork bot, Pu Lehui