Re: [PATCH bpf] bpf: Fix use-after-free in offloaded map/prog info fill
From: bot+bpf-ci
Date: Wed Apr 08 2026 - 21:16:48 EST
> Fix this by using maybe_get_net() instead of get_net(). maybe_get_net()
> uses refcount_inc_not_zero() and returns NULL if the refcount is already
> zero, which causes ns_get_path_cb() to fail and the caller to return
> -ENODEV -- the correct behavior when the netns is being destroyed.
Should this say -ENOENT rather than -ENODEV? When maybe_get_net()
returns NULL, ns_get_path_cb() returns -ENOENT:
fs/nsfs.c:ns_get_path_cb() {
        ns = ns_get_cb(private_data);
        if (!ns)
                return -ENOENT;
}
Since the callback sets info->ifindex before maybe_get_net() fails,
bpf_prog_offload_info_fill() takes this path:
        if (res) {
                if (!info->ifindex)     /* false, ifindex was set */
                        return -ENODEV;
                return res;             /* returns -ENOENT */
        }
Daniel Borkmann also noted this in his review of v1:
https://lore.kernel.org/bpf/1eccd7fc-8a1c-4499-ae81-a63fc8d0ff26@xxxxxxxxxxxxx/
---
AI reviewed your patch. Please fix the bug or reply by email explaining why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/24166717291
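The following is an added user-space model, not kernel code and not part of this thread, of the two error paths discussed above: it mirrors the quoted ns_get_path_cb() and bpf_prog_offload_info_fill() logic with simplified stand-ins (refcount_inc_not_zero(), maybe_get_net(), get_net(), ns_get_cb() and offload_info_fill() here are assumptions modelled on the real helpers, not the kernel's definitions) and shows why a netns whose refcount has already reached zero yields -ENOENT, why a missing ifindex yields -ENODEV instead, and how an unconditional get_net() on a dead netns resurrects a freed object.

```c
/* Added example: user-space model of netns reference taking and the
 * error-code path quoted above. All names are simplified stand-ins. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <errno.h>

struct net { atomic_int refcount; };          /* model of struct net */
struct offload_info { int ifindex; int netns_filled; };

/* Model of refcount_inc_not_zero(): take a reference only while the
 * object is still alive (refcount != 0). */
static bool refcount_inc_not_zero(atomic_int *r)
{
        int old = atomic_load(r);
        while (old != 0) {
                if (atomic_compare_exchange_weak(r, &old, old + 1))
                        return true;
        }
        return false;
}

/* Model of maybe_get_net(): NULL once the netns is being destroyed. */
static struct net *maybe_get_net(struct net *net)
{
        return refcount_inc_not_zero(&net->refcount) ? net : NULL;
}

/* Model of get_net(): unconditional increment. On a netns whose refcount
 * already hit zero this "revives" memory that is being freed, which is
 * the use-after-free the patch removes. */
static struct net *get_net(struct net *net)
{
        atomic_fetch_add(&net->refcount, 1);
        return net;
}

/* Model of the callback: dev_ifindex == 0 stands for "netdev already
 * gone" (ifindex never set); otherwise ifindex is set *before* the netns
 * reference is attempted, exactly the ordering the reply points out. */
static struct net *ns_get_cb(struct net *net, struct offload_info *info,
                             int dev_ifindex)
{
        if (dev_ifindex == 0)
                return NULL;
        info->ifindex = dev_ifindex;
        return maybe_get_net(net);
}

/* Model of fs/nsfs.c:ns_get_path_cb(): -ENOENT when no ns is returned. */
static int ns_get_path_cb(struct net *net, struct offload_info *info,
                          int dev_ifindex)
{
        struct net *ns = ns_get_cb(net, info, dev_ifindex);

        if (!ns)
                return -ENOENT;
        info->netns_filled = 1;       /* stand-in for netns dev/ino fill */
        return 0;
}

/* Model of bpf_prog_offload_info_fill()'s error handling. */
int offload_info_fill(struct net *net, struct offload_info *info,
                      int dev_ifindex)
{
        int res = ns_get_path_cb(net, info, dev_ifindex);

        if (res) {
                if (!info->ifindex)
                        return -ENODEV;   /* netdev gone */
                return res;               /* -ENOENT: netns dying */
        }
        return 0;
}

/* Returns the refcount left behind after get_net() on a dead netns,
 * to make the resurrection visible. */
int dead_net_refcount_after_get_net(void)
{
        struct net dead = { 0 };

        get_net(&dead);
        return atomic_load(&dead.refcount);
}
```

Running offload_info_fill() against a live netns (refcount 1) succeeds and leaves the refcount at 2; against a netns whose refcount is already 0 it returns -ENOENT with the refcount untouched, matching the -ENOENT the reply derives; with dev_ifindex 0 it returns -ENODEV. dead_net_refcount_after_get_net() returns 1, i.e. a freed netns apparently alive again.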