Re: [PATCH v2] bpf: fix UAF by restoring RCU-delayed inode freeing in bpffs
From: Alexei Starovoitov
Date: Mon Jun 01 2026 - 22:54:55 EST
On Mon, Jun 1, 2026 at 7:53 PM Deepanshu Kartikey <kartikey406@xxxxxxxxx> wrote:
>
> commit 4f375ade6aa9 ("bpf: Avoid RCU context warning when unpinning
> htab with internal structs") moved inode cleanup from ->free_inode()
> into ->destroy_inode() to avoid sleeping in RCU context when calling
> bpf_any_put(). However, this removed the RCU delay on freeing the
> inode itself and the cached symlink body (i_link), both of which
> can be accessed by RCU pathwalk (pick_link, may_lookup, etc.).
>
> This causes a use-after-free when a concurrent unlinkat() drops the
> last inode reference and destroy_inode() frees the inode immediately,
> while another task is still walking the path in RCU mode and reads
> inode->i_opflags (offset +2) inside current_time() -> is_mgtime().
>
> KASAN reports:
> BUG: KASAN: slab-use-after-free in is_mgtime include/linux/fs.h:2313
> Read of size 2 at addr ffff8880407e4282 (offset +2 = i_opflags)
>
> The rules (per Al Viro):
> ->destroy_inode() is called immediately and can sleep; use it for blocking
> cleanup, e.g. bpf_any_put()
> ->free_inode() is called after an RCU grace period; use it for freeing the
> inode and anything RCU-accessible, e.g. i_link
>
> Fix: split the two concerns properly:
> - keep bpf_any_put() in bpf_destroy_inode() since it is blocking
> and needs to run promptly
> - introduce bpf_free_inode() to handle kfree(i_link) and
> free_inode_nonrcu() with proper RCU delay, preventing the UAF
>
> Fixes: 4f375ade6aa9 ("bpf: Avoid RCU context warning when unpinning htab with internal structs")
> Reported-by: syzbot+36e50496c8ac4bcde3f9@xxxxxxxxxxxxxxxxxxxxxxxxx
> Closes: https://syzkaller.appspot.com/bug?extid=36e50496c8ac4bcde3f9
> Suggested-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> Link: https://lore.kernel.org/all/20260423043906.GN3518998@ZenIV/
> Link: https://lore.kernel.org/all/20260602002607.110866-1-kartikey406@xxxxxxxxx/T/ [v1]
> Signed-off-by: Deepanshu Kartikey <kartikey406@xxxxxxxxx>
> ---
> Changes in v2:
> - NAK on v1 fix in fs/namei.c (pick_link) by Al Viro
> - v1 was papering over the symptom, not fixing the root cause
> - real fix is in kernel/bpf/inode.c as suggested by Al Viro
Al,
please ack.
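A user-space model of the ->destroy_inode()/->free_inode() split the patch describes, added here as an illustration; it is not the patch's or the kernel's code. It simulates call_rcu() deferral with a plain queue and stands in for bpf_any_put() with a counter; struct inode, rcu_q, iput_last() and run_scenario() are all constructed for the model.

```c
#include <stdlib.h>
#include <string.h>
/* Minimal inode model; i_link is the symlink body RCU pathwalk (pick_link) reads. */
struct inode { char *i_link; };

/* Simulated RCU: queued inodes are freed only when rcu_grace_period() runs. */
static struct inode *rcu_q[16];
static int rcu_nq, blocking_put_calls;	/* the latter counts bpf_any_put() stand-ins */

/* The patch's split: blocking work in ->destroy_inode(), which runs at once;
 * kfree(i_link) and the inode itself in ->free_inode(), after the grace period. */
static void bpf_destroy_inode(struct inode *inode)
{
	(void)inode; blocking_put_calls++;	/* stands in for bpf_any_put(): may sleep, runs now */
}
static void bpf_free_inode(struct inode *inode)
{
	free(inode->i_link);
	free(inode);
}

/* Dropping the last reference: destroy now, queue the free behind RCU. */
static void iput_last(struct inode *inode)
{
	bpf_destroy_inode(inode);
	rcu_q[rcu_nq++] = inode;	/* the kernel would call_rcu() here */
}
static void rcu_grace_period(void)
{
	for (int i = 0; i < rcu_nq; i++)
		bpf_free_inode(rcu_q[i]);
	rcu_nq = 0;
}

/* The race from the report: an RCU-mode walker holds i_link while another task
 * drops the last reference. Returns 1 if the link stayed readable until the
 * grace period and the blocking put had already run by then. */
int run_scenario(void)
{
	struct inode *inode = calloc(1, sizeof(*inode));
	inode->i_link = malloc(7); strcpy(inode->i_link, "target");	/* constructed symlink body */
	int puts_before = blocking_put_calls;
	const char *link = inode->i_link;	/* walker inside rcu_read_lock() */
	iput_last(inode);
	int link_ok = strcmp(link, "target") == 0;	/* still valid: free is deferred */
	int put_ran = blocking_put_calls == puts_before + 1;
	rcu_grace_period();	/* walker gone; memory released now */
	return link_ok && put_ran && rcu_nq == 0;
}
```

With the pre-fix layout (both frees done in ->destroy_inode()) the same walker would read freed memory, which is the slab-use-after-free KASAN reported.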