Commit f75aeb2de891 for kernel

commit f75aeb2de89127052975b1bfade88ac87f164f4a
Author: Amery Hung <ameryhung@gmail.com>
Date:   Fri Apr 17 10:49:00 2026 -0700

    bpf: Dissociate struct_ops program with map if map_update fails

    Currently, when bpf_struct_ops_map_update_elem() fails, the programs'
    st_ops_assoc will remain set. They may become dangling pointers if the
    map is freed later, but they will never be dereferenced since the
    struct_ops attachment did not succeed. However, if one of the programs
    is subsequently attached as part of another struct_ops map, its
    st_ops_assoc will be poisoned even though its old st_ops_assoc was stale
    from a failed attachment.

    Fix the spurious poisoned st_ops_assoc by dissociating struct_ops
    programs with a map if the attachment fails. Move
    bpf_prog_assoc_struct_ops() to after *plink++ to make sure
    bpf_prog_disassoc_struct_ops() will not miss a program when iterating
    st_map->links.

    Note that, dissociating a program from a map requires some attention as
    it must not reset a poisoned st_ops_assoc or a st_ops_assoc pointing to
    another map. The former is already guarded in
    bpf_prog_disassoc_struct_ops(). The latter also will not happen since
    st_ops_assoc of programs in st_map->links are set by
    bpf_prog_assoc_struct_ops(), which can only be poisoned or pointing to
    the current map.

    Signed-off-by: Amery Hung <ameryhung@gmail.com>
    Link: https://lore.kernel.org/r/20260417174900.2895486-1-ameryhung@gmail.com
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/bpf_struct_ops.c b/kernel/bpf/bpf_struct_ops.c
index 05b366b821c3..521cb9d7e8c7 100644
--- a/kernel/bpf/bpf_struct_ops.c
+++ b/kernel/bpf/bpf_struct_ops.c
@@ -811,9 +811,6 @@ static long bpf_struct_ops_map_update_elem(struct bpf_map *map, void *key,
 			goto reset_unlock;
 		}

-		/* Poison pointer on error instead of return for backward compatibility */
-		bpf_prog_assoc_struct_ops(prog, &st_map->map);
-
 		link = kzalloc_obj(*link, GFP_USER);
 		if (!link) {
 			bpf_prog_put(prog);
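Review bot: The `!link` branch here is the case the reordering exists for, and nothing in the code marks it. With the association call gone from above `kzalloc_obj()`, a program that fails link allocation is released by `bpf_prog_put(prog)` without ever being associated or stored in st_map->links, so the cleanup at reset_unlock never has to see it. Please confirm that no other early exit before `*plink++` can still leave st_ops_assoc set, since any such path would bring back the stale pointer the commit message describes.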
@@ -824,6 +821,9 @@ static long bpf_struct_ops_map_update_elem(struct bpf_map *map, void *key,
 			      &bpf_struct_ops_link_lops, prog, prog->expected_attach_type);
 		*plink++ = &link->link;

+		/* Poison pointer on error instead of return for backward compatibility */
+		bpf_prog_assoc_struct_ops(prog, &st_map->map);
+
 		ksym = kzalloc_obj(*ksym, GFP_USER);
 		if (!ksym) {
 			err = -ENOMEM;
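Review bot: The comment moved along with `bpf_prog_assoc_struct_ops(prog, &st_map->map);` still only explains the poisoning behaviour and does not say why the call must sit after `*plink++ = &link->link;`. That ordering is what lets the error path find the program when it iterates st_map->links, so I would add a sentence to the comment stating it; otherwise a later cleanup could move the call back above the allocation. The `!ksym` failure directly below now runs with the association already made, so it is correct only together with the dissociation added at reset_unlock.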
@@ -906,6 +906,7 @@ static long bpf_struct_ops_map_update_elem(struct bpf_map *map, void *key,
 reset_unlock:
 	bpf_struct_ops_map_free_ksyms(st_map);
 	bpf_struct_ops_map_free_image(st_map);
+	bpf_struct_ops_map_dissoc_progs(st_map);
 	bpf_struct_ops_map_put_progs(st_map);
 	memset(uvalue, 0, map->value_size);
 	memset(kvalue, 0, map->value_size);
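Review bot: The new `bpf_struct_ops_map_dissoc_progs(st_map);` line is placed ahead of `bpf_struct_ops_map_put_progs(st_map);`, and that order looks load-bearing, because the dissociation walks st_map->links and put_progs, going by its name, drops those same programs. A one-line comment on the ordering would protect it. reset_unlock is also reached when st_map->links is only partly filled, so please confirm the helper copes with unset entries. The patch touches only kernel/bpf/bpf_struct_ops.c; a selftest that fails a map update and then attaches the same program through a second struct_ops map would pin down the behaviour described in the commit message.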