Use-after-free / memory safety race in reuseport BPF handling (RCU-related)
Description
Summary of the issue:
- The patch fixes a memory-safety race in the handling of reuseport BPF programs (both classic BPF and eBPF for reuseport) under concurrent detach/usage. Previously, when detaching a reuseport program (via reuseport_attach_prog or reuseport_detach_prog) the code could free the program data structures too early, potentially while other threads were reading the program (in the reuseport select path). This could lead to use-after-free and memory-corruption scenarios, evidenced by a KASAN report showing vmalloc-out-of-bounds in reuseport_select_sock and related call paths.
What the fix does:
- Introduces an RCU-based defer for freeing reuseport BPF programs. Specifically, sk_reuseport_prog_free() now defers freeing for classic BPF programs by scheduling an RCU callback (sk_reuseport_prog_free_rcu) that ultimately calls bpf_release_orig_filter() and bpf_prog_free(). Non-classic (eBPF) reuseport programs are freed via bpf_prog_put() as before.
- The deferral ensures that any in-flight readers of the reuseport code paths do not encounter freed memory, addressing the race between detaching a program and concurrent UDP lookups/packet delivery.
Vulnerability type and impact:
- Type: Use-after-free / memory safety issue in reuseport BPF handling under concurrent access (RCU-related).
- Impact: Potential memory corruption or kernel crash under adversarial timing of reuseport program detach while traffic is being processed. This is a security-relevant bug due to kernel memory safety, which could be exploited to crash the system or leak/reuse freed memory under specific conditions.
- Affected versions: prior to this commit (7.0-rc6 and earlier in the v7.0-rc6 track).
Rationale for the assessment:
- The commit explicitly defers freeing the cBPF/eBPF reuseport program until after an RCU grace period and adjusts the free path to avoid prematurely freeing memory accessed by readers in reuseport_select_sock. The repro described in the message (a thread sending UDP traffic while the program is detached) aligns with a classical UAF risk. The KASAN report cited in the commit notes the vmalloc-out-of-bounds access in reuseport_select_sock, consistent with a use-after-free related issue that the RCU-based fix addresses. The fix is a targeted memory-safety correction rather than a mere code cleanup or dependency bump.
Is this a real vulnerability fix? Yes.
- is_real_vulnerability: true
- is_version_bump: false
- vulnerability_type: Use-after-free / memory safety race in reuseport BPF handling (RCU-related)
Proof of Concept
PoC outline (to be run in a controlled test environment with an affected kernel built with this patch):
Prerequisites:
- A Linux kernel build that includes this patch (or a mainline/kernel image with the patch applied).
- libbpf or a user-space helper to load an EBPF or classic BPF program for reuseport.
- A test setup that allows multiple UDP sockets to share the same port (SO_REUSEPORT) and to load an attached reuseport BPF program (SO_ATTACH_REUSEPORT_EBPF or SO_ATTACH_REUSEPORT_CBPF).
- A separate thread/process that continuously sends UDP traffic to the shared port to create a read path through reuseport while a detach happens.
Steps (high level):
1) Create two UDP sockets (s1, s2) bound to 127.0.0.1:12345 with SO_REUSEPORT enabled.
2) Compile/load a minimal BPF program suitable for reuseport (either a classic BPF or an EBPF program) and attach it to the reuseport group via setsockopt(SO_ATTACH_REUSEPORT_EBPF or CBPF).
3) Start a sender thread that repeatedly sends UDP datagrams to 127.0.0.1:12345.
4) In another thread, detach the BPF program from one of the sockets using the corresponding SO_DETACH_REUSEPORT_EBPF/CBPF option while traffic is in flight.
5) Observe the kernel behavior via dmesg/kasan logs or a crash in a worst-case timing window. On a patched kernel, the detach should not access freed memory and the crash should be prevented.
Notes:
- The exact user-space API names depend on whether the program is EBPF or classic BPF (CBPF). Example options are SO_ATTACH_REUSEPORT_EBPF, SO_DETACH_REUSEPORT_EBPF, and SO_ATTACH_REUSEPORT_CBPF, SO_DETACH_REUSEPORT_CBPF. The PoC should use a minimal BPF program that can be attached (e.g., a no-op program that returns 0).
- This PoC is intended for a controlled lab environment with a KASAN-enabled kernel to observe memory-safety failures and verify that the fix prevents the crash.
Commit Details
Author: Kuniyuki Iwashima
Date: 2026-04-26 01:26 UTC
Message:
bpf: Free reuseport cBPF prog after RCU grace period.
Eulgyu Kim reported the splat below with a repro. [0]
The repro sets up a UDP reuseport group with a cBPF prog and
replaces it with a new one while another thread is sending
a UDP packet to the group.
The reuseport prog is freed by sk_reuseport_prog_free().
bpf_prog_put() is called for "e"BPF prog to destruct through
multiple stages while cBPF prog is freed immediately by
bpf_release_orig_filter() and bpf_prog_free().
If a reuseport prog is detached from the setsockopt() path
(reuseport_attach_prog() or reuseport_detach_prog()),
sk_reuseport_prog_free() is called without waiting for RCU
readers to complete, resulting in various bugs.
Let's defer freeing the reuseport cBPF prog after one RCU
grace period.
Note "e"BPF prog is safe as is unless the fast path starts
to touch fields destroyed in bpf_prog_put_deferred() and
__bpf_prog_put_noref().
[0]:
BUG: KASAN: vmalloc-out-of-bounds in reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
Read of size 4 at addr ffffc9000051e004 by task slowme/10208
CPU: 6 UID: 1000 PID: 10208 Comm: slowme Not tainted 7.0.0-geb7ac95ff75e #32 PREEMPT(full)
Hardware name: QEMU Ubuntu 24.04 PC v2 (i440FX + PIIX, arch_caps fix, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<IRQ>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:378 [inline]
print_report+0xca/0x240 mm/kasan/report.c:482
kasan_report+0x118/0x150 mm/kasan/report.c:595
reuseport_select_sock+0xedc/0x1220 net/core/sock_reuseport.c:596
udp4_lib_lookup2+0x3bc/0x950 net/ipv4/udp.c:495
__udp4_lib_lookup+0x768/0xe20 net/ipv4/udp.c:723
__udp4_lib_lookup_skb+0x297/0x390 net/ipv4/udp.c:752
__udp4_lib_rcv+0x1312/0x2620 net/ipv4/udp.c:2752
ip_protocol_deliver_rcu+0x282/0x440 net/ipv4/ip_input.c:207
ip_local_deliver_finish+0x3bb/0x6f0 net/ipv4/ip_input.c:241
NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
NF_HOOK+0x30c/0x3a0 include/linux/netfilter.h:318
__netif_receive_skb_one_core net/core/dev.c:6181 [inline]
__netif_receive_skb net/core/dev.c:6294 [inline]
process_backlog+0xaa4/0x1960 net/core/dev.c:6645
__napi_poll+0xae/0x340 net/core/dev.c:7709
napi_poll net/core/dev.c:7772 [inline]
net_rx_action+0x5d7/0xf50 net/core/dev.c:7929
handle_softirqs+0x22b/0x870 kernel/softirq.c:622
do_softirq+0x76/0xd0 kernel/softirq.c:523
</IRQ>
<TASK>
__local_bh_enable_ip+0xf8/0x130 kernel/softirq.c:450
local_bh_enable include/linux/bottom_half.h:33 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:924 [inline]
__dev_queue_xmit+0x1dd7/0x3710 net/core/dev.c:4890
neigh_output include/net/neighbour.h:556 [inline]
ip_finish_output2+0xca9/0x1070 net/ipv4/ip_output.c:237
NF_HOOK_COND include/linux/netfilter.h:307 [inline]
ip_output+0x29f/0x450 net/ipv4/ip_output.c:438
ip_send_skb+0x45/0xc0 net/ipv4/ip_output.c:1508
udp_send_skb+0xb04/0x1510 net/ipv4/udp.c:1195
udp_sendmsg+0x1a71/0x2350 net/ipv4/udp.c:1485
sock_sendmsg_nosec net/socket.c:727 [inline]
__sock_sendmsg net/socket.c:742 [inline]
__sys_sendto+0x554/0x680 net/socket.c:2206
__do_sys_sendto net/socket.c:2213 [inline]
__se_sys_sendto net/socket.c:2209 [inline]
__x64_sys_sendto+0xde/0x100 net/socket.c:2209
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x160/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x415a2d
Code: b3 66 2e 0f 1f 84 00 00 00 00 00 66 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6bc31e41e8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f6bc31e4cdc RCX: 0000000000415a2d
RDX: 0000000000000001 RSI: 00007f6bc31e421f RDI: 0000000000000003
RBP: 00007f6bc31e4240 R08: 00007f6bc31e4220 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000212 R12: 00007f6bc31e46c0
R13: ffffffffffffffb8 R14: 0000000000000000 R15: 00007ffc9b0d70b0
</TASK>
Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
Reported-by: Eulgyu Kim <eulgyukim@snu.ac.kr>
Reported-by: Taeyang Lee <0wn@theori.io>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20260426012647.3233119-1-kuniyu@google.com
Triage Assessment
Vulnerability Type: Use-after-free / Memory safety (RCU-related) in reuseport/BPF
Confidence: MEDIUM
Reasoning:
Commit fixes a race/memory-safety issue in BPF reuseport program handling by deferring freeing of the reuseport cBPF prog until after an RCU grace period. The bug could lead to use-after-free and memory corruption under concurrent access, which is a security-relevant vulnerability (information disclosure or process crash under attack scenarios). The message explicitly discusses a vulnerability repro and deferring free to fix it.
Verification Assessment
Vulnerability Type: Use-after-free / memory safety race in reuseport BPF handling (RCU-related)
Confidence: MEDIUM
Affected Versions: 7.0-rc6 and earlier in the 7.0-rc6 track; fixed by commit 18fc650ccd7fe3376eca89203668cfb8268f60df
Code Diff
diff --git a/net/core/filter.c b/net/core/filter.c
index ef0877eefaa7cf..70eef14edb990c 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1654,15 +1654,24 @@ int sk_reuseport_attach_bpf(u32 ufd, struct sock *sk)
return err;
}
+static void sk_reuseport_prog_free_rcu(struct rcu_head *rcu)
+{
+ struct bpf_prog_aux *aux = container_of(rcu, struct bpf_prog_aux, rcu);
+ struct bpf_prog *prog = aux->prog;
+
+ bpf_release_orig_filter(prog);
+ bpf_prog_free(prog);
+}
+
void sk_reuseport_prog_free(struct bpf_prog *prog)
{
if (!prog)
return;
- if (prog->type == BPF_PROG_TYPE_SK_REUSEPORT)
- bpf_prog_put(prog);
+ if (bpf_prog_was_classic(prog))
+ call_rcu(&prog->aux->rcu, sk_reuseport_prog_free_rcu);
else
- bpf_prog_destroy(prog);
+ bpf_prog_put(prog);
}
static inline int __bpf_try_make_writable(struct sk_buff *skb,