diff options
| author | Leon Hwang <leon.hwang@linux.dev> | 2026-05-21 17:29:09 +0300 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2026-05-29 05:56:37 +0300 |
| commit | 9b435d23f51e55b62dda3a345a9f8931248ca514 (patch) | |
| tree | dcad05018a1467a1a31ffa3017b85cf4a0a89969 /include/linux | |
| parent | 7f9ce282da0c397673be7d5870b0bcdbc8c6ce82 (diff) | |
| download | linux-9b435d23f51e55b62dda3a345a9f8931248ca514.tar.xz | |
bpf: Fix race between bpf_map_new_fd() and close_fd()
Because there is time gap between bpf_map_new_fd() and close_fd(), a
concurrent thread is able to close the new fd and opens a new, unrelated
file with the exact same fd number. Thereafter, this close_fd() might
inadvertently close the unrelated file.
To avoid such regression, do finalize log before security_bpf_map_create().
However, in order to achieve it, move bpf_get_file_flag(),
security_bpf_map_create(), bpf_map_alloc_id(), and bpf_map_new_fd() from
__map_create() to map_create(). And, rename __map_create() to
map_create_alloc() meanwhile.
Then, in order to reuse the map and token when all checks pass in
map_create_alloc(), pass "struct bpf_map **" and "struct bpf_token **" to
map_create_alloc().
Fixes: 49f9b2b2a18c ("bpf: Add syscall common attributes support for map_create")
Signed-off-by: Leon Hwang <leon.hwang@linux.dev>
Link: https://lore.kernel.org/r/20260521142909.95818-1-leon.hwang@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions