zhaoyuenan a17f63c532 fixup! bpf: decouple the lifetime of cgroup_bpf from cgroup itself
We encountered a UAF issue with bpf cgroup, which was caused by this patch:
dda4eba1d ("bpf: decouple the lifetime of cgroup_bpf from cgroup itself")

By comparing this patch in the upstream torvalds/Linux kernel tree[1],
we found that we missed a line of changes in the qcom_sm8150 kernel tree.

This can lead to a reference counting lifetime inconsistency,
causing a UAF issue in the function "__cgroup_bpf_run_filter_skb",
which can lead to kernel panics and random reboot issues.

The changes in our kernel tree [2] separated a portion of the code in
the cgroup_sk_alloc function into the cgroup_sk_clone function. Therefore,
the change omitted from dda4eba1d needs to be added to cgroup_sk_clone to
fix the inconsistency in reference counting.

Consistent with cgroup_sk_clone in GKI android13-5.10 [3].
[1]: https://github.com/torvalds/linux/commit/4bfc0bb2c
[2]: https://github.com/LineageOS/android_kernel_qcom_sm8150/commit/82fd2138a
[3]: https://github.com/aosp-mirror/kernel_common/blob/android13-5.10/kernel/cgroup/cgroup.c#L6731
     ad0f75e5f5
Fixes: https://gitlab.com/LineageOS/issues/android/-/issues/9458

The co-authors have reported stable operation on their devices for 7 days
without any further restart issues caused by __cgroup_bpf_run_filter_skb.

Co-authored-by: TwinbornPlate75 <3342733415@qq.com>
Co-authored-by: zhaoyuenan <amktiao030215@gmail.com>
Co-authored-by: Helium-Studio <helium_studio@outlook.com>
Co-authored-by: Hxsyzl <knbn666@gmail.com>
Co-authored-by: crrashh1542 <1542@crrashh.com>
Change-Id: Iba7ad237a53fec10bc89c7e8c716e899158dfad2
2025-12-24 21:35:09 +00:00