mirror of
https://github.com/LineageOS/android_kernel_fxtec_sm6115.git
synced 2026-04-02 20:03:10 +00:00
a86148f89f
We encountered UAF issue with bpf cgroup, which was caused by this patch.8cd90e5df("bpf: decouple the lifetime of cgroup_bpf from cgroup itself") By comparing this patch in the upstream torvalds/Linux kernel tree[1], we found that we missed a line of changes in the qcom_sm8250 kernel tree. This can lead to a reference counting lifetime inconsistency, causing a UAF issue in the function "__cgroup_bpf_run_filter_skb", which can lead to kernel panics and random reboot issuse. The changes in our kernel tree [2] separated a portion of the code in the cgroup_sk_alloc function into the cgroup_sk_clone function. Therefore, the changes omission in8cd90e5dfneed to be added to cgroup_sk_clone to fix the inconsistency in reference counting. Consistent with cgroup_sk_clone in GKI android13-5.10 [3] [1]: https://github.com/torvalds/linux/commit/4bfc0bb2c [2]: https://github.com/LineageOS/android_kernel_qcom_sm8250/commit/0505cc4c9 [3]: https://github.com/aosp-mirror/kernel_common/blob/android13-5.10/kernel/cgroup/cgroup.c#L6731 Fixes: https://gitlab.com/LineageOS/issues/android/-/issues/9458 The co-authors have reported stable operation on their devices for 7 days without any further restart issues caused by __cgroup_bpf_run_filter_skb. Co-authored-by: TwinbornPlate75 <3342733415@qq.com> Co-authored-by: zhaoyuenan <amktiao030215@gmail.com> Co-authored-by: Helium-Studio <helium_studio@outlook.com> Co-authored-by: Hxsyzl <knbn666@gmail.com> Co-authored-by: crrashh1542 <1542@crrashh.com> Change-Id: Iba7ad237a53fec10bc89c7e8c716e899158dfad2