Skip to content

sdt_task: Avoid use-after-free after deleting task_storage #2006

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 2, 2025
Merged

sdt_task: Avoid use-after-free after deleting task_storage #2006

merged 1 commit into from
Jun 2, 2025

Conversation

@EricccTaiwan
Copy link
Collaborator

@EricccTaiwan EricccTaiwan commented May 27, 2025
edited
Loading

In scx_task_free(), after releasing the allocator index, invoke bpf_task_storage_delete() to remove the task's entry from the BPF map.

Also zero-initialize mval->tid so that no stale identifier remains in local storage.

Edit: Remove redundant mval field updates after deletion.

@EricccTaiwan EricccTaiwan force-pushed the delete-task-storage branch 2 times, most recently from 6b3af3b to 337508c Compare May 27, 2025 18:26
@etsal etsal self-requested a review May 27, 2025 20:29
@EricccTaiwan EricccTaiwan force-pushed the delete-task-storage branch 2 times, most recently from 75b61a9 to a167059 Compare May 28, 2025 14:06
@EricccTaiwan EricccTaiwan changed the title lib/sdt_task: Delete task storage entry and reset TID sdt_task: Delete task storage entry and reset TID May 28, 2025
@EricccTaiwan EricccTaiwan force-pushed the delete-task-storage branch from a167059 to 8d18907 Compare May 28, 2025 16:27
@EricccTaiwan
Copy link
Collaborator Author

EricccTaiwan commented May 28, 2025

Hi @etsal , PTAL thanks!

@EricccTaiwan EricccTaiwan force-pushed the delete-task-storage branch 2 times, most recently from 227b752 to 3a029c9 Compare May 28, 2025 19:38
@etsal
Copy link
Contributor

etsal commented May 29, 2025

This looks ok but I will give it a closer look, thank you!

@EricccTaiwan EricccTaiwan force-pushed the delete-task-storage branch 6 times, most recently from a655c75 to 7c6cda1 Compare May 31, 2025 18:04
@etsal
Copy link
Contributor

etsal commented May 31, 2025

I think if we delete then we should not be fixing up the fields of mval, this is a use-after-free. I suspect the only reason this works fine and passes verification is because of RCU preventing the use-after-free from having side effects. Can you adjust to only keep the delete call?

I am also wondering whether this has performance implications. If the kernel caches task_struct allocations and reuses deallocated task struct instances often, then this patch will add a BPF map allocation on the process initialization path. This is in addition to slowing down exit().

In the end, it all depends on how much reuse there is in the kernel of task_struct. @htejun, what do you think?

@EricccTaiwan
Copy link
Collaborator Author

EricccTaiwan commented May 31, 2025

Can you adjust to only keep the delete call?

I think it's best to wait for @htejun 's feedback before adjusting it.
TBH, I hadn't considered the implications in that depth. Appreciate the insight and explanation.
TBD depending on further discussion. 👍

@htejun
Copy link
Contributor

htejun commented Jun 2, 2025

Yeah, no need to update mval if the elem is being deleted.

@EricccTaiwan @charliechiou
sdt_task: Avoid use-after-free after deleting task_storage
5c16eb5 
Remove redundant mval field updates after deletion.

Suggested-by: Tejun Heo <tj@kernel.org>
Suggested-by: Emil Tsalapatis <emil@etsalapatis.com>
Co-authored-by: Po-Ying Chiu <charlie910417@gmail.com>
Signed-off-by: Cheng-Yang Chou <yphbchou0911@gmail.com>
@EricccTaiwan EricccTaiwan force-pushed the delete-task-storage branch from 7c6cda1 to 5c16eb5 Compare June 2, 2025 18:55
@EricccTaiwan EricccTaiwan changed the title sdt_task: Delete task storage entry and reset TID sdt_task: Avoid use-after-free after deleting task_storage Jun 2, 2025
@EricccTaiwan
Copy link
Collaborator Author

EricccTaiwan commented Jun 2, 2025

Yeah, no need to update mval if the elem is being deleted.

Ok, I only kept the bpf_task_storage_delete() call. PTAL!

@etsal etsal added this pull request to the merge queue Jun 2, 2025
Merged via the queue into sched-ext:main with commit 1eae057 Jun 2, 2025
16 checks passed
@EricccTaiwan EricccTaiwan deleted the delete-task-storage branch June 2, 2025 19:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@etsal etsal Awaiting requested review from etsal

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@EricccTaiwan @etsal @htejun