bpf: Sync pending IRQ work before freeing ring buffer

neqbal · Alexei Starovoitov · commit 4e9077638301 · 2025-10-21T09:57:48.000-07:00
Fix a race where irq_work can be queued in bpf_ringbuf_commit() but the ring buffer is freed before the work executes. In the syzbot reproducer, a BPF program attached to sched_switch triggers bpf_ringbuf_commit(), queuing an irq_work. If the ring buffer is freed before this work executes, the irq_work thread may accesses freed memory. Calling `irq_work_sync(&rb->work)` ensures that all pending irq_work complete before freeing the buffer. Fixes: 457f443 ("bpf: Implement BPF ring buffer and verifier support for it") Reported-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=2617fc732430968b45d2 Tested-by: syzbot+2617fc732430968b45d2@syzkaller.appspotmail.com Signed-off-by: Noorain Eqbal <nooraineqbal@gmail.com> Link: https://lore.kernel.org/r/20251020180301.103366-1-nooraineqbal@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
diff --git a/kernel/bpf/ringbuf.c b/kernel/bpf/ringbuf.c
@@ -216,6 +216,8 @@ static struct bpf_map *ringbuf_map_alloc(union bpf_attr *attr)
 
 static void bpf_ringbuf_free(struct bpf_ringbuf *rb)
 {
+	irq_work_sync(&rb->work);
+
 	/* copy pages pointer and nr_pages to local variable, as we are going
 	 * to unmap rb itself with vunmap() below
 	 */

Original file line number	Diff line number	Diff line change
`@@ -216,6 +216,8 @@ static struct bpf_map ringbuf_map_alloc(union bpf_attr attr)`
`216`	`216`
`217`	`217`	`static void bpf_ringbuf_free(struct bpf_ringbuf *rb)`
`218`	`218`	`{`
	`219`	`+ irq_work_sync(&rb->work);`
	`220`	`+`
`219`	`221`	`/* copy pages pointer and nr_pages to local variable, as we are going`
`220`	`222`	`* to unmap rb itself with vunmap() below`
`221`	`223`	`*/`