bpf: Free reuseport cBPF prog after RCU grace period.
Summary
In the Linux kernel, the following vulnerability has been resolved: bpf: Free reuseport cBPF prog after RCU grace period. Eulgyu Kim reported the splat below with a repro. [0] The repro sets up a UDP reuseport group with a cBPF prog and replaces it with a new one while another thread is sending a UDP packet to the group. The reuseport prog is freed by sk_reuseport_prog_free(). bpf_prog_put() is called for "e"BPF prog to destruct through multiple stages while cBPF prog is freed immediately by bpf_release_orig_filter() and bpf_prog_free(). If a reuseport prog is detached from the setsockopt() path (reuseport_attach_prog() or reuseport_detach_prog()), sk_reuseport_prog_free() is called without waiting for RCU readers to complete, resulting in various bugs. Let's defer freeing the reuseport cBPF prog after one RCU grace period.
What this means
In plain English
In the Linux kernel, the following vulnerability has been resolved: bpf: Free reuseport cBPF prog after RCU grace period. Eulgyu Kim reported the splat below with a repro. [0] The repro sets up a UDP reuseport group with a cBPF prog and replaces it with a new one while another thread is sending a UDP packet to the group. The reuseport prog is freed by sk_reuseport_prog_free(). bpf_prog_put() is called for "e"BPF prog to destruct through multiple stages while cBPF prog is freed immediately by bpf_release_orig_filter() and bpf_prog_free().
Recommended action
Primary action: update to a vendor-listed fixed release: 08264d5bba0bdd3a79bc2984fee09286aba0c4eb, fec41484e7c2aa7ded44c541bba98872be937754, c3e3fddda6b5d9ba505d218b4055e7d8a282ac57, f8b8f1d4bb76098e87b8269a0631019648330e6d, 298db6167f81e9c470a57cf652e4e47757b4293e, 87dfb977bdb6eaa47e9993a34e18f44970f88b1f, 90e47dc5c572d1c73971ac51c7428803f42b78eb, 18fc650ccd7fe3376eca89203668cfb8268f60df.
Rewritten locally from the scraped official advisory data above; no generative API is used. The vendor advisory is authoritative.
- Linux 538950a1b7527a0a52ccd9337e3fcd304f027f13 before 08264d5bba0bdd3a79bc2984fee09286aba0c4eb
- Linux 538950a1b7527a0a52ccd9337e3fcd304f027f13 before fec41484e7c2aa7ded44c541bba98872be937754
- Linux 538950a1b7527a0a52ccd9337e3fcd304f027f13 before c3e3fddda6b5d9ba505d218b4055e7d8a282ac57
- Linux 538950a1b7527a0a52ccd9337e3fcd304f027f13 before f8b8f1d4bb76098e87b8269a0631019648330e6d
- Linux 538950a1b7527a0a52ccd9337e3fcd304f027f13 before 298db6167f81e9c470a57cf652e4e47757b4293e
- Linux 538950a1b7527a0a52ccd9337e3fcd304f027f13 before 87dfb977bdb6eaa47e9993a34e18f44970f88b1f
- Linux 538950a1b7527a0a52ccd9337e3fcd304f027f13 before 90e47dc5c572d1c73971ac51c7428803f42b78eb
- Linux 538950a1b7527a0a52ccd9337e3fcd304f027f13 before 18fc650ccd7fe3376eca89203668cfb8268f60df
- Linux 4.5
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
- 08264d5bba0bdd3a79bc2984fee09286aba0c4eb
- fec41484e7c2aa7ded44c541bba98872be937754
- c3e3fddda6b5d9ba505d218b4055e7d8a282ac57
- f8b8f1d4bb76098e87b8269a0631019648330e6d
- 298db6167f81e9c470a57cf652e4e47757b4293e
- 87dfb977bdb6eaa47e9993a34e18f44970f88b1f
- 90e47dc5c572d1c73971ac51c7428803f42b78eb
- 18fc650ccd7fe3376eca89203668cfb8268f60df
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Mitigation
Upgrade to a fixed release: 08264d5bba0bdd3a79bc2984fee09286aba0c4eb, fec41484e7c2aa7ded44c541bba98872be937754, c3e3fddda6b5d9ba505d218b4055e7d8a282ac57, f8b8f1d4bb76098e87b8269a0631019648330e6d, 298db6167f81e9c470a57cf652e4e47757b4293e, 87dfb977bdb6eaa47e9993a34e18f44970f88b1f. That is the remediation for this advisory.
The vendor advisory may list additional interim mitigations or workarounds not captured here — review it before change work.
Official advisory · high-confidence parse· fetched 2 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.