ubuntucve | Ubuntu.com | UB:CVE-2024-35860
History: May 19, 2024 - 12:00 a.m.

CVE-2024-35860

Tags: linux, kernel, vulnerability, resolved, bpf_link, defer support, runtime dependency, rcu gp, bpf program, sleepable

AI Score: 6.5 (Confidence: High)
EPSS: 0 (Percentile: 15.5%)

In the Linux kernel, the following vulnerability has been resolved:

bpf: support deferring bpf_link dealloc to after RCU grace period

BPF link for some program types is passed as a “context” which can be used by those BPF programs to look up additional information. E.g., for multi-kprobes and multi-uprobes, link is used to fetch BPF cookie values.

Because of this runtime dependency, when bpf_link refcnt drops to zero there could still be active BPF programs running accessing link data.

This patch adds generic support to defer bpf_link dealloc callback to after RCU GP, if requested. This is done by exposing two different deallocation callbacks, one synchronous and one deferred. If deferred one is provided, bpf_link_free() will schedule dealloc_deferred() callback to happen after RCU GP.

BPF is using two flavors of RCU: “classic” non-sleepable one and RCU tasks trace one. The latter is used when sleepable BPF programs are used. bpf_link_free() accommodates that by checking underlying BPF program’s sleepable flag, and goes either through normal RCU GP only for non-sleepable, or through RCU tasks trace GP and then normal RCU GP (taking into account rcu_trace_implies_rcu_gp() optimization), if BPF program is sleepable.

We use this for multi-kprobe and multi-uprobe links, which dereference link during program run. We also preventively switch raw_tp link to use deferred dealloc callback, as upcoming changes in bpf-next tree expose raw_tp link data (specifically, cookie value) to BPF program at runtime as well.
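
The dispatch described above, as an added user-space C model (not the kernel patch and not Ubuntu's code). It shows which grace periods must elapse before a link is released. The names `link_free`, `tasks_trace_gp_elapsed`, `rcu_gp_elapsed` and `mark_freed` are hypothetical, and "freeing" only sets a flag.

```c
/* User-space model, not kernel code: "freeing" only sets a flag. */
#include <stdbool.h>
#include <stddef.h>

enum gp_path { FREED_NOW, RCU_GP, TASKS_TRACE_THEN_RCU_GP };
struct link; /* forward declaration for the callback signatures */
struct link_ops {
    void (*dealloc)(struct link *);          /* synchronous callback */
    void (*dealloc_deferred)(struct link *); /* deferred callback */
};
struct link {
    const struct link_ops *ops;
    bool prog_sleepable; /* sleepable flag of the underlying program */
    bool freed;          /* stands in for the memory being released */
};
static void mark_freed(struct link *l) { l->freed = true; }
const struct link_ops sync_ops = { .dealloc = mark_freed };
const struct link_ops deferred_ops = { .dealloc_deferred = mark_freed };
/* Simplification: one pending link per grace-period flavor. */
static struct link *wait_trace, *wait_rcu;

/* Link free: defer if requested, flavor chosen by the sleepable flag. */
enum gp_path link_free(struct link *l)
{
    if (!l->ops->dealloc_deferred) { l->ops->dealloc(l); return FREED_NOW; }
    if (l->prog_sleepable) { wait_trace = l; return TASKS_TRACE_THEN_RCU_GP; }
    wait_rcu = l;
    return RCU_GP;
}
/* A tasks trace GP ended; chain a normal GP unless it is already implied. */
void tasks_trace_gp_elapsed(bool trace_implies_rcu_gp)
{
    struct link *l = wait_trace;
    wait_trace = NULL;
    if (l && trace_implies_rcu_gp) l->ops->dealloc_deferred(l);
    else if (l) wait_rcu = l;
}
/* A normal ("classic") RCU GP ended. */
void rcu_gp_elapsed(void)
{
    struct link *l = wait_rcu;
    wait_rcu = NULL;
    if (l) l->ops->dealloc_deferred(l);
}
int main(void)
{
    struct link l = { .ops = &deferred_ops, .prog_sleepable = true };
    link_free(&l);                 /* refcnt hit zero: nothing freed yet */
    tasks_trace_gp_elapsed(false); /* sleepable readers are done */
    rcu_gp_elapsed();              /* non-sleepable readers are done */
    return l.freed ? 0 : 1;
}
```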
