{"id":"CVE-2024-35860","summary":"bpf: support deferring bpf_link dealloc to after RCU grace period","details":"In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: support deferring bpf_link dealloc to after RCU grace period\n\nBPF link for some program types is passed as a \"context\" which can be\nused by those BPF programs to look up additional information. E.g., for\nmulti-kprobes and multi-uprobes, link is used to fetch BPF cookie values.\n\nBecause of this runtime dependency, when bpf_link refcnt drops to zero\nthere could still be active BPF programs running accessing link data.\n\nThis patch adds generic support to defer bpf_link dealloc callback to\nafter RCU GP, if requested. This is done by exposing two different\ndeallocation callbacks, one synchronous and one deferred. If deferred\none is provided, bpf_link_free() will schedule dealloc_deferred()\ncallback to happen after RCU GP.\n\nBPF is using two flavors of RCU: \"classic\" non-sleepable one and RCU\ntasks trace one. The latter is used when sleepable BPF programs are\nused. bpf_link_free() accommodates that by checking underlying BPF\nprogram's sleepable flag, and goes either through normal RCU GP only for\nnon-sleepable, or through RCU tasks trace GP *and* then normal RCU GP\n(taking into account rcu_trace_implies_rcu_gp() optimization), if BPF\nprogram is sleepable.\n\nWe use this for multi-kprobe and multi-uprobe links, which dereference\nlink during program run. We also preventively switch raw_tp link to use\ndeferred dealloc callback, as upcoming changes in bpf-next tree expose\nraw_tp link data (specifically, cookie value) to BPF program at runtime\nas well.","modified":"2026-04-02T11:51:21.443254Z","published":"2024-05-19T08:34:19.368Z","related":["SUSE-SU-2024:2008-1","SUSE-SU-2024:2019-1","SUSE-SU-2024:2135-1","SUSE-SU-2024:2190-1","SUSE-SU-2024:2203-1","SUSE-SU-2024:2973-1","SUSE-SU-2025:20008-1","SUSE-SU-2025:20028-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35860.json","cna_assigner":"Linux"},"references":[{"type":"WEB","url":"https://git.kernel.org/stable/c/1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce"},{"type":"WEB","url":"https://git.kernel.org/stable/c/5d8d447777564b35f67000e7838e7ccb64d525c8"},{"type":"WEB","url":"https://git.kernel.org/stable/c/876941f533e7b47fc69977fc4551c02f2d18af97"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/35xxx/CVE-2024-35860.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-35860"},{"type":"PACKAGE","url":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git","events":[{"introduced":"0dcac272540613d41c05e89679e4ddb978b612f1"},{"fixed":"876941f533e7b47fc69977fc4551c02f2d18af97"},{"fixed":"5d8d447777564b35f67000e7838e7ccb64d525c8"},{"fixed":"1a80dbcb2dbaf6e4c216e62e30fa7d3daa8001ce"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-35860.json"}}],"schema_version":"1.7.5"}