CVE-2023-53790

Source
https://cve.org/CVERecord?id=CVE-2023-53790
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53790.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-53790
Downstream
Published
2025-12-09T00:00:47.025Z
Modified
2026-03-10T21:50:33.326038Z
Summary
bpf: Zeroing allocated object from slab in bpf memory allocator
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Zeroing allocated object from slab in bpf memory allocator

Currently the freed element in bpf memory allocator may be immediately reused; for htab map the reuse will reinitialize special fields in map value (e.g., bpf_spin_lock), but the lookup procedure may still access these special fields, and it may lead to hard-lockup as shown below:

NMI backtrace for cpu 16
CPU: 16 PID: 2574 Comm: htab.bin Tainted: G L 6.1.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
RIP: 0010:queued_spin_lock_slowpath+0x283/0x2c0
......
Call Trace:
<TASK>
copy_map_value_locked+0xb7/0x170
bpf_map_copy_value+0x113/0x3c0
__sys_bpf+0x1c67/0x2780
__x64_sys_bpf+0x1c/0x20
do_syscall_64+0x30/0x60
entry_SYSCALL_64_after_hwframe+0x46/0xb0
......
</TASK>

For htab map, just like the preallocated case, there is no need to initialize these special fields in map value again once these fields have been initialized. For preallocated htab map, these fields are initialized through __GFP_ZERO in bpf_map_area_alloc(), so do the similar thing for non-preallocated htab in bpf memory allocator. And there is no need to use __GFP_ZERO for per-cpu bpf memory allocator, because __alloc_percpu_gfp() does it implicitly.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/53xxx/CVE-2023-53790.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
0fd7c5d43339b783ee3301a05f925d1e52ac87c9
Fixed
678ea18d6240299fd77d7000c8b1d7e5f274c8af
Fixed
5d447e04290e78bdc1a3a6c321320d384e09c2f1
Fixed
997849c4b969034e225153f41026657def66d286

Affected versions

v6.0
v6.0-rc1
v6.0-rc2
v6.0-rc3
v6.0-rc4
v6.0-rc5
v6.0-rc6
v6.0-rc7
v6.1
v6.1-rc1
v6.1-rc2
v6.1-rc3
v6.1-rc4
v6.1-rc5
v6.1-rc6
v6.1-rc7
v6.1-rc8
v6.1.1
v6.1.10
v6.1.11
v6.1.12
v6.1.13
v6.1.14
v6.1.15
v6.1.2
v6.1.3
v6.1.4
v6.1.5
v6.1.6
v6.1.7
v6.1.8
v6.1.9
v6.2
v6.2-rc1
v6.2-rc2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.2.1
v6.2.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53790.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.0
Fixed
6.1.16
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53790.json"