bpf_get_root_mem_cgroup() is registered with the KF_ACQUIRE flag, which causes the BPF verifier to enforce a mandatory paired call to the KF_RELEASE function bpf_put_mem_cgroup(). The release function unconditionally calls css_put(). However, bpf_get_root_mem_cgroup() returns root_mem_cgroup without calling css_get(). Every valid BPF program using this kfunc causes a net css_put() with no matching css_get(), producing a persistent refcount underflow on root_mem_cgroup->css.

A previous attempt to address this removed the KF_ACQUIRE flag entirely (commit e463b6de9da1), but that was reverted because losing reference tracking semantics negatively impacted usability in practice.

The correct fix is to acquire a reference in bpf_get_root_mem_cgroup() to balance the css_put() in bpf_put_mem_cgroup().

Link: https://lore.kernel.org/bpf/878qdx6yut.fsf@linux.dev/
Fixes: d0f5d4f8f328 ("bpf: Revert "bpf: drop KF_ACQUIRE flag on BPF kfunc bpf_get_root_mem_cgroup()"")
Signed-off-by: Caner ÖZDERE
--- mm/bpf_memcontrol.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/mm/bpf_memcontrol.c b/mm/bpf_memcontrol.c index 716df49..3e8721b 100644 --- a/mm/bpf_memcontrol.c +++ b/mm/bpf_memcontrol.c
@@ -25,7 +25,14 @@ __bpf_kfunc struct mem_cgroup *bpf_get_root_mem_cgroup(void) if (mem_cgroup_disabled()) return NULL; - /* css_get() is not needed */ + /* + * BPF verifier enforces a match between this KF_ACQUIRE kfunc + * and bpf_put_mem_cgroup() (KF_RELEASE). Since the release + * function unconditionally calls css_put(), we must acquire a + * reference here to balance it. + */ + css_get(&root_mem_cgroup->css); + return root_mem_cgroup; } -- 2.50.1 (Apple Git-155)

Greg KH wrote on Fri, 1 May 2026, 15:54:

> On Fri, May 01, 2026 at 03:40:46PM +0300, Caner ÖZDERE wrote:
> > Hi Greg,
> >
> > Thank you for the quick response.
> >
> > I have since confirmed that the bug is present in v7.0, which was
> > released as a stable kernel on 2026-04-12. The affected file can be
> > verified at:
> >
> > https://github.com/torvalds/linux/blob/v7.0/mm/bpf_memcontrol.c
>
> Ok, then can you turn your patch into something that can be accepted and
> send it here and cc: the bpf maintainers for their review?
>
> thanks,
>
> greg k-h
>
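
Review bot: The comment removed in bpf_get_root_mem_cgroup(), "css_get() is not needed", was a deliberate statement that the root memcg needs no reference, and neither the replacement comment nor the changelog explains why that statement was wrong. Before adding "css_get(&root_mem_cgroup->css);" the changelog should show that css_put() on the root css actually changes a counter, for example with a refcount warning or a reproducer. If css_get() and css_put() turn out to skip refcounting for the root css, the added call is harmless, but the underflow described in the commit message does not occur and the message should be reworded to say the change is for acquire/release symmetry only.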