Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1759555AbcKDAn7 (ORCPT ); Thu, 3 Nov 2016 20:43:59 -0400 Received: from mail-qt0-f182.google.com ([209.85.216.182]:33530 "EHLO mail-qt0-f182.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752193AbcKDAn5 (ORCPT ); Thu, 3 Nov 2016 20:43:57 -0400 MIME-Version: 1.0 In-Reply-To: <581B6776.3060908@iogearbox.net> References: <581B6776.3060908@iogearbox.net> From: Dmitry Vyukov Date: Thu, 3 Nov 2016 18:43:35 -0600 Message-ID: Subject: Re: bpf: kernel BUG in htab_elem_free To: Daniel Borkmann Cc: Alexei Starovoitov , netdev , LKML , syzkaller Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1248 Lines: 36 On Thu, Nov 3, 2016 at 10:36 AM, Daniel Borkmann wrote: > On 11/03/2016 03:15 PM, Dmitry Vyukov wrote: >> >> On Wed, Nov 2, 2016 at 11:14 PM, Dmitry Vyukov wrote: >>> >>> Here we go. >>> >>> The following program triggers kernel BUG in htab_elem_free. >>> On commit 0c183d92b20b5c84ca655b45ef57b3318b83eb9e (Oct 31). >>> Run as "while true; do ./a.out; done". > > > This one fixes it for me. Could you check it from your side as well? > I'll submit an official fix then. I've seen you mailed the fix already. If you were able to reproduce it and test the fix, then there is nothing else I can do. > Thanks a lot for the catch! > Daniel > > diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c > index 570eeca..ad1bc67 100644 > --- a/kernel/bpf/hashtab.c > +++ b/kernel/bpf/hashtab.c > @@ -687,7 +687,8 @@ static void delete_all_elements(struct bpf_htab *htab) > > hlist_for_each_entry_safe(l, n, head, hash_node) { > hlist_del_rcu(&l->hash_node); > - htab_elem_free(htab, l); > + if (l->state != HTAB_EXTRA_ELEM_USED) > + htab_elem_free(htab, l); > } > } > }