Received: by 10.223.185.111 with SMTP id b44csp903258wrg; Fri, 9 Mar 2018 16:27:06 -0800 (PST) X-Google-Smtp-Source: AG47ELsiVVfiN0ZpMb1LeM+g5jt6izzoUy7dkRrEI5PeAQ8mU6Usx7bBng3QJNTkePVIhv/YsamR X-Received: by 10.98.86.15 with SMTP id k15mr312607pfb.187.1520641626053; Fri, 09 Mar 2018 16:27:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1520641626; cv=none; d=google.com; s=arc-20160816; b=uobxvSBQNPwlLT6D7lD+aOhf4AavqVs5kjHo9LsuftHvEqI7QiDGWBcN0XpAVjjPuW 5CTcCEWPVrcD9W1paHnUDcqyaybS16/aFC7ARz8KMQsmYvwnR2S98wNKkiwN1DYTKcsj 4zAHyMpUe2ctotj7yX/lRYOfl5TYXvdKheTuwAOlNla8EnarqGiEc741Ntmh4uvtVmyF +59Au7m3WJeIMuPGgA5aemiVK4oYGkBX7fObwtz74CqgjxJa/fqp8kX/tSmAntQ1A82g oTVNr0JQBIKqCiea8c0YEgrLDcBT0zCOmbAY8puf5KMXquINAJQ/lU1Gn6xKbt7Lxtu+ cG8w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=5b9vnqoqctf1aAClg7PPSGu82+aMkUatAq7AHzutA/M=; b=mU0/i1qaal+WqXN+t0e4N8DrxcGQoly4yckHm7E8uHPJ1gAavk2xt/6q/LinAy8qev DD8muSa4uKRUIKVQKYNXKW6zIiSHtLu8qxCoBIc1uAb/9e8rkM5UvGt7JT61nNOr8x1I uSE5/glmuD2TzGPoxPbkKMmciLGdAMHJAjVHVt4BxFMdlJtnOE7AhFQ57gHMGhXAxoAj oyZpyLnGO2DF/+ll90tawPiOmf7118y/XPUSHzjeicMHB0mIyWTUD9C47bELfzKWcYRs 90Buq5UQ85Is/R2Dq7oEB/8hk7swW8tU5dC2ibh1ISGbWQ2dwxU0ZyE5DQRap0f2QYXf v1cA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id m189si1691146pfc.410.2018.03.09.16.26.51; Fri, 09 Mar 2018 16:27:06 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934154AbeCJAXp (ORCPT + 99 others); Fri, 9 Mar 2018 19:23:45 -0500 Received: from mail.linuxfoundation.org ([140.211.169.12]:41094 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933088AbeCJAXm (ORCPT ); Fri, 9 Mar 2018 19:23:42 -0500 Received: from localhost (unknown [185.236.200.248]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 8AF5BEF1; Sat, 10 Mar 2018 00:23:41 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, "ast@kernel.org, daniel@iogearbox.net, stable@vger.kernel.org, Yonghong Song" , Mathieu Malaterre , Alexei Starovoitov , Daniel Borkmann , Yonghong Song Subject: [PATCH 4.15 02/11] bpf: fix memory leak in lpm_trie map_free callback function Date: Fri, 9 Mar 2018 16:19:16 -0800 Message-Id: <20180310001834.664221516@linuxfoundation.org> X-Mailer: git-send-email 2.16.2 In-Reply-To: <20180310001834.560857664@linuxfoundation.org> References: <20180310001834.560857664@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.15-stable review patch. If anyone has any objections, please let me know. ------------------ From: Yonghong Song [ upstream commit 9a3efb6b661f71d5675369ace9257833f0e78ef3 ] There is a memory leak happening in lpm_trie map_free callback function trie_free. The trie structure itself does not get freed. Also, trie_free function did not do synchronize_rcu before freeing various data structures. This is incorrect as some rcu_read_lock region(s) for lookup, update, delete or get_next_key may not complete yet. The fix is to add synchronize_rcu in the beginning of trie_free. The useless spin_lock is removed from this function as well. Fixes: b95a5c4db09b ("bpf: add a longest prefix match trie map implementation") Reported-by: Mathieu Malaterre Reported-by: Alexei Starovoitov Tested-by: Mathieu Malaterre Signed-off-by: Yonghong Song Signed-off-by: Alexei Starovoitov Signed-off-by: Daniel Borkmann Signed-off-by: Greg Kroah-Hartman --- kernel/bpf/lpm_trie.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) --- a/kernel/bpf/lpm_trie.c +++ b/kernel/bpf/lpm_trie.c @@ -560,7 +560,10 @@ static void trie_free(struct bpf_map *ma struct lpm_trie_node __rcu **slot; struct lpm_trie_node *node; - raw_spin_lock(&trie->lock); + /* Wait for outstanding programs to complete + * update/lookup/delete/get_next_key and free the trie. + */ + synchronize_rcu(); /* Always start at the root and walk down to a node that has no * children. Then free that node, nullify its reference in the parent @@ -574,7 +577,7 @@ static void trie_free(struct bpf_map *ma node = rcu_dereference_protected(*slot, lockdep_is_held(&trie->lock)); if (!node) - goto unlock; + goto out; if (rcu_access_pointer(node->child[0])) { slot = &node->child[0]; @@ -592,8 +595,8 @@ static void trie_free(struct bpf_map *ma } } -unlock: - raw_spin_unlock(&trie->lock); +out: + kfree(trie); } static int trie_get_next_key(struct bpf_map *map, void *key, void *next_key)