Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp37758711rwd; Tue, 11 Jul 2023 20:13:14 -0700 (PDT) X-Google-Smtp-Source: APBJJlGvsnZf/ZPtfrX11JQPcp1HvMebdC0bV+TJGxKdZevGXhUeTQ/Rs+puISyVSCHQSHmNDlbi X-Received: by 2002:a17:907:3e88:b0:993:f9d8:9fd0 with SMTP id hs8-20020a1709073e8800b00993f9d89fd0mr1005724ejc.1.1689131594371; Tue, 11 Jul 2023 20:13:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1689131594; cv=none; d=google.com; s=arc-20160816; b=AVWtrPsxhvzXaWMjs8+mGGuu22m2FVihml57TuKFBiNSRd5m3vOCgBXnu57GsG33uh ZZ/j1Z6RQYPJ3GP8//C4V3rhsl40GfUuYX+/hCDy/NM3dHR+5JeeaJA+DkeA5CAGq9Kp 6bwfX4We7IyWJWpUtU6ml8TQYv9PNyFTlToHT1OSz4i9I48Jq2hgSR3dFX24LR76Dctf 9i5BQO1c251nXKuRwG3gy1uToCoXIo8BxrvFCRgyscVgqi9QjHYKRpd803CshBYFZOYy OjW8mboXaxpmKFYS9nUOyGRFuQHKvUTTaLh8AhrKg7Go+ZsKvZFG4I7k2rGYeyIx4vRo AA0w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-language:content-transfer-encoding :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=2yfrgBZo2vb84SjiPVSym1rn+lL/RhJhKgCfnuR7W4U=; fh=PBaKsiAutyVRxZLKhmpZeki/A69BIzikehkRvV8LDQw=; b=llUMIl74OO1IMrysuBBoco3Kuuon4oPcro8BPw7u/39+cpoJ/UJwMHvMyMwBV992tJ rnDt8oyQvMmpZ8g7SYuzNjcjo5u/E8KX1QwVuRZqEKKBlmj3baJwpckro0RfmOoOfu0+ PI6k4Q+dZRR6/IlvKG+vvASpDs7VzCi+j4ZUiqTqhD9v7VHCpewh7Fj/NCmFw1a9tM1Y L/dceHGOMaHGzcrKSEJCNgVcBXWaMKc1J5KQaEJ0o38CIaILx7k2SntQgQihuls9h0oz RRreAYFPo2V2Q9NiLkCoBLAh1tKYirWzO/YcflQmSKYxpoyT17Tj2arXJaSwxmSJPvGG XFGw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id v15-20020a1709060b4f00b00991d97d8eb5si3602673ejg.145.2023.07.11.20.12.50; Tue, 11 Jul 2023 20:13:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231213AbjGLCMM (ORCPT + 99 others); Tue, 11 Jul 2023 22:12:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37436 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229945AbjGLCML (ORCPT ); Tue, 11 Jul 2023 22:12:11 -0400 Received: from dggsgout12.his.huawei.com (unknown [45.249.212.56]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A3BBE11B; Tue, 11 Jul 2023 19:12:09 -0700 (PDT) Received: from mail02.huawei.com (unknown [172.30.67.153]) by dggsgout12.his.huawei.com (SkyGuard) with ESMTP id 4R11TH6rp5z4f3mJ4; Wed, 12 Jul 2023 10:12:03 +0800 (CST) Received: from [10.174.176.117] (unknown [10.174.176.117]) by APP1 (Coremail) with SMTP id cCh0CgDX9jDyC65k9Z0eNA--.18259S2; Wed, 12 Jul 2023 10:12:06 +0800 (CST) Subject: Re: [PATCH bpf] bpf: cpumap: Fix memory leak in cpu_map_update_elem To: Pu Lehui , bpf@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Cc: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , "David S. Miller" , Jakub Kicinski , Jesper Dangaard Brouer , John Fastabend , Martin KaFai Lau , Song Liu , Yonghong Song , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , Xu Kuohai , Pu Lehui References: <20230711115848.2701559-1-pulehui@huaweicloud.com> From: Hou Tao Message-ID: Date: Wed, 12 Jul 2023 10:12:02 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.6.0 MIME-Version: 1.0 In-Reply-To: <20230711115848.2701559-1-pulehui@huaweicloud.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Content-Language: en-US X-CM-TRANSID: cCh0CgDX9jDyC65k9Z0eNA--.18259S2 X-Coremail-Antispam: 1UD129KBjvJXoWxXrWrAFWrZF1xCFWfAFy7Wrg_yoW5Cr4Dpr Wrtr1DKr48tr4DZw48t3WrGr18Zw1jya4UJrZ3Jr4fAF18G3W8t348GFZ7JFZrZrn8Xry7 Jas8t3yvg34DA3DanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUvIb4IE77IF4wAFF20E14v26ryj6rWUM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4 vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_Ar0_tr1l84ACjcxK6xIIjxv20xvEc7Cj xVAFwI0_Gr1j6F4UJwA2z4x0Y4vEx4A2jsIE14v26rxl6s0DM28EF7xvwVC2z280aVCY1x 0267AKxVW0oVCq3wAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG 6I80ewAv7VC0I7IYx2IY67AKxVWUJVWUGwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFV Cjc4AY6r1j6r4UM4x0Y48IcVAKI48JM4IIrI8v6xkF7I0E8cxan2IY04v7Mxk0xIA0c2IE e2xFo4CEbIxvr21l42xK82IYc2Ij64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxV Aqx4xG67AKxVWUJVWUGwC20s026x8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r4a 6rW5MIIYrxkI7VAKI48JMIIF0xvE2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6x kF7I0E14v26r4j6F4UMIIF0xvE42xK8VAvwI8IcIk0rVWrZr1j6s0DMIIF0xvEx4A2jsIE 14v26r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf 9x07UZ18PUUUUU= X-CM-SenderInfo: xkrx3t3r6k3tpzhluzxrxghudrp/ X-CFilter-Loop: Reflected X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,KHOP_HELO_FCRDNS, NICE_REPLY_A,SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 7/11/2023 7:58 PM, Pu Lehui wrote: > From: Pu Lehui > > Syzkaller reported a memory leak as follows: > > BUG: memory leak > unreferenced object 0xff110001198ef748 (size 192): > comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s) > hex dump (first 32 bytes): > 00 00 00 00 4a 19 00 00 80 ad e3 e4 fe ff c0 00 ....J........... > 00 b2 d3 0c 01 00 11 ff 28 f5 8e 19 01 00 11 ff ........(....... > backtrace: > [] __cpu_map_entry_alloc+0xf7/0xb00 > [] cpu_map_update_elem+0x2fe/0x3d0 > [] bpf_map_update_value.isra.0+0x2bd/0x520 > [] map_update_elem+0x4cb/0x720 > [] __se_sys_bpf+0x8c3/0xb90 > [] do_syscall_64+0x30/0x40 > [] entry_SYSCALL_64_after_hwframe+0x61/0xc6 > > BUG: memory leak > unreferenced object 0xff110001198ef528 (size 192): > comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s) > hex dump (first 32 bytes): > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ > backtrace: > [] __cpu_map_entry_alloc+0x260/0xb00 > [] cpu_map_update_elem+0x2fe/0x3d0 > [] bpf_map_update_value.isra.0+0x2bd/0x520 > [] map_update_elem+0x4cb/0x720 > [] __se_sys_bpf+0x8c3/0xb90 > [] do_syscall_64+0x30/0x40 > [] entry_SYSCALL_64_after_hwframe+0x61/0xc6 > > BUG: memory leak > unreferenced object 0xff1100010fd93d68 (size 8): > comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s) > hex dump (first 8 bytes): > 00 00 00 00 00 00 00 00 ........ > backtrace: > [] kvmalloc_node+0x11e/0x170 > [] __cpu_map_entry_alloc+0x2f0/0xb00 > [] cpu_map_update_elem+0x2fe/0x3d0 > [] bpf_map_update_value.isra.0+0x2bd/0x520 > [] map_update_elem+0x4cb/0x720 > [] __se_sys_bpf+0x8c3/0xb90 > [] do_syscall_64+0x30/0x40 > [] entry_SYSCALL_64_after_hwframe+0x61/0xc6 > > In the cpu_map_update_elem flow, when kthread_stop is called before > calling the threadfn of rcpu->kthread, since the KTHREAD_SHOULD_STOP bit > of kthread has been set by kthread_stop, the threadfn of rcpu->kthread > will never be executed, and rcpu->refcnt will never be 0, which will > lead to the allocated rcpu, rcpu->queue and rcpu->queue->queue cannot be > released. > > Calling kthread_stop before executing kthread's threadfn will return > -EINTR. We can complete the release of memory resources in this state. > > Fixes: 6710e1126934 ("bpf: introduce new bpf cpu map type BPF_MAP_TYPE_CPUMAP") > Signed-off-by: Pu Lehui Acked-by: Hou Tao