From: Alexei Starovoitov
Date: Tue, 11 Jul 2023 20:04:21 -0700
Subject: Re: [PATCH bpf] bpf: cpumap: Fix memory leak in cpu_map_update_elem
To: Hou Tao
Cc: Pu Lehui, bpf, Network Development, LKML, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, "David S. Miller", Jakub Kicinski, Jesper Dangaard Brouer, John Fastabend, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Xu Kuohai, Pu Lehui
References: <20230711115848.2701559-1-pulehui@huaweicloud.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Jul 11, 2023 at 7:12 PM Hou Tao wrote:
>
>
> On 7/11/2023 7:58 PM, Pu Lehui wrote:
> > From: Pu Lehui
> >
> > Syzkaller reported a memory leak as follows:
> >
> > BUG: memory leak
> > unreferenced object 0xff110001198ef748 (size 192):
> >   comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s)
> >   hex dump (first 32 bytes):
> >     00 00 00 00 4a 19 00 00 80 ad e3 e4 fe ff c0 00  ....J...........
> >     00 b2 d3 0c 01 00 11 ff 28 f5 8e 19 01 00 11 ff  ........(.......
> >   backtrace:
> >     [] __cpu_map_entry_alloc+0xf7/0xb00
> >     [] cpu_map_update_elem+0x2fe/0x3d0
> >     [] bpf_map_update_value.isra.0+0x2bd/0x520
> >     [] map_update_elem+0x4cb/0x720
> >     [] __se_sys_bpf+0x8c3/0xb90
> >     [] do_syscall_64+0x30/0x40
> >     [] entry_SYSCALL_64_after_hwframe+0x61/0xc6
> >
> > BUG: memory leak
> > unreferenced object 0xff110001198ef528 (size 192):
> >   comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s)
> >   hex dump (first 32 bytes):
> >     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
> >   backtrace:
> >     [] __cpu_map_entry_alloc+0x260/0xb00
> >     [] cpu_map_update_elem+0x2fe/0x3d0
> >     [] bpf_map_update_value.isra.0+0x2bd/0x520
> >     [] map_update_elem+0x4cb/0x720
> >     [] __se_sys_bpf+0x8c3/0xb90
> >     [] do_syscall_64+0x30/0x40
> >     [] entry_SYSCALL_64_after_hwframe+0x61/0xc6
> >
> > BUG: memory leak
> > unreferenced object 0xff1100010fd93d68 (size 8):
> >   comm "syz-executor.3", pid 17672, jiffies 4298118891 (age 9.906s)
> >   hex dump (first 8 bytes):
> >     00 00 00 00 00 00 00 00  ........
> >   backtrace:
> >     [] kvmalloc_node+0x11e/0x170
> >     [] __cpu_map_entry_alloc+0x2f0/0xb00
> >     [] cpu_map_update_elem+0x2fe/0x3d0
> >     [] bpf_map_update_value.isra.0+0x2bd/0x520
> >     [] map_update_elem+0x4cb/0x720
> >     [] __se_sys_bpf+0x8c3/0xb90
> >     [] do_syscall_64+0x30/0x40
> >     [] entry_SYSCALL_64_after_hwframe+0x61/0xc6
> >
> > In the cpu_map_update_elem flow, when kthread_stop is called before
> > calling the threadfn of rcpu->kthread, since the KTHREAD_SHOULD_STOP bit
> > of kthread has been set by kthread_stop, the threadfn of rcpu->kthread
> > will never be executed, and rcpu->refcnt will never be 0, which means
> > the allocated rcpu, rcpu->queue and rcpu->queue->queue can never be
> > released.
> >
> > Calling kthread_stop before executing kthread's threadfn will return
> > -EINTR. We can complete the release of memory resources in this state.
> >
> > Fixes: 6710e1126934 ("bpf: introduce new bpf cpu map type BPF_MAP_TYPE_CPUMAP")
> > Signed-off-by: Pu Lehui
>
> Acked-by: Hou Tao
>
Applied. Thanks
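The ownership rule behind the leak above, as an added userspace model rather than the kernel's cpumap code: the kthread owns one reference that is only dropped when its threadfn runs, so a kthread_stop() that lands before threadfn starts (the -EINTR case) must drop that reference itself. All names, the two-reference layout and the simplified stop/run ordering are assumptions of this model.

```c
#include <stdlib.h>
#define EINTR 4
/* Userspace model (added illustration, not kernel code). Assumed refcount
 * layout: one reference held by the map slot, one owned by the kthread and
 * dropped only when its threadfn actually runs. */
struct model_rcpu {
    int refcnt;
    void *queue;        /* stands in for rcpu->queue */
    int should_stop;    /* models the KTHREAD_SHOULD_STOP bit */
    int fn_ran;         /* set once threadfn has executed */
};
static int freed_objects;   /* rcpu + queue frees, checked by the caller */

static void rcpu_put(struct model_rcpu *rcpu)
{
    if (--rcpu->refcnt == 0) {
        free(rcpu->queue);
        free(rcpu);
        freed_objects += 2;
    }
}

/* The kthread body: runs only if the thread was woken before kthread_stop(). */
static void rcpu_threadfn(struct model_rcpu *rcpu)
{
    rcpu->fn_ran = 1;
    rcpu_put(rcpu);     /* the kthread releases its reference on exit */
}

/* Models kthread_stop(): sets the stop bit; if threadfn never ran, the
 * kernel's kthread() wrapper returns -EINTR without calling it. */
static int model_kthread_stop(struct model_rcpu *rcpu)
{
    rcpu->should_stop = 1;
    return rcpu->fn_ran ? 0 : -EINTR;
}

/* Returns objects freed: 2 for a clean teardown, 0 when rcpu leaks. */
static int teardown(int stop_before_run, int apply_fix)
{
    struct model_rcpu *rcpu = calloc(1, sizeof(*rcpu));
    int err;
    rcpu->queue = calloc(1, 64);
    rcpu->refcnt = 2;
    freed_objects = 0;
    if (!stop_before_run)
        rcpu_threadfn(rcpu);   /* normal path: thread ran, dropped its ref */
    err = model_kthread_stop(rcpu);
    if (err == -EINTR && apply_fix)
        rcpu_put(rcpu);        /* fix: drop the ref threadfn will never drop */
    rcpu_put(rcpu);            /* map slot drops its own reference */
    return freed_objects;      /* unfixed early-stop path leaks on purpose */
}
```

teardown(1, 0) reproduces the report (stop before threadfn, no extra put: nothing is freed), while teardown(1, 1) shows the -EINTR branch releasing both objects.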