From nobody Sat Feb 7 21:14:55 2026 Received: from out-172.mta0.migadu.com (out-172.mta0.migadu.com [91.218.175.172]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6933032ED51; Mon, 20 Oct 2025 16:46:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.172 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760978799; cv=none; b=pSZH/4JKsBhZiVaamrORtDU2Jw3wIZoNPOm9K3GxXCG2BZAN8eP0H+dGEOTRg/EeiKc3aGwMs01vnmxuFgLjAX4giWQKeoJoy4Ox3LoA7uU8tKypllxPjtexzfwlr6Rgo9jJpQONH/NZxSP5RGKTPJ68jeHFNq3tpceDdYitdSI= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760978799; c=relaxed/simple; bh=PjmQAumqVG200dBo41AFGYL3MBYNt+UtWyJdspmHbwQ=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=lPUIyHYCRa5OnRGRbsKQoq/X6EFVpom58OTh2q7WwhUD0/bXisPfTojD6mkyD29/gcUBtAfpjzoaixSJVT2hp6FaiRqEk0C7Ni4TBxGwT9/kh1bWJgOZjqMDHpe2hJ8VCw6yeKDW3nuFzBCloQtVOgK91sHrKPWoX9nxhM2/ClU= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=UyUuTLE/; arc=none smtp.client-ip=91.218.175.172 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="UyUuTLE/" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1760978795; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=CDg6q4AF09gd/6Pogmiva+sx2W7UnqDx36lrBRWQ0zU=; b=UyUuTLE/S/1ltg7AjGyu3H9tATmwdenQiJPHzf5FY/1+ESu+MW9um2ETivtu66tmt8BycW 8l0c3Jm/M1E3m8bGLfTo6NEnyaG5BsaHLtHMs6fflhzNGBYU3ignnsHGOUQv5+U44afrxI +yJG3HGISbzXAa08hnsOiDibva01dJs= From: Leon Hwang To: bpf@vger.kernel.org Cc: ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, eddyz87@gmail.com, song@kernel.org, yonghong.song@linux.dev, john.fastabend@gmail.com, kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com, jolsa@kernel.org, memxor@gmail.com, linux-kernel@vger.kernel.org, kernel-patches-bot@fb.com, Leon Hwang Subject: [PATCH bpf v2 1/4] bpf: Fix possible memleak in [lru_,]percpu_hash map update Date: Tue, 21 Oct 2025 00:46:05 +0800 Message-ID: <20251020164608.20536-2-leon.hwang@linux.dev> In-Reply-To: <20251020164608.20536-1-leon.hwang@linux.dev> References: <20251020164608.20536-1-leon.hwang@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" As [lru_,]percpu_hash maps support BPF_KPTR_{REF,PERCPU}, missing calls to 'bpf_obj_free_fields()' in 'pcpu_copy_value()' can leak memory referenced by BPF_KPTR_{REF,PERCPU} fields. Fix this by calling 'bpf_obj_free_fields()' after 'copy_map_value[,_long]()' in 'pcpu_copy_value()'. Fixes: 65334e64a493 ("bpf: Support kptrs in percpu hashmap and percpu LRU h= ashmap") Signed-off-by: Leon Hwang --- kernel/bpf/hashtab.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c index c2fcd0cd51e51..26308adc9ccb3 100644 --- a/kernel/bpf/hashtab.c +++ b/kernel/bpf/hashtab.c @@ -950,12 +950,14 @@ static void pcpu_copy_value(struct bpf_htab *htab, vo= id __percpu *pptr, if (!onallcpus) { /* copy true value_size bytes */ copy_map_value(&htab->map, this_cpu_ptr(pptr), value); + bpf_obj_free_fields(htab->map.record, this_cpu_ptr(pptr)); } else { u32 size =3D round_up(htab->map.value_size, 8); int off =3D 0, cpu; =20 for_each_possible_cpu(cpu) { copy_map_value_long(&htab->map, per_cpu_ptr(pptr, cpu), value + off); + bpf_obj_free_fields(htab->map.record, per_cpu_ptr(pptr, cpu)); off +=3D size; } } --=20 2.51.0 From nobody Sat Feb 7 21:14:55 2026 Received: from out-182.mta0.migadu.com (out-182.mta0.migadu.com [91.218.175.182]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 78BBA32F763 for ; Mon, 20 Oct 2025 16:46:44 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.182 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760978806; cv=none; b=lX6vJhvXUcuJNX9jEXQwi7pm3xKOrOxSiwxCL7kUUMiIOPhNQGCzpYdFZdfyuqqtRDMFiaGaeVdTNUmbyZxSLuHcsFn4Ou7Grjd3sQ5Jce4LBLLy93LzXaGMwVGE2T8Mmq7VbcVeJXH9NQz4eYt/qGAQVBJCDjZu8uL75CBHFqU= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760978806; c=relaxed/simple; bh=PneJOE+5GCYSbec2t+KA/fNgWOJ8risb7FcysszoFm8=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=GcQtlPukwt17edwV9sFkpSLiPhNIAv6EOOT1RjoUT3TP4xMo/+ud7ZsFSRPufWyYmxRJIFAqF29JbxqBU7I1LbLNixUtUTXtTJIff5D/IzjVT96Gfs0e5b4WgeXkYpCVnTFOaiv5aTwPBwnlxIlb2Dz9hfIjwuCoENeVKlJwvEk= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=tCVWWE4u; arc=none smtp.client-ip=91.218.175.182 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="tCVWWE4u" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1760978801; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=fwHz9CW1U502JagQ/hh1ku1vzSqD4BJw+Md0Gzmq1Os=; b=tCVWWE4uuG/c1IeqfQkRh3CkxXRrP+0Fn/yxRhtaicnop/ymuIa+p3xjR2XJCQ7RR9qG90 r0ljq0Tun9MvlHhJh+Syhx8Zr1HSRX8fjXAdt8AfnjeJ5fRqSVvD8nwxDxwBMhX0Kzpssr CzChVFo0KPvKUZ4xAhaRH9Mb11W+JSY= From: Leon Hwang To: bpf@vger.kernel.org Cc: ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, eddyz87@gmail.com, song@kernel.org, yonghong.song@linux.dev, john.fastabend@gmail.com, kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com, jolsa@kernel.org, memxor@gmail.com, linux-kernel@vger.kernel.org, kernel-patches-bot@fb.com, Leon Hwang Subject: [PATCH bpf v2 2/4] bpf: Fix possible memleak when updating hash maps with BPF_F_LOCK Date: Tue, 21 Oct 2025 00:46:06 +0800 Message-ID: <20251020164608.20536-3-leon.hwang@linux.dev> In-Reply-To: <20251020164608.20536-1-leon.hwang@linux.dev> References: <20251020164608.20536-1-leon.hwang@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" When updating hash maps with BPF_F_LOCK, the special fields were not freed after being replaced. This could cause memory referenced by BPF_KPTR_{REF,PERCPU} fields to leak. Fix this by calling 'check_and_free_fields()' after 'copy_map_value_locked()' to properly release the old fields. Fixes: 14a324f6a67e ("bpf: Wire up freeing of referenced kptr") Signed-off-by: Leon Hwang --- kernel/bpf/hashtab.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c index 26308adc9ccb3..65009ea3e9379 100644 --- a/kernel/bpf/hashtab.c +++ b/kernel/bpf/hashtab.c @@ -1124,6 +1124,7 @@ static long htab_map_update_elem(struct bpf_map *map,= void *key, void *value, copy_map_value_locked(map, htab_elem_value(l_old, key_size), value, false); + check_and_free_fields(htab, l_old); return 0; } /* fall through, grab the bucket lock and lookup again. @@ -1152,6 +1153,7 @@ static long htab_map_update_elem(struct bpf_map *map,= void *key, void *value, copy_map_value_locked(map, htab_elem_value(l_old, key_size), value, false); + check_and_free_fields(htab, l_old); ret =3D 0; goto err; } --=20 2.51.0 From nobody Sat Feb 7 21:14:55 2026 Received: from out-189.mta0.migadu.com (out-189.mta0.migadu.com [91.218.175.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A38A7330322 for ; Mon, 20 Oct 2025 16:46:48 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.189 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760978811; cv=none; b=DhkvdGSvQbt8kvZuMq4qtJ09rKN6+N8GGENWcsgV8jdeZty57VN9agmfkcdyz6lc9JIPMGzX4BTXgdcn0vAAG65NX90CR/eOcO+3hi8VgXFewnW1KJNE+5BGMCKV0yhzju340MkI7ktflrKEKUauB59f6KBjCNWMprugdmrsrL4= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760978811; c=relaxed/simple; bh=aePpf2hEql1qfdG3M5ylZaVHF0AGBqfwF+1CHFlgt6s=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=GdEJhR6QCGmyIOrg2mWHsbQ/ExVDTJ3WIDxc9g8iIicM9k6zVjX8GyzzlYG33QPHAm5eyouoZ8Wn3WLI1jIACW1nuPi7R8yGje2PW8wZCYu02yaZCFtPy8Bhz87JEhCjbpA3vmaOLlxtGaL3nRppvDQzVKvi8w3SrpIBmZwQfpw= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=nDiye4FY; arc=none smtp.client-ip=91.218.175.189 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="nDiye4FY" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1760978806; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=JEyL06pmQ86osgNWjo4Zb1J+CW0SUTbpdgIL0oBMIEE=; b=nDiye4FYbJB03BthBlTXPaV/oZeta74ZUU+b5zq1vYXDOQJFICAAM61oR6by55aLu9lvcK V96Gk4T7K8E9CjqhWf8EGbGwplf9kzY2ONn+0QHk6EJGkIjoM1iBq/7BTD1PtcpnXiYWj8 JeRQQOxPLUWRQCe+NTf4DmIzKSgaGCI= From: Leon Hwang To: bpf@vger.kernel.org Cc: ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, eddyz87@gmail.com, song@kernel.org, yonghong.song@linux.dev, john.fastabend@gmail.com, kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com, jolsa@kernel.org, memxor@gmail.com, linux-kernel@vger.kernel.org, kernel-patches-bot@fb.com, Leon Hwang Subject: [PATCH bpf v2 3/4] bpf: Fix possible memleak when updating local storage maps with BPF_F_LOCK Date: Tue, 21 Oct 2025 00:46:07 +0800 Message-ID: <20251020164608.20536-4-leon.hwang@linux.dev> In-Reply-To: <20251020164608.20536-1-leon.hwang@linux.dev> References: <20251020164608.20536-1-leon.hwang@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" When updating local storage maps with BPF_F_LOCK, the special fields were not freed after being replaced. This could cause memory referenced by BPF_KPTR_{REF,PERCPU} fields to leak. Fix this by calling 'bpf_obj_free_fields()' after 'copy_map_value_locked()' to properly release the old fields. Fixes: 9db44fdd8105 ("bpf: Support kptrs in local storage maps") Signed-off-by: Leon Hwang --- kernel/bpf/bpf_local_storage.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/bpf/bpf_local_storage.c b/kernel/bpf/bpf_local_storage.c index b931fbceb54da..2b7bd47e99b33 100644 --- a/kernel/bpf/bpf_local_storage.c +++ b/kernel/bpf/bpf_local_storage.c @@ -609,6 +609,7 @@ bpf_local_storage_update(void *owner, struct bpf_local_= storage_map *smap, if (old_sdata && selem_linked_to_storage_lockless(SELEM(old_sdata))) { copy_map_value_locked(&smap->map, old_sdata->data, value, false); + bpf_obj_free_fields(smap->map.record, old_sdata->data); return old_sdata; } } --=20 2.51.0 From nobody Sat Feb 7 21:14:55 2026 Received: from out-177.mta0.migadu.com (out-177.mta0.migadu.com [91.218.175.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C1A6B330D20 for ; Mon, 20 Oct 2025 16:46:53 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=91.218.175.177 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760978816; cv=none; b=ZEVqbSXnqq4GLGXA4Y3Hn6CTy+vixWdNfh/Bj7bbp/QVZxUrl9nSulpcpL8fNtq5lxOSU3E0c0OuKeRqx8gQo5ZDA6ME0OI2WDVPdNiSRgrtEkn9TSul9FsvBAcdD538XYUtlo8YXP/hXyrpsBCbNpzorNZ/mJCirS6G4/4IJeQ= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1760978816; c=relaxed/simple; bh=vG3+Go6UC5T7FOBaderERe8+6lxEQmMeFglvzrhIA0E=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=NWwik6V8xQHOlyz1GRWECPGoPxDS781u+WA27Z/zRc9Zbny+c03USsDds7PizhloHCOBOlf5l/CgZLMN9YQDYcdx4BbntT69y+s6cQ1MK8XbKpAmN1eJgla76QjcgaE4k9mLCGGqb6NrFw41LOH5/x3RDhpsq4HBUZIsZpYOvsA= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev; spf=pass smtp.mailfrom=linux.dev; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b=qdrc+UKg; arc=none smtp.client-ip=91.218.175.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=linux.dev Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=linux.dev Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linux.dev header.i=@linux.dev header.b="qdrc+UKg" X-Report-Abuse: Please report any abuse attempt to abuse@migadu.com and include these headers. DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.dev; s=key1; t=1760978811; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=fYNgGs1ndibKH788F5dG/PgeEGnQ7wEDq1gqnEleHTQ=; b=qdrc+UKg5SEvMpkMLZvr0psEkT5nIypk6UmvnhNB+PEUwmZGJM7YYWSSuD4nlFdl6qfzEc GfhYrGzpwbzeDsjntq4g3+9XVUxYG0K+piV+sw+gpcwVkWtRfG73V6mkoyzq4UsUpmpvRU Gs4KIgI0jA1S01K/Old2DEnSdGcnozQ= From: Leon Hwang To: bpf@vger.kernel.org Cc: ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev, eddyz87@gmail.com, song@kernel.org, yonghong.song@linux.dev, john.fastabend@gmail.com, kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com, jolsa@kernel.org, memxor@gmail.com, linux-kernel@vger.kernel.org, kernel-patches-bot@fb.com, Leon Hwang Subject: [PATCH bpf v2 4/4] selftests/bpf: Add tests to verify no memleak when updating hash and cgrp storage maps Date: Tue, 21 Oct 2025 00:46:08 +0800 Message-ID: <20251020164608.20536-5-leon.hwang@linux.dev> In-Reply-To: <20251020164608.20536-1-leon.hwang@linux.dev> References: <20251020164608.20536-1-leon.hwang@linux.dev> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-Migadu-Flow: FLOW_OUT Content-Type: text/plain; charset="utf-8" Add tests to verify that updating hash and local storage maps does not leak memory when BPF_KPTR_REF objects are involved. The tests perform the following steps: 1. Call update_elem() to insert an initial value. 2. Use bpf_refcount_acquire() to increment the refcount. 3. Store the node pointer in the map value. 4. Add the node to a linked list. 5. Probe-read the refcount and verify it is *2*. 6. Call update_elem() again to trigger refcount decrement. 7. Probe-read the refcount and verify it is *1*. Signed-off-by: Leon Hwang --- .../bpf/prog_tests/refcounted_kptr.c | 167 +++++++++++++++++- .../selftests/bpf/progs/refcounted_kptr.c | 160 +++++++++++++++++ 2 files changed, 326 insertions(+), 1 deletion(-) diff --git a/tools/testing/selftests/bpf/prog_tests/refcounted_kptr.c b/too= ls/testing/selftests/bpf/prog_tests/refcounted_kptr.c index d6bd5e16e6372..83a59c68e70cb 100644 --- a/tools/testing/selftests/bpf/prog_tests/refcounted_kptr.c +++ b/tools/testing/selftests/bpf/prog_tests/refcounted_kptr.c @@ -3,7 +3,7 @@ =20 #include #include - +#include "cgroup_helpers.h" #include "refcounted_kptr.skel.h" #include "refcounted_kptr_fail.skel.h" =20 @@ -44,3 +44,168 @@ void test_refcounted_kptr_wrong_owner(void) ASSERT_OK(opts.retval, "rbtree_wrong_owner_remove_fail_a2 retval"); refcounted_kptr__destroy(skel); } + +static void test_refcnt_leak(void *values, size_t values_sz, u64 flags, st= ruct bpf_map *map, + struct bpf_program *prog_leak, struct bpf_program *prog_check) +{ + int ret, fd, key =3D 0; + LIBBPF_OPTS(bpf_test_run_opts, opts, + .data_in =3D &pkt_v4, + .data_size_in =3D sizeof(pkt_v4), + .repeat =3D 1, + ); + + ret =3D bpf_map__update_elem(map, &key, sizeof(key), values, values_sz, f= lags); + if (!ASSERT_OK(ret, "bpf_map__update_elem init")) + return; + + fd =3D bpf_program__fd(prog_leak); + ret =3D bpf_prog_test_run_opts(fd, &opts); + if (!ASSERT_OK(ret, "test_run_opts")) + return; + if (!ASSERT_EQ(opts.retval, 2, "retval refcount")) + return; + + ret =3D bpf_map__update_elem(map, &key, sizeof(key), values, values_sz, f= lags); + if (!ASSERT_OK(ret, "bpf_map__update_elem dec refcount")) + return; + + fd =3D bpf_program__fd(prog_check); + ret =3D bpf_prog_test_run_opts(fd, &opts); + ASSERT_OK(ret, "test_run_opts"); + ASSERT_EQ(opts.retval, 1, "retval"); +} + +static void test_percpu_hash_refcount_leak(void) +{ + struct refcounted_kptr *skel; + size_t values_sz; + u64 *values; + int cpu_nr; + + cpu_nr =3D libbpf_num_possible_cpus(); + if (!ASSERT_GT(cpu_nr, 0, "libbpf_num_possible_cpus")) + return; + + values =3D calloc(cpu_nr, sizeof(u64)); + if (!ASSERT_OK_PTR(values, "calloc values")) + return; + + skel =3D refcounted_kptr__open_and_load(); + if (!ASSERT_OK_PTR(skel, "refcounted_kptr__open_and_load")) { + free(values); + return; + } + + values_sz =3D cpu_nr * sizeof(u64); + memset(values, 0, values_sz); + + test_refcnt_leak(values, values_sz, 0, skel->maps.pcpu_hash, + skel->progs.pcpu_hash_refcount_leak, + skel->progs.check_pcpu_hash_refcount); + + refcounted_kptr__destroy(skel); + free(values); +} + +struct lock_map_value { + u64 kptr; + struct bpf_spin_lock lock; + int value; +}; + +static void test_hash_lock_refcount_leak(void) +{ + struct lock_map_value value =3D {}; + struct refcounted_kptr *skel; + + skel =3D refcounted_kptr__open_and_load(); + if (!ASSERT_OK_PTR(skel, "refcounted_kptr__open_and_load")) + return; + + test_refcnt_leak(&value, sizeof(value), BPF_F_LOCK, skel->maps.lock_hash, + skel->progs.hash_lock_refcount_leak, + skel->progs.check_hash_lock_refcount); + + refcounted_kptr__destroy(skel); +} + +static void test_cgroup_storage_lock_refcount_leak(void) +{ + int server_fd =3D -1, client_fd =3D -1; + struct lock_map_value value =3D {}; + struct refcounted_kptr *skel; + u64 flags =3D BPF_F_LOCK; + struct bpf_link *link; + struct bpf_map *map; + int cgroup, err; + + cgroup =3D test__join_cgroup("/cg_refcount_leak"); + if (!ASSERT_GE(cgroup, 0, "test__join_cgroup")) + return; + + skel =3D refcounted_kptr__open_and_load(); + if (!ASSERT_OK_PTR(skel, "refcounted_kptr__open_and_load")) + goto out; + + link =3D bpf_program__attach_cgroup(skel->progs.cgroup_storage_refcount_l= eak, cgroup); + if (!ASSERT_OK_PTR(link, "bpf_program__attach_cgroup")) + goto out; + skel->links.cgroup_storage_refcount_leak =3D link; + + server_fd =3D start_server(AF_INET6, SOCK_STREAM, "::1", 0, 0); + if (!ASSERT_GE(server_fd, 0, "start_server")) + goto out; + + client_fd =3D connect_to_fd(server_fd, 0); + if (!ASSERT_GE(client_fd, 0, "connect_to_fd")) + goto out; + + map =3D skel->maps.cgrp_strg; + err =3D bpf_map__lookup_elem(map, &cgroup, sizeof(cgroup), &value, sizeof= (value), flags); + if (!ASSERT_OK(err, "bpf_map__lookup_elem")) + goto out; + + ASSERT_EQ(value.value, 2, "refcount"); + + err =3D bpf_map__update_elem(map, &cgroup, sizeof(cgroup), &value, sizeof= (value), flags); + if (!ASSERT_OK(err, "bpf_map__update_elem")) + goto out; + + err =3D bpf_link__detach(skel->links.cgroup_storage_refcount_leak); + if (!ASSERT_OK(err, "bpf_link__detach")) + goto out; + + link =3D bpf_program__attach(skel->progs.check_cgroup_storage_refcount); + if (!ASSERT_OK_PTR(link, "bpf_program__attach")) + goto out; + skel->links.check_cgroup_storage_refcount =3D link; + + close(client_fd); + client_fd =3D connect_to_fd(server_fd, 0); + if (!ASSERT_GE(client_fd, 0, "connect_to_fd")) + goto out; + + err =3D bpf_map__lookup_elem(map, &cgroup, sizeof(cgroup), &value, sizeof= (value), flags); + if (!ASSERT_OK(err, "bpf_map__lookup_elem")) + goto out; + + ASSERT_EQ(value.value, 1, "refcount"); +out: + close(cgroup); + refcounted_kptr__destroy(skel); + if (client_fd >=3D 0) + close(client_fd); + if (server_fd >=3D 0) + close(server_fd); +} + +void test_kptr_refcount_leak(void) +{ + if (test__start_subtest("percpu_hash_refcount_leak")) + test_percpu_hash_refcount_leak(); + if (test__start_subtest("hash_lock_refcount_leak")) + test_hash_lock_refcount_leak(); + if (test__start_subtest("cgroup_storage_lock_refcount_leak")) + test_cgroup_storage_lock_refcount_leak(); +} diff --git a/tools/testing/selftests/bpf/progs/refcounted_kptr.c b/tools/te= sting/selftests/bpf/progs/refcounted_kptr.c index 893a4fdb4b6e9..09efae9537c9b 100644 --- a/tools/testing/selftests/bpf/progs/refcounted_kptr.c +++ b/tools/testing/selftests/bpf/progs/refcounted_kptr.c @@ -7,6 +7,7 @@ #include #include "bpf_misc.h" #include "bpf_experimental.h" +#include "bpf_tracing_net.h" =20 extern void bpf_rcu_read_lock(void) __ksym; extern void bpf_rcu_read_unlock(void) __ksym; @@ -568,4 +569,163 @@ int BPF_PROG(rbtree_sleepable_rcu_no_explicit_rcu_loc= k, return 0; } =20 +private(leak) u64 ref; + +static u32 probe_read_refcount(void) +{ + u32 refcnt; + + bpf_probe_read_kernel(&refcnt, sizeof(refcnt), (void *) ref); + return refcnt; +} + +static int __insert_in_list(struct bpf_list_head *head, struct bpf_spin_lo= ck *lock, + struct node_data __kptr **node) +{ + struct node_data *n, *m; + + n =3D bpf_obj_new(typeof(*n)); + if (!n) + return -1; + + m =3D bpf_refcount_acquire(n); + n =3D bpf_kptr_xchg(node, n); + if (n) { + bpf_obj_drop(n); + bpf_obj_drop(m); + return -2; + } + + bpf_spin_lock(lock); + bpf_list_push_front(head, &m->l); + ref =3D (u64)(void *) &m->ref; + bpf_spin_unlock(lock); + return probe_read_refcount(); +} + +static void *__lookup_map(void *map) +{ + int key =3D 0; + + return bpf_map_lookup_elem(map, &key); +} + +struct { + __uint(type, BPF_MAP_TYPE_PERCPU_HASH); + __type(key, int); + __type(value, struct map_value); + __uint(max_entries, 1); +} pcpu_hash SEC(".maps"); + +SEC("tc") +int pcpu_hash_refcount_leak(void *ctx) +{ + struct map_value *v; + + v =3D __lookup_map(&pcpu_hash); + if (!v) + return 0; + + return __insert_in_list(&head, &lock, &v->node); +} + +SEC("tc") +int check_pcpu_hash_refcount(void *ctx) +{ + return probe_read_refcount(); +} + +struct lock_map_value { + struct node_data __kptr *node; + struct bpf_spin_lock lock; + int value; +}; + +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __type(key, int); + __type(value, struct lock_map_value); + __uint(max_entries, 1); +} lock_hash SEC(".maps"); + +SEC("tc") +int hash_lock_refcount_leak(void *ctx) +{ + struct lock_map_value *v; + + v =3D __lookup_map(&lock_hash); + if (!v) + return 0; + + bpf_spin_lock(&v->lock); + v->value =3D 42; + bpf_spin_unlock(&v->lock); + return __insert_in_list(&head, &lock, &v->node); +} + +SEC("tc") +int check_hash_lock_refcount(void *ctx) +{ + return probe_read_refcount(); +} + +struct { + __uint(type, BPF_MAP_TYPE_CGRP_STORAGE); + __uint(map_flags, BPF_F_NO_PREALLOC); + __type(key, int); + __type(value, struct lock_map_value); +} cgrp_strg SEC(".maps"); + +SEC("cgroup/connect6") +int cgroup_storage_refcount_leak(struct bpf_sock_addr *ctx) +{ + struct lock_map_value *v; + struct tcp_sock *tsk; + struct bpf_sock *sk; + u32 refcnt; + + if (ctx->family !=3D AF_INET6 || ctx->user_family !=3D AF_INET6) + return 1; + + sk =3D ctx->sk; + if (!sk) + return 1; + + tsk =3D bpf_skc_to_tcp_sock(sk); + if (!tsk) + return 1; + + v =3D bpf_cgrp_storage_get(&cgrp_strg, tsk->inet_conn.icsk_inet.sk.sk_cgr= p_data.cgroup, 0, + BPF_LOCAL_STORAGE_GET_F_CREATE); + if (!v) + return 1; + + refcnt =3D __insert_in_list(&head, &lock, &v->node); + bpf_spin_lock(&v->lock); + v->value =3D refcnt; + bpf_spin_unlock(&v->lock); + return 1; +} + +SEC("fexit/inet_stream_connect") +int BPF_PROG(check_cgroup_storage_refcount, struct socket *sock, struct so= ckaddr *uaddr, int addr_len, + int flags) +{ + struct lock_map_value *v; + u32 refcnt; + + if (uaddr->sa_family !=3D AF_INET6) + return 0; + + v =3D bpf_cgrp_storage_get(&cgrp_strg, sock->sk->sk_cgrp_data.cgroup, 0, = 0); + if (!v) + return 0; + + refcnt =3D probe_read_refcount(); + bpf_spin_lock(&v->lock); + v->value =3D refcnt; + bpf_spin_unlock(&v->lock); + return 0; +} + char _license[] SEC("license") =3D "GPL"; --=20 2.51.0