From: Eric Dumazet <eric.dumazet@gmail.com>
To: Yonghong Song <yhs@fb.com>,
ast@fb.com, daniel@iogearbox.net, malat@debian.org,
netdev@vger.kernel.org
Cc: kernel-team@fb.com
Subject: Re: [PATCH bpf] bpf: fix memory leak in lpm_trie map_free callback function
Date: Mon, 12 Feb 2018 14:15:55 -0800 [thread overview]
Message-ID: <1518473755.3715.166.camel@gmail.com> (raw)
In-Reply-To: <20180212215802.1827544-1-yhs@fb.com>
On Mon, 2018-02-12 at 13:58 -0800, Yonghong Song wrote:
> There is a memory leak happening in lpm_trie map_free callback
> function trie_free. The trie structure itself does not get freed.
>
> Also, trie_free function did not do synchronize_rcu before freeing
> various data structures. This is incorrect as some rcu_read_lock
> region(s) for lookup, update, delete or get_next_key may not complete yet.
> The fix is to add synchronize_rcu in the beginning of trie_free.
> The useless spin_lock is removed from this function as well.
>
> Fixes: b95a5c4db09b ("bpf: add a longest prefix match trie map implementation")
> Reported-by: Mathieu Malaterre <malat@debian.org>
> Reported-by: Alexei Starovoitov <ast@kernel.org>
> Tested-by: Mathieu Malaterre <malat@debian.org>
> Signed-off-by: Yonghong Song <yhs@fb.com>
> ---
> kernel/bpf/lpm_trie.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/bpf/lpm_trie.c b/kernel/bpf/lpm_trie.c
> index 7b469d1..9b41ea4 100644
> --- a/kernel/bpf/lpm_trie.c
> +++ b/kernel/bpf/lpm_trie.c
> @@ -555,7 +555,12 @@ static void trie_free(struct bpf_map *map)
> struct lpm_trie_node __rcu **slot;
> struct lpm_trie_node *node;
>
> - raw_spin_lock(&trie->lock);
> + /* at this point bpf_prog->aux->refcnt == 0 and this map->refcnt == 0,
> + * so the programs (can be more than one that used this map) were
> + * disconnected from events. Wait for outstanding programs to complete
> + * update/lookup/delete/get_next_key and free the trie.
> + */
> + synchronize_rcu();
>
Please do not do that.
Use kfree_rcu() instead (adding one struct rcu_head in struct lpm_trie)
> /* Always start at the root and walk down to a node that has no
> * children. Then free that node, nullify its reference in the parent
> @@ -588,7 +593,7 @@ static void trie_free(struct bpf_map *map)
> }
>
> unlock:
> - raw_spin_unlock(&trie->lock);
> + kfree(trie);
> }
>
> static int trie_get_next_key(struct bpf_map *map, void *_key, void *_next_key)
next prev parent reply other threads:[~2018-02-12 22:15 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-12 21:58 [PATCH bpf] bpf: fix memory leak in lpm_trie map_free callback function Yonghong Song
2018-02-12 22:15 ` Eric Dumazet [this message]
2018-02-12 22:20 ` Eric Dumazet
2018-02-14 1:11 ` Daniel Borkmann
2018-02-14 1:46 ` Yonghong Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1518473755.3715.166.camel@gmail.com \
--to=eric.dumazet@gmail.com \
--cc=ast@fb.com \
--cc=daniel@iogearbox.net \
--cc=kernel-team@fb.com \
--cc=malat@debian.org \
--cc=netdev@vger.kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.