* [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info
@ 2025-08-01 23:23 Eduard Zingerman
2025-08-02 0:59 ` Alexei Starovoitov
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Eduard Zingerman @ 2025-08-01 23:23 UTC (permalink / raw)
To: bpf, ast
Cc: andrii, daniel, martin.lau, kernel-team, yonghong.song,
Eduard Zingerman, Jens Axboe, Alexei Starovoitov
env->scc_info array contains references to bpf_scc_info objects
allocated lazily in verifier.c:scc_visit_alloc().
env->scc_cnt was supposed to track env->scc_info array size
in order to free referenced objects in verifier.c:free_states().
Initialization of env->scc_cnt was omitted in
verifier.c:compute_scc(), which is fixed by this commit.
To reproduce the bug:
- build with CONFIG_DEBUG_KMEMLEAK
- boot and load bpf program with loops, e.g.:
./veristat -q pyperf180.bpf.o
- initiate memleak scan and check results:
echo scan > /sys/kernel/debug/kmemleak
cat /sys/kernel/debug/kmemleak
Fixes: c9e31900b54c ("bpf: propagate read/precision marks over state graph backedges")
Reported-by: Jens Axboe <axboe@kernel.dk>
Closes: https://lore.kernel.org/bpf/CAADnVQKXUWg9uRCPD5ebRXwN4dmBCRUFFM7kN=GxymYz3zU25A@mail.gmail.com/T/
Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
---
kernel/bpf/verifier.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 0806295945e4..c4f69a9e9af6 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -23114,6 +23114,8 @@ static void free_states(struct bpf_verifier_env *env)
for (i = 0; i < env->scc_cnt; ++i) {
info = env->scc_info[i];
+ if (!info)
+ continue;
for (j = 0; j < info->num_visits; j++)
free_backedges(&info->visits[j]);
kvfree(info);
@@ -24554,6 +24556,7 @@ static int compute_scc(struct bpf_verifier_env *env)
err = -ENOMEM;
goto exit;
}
+ env->scc_cnt = next_scc_id;
exit:
kvfree(stack);
kvfree(pre);
--
2.50.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info
2025-08-01 23:23 [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info Eduard Zingerman
@ 2025-08-02 0:59 ` Alexei Starovoitov
2025-08-02 1:12 ` patchwork-bot+netdevbpf
2025-08-02 13:54 ` Jens Axboe
2 siblings, 0 replies; 4+ messages in thread
From: Alexei Starovoitov @ 2025-08-02 0:59 UTC (permalink / raw)
To: Eduard Zingerman
Cc: bpf, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann,
Martin KaFai Lau, Kernel Team, Yonghong Song, Jens Axboe
On Fri, Aug 1, 2025 at 4:23 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
>
> env->scc_info array contains references to bpf_scc_info objects
> allocated lazily in verifier.c:scc_visit_alloc().
> env->scc_cnt was supposed to track env->scc_info array size
> in order to free referenced objects in verifier.c:free_states().
> Initialization of env->scc_cnt was omitted in
> verifier.c:compute_scc(), which is fixed by this commit.
Applied to bpf tree and slightly reworded above commit
log and subject to use imperative language.
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info
2025-08-01 23:23 [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info Eduard Zingerman
2025-08-02 0:59 ` Alexei Starovoitov
@ 2025-08-02 1:12 ` patchwork-bot+netdevbpf
2025-08-02 13:54 ` Jens Axboe
2 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-08-02 1:12 UTC (permalink / raw)
To: Eduard Zingerman
Cc: bpf, ast, andrii, daniel, martin.lau, kernel-team, yonghong.song,
axboe, alexei.starovoitov
Hello:
This patch was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@kernel.org>:
On Fri, 1 Aug 2025 16:23:30 -0700 you wrote:
> env->scc_info array contains references to bpf_scc_info objects
> allocated lazily in verifier.c:scc_visit_alloc().
> env->scc_cnt was supposed to track env->scc_info array size
> in order to free referenced objects in verifier.c:free_states().
> Initialization of env->scc_cnt was omitted in
> verifier.c:compute_scc(), which is fixed by this commit.
>
> [...]
Here is the summary with links:
- [bpf,v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info
https://git.kernel.org/bpf/bpf/c/989705e34ad3
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info
2025-08-01 23:23 [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info Eduard Zingerman
2025-08-02 0:59 ` Alexei Starovoitov
2025-08-02 1:12 ` patchwork-bot+netdevbpf
@ 2025-08-02 13:54 ` Jens Axboe
2 siblings, 0 replies; 4+ messages in thread
From: Jens Axboe @ 2025-08-02 13:54 UTC (permalink / raw)
To: Eduard Zingerman, bpf, ast
Cc: andrii, daniel, martin.lau, kernel-team, yonghong.song,
Alexei Starovoitov
On 8/1/25 5:23 PM, Eduard Zingerman wrote:
> env->scc_info array contains references to bpf_scc_info objects
> allocated lazily in verifier.c:scc_visit_alloc().
> env->scc_cnt was supposed to track env->scc_info array size
> in order to free referenced objects in verifier.c:free_states().
> Initialization of env->scc_cnt was omitted in
> verifier.c:compute_scc(), which is fixed by this commit.
>
> To reproduce the bug:
> - build with CONFIG_DEBUG_KMEMLEAK
> - boot and load bpf program with loops, e.g.:
> ./veristat -q pyperf180.bpf.o
> - initiate memleak scan and check results:
> echo scan > /sys/kernel/debug/kmemleak
> cat /sys/kernel/debug/kmemleak
Thanks for fixing this. Even though it's already applied, I did test it:
Tested-by: Jens Axboe <axboe@kernel.dk>
--
Jens Axboe
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-08-02 13:54 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-01 23:23 [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info Eduard Zingerman
2025-08-02 0:59 ` Alexei Starovoitov
2025-08-02 1:12 ` patchwork-bot+netdevbpf
2025-08-02 13:54 ` Jens Axboe
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.