[PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info
@ 2025-08-01 23:23 Eduard Zingerman
  2025-08-02  0:59 ` Alexei Starovoitov
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Eduard Zingerman @ 2025-08-01 23:23 UTC (permalink / raw)
  To: bpf, ast
  Cc: andrii, daniel, martin.lau, kernel-team, yonghong.song,
	Eduard Zingerman, Jens Axboe, Alexei Starovoitov

env->scc_info array contains references to bpf_scc_info objects
allocated lazily in verifier.c:scc_visit_alloc().
env->scc_cnt was supposed to track env->scc_info array size
in order to free referenced objects in verifier.c:free_states().
Initialization of env->scc_cnt was omitted in
verifier.c:compute_scc(), which is fixed by this commit.

To reproduce the bug:
- build with CONFIG_DEBUG_KMEMLEAK
- boot and load bpf program with loops, e.g.:
  ./veristat -q pyperf180.bpf.o
- initiate memleak scan and check results:
  echo scan > /sys/kernel/debug/kmemleak
  cat /sys/kernel/debug/kmemleak

Fixes: c9e31900b54c ("bpf: propagate read/precision marks over state graph backedges")
Reported-by: Jens Axboe <axboe@kernel.dk>
Closes: https://lore.kernel.org/bpf/CAADnVQKXUWg9uRCPD5ebRXwN4dmBCRUFFM7kN=GxymYz3zU25A@mail.gmail.com/T/
Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
---
 kernel/bpf/verifier.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 0806295945e4..c4f69a9e9af6 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -23114,6 +23114,8 @@ static void free_states(struct bpf_verifier_env *env)
 
 	for (i = 0; i < env->scc_cnt; ++i) {
 		info = env->scc_info[i];
+		if (!info)
+			continue;
 		for (j = 0; j < info->num_visits; j++)
 			free_backedges(&info->visits[j]);
 		kvfree(info);
@@ -24554,6 +24556,7 @@ static int compute_scc(struct bpf_verifier_env *env)
 		err = -ENOMEM;
 		goto exit;
 	}
+	env->scc_cnt = next_scc_id;
 exit:
 	kvfree(stack);
 	kvfree(pre);
-- 
2.50.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info
  2025-08-01 23:23 [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info Eduard Zingerman
@ 2025-08-02  0:59 ` Alexei Starovoitov
  2025-08-02  1:12 ` patchwork-bot+netdevbpf
  2025-08-02 13:54 ` Jens Axboe
  2 siblings, 0 replies; 4+ messages in thread
From: Alexei Starovoitov @ 2025-08-02  0:59 UTC (permalink / raw)
  To: Eduard Zingerman
  Cc: bpf, Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann,
	Martin KaFai Lau, Kernel Team, Yonghong Song, Jens Axboe

On Fri, Aug 1, 2025 at 4:23 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
>
> env->scc_info array contains references to bpf_scc_info objects
> allocated lazily in verifier.c:scc_visit_alloc().
> env->scc_cnt was supposed to track env->scc_info array size
> in order to free referenced objects in verifier.c:free_states().
> Initialization of env->scc_cnt was omitted in
> verifier.c:compute_scc(), which is fixed by this commit.

Applied to bpf tree and slightly reworded above commit
log and subject to use imperative language.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info
  2025-08-01 23:23 [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info Eduard Zingerman
  2025-08-02  0:59 ` Alexei Starovoitov
@ 2025-08-02  1:12 ` patchwork-bot+netdevbpf
  2025-08-02 13:54 ` Jens Axboe
  2 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-08-02  1:12 UTC (permalink / raw)
  To: Eduard Zingerman
  Cc: bpf, ast, andrii, daniel, martin.lau, kernel-team, yonghong.song,
	axboe, alexei.starovoitov

Hello:

This patch was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Fri,  1 Aug 2025 16:23:30 -0700 you wrote:
> env->scc_info array contains references to bpf_scc_info objects
> allocated lazily in verifier.c:scc_visit_alloc().
> env->scc_cnt was supposed to track env->scc_info array size
> in order to free referenced objects in verifier.c:free_states().
> Initialization of env->scc_cnt was omitted in
> verifier.c:compute_scc(), which is fixed by this commit.
> 
> [...]

Here is the summary with links:
  - [bpf,v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info
    https://git.kernel.org/bpf/bpf/c/989705e34ad3

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info
  2025-08-01 23:23 [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info Eduard Zingerman
  2025-08-02  0:59 ` Alexei Starovoitov
  2025-08-02  1:12 ` patchwork-bot+netdevbpf
@ 2025-08-02 13:54 ` Jens Axboe
  2 siblings, 0 replies; 4+ messages in thread
From: Jens Axboe @ 2025-08-02 13:54 UTC (permalink / raw)
  To: Eduard Zingerman, bpf, ast
  Cc: andrii, daniel, martin.lau, kernel-team, yonghong.song,
	Alexei Starovoitov

On 8/1/25 5:23 PM, Eduard Zingerman wrote:
> env->scc_info array contains references to bpf_scc_info objects
> allocated lazily in verifier.c:scc_visit_alloc().
> env->scc_cnt was supposed to track env->scc_info array size
> in order to free referenced objects in verifier.c:free_states().
> Initialization of env->scc_cnt was omitted in
> verifier.c:compute_scc(), which is fixed by this commit.
> 
> To reproduce the bug:
> - build with CONFIG_DEBUG_KMEMLEAK
> - boot and load bpf program with loops, e.g.:
>   ./veristat -q pyperf180.bpf.o
> - initiate memleak scan and check results:
>   echo scan > /sys/kernel/debug/kmemleak
>   cat /sys/kernel/debug/kmemleak

Thanks for fixing this. Even though it's already applied, I did test it:

Tested-by: Jens Axboe <axboe@kernel.dk>

-- 
Jens Axboe

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2025-08-02 13:54 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-08-01 23:23 [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info Eduard Zingerman
2025-08-02  0:59 ` Alexei Starovoitov
2025-08-02  1:12 ` patchwork-bot+netdevbpf
2025-08-02 13:54 ` Jens Axboe

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.