From: Eduard Zingerman <eddyz87@gmail.com>
To: bpf@vger.kernel.org, ast@kernel.org
Cc: andrii@kernel.org, daniel@iogearbox.net, martin.lau@linux.dev,
kernel-team@fb.com, yonghong.song@linux.dev,
Eduard Zingerman <eddyz87@gmail.com>,
Jens Axboe <axboe@kernel.dk>,
Alexei Starovoitov <alexei.starovoitov@gmail.com>
Subject: [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info
Date: Fri, 1 Aug 2025 16:23:30 -0700 [thread overview]
Message-ID: <20250801232330.1800436-1-eddyz87@gmail.com> (raw)
env->scc_info array contains references to bpf_scc_info objects
allocated lazily in verifier.c:scc_visit_alloc().
env->scc_cnt was supposed to track env->scc_info array size
in order to free referenced objects in verifier.c:free_states().
Initialization of env->scc_cnt was omitted in
verifier.c:compute_scc(), which is fixed by this commit.
To reproduce the bug:
- build with CONFIG_DEBUG_KMEMLEAK
- boot and load bpf program with loops, e.g.:
./veristat -q pyperf180.bpf.o
- initiate memleak scan and check results:
echo scan > /sys/kernel/debug/kmemleak
cat /sys/kernel/debug/kmemleak
Fixes: c9e31900b54c ("bpf: propagate read/precision marks over state graph backedges")
Reported-by: Jens Axboe <axboe@kernel.dk>
Closes: https://lore.kernel.org/bpf/CAADnVQKXUWg9uRCPD5ebRXwN4dmBCRUFFM7kN=GxymYz3zU25A@mail.gmail.com/T/
Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
---
kernel/bpf/verifier.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 0806295945e4..c4f69a9e9af6 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -23114,6 +23114,8 @@ static void free_states(struct bpf_verifier_env *env)
for (i = 0; i < env->scc_cnt; ++i) {
info = env->scc_info[i];
+ if (!info)
+ continue;
for (j = 0; j < info->num_visits; j++)
free_backedges(&info->visits[j]);
kvfree(info);
@@ -24554,6 +24556,7 @@ static int compute_scc(struct bpf_verifier_env *env)
err = -ENOMEM;
goto exit;
}
+ env->scc_cnt = next_scc_id;
exit:
kvfree(stack);
kvfree(pre);
--
2.50.1
next reply other threads:[~2025-08-01 23:23 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-01 23:23 Eduard Zingerman [this message]
2025-08-02 0:59 ` [PATCH bpf v1] bpf: correctly free bpf_scc_info objects referenced in env->scc_info Alexei Starovoitov
2025-08-02 1:12 ` patchwork-bot+netdevbpf
2025-08-02 13:54 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250801232330.1800436-1-eddyz87@gmail.com \
--to=eddyz87@gmail.com \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=axboe@kernel.dk \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kernel-team@fb.com \
--cc=martin.lau@linux.dev \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.