[PATCH bpf v2 0/4] bpf: Fix possible memleak when updating hash and local storage maps

[Leon Hwang <leon.hwang@linux.dev>]

In the discussion thread
"[PATCH bpf-next v9 0/7] bpf: Introduce BPF_F_CPU and BPF_F_ALL_CPUS flags for percpu maps"[1],
it was pointed out that missing calls to bpf_obj_free_fields() could
lead to memory leaks.

A selftest was added to confirm that this is indeed a real issue - the
memory referenced by BPF_KPTR_{REF,PERCPU} fields is not freed when
bpf_obj_free_fields() is missing after copy_map_value[,_long]().

Further inspection of copy_map_value[,_long]() call sites revealed two
locations affected by this issue:

1. pcpu_copy_value()
2. htab_map_update_elem() when used with BPF_F_LOCK

This series fixes the leaks by properly calling bpf_obj_free_fields()
(or check_and_free_fields()) after copy_map_value[,_long]() and adds
selftests to verify the fix.

Changes:
v1 -> v2:
* Add test to verify no memleak when updating cgroup local storage maps.
* Address review from AI bot:
  * Fast path without bucket lock (around line 610) in
    'bpf_local_storage.c'.
v1: https://lore.kernel.org/bpf/20251016145801.47552-1-leon.hwang@linux.dev/

Links:
[1] https://lore.kernel.org/bpf/20250930153942.41781-1-leon.hwang@linux.dev/

Leon Hwang (4):
  bpf: Fix possible memleak in [lru_,]percpu_hash map update
  bpf: Fix possible memleak when updating hash maps with BPF_F_LOCK
  bpf: Fix possible memleak when updating local storage maps with
    BPF_F_LOCK
  selftests/bpf: Add tests to verify no memleak when updating hash and
    cgrp storage maps

 kernel/bpf/bpf_local_storage.c                |   1 +
 kernel/bpf/hashtab.c                          |   4 +
 .../bpf/prog_tests/refcounted_kptr.c          | 167 +++++++++++++++++-
 .../selftests/bpf/progs/refcounted_kptr.c     | 160 +++++++++++++++++
 4 files changed, 331 insertions(+), 1 deletion(-)

--
2.51.0