From: Yonghong Song <yhs@meta.com>
To: Dave Marchevsky <davemarchevsky@fb.com>, bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Kernel Team <kernel-team@fb.com>, Yonghong Song <yhs@fb.com>,
Kumar Kartikeya Dwivedi <memxor@gmail.com>
Subject: Re: [PATCH v2 bpf-next 1/2] bpf: Fix release_on_unlock release logic for multiple refs
Date: Thu, 1 Dec 2022 16:10:04 -0800 [thread overview]
Message-ID: <800ebe54-1f66-7704-984e-815ecdfd5b64@meta.com> (raw)
In-Reply-To: <20221201183406.1203621-1-davemarchevsky@fb.com>
On 12/1/22 10:34 AM, Dave Marchevsky wrote:
> Consider a verifier state with three acquired references, all with
> release_on_unlock = true:
>
> idx 0 1 2
> state->refs = [2 4 6]
>
> (with 2, 4, and 6 being the ref ids).
>
> When bpf_spin_unlock is called, process_spin_lock will loop through all
> acquired_refs and, for each ref, if it's release_on_unlock, calls
> release_reference on it. That function in turn calls
> release_reference_state, which removes the reference from state->refs by
> swapping the reference state with the last reference state in
> refs array and decrements acquired_refs count.
>
> process_spin_lock's loop logic, which is essentially:
>
> for (i = 0; i < state->acquired_refs; i++) {
> if (!state->refs[i].release_on_unlock)
> continue;
> release_reference(state->refs[i].id);
> }
>
> will fail to release release_on_unlock references which are swapped from
> the end. Running this logic on our example demonstrates:
>
> state->refs = [2 4 6] (start of idx=0 iter)
> release state->refs[0] by swapping w/ state->refs[2]
>
> state->refs = [6 4] (start of idx=1)
> release state->refs[1], no need to swap as it's the last idx
>
> state->refs = [6] (start of idx=2, loop terminates)
>
> ref_id 6 should have been removed but was skipped.
>
> Fix this by looping from back-to-front, which results in refs that are
> candidates for removal being swapped with refs which have already been
> examined and kept.
>
> If we modify our initial example such that ref 6 is replaced with ref 7,
> which is _not_ release_on_unlock, and loop from the back, we'd see:
>
> state->refs = [2 4 7] (start of idx=2)
>
> state->refs = [2 4 7] (start of idx=1)
>
> state->refs = [2 7] (start of idx=0, refs 7 and 4 swapped)
>
> state->refs = [7] (after idx=0, 7 and 2 swapped, loop terminates)
Thanks, new description is much better.
>
> Signed-off-by: Dave Marchevsky <davemarchevsky@fb.com>
> Acked-by: Yonghong Song <yhs@fb.com>
> cc: Kumar Kartikeya Dwivedi <memxor@gmail.com>
> Fixes: 534e86bc6c66 ("bpf: Add 'release on unlock' logic for bpf_list_push_{front,back}")
> ---
> v1 -> v2 lore.kernel.org/bpf/b5d46fd5-2693-cd46-9515-700fef1a110b@meta.com:
>
> * Update second example in patch summary to use a new ref_id for the
> non-release_on_unlock ref. (Yonghong)
> * Add Yonghong's ack
[...]
next prev parent reply other threads:[~2022-12-02 0:10 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-12-01 18:34 [PATCH v2 bpf-next 1/2] bpf: Fix release_on_unlock release logic for multiple refs Dave Marchevsky
2022-12-01 18:34 ` [PATCH v2 bpf-next 2/2] selftests/bpf: Validate multiple ref release_on_unlock logic Dave Marchevsky
2022-12-02 3:21 ` Yonghong Song
2022-12-02 0:10 ` Yonghong Song [this message]
2022-12-02 3:50 ` [PATCH v2 bpf-next 1/2] bpf: Fix release_on_unlock release logic for multiple refs patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=800ebe54-1f66-7704-984e-815ecdfd5b64@meta.com \
--to=yhs@meta.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davemarchevsky@fb.com \
--cc=kernel-team@fb.com \
--cc=memxor@gmail.com \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.