From: Yonghong Song <yonghong.song@linux.dev>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Hou Tao <houtao@huaweicloud.com>,
Andrii Nakryiko <andrii.nakryiko@gmail.com>,
bpf <bpf@vger.kernel.org>, Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Kernel Team <kernel-team@fb.com>,
Martin KaFai Lau <martin.lau@kernel.org>
Subject: Re: [PATCH bpf] bpf: Fix a race condition between btf_put() and map_free()
Date: Tue, 5 Dec 2023 14:50:57 -0800 [thread overview]
Message-ID: <f4f05bf8-37ad-400a-a38d-0a7061f0a4c3@linux.dev> (raw)
In-Reply-To: <CAADnVQL+uc6VV65_Ezgzw3WH=ME9z1Fdy8Pd6xd0oOq8rgwh7g@mail.gmail.com>
On 12/5/23 4:13 PM, Alexei Starovoitov wrote:
> On Mon, Dec 4, 2023 at 11:01 PM Yonghong Song <yonghong.song@linux.dev> wrote:
>>> Er, it is not what I want, although I have written a similar patch in
>>> which bpf_map_put() will call btf_put() and set map->btf as NULL if
>>> there is no BPF_LIST_HEAD and BPF_RB_ROOT fields in map->record,
>>> otherwise calling bpf_put() in bpf_put_free_deferred(). What I have
>>> suggested is to optionally pin btf in graph_root.btf just like
>>> btf_field_kptr does.
>> Okay, I see what you mean. This is actually what I kind of think
>> as well in below to identify *all* cases btf data might be accessed.
>> I didn't explicitly mention this approach in detail but the idea is
>> to get a reference count for btf and later release it during btf_record_free.
>> I think this should work. I need to do an audit then to find other potential
>> places, if exists, to do similar things. The current approach
>> is simpler but looks like we can do better with existing
>> btf_field_kptr approach.
> imo that would be the only correct way to fix it.
> we btf_get(kptr_btf) before saving it kptr.btf in btf_parse_kptr() and
> btf_put() it eventually in btf_record_free().
> graph_root looks buggy.
> It saved the btf pointer in btf_parse_graph_root() without taking refcnt.
Agreed. Just send v3 patch:
https://lore.kernel.org/bpf/20231205224812.813224-1-yonghong.song@linux.dev/
next prev parent reply other threads:[~2023-12-05 22:51 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-04 17:39 [PATCH bpf] bpf: Fix a race condition between btf_put() and map_free() Yonghong Song
2023-12-05 0:42 ` Andrii Nakryiko
2023-12-05 1:31 ` Hou Tao
2023-12-05 4:15 ` Yonghong Song
2023-12-05 6:30 ` Hou Tao
2023-12-05 7:01 ` Yonghong Song
2023-12-05 21:13 ` Alexei Starovoitov
2023-12-05 22:50 ` Yonghong Song [this message]
2023-12-05 3:58 ` Yonghong Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f4f05bf8-37ad-400a-a38d-0a7061f0a4c3@linux.dev \
--to=yonghong.song@linux.dev \
--cc=alexei.starovoitov@gmail.com \
--cc=andrii.nakryiko@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=houtao@huaweicloud.com \
--cc=kernel-team@fb.com \
--cc=martin.lau@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.