* [PATCH] bpf: fix memory leak in SCC management
@ 2025-08-07 12:34 Dmitry Antipov
2025-08-07 17:30 ` Kumar Kartikeya Dwivedi
2025-08-07 17:32 ` Yonghong Song
0 siblings, 2 replies; 3+ messages in thread
From: Dmitry Antipov @ 2025-08-07 12:34 UTC (permalink / raw)
To: Eduard Zingerman
Cc: Daniel Borkmann, Alexei Starovoitov, Andrii Nakryiko, bpf,
Dmitry Antipov
Running with CONFIG_DEBUG_KMEMLEAK enabled, I've noticed a few memory
leaks reported as follows:
unreferenced object 0xffff8881ce3bd080 (size 64):
comm "systemd", pid 3524, jiffies 4294789711
hex dump (first 32 bytes):
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace (crc 8c5ed7af):
__kmalloc_node_track_caller_noprof+0x25e/0x4e0
krealloc_noprof+0xe8/0x2f0
kvrealloc_noprof+0x65/0xe0
do_check+0x3ef1/0xcd10
do_check_common+0x1631/0x2110
bpf_check+0x3686/0x1e430
bpf_prog_load+0xda2/0x13f0
__sys_bpf+0x374/0x5b0
__x64_sys_bpf+0x7c/0x90
do_syscall_64+0x8a/0x220
entry_SYSCALL_64_after_hwframe+0x76/0x7e
When an array of SCC slots is allocated in 'compute_scc()', 'scc_cnt' of
the corresponding environment should be adjusted to match the size of this
array. Otherwise array members (re)assigned in 'scc_visit_alloc()' will
be unreachable from the freeing loop in 'free_states()'.
Fixes: c9e31900b54c ("bpf: propagate read/precision marks over state graph backedges")
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
---
kernel/bpf/verifier.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 0806295945e4..c4f69a9e9af6 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -23114,6 +23114,8 @@ static void free_states(struct bpf_verifier_env *env)
for (i = 0; i < env->scc_cnt; ++i) {
info = env->scc_info[i];
+ if (!info)
+ continue;
for (j = 0; j < info->num_visits; j++)
free_backedges(&info->visits[j]);
kvfree(info);
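Review bot: the new `if (!info) continue;` guard makes free_states() tolerate slots that scc_visit_alloc() never populated, which becomes necessary once scc_cnt covers the whole allocated array rather than only the assigned entries; a one-line comment above the check saying that entries are allocated lazily and may legitimately be NULL would stop a future reader from treating a NULL slot as a bookkeeping error. Note the guard skips both the free_backedges() loop and kvfree(info) for that slot, which is only correct if an unassigned slot can never own visits, so that invariant is worth stating in the same comment.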
@@ -24554,6 +24556,7 @@ static int compute_scc(struct bpf_verifier_env *env)
err = -ENOMEM;
goto exit;
}
+ env->scc_cnt = next_scc_id;
exit:
kvfree(stack);
kvfree(pre);
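Review bot: `env->scc_cnt = next_scc_id;` is placed after the allocation's error check, so on the -ENOMEM path the count keeps its previous value and free_states() will not walk an array that was never allocated; that ordering is right, but sitting directly above the `exit:` label it reads like cleanup code. Consider moving the assignment next to the allocation it describes, or adding a comment that scc_cnt must equal the allocated slot count for the loop in free_states() to reach every slot. As both replies note, an equivalent fix was already applied upstream, so this should be rebased against the current bpf tree before any resubmission.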
--
2.50.1
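The leak described in the commit message, reproduced in a constructed user-space model as an added example (not code from the patch or the kernel): the types, the slot count of 4 and the helper names are assumptions that only mirror the verifier functions named above, and `run_scenario()` returns the number of populated slots the free loop never reached, with and without the `scc_cnt` update.

```c
#include <stdlib.h>

/* Constructed user-space model of the verifier's SCC bookkeeping (hypothetical
 * types, not bpf_verifier_env): slots are NULL until visited, scc_cnt is walked. */
struct scc_info { int num_visits; };
struct env { struct scc_info **scc_info; int scc_cnt; };

/* Mirrors compute_scc(); with fix == 0 scc_cnt is left stale (the defect). */
static int compute_scc(struct env *env, int nr_scc, int fix)
{
	env->scc_info = calloc(nr_scc, sizeof(*env->scc_info));
	if (!env->scc_info)
		return -1;
	if (fix)
		env->scc_cnt = nr_scc;
	return 0;
}

/* Mirrors the patched free_states() loop; returns how many slots it freed. */
static int free_states(struct env *env)
{
	int i, freed = 0;
	for (i = 0; i < env->scc_cnt; i++) {
		if (!env->scc_info[i])
			continue;
		free(env->scc_info[i]);
		env->scc_info[i] = NULL;
		freed++;
	}
	return freed;
}

/* Allocate 4 slots, visit 0 and 2, free; returns how many visited slots
 * free_states() never reached, which is what kmemleak would report. */
int run_scenario(int fix)
{
	struct env env = { 0 };
	int i, freed;
	if (compute_scc(&env, 4, fix))
		return -1;
	/* Populate two slots lazily, as scc_visit_alloc() does on first visit. */
	env.scc_info[0] = calloc(1, sizeof(struct scc_info));
	env.scc_info[2] = calloc(1, sizeof(struct scc_info));
	freed = free_states(&env);
	for (i = 0; i < 4; i++) /* release whatever the loop above missed */
		free(env.scc_info[i]);
	free(env.scc_info);
	return 2 - freed;
}
```

With the stale count the free loop runs zero times and both populated slots are reported leaked; with the count set, every slot is reached.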
* Re: [PATCH] bpf: fix memory leak in SCC management
From: Kumar Kartikeya Dwivedi @ 2025-08-07 17:30 UTC (permalink / raw)
To: Dmitry Antipov
Cc: Eduard Zingerman, Daniel Borkmann, Alexei Starovoitov,
Andrii Nakryiko, bpf
On Thu, 7 Aug 2025 at 14:35, Dmitry Antipov <dmantipov@yandex.ru> wrote:
>
> Running with CONFIG_DEBUG_KMEMLEAK enabled, I've noticed a few memory
> leaks reported as follows:
>
> unreferenced object 0xffff8881ce3bd080 (size 64):
> comm "systemd", pid 3524, jiffies 4294789711
> hex dump (first 32 bytes):
> 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace (crc 8c5ed7af):
> __kmalloc_node_track_caller_noprof+0x25e/0x4e0
> krealloc_noprof+0xe8/0x2f0
> kvrealloc_noprof+0x65/0xe0
> do_check+0x3ef1/0xcd10
> do_check_common+0x1631/0x2110
> bpf_check+0x3686/0x1e430
> bpf_prog_load+0xda2/0x13f0
> __sys_bpf+0x374/0x5b0
> __x64_sys_bpf+0x7c/0x90
> do_syscall_64+0x8a/0x220
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> When an array of SCC slots is allocated in 'compute_scc()', 'scc_cnt' of
> the corresponding environment should be adjusted to match the size of this
> array. Otherwise array members (re)assigned in 'scc_visit_alloc()' will
> be unreachable from the freeing loop in 'free_states()'.
>
> Fixes: c9e31900b54c ("bpf: propagate read/precision marks over state graph backedges")
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
> ---
Already fixed and applied here:
https://lore.kernel.org/bpf/20250801232330.1800436-1-eddyz87@gmail.com
>
* Re: [PATCH] bpf: fix memory leak in SCC management
From: Yonghong Song @ 2025-08-07 17:32 UTC (permalink / raw)
To: Dmitry Antipov, Eduard Zingerman
Cc: Daniel Borkmann, Alexei Starovoitov, Andrii Nakryiko, bpf
On 8/7/25 5:34 AM, Dmitry Antipov wrote:
> Running with CONFIG_DEBUG_KMEMLEAK enabled, I've noticed a few memory
> leaks reported as follows:
>
> unreferenced object 0xffff8881ce3bd080 (size 64):
> comm "systemd", pid 3524, jiffies 4294789711
> hex dump (first 32 bytes):
> 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> backtrace (crc 8c5ed7af):
> __kmalloc_node_track_caller_noprof+0x25e/0x4e0
> krealloc_noprof+0xe8/0x2f0
> kvrealloc_noprof+0x65/0xe0
> do_check+0x3ef1/0xcd10
> do_check_common+0x1631/0x2110
> bpf_check+0x3686/0x1e430
> bpf_prog_load+0xda2/0x13f0
> __sys_bpf+0x374/0x5b0
> __x64_sys_bpf+0x7c/0x90
> do_syscall_64+0x8a/0x220
> entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> When an array of SCC slots is allocated in 'compute_scc()', 'scc_cnt' of
> the corresponding environment should be adjusted to match the size of this
> array. Otherwise array members (re)assigned in 'scc_visit_alloc()' will
> be unreachable from the freeing loop in 'free_states()'.
>
> Fixes: c9e31900b54c ("bpf: propagate read/precision marks over state graph backedges")
> Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
This one has been fixed in
https://lore.kernel.org/all/20250801232330.1800436-1-eddyz87@gmail.com/
> ---
> kernel/bpf/verifier.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 0806295945e4..c4f69a9e9af6 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -23114,6 +23114,8 @@ static void free_states(struct bpf_verifier_env *env)
>
> for (i = 0; i < env->scc_cnt; ++i) {
> info = env->scc_info[i];
> + if (!info)
> + continue;
> for (j = 0; j < info->num_visits; j++)
> free_backedges(&info->visits[j]);
> kvfree(info);
> @@ -24554,6 +24556,7 @@ static int compute_scc(struct bpf_verifier_env *env)
> err = -ENOMEM;
> goto exit;
> }
> + env->scc_cnt = next_scc_id;
> exit:
> kvfree(stack);
> kvfree(pre);