Re: Possible kernel memory leak in bpf_timer

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Hou Tao <houtao@huaweicloud.com>
To: Hsin-Wei Hung <hsinweih@uci.edu>
Cc: Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	Martin KaFai Lau <kafai@fb.com>, Song Liu <songliubraving@fb.com>,
	Yonghong Song <yhs@fb.com>,
	John Fastabend <john.fastabend@gmail.com>,
	KP Singh <kpsingh@kernel.org>,
	Network Development <netdev@vger.kernel.org>,
	bpf <bpf@vger.kernel.org>,
	Kumar Kartikeya Dwivedi <memxor@gmail.com>
Subject: Re: Possible kernel memory leak in bpf_timer
Date: Wed, 11 Oct 2023 14:16:46 +0800	[thread overview]
Message-ID: <bc65ba0c-831e-779e-cbf1-69a409fc211a@huaweicloud.com> (raw)
In-Reply-To: <CABcoxUZU-+aaPw1VsqbYRsbCEq8R7Mb+aCCkq6M6zVoP3Oq36g@mail.gmail.com>

Hi,

On 10/11/2023 12:39 PM, Hsin-Wei Hung wrote:
> On Sat, Oct 7, 2023 at 7:46 PM Hou Tao <houtao@huaweicloud.com> wrote:
>> Hi,
>>
>> On 9/27/2023 1:32 PM, Hsin-Wei Hung wrote:
>>> Hi,
>>>
>>> We found a potential memory leak in bpf_timer in v5.15.26 using a
>>> customized syzkaller for fuzzing bpf runtime. It can happen when
>>> an arraymap is being released. An entry that has been checked by
>>> bpf_timer_cancel_and_free() can again be initialized by bpf_timer_init().
>>> Since both paths are almost identical between v5.15 and net-next,
>>> I suspect this problem still exists. Below are kmemleak report and
>>> some additional printks I inserted.
>>>
>>> [ 1364.081694] array_map_free_timers map:0xffffc900005a9000
>>> [ 1364.081730] ____bpf_timer_init map:0xffffc900005a9000
>>> timer:0xffff888001ab4080
>>>
>>> *no bpf_timer_cancel_and_free that will kfree struct bpf_hrtimer*
>>> at 0xffff888001ab4080 is called
>> I think the kmemleak happened as follows:
>>
>> bpf_timer_init()
>>   lock timer->lock
>>     read timer->timer as NULL
>>     read map->usercnt != 0
>>
>>                 bpf_map_put_uref()
>>                   // map->usercnt = 0
>>                   atomic_dec_and_test(map->usercnt)
>>                     array_map_free_timers()
>>                     // just return and lead to mem leak
>>                     find timer->timer is NULL
>>
>>     t = bpf_map_kmalloc_node()
>>     timer->timer = t
>>   unlock timer->lock
>>
>> Could you please try the attached patch to check whether the kmemleak
>> problem has been fixed ?
>>
> Hi,
>
> Sorry for the late reply to this thread.
>
> KASAN is complaining about double-free/invalid-free in the kfree after
> applying the patch. There are some cases that jump to "out" before the
> bpf_hrtimer is allocated or when the bpf_hrtimer is already allocated.

My bad. Didn't carefully test the patch before posting the patch. Could
you please apply the modification below to the patch and try it again ?

diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
index bcbd47436a19..c72e28d0ce86 100644
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -1175,6 +1175,7 @@ BPF_CALL_3(bpf_timer_init, struct bpf_timer_kern
*, timer, struct bpf_map *, map
        __bpf_spin_lock_irqsave(&timer->lock);
        t = timer->timer;
        if (t) {
+               t = NULL;
                ret = -EBUSY;
                goto out;
        }


>
> I am still trying to have a standalone working POC. I think a key to
> trigger this memory leak is to 1) have a large array map 2) a bpf
> program init a timer in a small-index entry and then 3) release the
> map.
Yes. And I still think my guess about how the kmemleak happens is correct.

>
> -Amery
>
>
>>> [ 1383.907869] kmemleak: 1 new suspected memory leaks (see
>>> /sys/kernel/debug/kmemleak)
>>> BUG: memory leak
>>> unreferenced object 0xffff888001ab4080 (size 96):
>>>   comm "sshd", pid 279, jiffies 4295233126 (age 29.952s)
>>>   hex dump (first 32 bytes):
>>>     80 40 ab 01 80 88 ff ff 00 00 00 00 00 00 00 00  .@..............
>>>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>>>   backtrace:
>>>     [<000000009d018da0>] bpf_map_kmalloc_node+0x89/0x1a0
>>>     [<00000000ebcb33fc>] bpf_timer_init+0x177/0x320
>>>     [<00000000fb7e90bf>] 0xffffffffc02a0358
>>>     [<000000000c89ec4f>] __cgroup_bpf_run_filter_skb+0xcbf/0x1110
>>>     [<00000000fd663fc0>] ip_finish_output+0x13d/0x1f0
>>>     [<00000000acb3205c>] ip_output+0x19b/0x310
>>>     [<000000006b584375>] __ip_queue_xmit+0x182e/0x1ed0
>>>     [<00000000b921b07e>] __tcp_transmit_skb+0x2b65/0x37f0
>>>     [<0000000026104b23>] tcp_write_xmit+0xf19/0x6290
>>>     [<000000006dc71bc5>] __tcp_push_pending_frames+0xaf/0x390
>>>     [<00000000251b364a>] tcp_push+0x452/0x6d0
>>>     [<000000008522b7d3>] tcp_sendmsg_locked+0x2567/0x3030
>>>     [<0000000038c644d2>] tcp_sendmsg+0x30/0x50
>>>     [<000000009fe3413f>] inet_sendmsg+0xba/0x140
>>>     [<0000000034d78039>] sock_sendmsg+0x13d/0x190
>>>     [<00000000f55b8db6>] sock_write_iter+0x296/0x3d0
>>>
>>>
>>> Thanks,
>>> Hsin-Wei (Amery)
>>>
>>>
>>> .
>
> .

next prev parent reply	other threads:[~2023-10-11  6:17 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-09-27  5:32 Possible kernel memory leak in bpf_timer Hsin-Wei Hung
2023-09-27  8:42 ` Kumar Kartikeya Dwivedi
2023-10-08  2:46 ` Hou Tao
2023-10-11  4:39   ` Hsin-Wei Hung
2023-10-11  6:16     ` Hou Tao [this message]
2023-10-11  6:48       ` Hou Tao

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:bcbd47436a1 dfblob:c72e28d0ce8 )
 OR (
bs:"Re: Possible kernel memory leak in bpf_timer" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bc65ba0c-831e-779e-cbf1-69a409fc211a@huaweicloud.com \
    --to=houtao@huaweicloud.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=hsinweih@uci.edu \
    --cc=john.fastabend@gmail.com \
    --cc=kafai@fb.com \
    --cc=kpsingh@kernel.org \
    --cc=memxor@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=songliubraving@fb.com \
    --cc=yhs@fb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).