RE: [PATCH bpf 1/2] libbpf: fix removal of inner map in bpf_object__create_map

From: John Fastabend <john.fastabend@gmail.com>
To: Martynas Pumputis <m@lambda.lt>, bpf@vger.kernel.org
Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, m@lambda.lt
Subject: RE: [PATCH bpf 1/2] libbpf: fix removal of inner map in bpf_object__create_map
Date: Wed, 14 Jul 2021 17:30:07 -0700	[thread overview]
Message-ID: <60ef818f81c18_5a0c120898@john-XPS-13-9370.notmuch> (raw)
In-Reply-To: <20210714165440.472566-2-m@lambda.lt>

Martynas Pumputis wrote:
> If creating an outer map of a BTF-defined map-in-map fails (via
> bpf_object__create_map()), then the previously created its inner map
> won't be destroyed.
> 
> Fix this by ensuring that the destroy routines are not bypassed in the
> case of a failure.
> 
> Fixes: 646f02ffdd49c ("libbpf: Add BTF-defined map-in-map support")
> Reported-by: Andrii Nakryiko <andrii@kernel.org>
> Signed-off-by: Martynas Pumputis <m@lambda.lt>
> ---
>  tools/lib/bpf/libbpf.c | 5 +++--
>  1 file changed, 3 insertions(+), 2 deletions(-)
> 
> diff --git a/tools/lib/bpf/libbpf.c b/tools/lib/bpf/libbpf.c
> index 6f5e2757bb3c..1a840e81ea0a 100644
> --- a/tools/lib/bpf/libbpf.c
> +++ b/tools/lib/bpf/libbpf.c
> @@ -4479,6 +4479,7 @@ static int bpf_object__create_map(struct bpf_object *obj, struct bpf_map *map, b
>  {
>  	struct bpf_create_map_attr create_attr;
>  	struct bpf_map_def *def = &map->def;
> +	int ret = 0;
>  
>  	memset(&create_attr, 0, sizeof(create_attr));
>  
> @@ -4561,7 +4562,7 @@ static int bpf_object__create_map(struct bpf_object *obj, struct bpf_map *map, b
>  	}
>  
>  	if (map->fd < 0)
> -		return -errno;
> +		ret = -errno;
>  

I'm trying to track this down, not being overly familiar with this bit of
code.

We entered bpf_object__create_map with map->inner_map potentially set and
then here we are going to zfree(&map->inner_map). I'm trying to track
down if this is problematic, I guess not? But seems like we could
also free a map here that we didn't create from this call in the above
logic.

>  	if (bpf_map_type__is_map_in_map(def->type) && map->inner_map) {

        if (bpf_map_type__is_map_in_map(def->type) && map->inner_map) {
                if (obj->gen_loader)
                        map->inner_map->fd = -1;
                bpf_map__destroy(map->inner_map);
                zfree(&map->inner_map);
        }

Also not sure here, sorry didn't have time to follow too thoroughly
will check again later. But, the 'map->inner_map->fd = -1' is going to
cause bpf_map__destroy to bypass the close(fd) as I understand it.
So are we leaking an fd if the inner_map->fd is coming from above
create? Or maybe never happens because obj->gen_loader is NULL?

Thanks!

>  		if (obj->gen_loader)
> @@ -4570,7 +4571,7 @@ static int bpf_object__create_map(struct bpf_object *obj, struct bpf_map *map, b
>  		zfree(&map->inner_map);
>  	}
>  
> -	return 0;
> +	return ret;
>  }
>  
>  static int init_map_slots(struct bpf_object *obj, struct bpf_map *map)
> -- 
> 2.32.0
> 