* [PATCH v4 bpf 1/2] bpf: fix map leak in HASH_OF_MAPS map
@ 2020-07-29 4:09 Andrii Nakryiko
2020-07-29 4:09 ` [PATCH v4 bpf 2/2] selftests/bpf: extend map-in-map selftest to detect memory leaks Andrii Nakryiko
2020-07-29 23:44 ` [PATCH v4 bpf 1/2] bpf: fix map leak in HASH_OF_MAPS map Daniel Borkmann
0 siblings, 2 replies; 7+ messages in thread
From: Andrii Nakryiko @ 2020-07-29 4:09 UTC (permalink / raw)
To: bpf, netdev, ast, daniel
Cc: andrii.nakryiko, kernel-team, Andrii Nakryiko, Song Liu, stable
Fix HASH_OF_MAPS bug of not putting inner map pointer on bpf_map_elem_update()
operation. This is due to per-cpu extra_elems optimization, which bypassed
free_htab_elem() logic doing proper clean ups. Make sure that inner map is put
properly in optimized case as well.
Fixes: 8c290e60fa2a ("bpf: fix hashmap extra_elems logic")
Acked-by: Song Liu <songliubraving@fb.com>
Cc: <stable@vger.kernel.org> # v4.14+
Signed-off-by: Andrii Nakryiko <andriin@fb.com>
---
kernel/bpf/hashtab.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/hashtab.c b/kernel/bpf/hashtab.c
index b4b288a3c3c9..b32cc8ce8ff6 100644
--- a/kernel/bpf/hashtab.c
+++ b/kernel/bpf/hashtab.c
@@ -779,15 +779,20 @@ static void htab_elem_free_rcu(struct rcu_head *head)
htab_elem_free(htab, l);
}
-static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l)
+static void htab_put_fd_value(struct bpf_htab *htab, struct htab_elem *l)
{
struct bpf_map *map = &htab->map;
+ void *ptr;
if (map->ops->map_fd_put_ptr) {
- void *ptr = fd_htab_map_get_ptr(map, l);
-
+ ptr = fd_htab_map_get_ptr(map, l);
map->ops->map_fd_put_ptr(ptr);
}
+}
+
+static void free_htab_elem(struct bpf_htab *htab, struct htab_elem *l)
+{
+ htab_put_fd_value(htab, l);
if (htab_is_prealloc(htab)) {
__pcpu_freelist_push(&htab->freelist, &l->fnode);
@@ -839,6 +844,7 @@ static struct htab_elem *alloc_htab_elem(struct bpf_htab *htab, void *key,
*/
pl_new = this_cpu_ptr(htab->extra_elems);
l_new = *pl_new;
+ htab_put_fd_value(htab, old_elem);
*pl_new = old_elem;
} else {
struct pcpu_freelist_node *l;
--
2.24.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH v4 bpf 2/2] selftests/bpf: extend map-in-map selftest to detect memory leaks
2020-07-29 4:09 [PATCH v4 bpf 1/2] bpf: fix map leak in HASH_OF_MAPS map Andrii Nakryiko
@ 2020-07-29 4:09 ` Andrii Nakryiko
2020-07-29 14:29 ` Jakub Sitnicki
2020-07-29 23:44 ` [PATCH v4 bpf 1/2] bpf: fix map leak in HASH_OF_MAPS map Daniel Borkmann
1 sibling, 1 reply; 7+ messages in thread
From: Andrii Nakryiko @ 2020-07-29 4:09 UTC (permalink / raw)
To: bpf, netdev, ast, daniel
Cc: andrii.nakryiko, kernel-team, Andrii Nakryiko, Song Liu, stable
Add test validating that all inner maps are released properly after skeleton
is destroyed. To ensure determinism, trigger kernel-side synchronize_rcu()
before checking map existence by their IDs.
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Andrii Nakryiko <andriin@fb.com>
---
.../selftests/bpf/prog_tests/btf_map_in_map.c | 124 ++++++++++++++++--
1 file changed, 110 insertions(+), 14 deletions(-)
diff --git a/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c b/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c
index f7ee8fa377ad..f6eee3fb933c 100644
--- a/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c
+++ b/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c
@@ -5,10 +5,60 @@
#include "test_btf_map_in_map.skel.h"
+static int duration;
+
+static __u32 bpf_map_id(struct bpf_map *map)
+{
+ struct bpf_map_info info;
+ __u32 info_len = sizeof(info);
+ int err;
+
+ memset(&info, 0, info_len);
+ err = bpf_obj_get_info_by_fd(bpf_map__fd(map), &info, &info_len);
+ if (err)
+ return 0;
+ return info.id;
+}
+
+/*
+ * Trigger synchronize_cpu() in kernel.
+ *
+ * ARRAY_OF_MAPS/HASH_OF_MAPS lookup/update operations trigger
+ * synchronize_rcu(), if looking up/updating non-NULL element. Use this fact
+ * to trigger synchronize_cpu(): create map-in-map, create a trivial ARRAY
+ * map, update map-in-map with ARRAY inner map. Then cleanup. At the end, at
+ * least one synchronize_rcu() would be called.
+ */
+static int kern_sync_rcu(void)
+{
+ int inner_map_fd, outer_map_fd, err, zero = 0;
+
+ inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, 4, 4, 1, 0);
+ if (CHECK(inner_map_fd < 0, "inner_map_create", "failed %d\n", -errno))
+ return -1;
+
+ outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
+ sizeof(int), inner_map_fd, 1, 0);
+ if (CHECK(outer_map_fd < 0, "outer_map_create", "failed %d\n", -errno)) {
+ close(inner_map_fd);
+ return -1;
+ }
+
+ err = bpf_map_update_elem(outer_map_fd, &zero, &inner_map_fd, 0);
+ if (err)
+ err = -errno;
+ CHECK(err, "outer_map_update", "failed %d\n", err);
+ close(inner_map_fd);
+ close(outer_map_fd);
+ return err;
+}
+
void test_btf_map_in_map(void)
{
- int duration = 0, err, key = 0, val;
- struct test_btf_map_in_map* skel;
+ int err, key = 0, val, i;
+ struct test_btf_map_in_map *skel;
+ int outer_arr_fd, outer_hash_fd;
+ int fd, map1_fd, map2_fd, map1_id, map2_id;
skel = test_btf_map_in_map__open_and_load();
if (CHECK(!skel, "skel_open", "failed to open&load skeleton\n"))
@@ -18,32 +68,78 @@ void test_btf_map_in_map(void)
if (CHECK(err, "skel_attach", "skeleton attach failed: %d\n", err))
goto cleanup;
+ map1_fd = bpf_map__fd(skel->maps.inner_map1);
+ map2_fd = bpf_map__fd(skel->maps.inner_map2);
+ outer_arr_fd = bpf_map__fd(skel->maps.outer_arr);
+ outer_hash_fd = bpf_map__fd(skel->maps.outer_hash);
+
/* inner1 = input, inner2 = input + 1 */
- val = bpf_map__fd(skel->maps.inner_map1);
- bpf_map_update_elem(bpf_map__fd(skel->maps.outer_arr), &key, &val, 0);
- val = bpf_map__fd(skel->maps.inner_map2);
- bpf_map_update_elem(bpf_map__fd(skel->maps.outer_hash), &key, &val, 0);
+ map1_fd = bpf_map__fd(skel->maps.inner_map1);
+ bpf_map_update_elem(outer_arr_fd, &key, &map1_fd, 0);
+ map2_fd = bpf_map__fd(skel->maps.inner_map2);
+ bpf_map_update_elem(outer_hash_fd, &key, &map2_fd, 0);
skel->bss->input = 1;
usleep(1);
- bpf_map_lookup_elem(bpf_map__fd(skel->maps.inner_map1), &key, &val);
+ bpf_map_lookup_elem(map1_fd, &key, &val);
CHECK(val != 1, "inner1", "got %d != exp %d\n", val, 1);
- bpf_map_lookup_elem(bpf_map__fd(skel->maps.inner_map2), &key, &val);
+ bpf_map_lookup_elem(map2_fd, &key, &val);
CHECK(val != 2, "inner2", "got %d != exp %d\n", val, 2);
/* inner1 = input + 1, inner2 = input */
- val = bpf_map__fd(skel->maps.inner_map2);
- bpf_map_update_elem(bpf_map__fd(skel->maps.outer_arr), &key, &val, 0);
- val = bpf_map__fd(skel->maps.inner_map1);
- bpf_map_update_elem(bpf_map__fd(skel->maps.outer_hash), &key, &val, 0);
+ bpf_map_update_elem(outer_arr_fd, &key, &map2_fd, 0);
+ bpf_map_update_elem(outer_hash_fd, &key, &map1_fd, 0);
skel->bss->input = 3;
usleep(1);
- bpf_map_lookup_elem(bpf_map__fd(skel->maps.inner_map1), &key, &val);
+ bpf_map_lookup_elem(map1_fd, &key, &val);
CHECK(val != 4, "inner1", "got %d != exp %d\n", val, 4);
- bpf_map_lookup_elem(bpf_map__fd(skel->maps.inner_map2), &key, &val);
+ bpf_map_lookup_elem(map2_fd, &key, &val);
CHECK(val != 3, "inner2", "got %d != exp %d\n", val, 3);
+ for (i = 0; i < 5; i++) {
+ val = i % 2 ? map1_fd : map2_fd;
+ err = bpf_map_update_elem(outer_hash_fd, &key, &val, 0);
+ if (CHECK_FAIL(err)) {
+ printf("failed to update hash_of_maps on iter #%d\n", i);
+ goto cleanup;
+ }
+ err = bpf_map_update_elem(outer_arr_fd, &key, &val, 0);
+ if (CHECK_FAIL(err)) {
+ printf("failed to update hash_of_maps on iter #%d\n", i);
+ goto cleanup;
+ }
+ }
+
+ map1_id = bpf_map_id(skel->maps.inner_map1);
+ map2_id = bpf_map_id(skel->maps.inner_map2);
+ CHECK(map1_id == 0, "map1_id", "failed to get ID 1\n");
+ CHECK(map2_id == 0, "map2_id", "failed to get ID 2\n");
+
+ test_btf_map_in_map__destroy(skel);
+ skel = NULL;
+
+ /* we need to either wait for or force synchronize_rcu(), before
+ * checking for "still exists" condition, otherwise map could still be
+ * resolvable by ID, causing false positives.
+ *
+ * Older kernels (5.8 and earlier) freed map only after two
+ * synchronize_rcu()s, so trigger two, to be entirely sure.
+ */
+ CHECK(kern_sync_rcu(), "sync_rcu", "failed\n");
+ CHECK(kern_sync_rcu(), "sync_rcu", "failed\n");
+
+ fd = bpf_map_get_fd_by_id(map1_id);
+ if (CHECK(fd >= 0, "map1_leak", "inner_map1 leaked!\n")) {
+ close(fd);
+ goto cleanup;
+ }
+ fd = bpf_map_get_fd_by_id(map2_id);
+ if (CHECK(fd >= 0, "map2_leak", "inner_map2 leaked!\n")) {
+ close(fd);
+ goto cleanup;
+ }
+
cleanup:
test_btf_map_in_map__destroy(skel);
}
--
2.24.1
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH v4 bpf 2/2] selftests/bpf: extend map-in-map selftest to detect memory leaks
2020-07-29 4:09 ` [PATCH v4 bpf 2/2] selftests/bpf: extend map-in-map selftest to detect memory leaks Andrii Nakryiko
@ 2020-07-29 14:29 ` Jakub Sitnicki
2020-07-29 17:48 ` Andrii Nakryiko
0 siblings, 1 reply; 7+ messages in thread
From: Jakub Sitnicki @ 2020-07-29 14:29 UTC (permalink / raw)
To: Andrii Nakryiko
Cc: bpf, netdev, ast, daniel, andrii.nakryiko, kernel-team, Song Liu, stable
On Wed, Jul 29, 2020 at 06:09 AM CEST, Andrii Nakryiko wrote:
> Add test validating that all inner maps are released properly after skeleton
> is destroyed. To ensure determinism, trigger kernel-side synchronize_rcu()
> before checking map existence by their IDs.
>
> Acked-by: Song Liu <songliubraving@fb.com>
> Signed-off-by: Andrii Nakryiko <andriin@fb.com>
> ---
> .../selftests/bpf/prog_tests/btf_map_in_map.c | 124 ++++++++++++++++--
> 1 file changed, 110 insertions(+), 14 deletions(-)
>
> diff --git a/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c b/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c
> index f7ee8fa377ad..f6eee3fb933c 100644
> --- a/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c
> +++ b/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c
> @@ -5,10 +5,60 @@
>
> #include "test_btf_map_in_map.skel.h"
>
> +static int duration;
> +
> +static __u32 bpf_map_id(struct bpf_map *map)
> +{
> + struct bpf_map_info info;
> + __u32 info_len = sizeof(info);
> + int err;
> +
> + memset(&info, 0, info_len);
> + err = bpf_obj_get_info_by_fd(bpf_map__fd(map), &info, &info_len);
> + if (err)
> + return 0;
> + return info.id;
> +}
> +
> +/*
> + * Trigger synchronize_cpu() in kernel.
Nit: synchronize_*r*cu().
> + *
> + * ARRAY_OF_MAPS/HASH_OF_MAPS lookup/update operations trigger
> + * synchronize_rcu(), if looking up/updating non-NULL element. Use this fact
> + * to trigger synchronize_cpu(): create map-in-map, create a trivial ARRAY
> + * map, update map-in-map with ARRAY inner map. Then cleanup. At the end, at
> + * least one synchronize_rcu() would be called.
> + */
That's a cool trick. I'm a bit confused by "looking up/updating non-NULL
element". It looks like you're updating an element that is NULL/unset in
the code below. What am I missing?
> +static int kern_sync_rcu(void)
> +{
> + int inner_map_fd, outer_map_fd, err, zero = 0;
> +
> + inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, 4, 4, 1, 0);
> + if (CHECK(inner_map_fd < 0, "inner_map_create", "failed %d\n", -errno))
> + return -1;
> +
> + outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
> + sizeof(int), inner_map_fd, 1, 0);
> + if (CHECK(outer_map_fd < 0, "outer_map_create", "failed %d\n", -errno)) {
> + close(inner_map_fd);
> + return -1;
> + }
> +
> + err = bpf_map_update_elem(outer_map_fd, &zero, &inner_map_fd, 0);
> + if (err)
> + err = -errno;
> + CHECK(err, "outer_map_update", "failed %d\n", err);
> + close(inner_map_fd);
> + close(outer_map_fd);
> + return err;
> +}
> +
> void test_btf_map_in_map(void)
> {
> - int duration = 0, err, key = 0, val;
> - struct test_btf_map_in_map* skel;
> + int err, key = 0, val, i;
> + struct test_btf_map_in_map *skel;
> + int outer_arr_fd, outer_hash_fd;
> + int fd, map1_fd, map2_fd, map1_id, map2_id;
>
> skel = test_btf_map_in_map__open_and_load();
> if (CHECK(!skel, "skel_open", "failed to open&load skeleton\n"))
> @@ -18,32 +68,78 @@ void test_btf_map_in_map(void)
> if (CHECK(err, "skel_attach", "skeleton attach failed: %d\n", err))
> goto cleanup;
>
> + map1_fd = bpf_map__fd(skel->maps.inner_map1);
> + map2_fd = bpf_map__fd(skel->maps.inner_map2);
> + outer_arr_fd = bpf_map__fd(skel->maps.outer_arr);
> + outer_hash_fd = bpf_map__fd(skel->maps.outer_hash);
> +
> /* inner1 = input, inner2 = input + 1 */
> - val = bpf_map__fd(skel->maps.inner_map1);
> - bpf_map_update_elem(bpf_map__fd(skel->maps.outer_arr), &key, &val, 0);
> - val = bpf_map__fd(skel->maps.inner_map2);
> - bpf_map_update_elem(bpf_map__fd(skel->maps.outer_hash), &key, &val, 0);
> + map1_fd = bpf_map__fd(skel->maps.inner_map1);
> + bpf_map_update_elem(outer_arr_fd, &key, &map1_fd, 0);
> + map2_fd = bpf_map__fd(skel->maps.inner_map2);
> + bpf_map_update_elem(outer_hash_fd, &key, &map2_fd, 0);
> skel->bss->input = 1;
> usleep(1);
>
> - bpf_map_lookup_elem(bpf_map__fd(skel->maps.inner_map1), &key, &val);
> + bpf_map_lookup_elem(map1_fd, &key, &val);
> CHECK(val != 1, "inner1", "got %d != exp %d\n", val, 1);
> - bpf_map_lookup_elem(bpf_map__fd(skel->maps.inner_map2), &key, &val);
> + bpf_map_lookup_elem(map2_fd, &key, &val);
> CHECK(val != 2, "inner2", "got %d != exp %d\n", val, 2);
>
> /* inner1 = input + 1, inner2 = input */
> - val = bpf_map__fd(skel->maps.inner_map2);
> - bpf_map_update_elem(bpf_map__fd(skel->maps.outer_arr), &key, &val, 0);
> - val = bpf_map__fd(skel->maps.inner_map1);
> - bpf_map_update_elem(bpf_map__fd(skel->maps.outer_hash), &key, &val, 0);
> + bpf_map_update_elem(outer_arr_fd, &key, &map2_fd, 0);
> + bpf_map_update_elem(outer_hash_fd, &key, &map1_fd, 0);
> skel->bss->input = 3;
> usleep(1);
>
> - bpf_map_lookup_elem(bpf_map__fd(skel->maps.inner_map1), &key, &val);
> + bpf_map_lookup_elem(map1_fd, &key, &val);
> CHECK(val != 4, "inner1", "got %d != exp %d\n", val, 4);
> - bpf_map_lookup_elem(bpf_map__fd(skel->maps.inner_map2), &key, &val);
> + bpf_map_lookup_elem(map2_fd, &key, &val);
> CHECK(val != 3, "inner2", "got %d != exp %d\n", val, 3);
>
> + for (i = 0; i < 5; i++) {
> + val = i % 2 ? map1_fd : map2_fd;
> + err = bpf_map_update_elem(outer_hash_fd, &key, &val, 0);
> + if (CHECK_FAIL(err)) {
> + printf("failed to update hash_of_maps on iter #%d\n", i);
> + goto cleanup;
> + }
> + err = bpf_map_update_elem(outer_arr_fd, &key, &val, 0);
> + if (CHECK_FAIL(err)) {
> + printf("failed to update hash_of_maps on iter #%d\n", i);
> + goto cleanup;
> + }
> + }
> +
> + map1_id = bpf_map_id(skel->maps.inner_map1);
> + map2_id = bpf_map_id(skel->maps.inner_map2);
> + CHECK(map1_id == 0, "map1_id", "failed to get ID 1\n");
> + CHECK(map2_id == 0, "map2_id", "failed to get ID 2\n");
> +
> + test_btf_map_in_map__destroy(skel);
> + skel = NULL;
> +
> + /* we need to either wait for or force synchronize_rcu(), before
> + * checking for "still exists" condition, otherwise map could still be
> + * resolvable by ID, causing false positives.
> + *
> + * Older kernels (5.8 and earlier) freed map only after two
> + * synchronize_rcu()s, so trigger two, to be entirely sure.
> + */
> + CHECK(kern_sync_rcu(), "sync_rcu", "failed\n");
> + CHECK(kern_sync_rcu(), "sync_rcu", "failed\n");
> +
> + fd = bpf_map_get_fd_by_id(map1_id);
> + if (CHECK(fd >= 0, "map1_leak", "inner_map1 leaked!\n")) {
> + close(fd);
> + goto cleanup;
> + }
> + fd = bpf_map_get_fd_by_id(map2_id);
> + if (CHECK(fd >= 0, "map2_leak", "inner_map2 leaked!\n")) {
> + close(fd);
> + goto cleanup;
> + }
> +
> cleanup:
> test_btf_map_in_map__destroy(skel);
> }
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v4 bpf 2/2] selftests/bpf: extend map-in-map selftest to detect memory leaks
2020-07-29 14:29 ` Jakub Sitnicki
@ 2020-07-29 17:48 ` Andrii Nakryiko
2020-07-29 20:29 ` Jakub Sitnicki
2020-07-29 21:17 ` Daniel Borkmann
0 siblings, 2 replies; 7+ messages in thread
From: Andrii Nakryiko @ 2020-07-29 17:48 UTC (permalink / raw)
To: Jakub Sitnicki
Cc: Andrii Nakryiko, bpf, Networking, Alexei Starovoitov,
Daniel Borkmann, Kernel Team, Song Liu, linux- stable
On Wed, Jul 29, 2020 at 7:29 AM Jakub Sitnicki <jakub@cloudflare.com> wrote:
>
> On Wed, Jul 29, 2020 at 06:09 AM CEST, Andrii Nakryiko wrote:
> > Add test validating that all inner maps are released properly after skeleton
> > is destroyed. To ensure determinism, trigger kernel-side synchronize_rcu()
> > before checking map existence by their IDs.
> >
> > Acked-by: Song Liu <songliubraving@fb.com>
> > Signed-off-by: Andrii Nakryiko <andriin@fb.com>
> > ---
> > .../selftests/bpf/prog_tests/btf_map_in_map.c | 124 ++++++++++++++++--
> > 1 file changed, 110 insertions(+), 14 deletions(-)
> >
> > diff --git a/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c b/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c
> > index f7ee8fa377ad..f6eee3fb933c 100644
> > --- a/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c
> > +++ b/tools/testing/selftests/bpf/prog_tests/btf_map_in_map.c
> > @@ -5,10 +5,60 @@
> >
> > #include "test_btf_map_in_map.skel.h"
> >
> > +static int duration;
> > +
> > +static __u32 bpf_map_id(struct bpf_map *map)
> > +{
> > + struct bpf_map_info info;
> > + __u32 info_len = sizeof(info);
> > + int err;
> > +
> > + memset(&info, 0, info_len);
> > + err = bpf_obj_get_info_by_fd(bpf_map__fd(map), &info, &info_len);
> > + if (err)
> > + return 0;
> > + return info.id;
> > +}
> > +
> > +/*
> > + * Trigger synchronize_cpu() in kernel.
>
> Nit: synchronize_*r*cu().
welp, yeah
>
> > + *
> > + * ARRAY_OF_MAPS/HASH_OF_MAPS lookup/update operations trigger
> > + * synchronize_rcu(), if looking up/updating non-NULL element. Use this fact
> > + * to trigger synchronize_cpu(): create map-in-map, create a trivial ARRAY
> > + * map, update map-in-map with ARRAY inner map. Then cleanup. At the end, at
> > + * least one synchronize_rcu() would be called.
> > + */
>
> That's a cool trick. I'm a bit confused by "looking up/updating non-NULL
> element". It looks like you're updating an element that is NULL/unset in
> the code below. What am I missing?
I was basically trying to say that it has to be a successful lookup or
update. For lookup that means looking up non-NULL (existing) entry.
For update -- setting valid inner map FD.
Not sure fixing this and typo above is worth it to post v5.
>
> > +static int kern_sync_rcu(void)
> > +{
> > + int inner_map_fd, outer_map_fd, err, zero = 0;
> > +
> > + inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, 4, 4, 1, 0);
> > + if (CHECK(inner_map_fd < 0, "inner_map_create", "failed %d\n", -errno))
> > + return -1;
> > +
> > + outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
> > + sizeof(int), inner_map_fd, 1, 0);
> > + if (CHECK(outer_map_fd < 0, "outer_map_create", "failed %d\n", -errno)) {
> > + close(inner_map_fd);
> > + return -1;
> > + }
> > +
> > + err = bpf_map_update_elem(outer_map_fd, &zero, &inner_map_fd, 0);
> > + if (err)
> > + err = -errno;
> > + CHECK(err, "outer_map_update", "failed %d\n", err);
> > + close(inner_map_fd);
> > + close(outer_map_fd);
> > + return err;
> > +}
> > +
[...]
trimming's good ;)
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v4 bpf 2/2] selftests/bpf: extend map-in-map selftest to detect memory leaks
2020-07-29 17:48 ` Andrii Nakryiko
@ 2020-07-29 20:29 ` Jakub Sitnicki
2020-07-29 21:17 ` Daniel Borkmann
1 sibling, 0 replies; 7+ messages in thread
From: Jakub Sitnicki @ 2020-07-29 20:29 UTC (permalink / raw)
To: Andrii Nakryiko
Cc: Andrii Nakryiko, bpf, Networking, Alexei Starovoitov,
Daniel Borkmann, Kernel Team, Song Liu, linux- stable
On Wed, Jul 29, 2020 at 07:48 PM CEST, Andrii Nakryiko wrote:
> On Wed, Jul 29, 2020 at 7:29 AM Jakub Sitnicki <jakub@cloudflare.com> wrote:
>>
>> On Wed, Jul 29, 2020 at 06:09 AM CEST, Andrii Nakryiko wrote:
[...]
>> > +/*
>> > + * Trigger synchronize_cpu() in kernel.
>>
>> Nit: synchronize_*r*cu().
>
> welp, yeah
>
>>
>> > + *
>> > + * ARRAY_OF_MAPS/HASH_OF_MAPS lookup/update operations trigger
>> > + * synchronize_rcu(), if looking up/updating non-NULL element. Use this fact
>> > + * to trigger synchronize_cpu(): create map-in-map, create a trivial ARRAY
>> > + * map, update map-in-map with ARRAY inner map. Then cleanup. At the end, at
>> > + * least one synchronize_rcu() would be called.
>> > + */
>>
>> That's a cool trick. I'm a bit confused by "looking up/updating non-NULL
>> element". It looks like you're updating an element that is NULL/unset in
>> the code below. What am I missing?
>
> I was basically trying to say that it has to be a successful lookup or
> update. For lookup that means looking up non-NULL (existing) entry.
> For update -- setting valid inner map FD.
>
> Not sure fixing this and typo above is worth it to post v5.
I just wanted to understand that the helper is working as intended. It
seems handy. I agree that it's not worth respinning the patches just for
this.
>
>>
>> > +static int kern_sync_rcu(void)
>> > +{
>> > + int inner_map_fd, outer_map_fd, err, zero = 0;
>> > +
>> > + inner_map_fd = bpf_create_map(BPF_MAP_TYPE_ARRAY, 4, 4, 1, 0);
>> > + if (CHECK(inner_map_fd < 0, "inner_map_create", "failed %d\n", -errno))
>> > + return -1;
>> > +
>> > + outer_map_fd = bpf_create_map_in_map(BPF_MAP_TYPE_ARRAY_OF_MAPS, NULL,
>> > + sizeof(int), inner_map_fd, 1, 0);
>> > + if (CHECK(outer_map_fd < 0, "outer_map_create", "failed %d\n", -errno)) {
>> > + close(inner_map_fd);
>> > + return -1;
>> > + }
>> > +
>> > + err = bpf_map_update_elem(outer_map_fd, &zero, &inner_map_fd, 0);
>> > + if (err)
>> > + err = -errno;
>> > + CHECK(err, "outer_map_update", "failed %d\n", err);
>> > + close(inner_map_fd);
>> > + close(outer_map_fd);
>> > + return err;
>> > +}
>> > +
>
> [...]
>
> trimming's good ;)
You caught me. Just being lazy. No excuses :-)
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v4 bpf 2/2] selftests/bpf: extend map-in-map selftest to detect memory leaks
2020-07-29 17:48 ` Andrii Nakryiko
2020-07-29 20:29 ` Jakub Sitnicki
@ 2020-07-29 21:17 ` Daniel Borkmann
1 sibling, 0 replies; 7+ messages in thread
From: Daniel Borkmann @ 2020-07-29 21:17 UTC (permalink / raw)
To: Andrii Nakryiko, Jakub Sitnicki
Cc: Andrii Nakryiko, bpf, Networking, Alexei Starovoitov,
Kernel Team, Song Liu, linux- stable
On 7/29/20 7:48 PM, Andrii Nakryiko wrote:
> On Wed, Jul 29, 2020 at 7:29 AM Jakub Sitnicki <jakub@cloudflare.com> wrote:
>>
>> On Wed, Jul 29, 2020 at 06:09 AM CEST, Andrii Nakryiko wrote:
>>> Add test validating that all inner maps are released properly after skeleton
>>> is destroyed. To ensure determinism, trigger kernel-side synchronize_rcu()
>>> before checking map existence by their IDs.
>>>
>>> Acked-by: Song Liu <songliubraving@fb.com>
>>> Signed-off-by: Andrii Nakryiko <andriin@fb.com>
[...]
>>> +/*
>>> + * Trigger synchronize_cpu() in kernel.
>>
>> Nit: synchronize_*r*cu().
>
> welp, yeah
>
>>
>>> + *
>>> + * ARRAY_OF_MAPS/HASH_OF_MAPS lookup/update operations trigger
>>> + * synchronize_rcu(), if looking up/updating non-NULL element. Use this fact
>>> + * to trigger synchronize_cpu(): create map-in-map, create a trivial ARRAY
>>> + * map, update map-in-map with ARRAY inner map. Then cleanup. At the end, at
>>> + * least one synchronize_rcu() would be called.
>>> + */
>>
>> That's a cool trick. I'm a bit confused by "looking up/updating non-NULL
>> element". It looks like you're updating an element that is NULL/unset in
>> the code below. What am I missing?
>
> I was basically trying to say that it has to be a successful lookup or
> update. For lookup that means looking up non-NULL (existing) entry.
> For update -- setting valid inner map FD.
>
> Not sure fixing this and typo above is worth it to post v5.
Nope, I'll fix it up while applying.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH v4 bpf 1/2] bpf: fix map leak in HASH_OF_MAPS map
2020-07-29 4:09 [PATCH v4 bpf 1/2] bpf: fix map leak in HASH_OF_MAPS map Andrii Nakryiko
2020-07-29 4:09 ` [PATCH v4 bpf 2/2] selftests/bpf: extend map-in-map selftest to detect memory leaks Andrii Nakryiko
@ 2020-07-29 23:44 ` Daniel Borkmann
1 sibling, 0 replies; 7+ messages in thread
From: Daniel Borkmann @ 2020-07-29 23:44 UTC (permalink / raw)
To: Andrii Nakryiko, bpf, netdev, ast
Cc: andrii.nakryiko, kernel-team, Song Liu, stable
On 7/29/20 6:09 AM, Andrii Nakryiko wrote:
> Fix HASH_OF_MAPS bug of not putting inner map pointer on bpf_map_elem_update()
> operation. This is due to per-cpu extra_elems optimization, which bypassed
> free_htab_elem() logic doing proper clean ups. Make sure that inner map is put
> properly in optimized case as well.
>
> Fixes: 8c290e60fa2a ("bpf: fix hashmap extra_elems logic")
> Acked-by: Song Liu <songliubraving@fb.com>
> Cc: <stable@vger.kernel.org> # v4.14+
> Signed-off-by: Andrii Nakryiko <andriin@fb.com>
Both applied, thanks!
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2020-07-29 23:44 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-07-29 4:09 [PATCH v4 bpf 1/2] bpf: fix map leak in HASH_OF_MAPS map Andrii Nakryiko
2020-07-29 4:09 ` [PATCH v4 bpf 2/2] selftests/bpf: extend map-in-map selftest to detect memory leaks Andrii Nakryiko
2020-07-29 14:29 ` Jakub Sitnicki
2020-07-29 17:48 ` Andrii Nakryiko
2020-07-29 20:29 ` Jakub Sitnicki
2020-07-29 21:17 ` Daniel Borkmann
2020-07-29 23:44 ` [PATCH v4 bpf 1/2] bpf: fix map leak in HASH_OF_MAPS map Daniel Borkmann
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).