    bpf: Do btf_record_free outside map_free callback · d7f5ef65
    Kumar Kartikeya Dwivedi authored
    Since the commit being fixed, we now miss freeing btf_record for local
    storage maps which will have a btf_record populated in case they have
    bpf_spin_lock element.
    
    This was missed because I made the choice of offloading the job to free
    kptr_off_tab (now btf_record) to the map_free callback when adding
    support for kptrs.
    
    Revisiting the reason for this decision, there is the possibility that
    the btf_record gets used inside map_free callback (e.g. in case of maps
    embedding kptrs) to iterate over them and free them, hence doing it
    before the map_free callback would be leaking special field memory, and
    doing invalid memory access. The btf_record keeps module references which
    is critical to ensure the dtor call made for referenced kptr is safe to
    do.
    
    If doing it after map_free callback, the map area is already freed, so
    we cannot access bpf_map structure anymore.
    
    To fix this and prevent such lapses in future, move bpf_map_free_record
    out of the map_free callback, and do it after map_free by remembering
    the btf_record pointer. There is no need to access bpf_map structure in
    that case, and we can avoid missing this case when support for new map
    types is added for other special fields.
    
    Since a btf_record and its btf_field_offs are used together, for
    consistency delay freeing of field_offs as well. While not a problem
    right now, a lot of code assumes that either both record and field_offs
    are set or none at once.
    
    Note that in case of map of maps (outer maps), inner_map_meta->record is
    only used during verification, not to free fields in map value, hence we
    simply keep the bpf_map_free_record call as is in bpf_map_meta_free and
    never touch map->inner_map_meta in bpf_map_free_deferred.
    
    Add a comment making note of these details.
    
    Fixes: db559117 ("bpf: Consolidate spin_lock, timer management into btf_record")
    Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
    Link: https://lore.kernel.org/r/20221118015614.2013203-3-memxor@gmail.com
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
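Added example, not code from the kernel or from this commit: a user-space sketch of the ownership problem the message describes, using hypothetical simplified stand-ins for bpf_map and btf_record and an instrumented allocation counter. It contrasts delegating the record's release to the map_free callback (a callback that forgets leaks the record) with the fix of remembering the record pointer and freeing it after map_free returns.

```c
#include <stdlib.h>

/* Hypothetical, simplified stand-ins for the structures the commit message
 * names; constructed for illustration, not the real bpf definitions. */
struct btf_record { int nr_fields; };
struct bpf_map {
	struct btf_record *record;
	void (*map_free)(struct bpf_map *map);
};

static int live_records; /* instrumentation: records allocated minus freed */
static void btf_record_free(struct btf_record *rec) { live_records--; free(rec); }

/* Local-storage-style callback: frees the map area but, like the callback
 * the commit fixes, never releases map->record. */
static void local_storage_map_free(struct bpf_map *map) { free(map); }

/* Build a map whose btf_record is populated (e.g. it has a bpf_spin_lock). */
static struct bpf_map *make_map(void)
{
	struct bpf_map *map = calloc(1, sizeof(*map));
	map->record = calloc(1, sizeof(*map->record));
	live_records++;
	map->map_free = local_storage_map_free;
	return map;
}

/* Old scheme: releasing the record was delegated to map_free, so a callback
 * that forgets it leaks. Returns the number of leaked records (1). */
int leaked_records_old_scheme(void)
{
	live_records = 0;
	struct bpf_map *map = make_map();
	map->map_free(map);
	return live_records;
}

/* New scheme (the fix): remember the record pointer, let map_free run (it may
 * still read map->record), then free the record without touching the freed
 * map. Returns 0: nothing leaks. */
int leaked_records_new_scheme(void)
{
	live_records = 0;
	struct bpf_map *map = make_map();
	struct btf_record *rec = map->record;
	map->map_free(map);
	btf_record_free(rec);
	return live_records;
}
```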