From: Hou Tao <houtao1@xxxxxxxxxx>

Hi,

The patch-set aims to fix the release of inner map in map array or map htab. The release of inner map is different from normal map. For normal map, the map is released after the bpf program which uses the map is destroyed, because the bpf program tracks the used maps. However bpf program cannot track the used inner map because these inner maps may be updated or deleted dynamically, and for now the ref-count of inner map is decreased after the inner map is overridden or deleted from map in map, so the inner map may be released before the bpf program which is accessing the inner map exits and there will be use-after-free problem as demonstrated by patch #11.

The patchset fixes the problem by deferring the decrease of ref-count of inner map. Patch #1 fixes the warning when running the newly-added selftest. Patch #2~#6 add necessary helpers, patch #7~#8 fix the problem for map array and map htab, patch #9 removes unused helpers and patch #10~#11 update test and add new test cases.

Please check individual patches for more details. And comments are always welcome.

Regards,
Tao

Hou Tao (11):
  bpf: Check rcu_read_lock_trace_held() before calling bpf map helpers
  bpf: Reduce the scope of rcu_read_lock when updating fd map
  bpf: Use GFP_KERNEL in bpf_event_entry_gen()
  bpf: Add need_defer parameter to .map_fd_put_ptr()
  bpf: Add bpf_map_of_map_fd_{get,put}_ptr() helpers
  bpf: Add bpf_map_of_map_fd_sys_lookup_elem() helper
  bpf: Defer bpf_map_put() for inner map in map array
  bpf: Defer bpf_map_put() for inner map in map htab
  bpf: Remove unused helpers for map-in-map
  selftests/bpf: Remove the liveness test for inner map
  selftests/bpf: Add test cases for inner map

 include/linux/bpf.h | 6 +-
 kernel/bpf/arraymap.c | 40 +++--
 kernel/bpf/hashtab.c | 33 +++--
 kernel/bpf/helpers.c | 13 +-
 kernel/bpf/map_in_map.c | 60 ++++++--
 kernel/bpf/map_in_map.h | 16 +-
 kernel/bpf/syscall.c | 4 -
 .../selftests/bpf/prog_tests/btf_map_in_map.c | 26 +---
 .../selftests/bpf/prog_tests/map_in_map.c | 138 ++++++++++++++++++
 .../selftests/bpf/progs/access_map_in_map.c | 99 +++++++++++++
 10 files changed, 359 insertions(+), 76 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/map_in_map.c
 create mode 100644 tools/testing/selftests/bpf/progs/access_map_in_map.c

-- 
2.29.2
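
The lifetime problem and the deferred put described in the cover letter above, as an added userspace toy model; it is not code from the patch set or from the kernel. A plain reader counter stands in for however the kernel learns that running programs have finished (an assumption, since the cover letter does not say), and every struct and function name is hypothetical; only the parameter name need_defer is borrowed from the title of patch #4.

```c
/* Userspace toy model, not kernel code; every name here is hypothetical. */
#include <stdbool.h>
#include <stddef.h>

struct inner_map { int refcnt; bool freed; };  /* freed: stands in for the real free */
struct outer_map {
    struct inner_map *slot, *deferred;  /* live element; put awaiting readers */
    int readers;                        /* programs currently running */
};

static void map_put(struct inner_map *m)
{
    m->freed = (--m->refcnt == 0);
}

/* Syscall side: remove the element and drop the outer map's reference. */
static void outer_delete(struct outer_map *o, bool need_defer)
{
    struct inner_map *old = o->slot;
    o->slot = NULL;
    if (need_defer && o->readers > 0)
        o->deferred = old;              /* hold the reference for now */
    else
        map_put(old);
}

/* Program exit: once no reader remains, the postponed put runs. */
static void prog_exit(struct outer_map *o)
{
    if (--o->readers == 0 && o->deferred) {
        map_put(o->deferred);
        o->deferred = NULL;
    }
}

/* 0 = safe and released, 1 = program saw a freed map, 2 = map leaked. */
static int race_outcome(bool need_defer)
{
    struct inner_map inner = { 1, false };
    struct outer_map outer = { &inner, NULL, 1 };  /* one program running */
    struct inner_map *seen = outer.slot;           /* lookup takes no ref */

    outer_delete(&outer, need_defer);              /* concurrent delete */
    bool stale = seen->freed;                      /* program uses 'seen' */
    prog_exit(&outer);
    return stale ? 1 : (inner.freed ? 0 : 2);
}

int main(void) { return race_outcome(true); }
```

With need_defer false the model reproduces the ordering the cover letter describes, where the last reference is dropped while a program still holds the pointer; with it true the drop waits for the program to exit and the map is still released afterwards.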