> From: Hou Tao <houtao1@xxxxxxxxxx>
>
> When there is a bpf_list_head or bpf_rb_root field in a map value, the free
> of the map btf and the free of the map value may run concurrently and there
> may be a use-after-free problem, so add two test cases to demonstrate it. The
> use-after-free problem can be easily reproduced by using the bpf_next
> tree and a KASAN-enabled kernel.
>
> The first test case tests the race between the free of the map btf and the
> free of the array map. It constructs the race by releasing the array map
> last, after the other ref-counters of the map btf have been released. To
> delay the free of the array map and make it be invoked after btf_free_rcu()
> is invoked, it stresses system_unbound_wq by closing multiple percpu array
> maps before it closes the array map.

I tested this version and it is indeed much better now and can reproduce
the issue within 5 tries. Considering the test in CI will run with multiple
configurations (compiler + arch + bpf cpu versions), I still recommend
adding the test to the bpf selftests.

>
> The second case tests the race between the free of the map btf and the
> free of the inner map. Besides using a similar method to the first one,
> it uses bpf_map_delete_elem() to delete the inner map and to defer
> the release of the inner map until after one RCU grace period.
>
> The reason for using two skeletons is to prevent the release of the outer
> map and inner map in map_in_map_btf.c from interfering with the release of
> the bpf map in normal_map_btf.c.
>
> Signed-off-by: Hou Tao <houtao1@xxxxxxxxxx>

Note this patch can only be applied after
https://lore.kernel.org/bpf/20231206210959.1035724-1-yonghong.song@xxxxxxxxx/

With the above

Acked-by: Yonghong Song <yonghong.song@xxxxxxxxx>