On Mon, 2024-04-08 at 10:09 +0200, Benjamin Tissoires wrote:
[...]
> diff --git a/kernel/bpf/helpers.c b/kernel/bpf/helpers.c
> index 9234174ccb21..fd05d4358b31 100644
> --- a/kernel/bpf/helpers.c
> +++ b/kernel/bpf/helpers.c
> @@ -1096,12 +1096,19 @@ const struct bpf_func_proto bpf_snprintf_proto = {
> * freeing the timers when inner map is replaced or deleted by user space.
> */
> struct bpf_hrtimer {
> - struct hrtimer timer;
> + union {
> + struct hrtimer timer;
> + struct work_struct work;
> + };
> struct bpf_map *map;
> struct bpf_prog *prog;
> void __rcu *callback_fn;
> void *value;
> - struct rcu_head rcu;
> + union {
> + struct rcu_head rcu;
> + struct work_struct sync_work;
Nit:
I find this name very confusing, the field is used to cancel timer
execution, is it a convention to call such things '...sync...'?
> + };
> + u64 flags;
> };
>
[...]
> +static void bpf_timer_sync_work_cb(struct work_struct *work)
> +{
> + struct bpf_hrtimer *t = container_of(work, struct bpf_hrtimer, sync_work);
> +
> + cancel_work_sync(&t->work);
> +
> + kfree_rcu(t, rcu);
Sorry, I might be wrong, but this looks suspicious.
The 'rcu' field of 'bpf_hrtimer' is defined as follows:
struct bpf_hrtimer {
...
union {
struct rcu_head rcu;
struct work_struct sync_work;
};
...
};
And for sleepable timers the 'sync_work' field is set as follows:
BPF_CALL_3(bpf_timer_init, struct bpf_timer_kern *, timer, struct bpf_map *, map,
u64, flags)
{
...
INIT_WORK(&t->sync_work, bpf_timer_sync_work_cb);
...
}
So, it looks like 'kfree_rcu' would be called for a non-rcu pointer.
> +}
> +
